
Mind The Portability: A Warriors Guide through Realistic Profiled Side-channel Analysis



  1. Mind The Portability: A Warriors Guide through Realistic Profiled Side-channel Analysis
     Shivam Bhasin (1), Dirmanto Jap (1), Anupam Chattopadhyay (1), Stjepan Picek (2), Annelie Heuser (3), and Ritu Ranjan Shrivastwa (4)
     (1) NTU, Singapore; (2) TU Delft, Netherlands; (3) IRISA, France; (4) Secure-IC France
     NDSS 2020, San Diego, 23-26 February 2020

  2. Side-Channel Analysis (SCA)
     [Figure labels: side-channel measurement; encryption requests; energy; timing reference; THEN / NOW]

  3. What is SCA?
     • Non-invasive (power, EM, timing, …)
     • Powerful & practical. Ex:
       – Keeloq
       – FPGA bitstream encryption
       – Bitcoin wallets
       – …
     • Applications: secret key recovery and more …
     • Serious threat to embedded systems
     [Figure labels: attacked circuit; EMA; TA; side-channel trace; time; SPA, DPA, templates, etc.]

  4. Types of SCA
     • Simple SCA (ex. visual inspection)
     • Non-profiled SCA (ex. DPA, CPA, other on-the-fly statistical attacks)
     • Profiled SCA (ex. templates, machine-learning based attacks)
     In the following, we focus on profiled power/EM attacks on embedded devices targeting encryption algorithms for secret key recovery.

  5. Profiled SCA
     [Figure labels: profiling phase (known key, Device 1): traces, labels, train, classification algorithm, profiled model; attack phase (unknown key, Device 2): traces, label hypothesis, classification algorithm, secret key]
     • Target exploitation in few traces, ideally a single trace
     • Classification algorithm: Template Attacks (TA) vs Machine Learning (ML)
     • Deep learning has shown great success with protected implementations
     • Recent work with deep learning reports successful attacks in 100X fewer traces (500 vs 5).

  6. Expectations vs Reality
     [Figure: the profiled SCA diagram (profiling phase, known key, Device 1; attack phase, unknown key, Device 2), marked "Expected"]

  7. Expectations vs Reality
     [Figure: the same diagram with "Traces train" and "Traces test" added, marked "Expected" and "Reality"]

  8. Portability
     • B and B’ are two copies of the same device
     • Differences between B and B’ are due to uncontrolled variations in process, measurement setup, or other stochastic factors
     • Portability denotes all settings in which an attacker can conduct the training on the measurement data obtained from a clone device B’ and import the learned knowledge L_B’ to model the actual device B, under similar parameter setup

  9. Practical Study of Portability
     Different sources of portability: process variation (chip, wires, PCB components, connectors), environmental factors, ...

  10. Comparing Signal Quality

  11. Comparing SCA Vulnerability

  12. [Figure labels: same device / different device; same key / different key; > 20X degradation]

  13. Why Does It Happen? !!! OVERFITTING !!!

  14. Proposed Multi-Device Model
      [Figure labels: profiling phase (known key): Device 1, Device 2, Device 3, traces train, traces val, labels, classification algorithm, profiled model; attack phase (unknown key): Device test, traces test, label hypothesis, classification algorithm, secret key]

  15. Proposed Multi-Device Model
      • Multiple Device Model (MDM) denotes all settings where the attacker can conduct the training on measurement data from a number of similar devices (≥ 2), B’ = {B’_0, ..., B’_{n−1}}, and import the learned knowledge L_B’ to model the actual device B, under similar but uncontrolled parameter setup
      [Callout: > 10X improvements]

  16. Overcoming Human Error
      • Electromagnetic measurements often preferred over power measurements
        – Easy access
        – High SNR
        – Localized leakage capture
        – …
      • Extremely sensitive to probe position (position, distance, and orientation)
      • Error comes naturally when measuring on multiple devices
      • We call this human error of placement
      • A classical case of portability

  17. Overcoming Human Error (same bullets as slide 16, with the added callout: MDM)

  18. Conclusions
      • One must consider portability issues in machine learning based SCA
      • We proposed the Multiple Device Model (MDM) to overcome portability
      • Direct application to EM measurement
      • Future directions:
        – Application to heterogeneous devices
        – MDM with one device noise, process-variation models

  19. Thank You !!!

  20. Side-Channel Analysis (SCA)
      Let's look at a basic CMOS cell

  21. Side-Channel Analysis (SCA)
      Extending from one cell to a full circuit. Measure by electromagnetic probe.
      [Figure labels: 1 → 0 and 0 → 1 transitions; random number generator: randomness source, entropy source, entropy extraction, post-processing, online test, alarm, raw output, TRNG output]

  22. Expectations vs Reality
      • Profiling and testing device MUST be distinct
      • An aspect often overlooked in profiled SCA research
      • Leads to pessimistic security evaluations
      • A common issue for certification labs evaluating security-critical products
      • Known as portability
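
An added simulation, not part of the original slides, of the portability gap and the Multiple Device Model from slides 13-15 and 22, as an evaluator would reproduce it on synthetic data. The two-point trace model, the device offsets and all function names are assumptions: one sample leaks the Hamming weight of a byte plus a per-device offset, the other carries only the offset, and the classifier is a Gaussian template with pooled covariance.

```python
import random

def simulate(offset, n, rng, noise=0.3):
    """Constructed 2-point traces for one device: (label, [leaky, baseline])."""
    out = []
    for _ in range(n):
        hw = bin(rng.randrange(256)).count("1")   # label: Hamming weight of a byte
        out.append((hw, [hw + offset + rng.gauss(0, noise),   # data-dependent point
                         offset + rng.gauss(0, noise)]))      # device baseline only
    return out

def fit_templates(data):
    """Gaussian templates: per-class means and one pooled, inverted 2x2 covariance."""
    sums, cnt = {}, {}
    for y, x in data:
        s = sums.setdefault(y, [0.0, 0.0])
        s[0] += x[0]
        s[1] += x[1]
        cnt[y] = cnt.get(y, 0) + 1
    means = {y: [s[0] / cnt[y], s[1] / cnt[y]] for y, s in sums.items()}
    a = b = d = 0.0
    for y, x in data:
        u, v = x[0] - means[y][0], x[1] - means[y][1]
        a, b, d = a + u * u, b + u * v, d + v * v
    det, n = a * d - b * b, len(data)
    return means, (n * d / det, -n * b / det, n * a / det)

def accuracy(model, data):
    """Fraction of traces whose nearest template (Mahalanobis) is the true label."""
    means, (p, q, r) = model
    def dist(x, m):
        u, v = x[0] - m[0], x[1] - m[1]
        return p * u * u + 2 * q * u * v + r * v * v
    return sum(min(means, key=lambda c: dist(x, means[c])) == y
               for y, x in data) / len(data)

def portability_experiment(seed=1):
    """Profile on one clone vs. several clones, then test on an unseen device B."""
    rng = random.Random(seed)
    clones = [simulate(o, 3000, rng) for o in (-1.0, -0.3, 0.4, 1.1)]  # B'_0..B'_3
    target = simulate(0.8, 2000, rng)              # device B, never profiled
    single = fit_templates(clones[0])              # profile on one clone only
    mdm = fit_templates([t for c in clones for t in c])   # Multiple Device Model
    return {"same_device": accuracy(single, simulate(-1.0, 2000, rng)),
            "single_to_B": accuracy(single, target),
            "mdm_to_B": accuracy(mdm, target)}

if __name__ == "__main__":
    print(portability_experiment())
```

The single-clone templates look strong when tested on their own device and collapse on B, because a device-constant baseline cannot be learned from one device; pooling clones exposes that variation and the templates learn to discount it. An evaluation that reports only `same_device` would not see the difference.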
