Reasoning about Aggregation of Information in Timing Attacks (PowerPoint presentation)



SLIDE 1

Reasoning about Aggregation of Information in Timing Attacks

Itsaka Rakotonirina (INRIA Nancy Grand-Est), Boris Köpf (Microsoft Research)

SLIDE 7

Choose a letter: A or B.
Does it occur more than 10 times in TARATATATARATATATA?
🤕 … No.
Q: Which letter was chosen?

SLIDE 11

Timing attacks

Remote measurements: a long-term secret, and queries to an oracle O : public input ↦ execution time of a program.

Differential measurements: exploit timing variations, not the absolute execution time.

Compositionality: the secret is recovered chunk by chunk.

Timeline of documented attacks:
  • on RSA (Kocher), 1996
  • on RSA (Dhem et al.), 1998
  • on AES (Bernstein), 2005
  • on AES (Acıiçmez et al.), 2007
  • Lucky Thirteen (AlFardan, Paterson), 2013
  • Flush+Reload (Yarom, Falkner), 2014
  • on ECDH (Kaufmann et al.), 2016
  • Meltdown (Lipp et al.), 2018
  • Spectre (Kocher et al.), 2018
  • RIDL (van Schaik et al.), 2019
  • ZombieLoad (Schwarz et al.), 2019

SLIDE 12

Attacker model: under what hypotheses do these timing attacks (remote measurements, differential measurements, compositional recovery of the secret) work?

SLIDE 13

Contributions
  • A model of timing attacks capturing the essence of compositional attacks
  • Core hypotheses giving rise to efficient attacks, under the form of independence properties
  • Generic attack descriptions + cost analyses

SLIDE 14

A model for timing leakage

SLIDE 15

Program with
  • k: long-term secret, constant across all invocations
  • m: public input, chosen by the attacker
  • o: observation of the program, e.g. timing as a real number

SLIDE 17

A simple example

    for i = 0 to n - 1 do
      if k[i] ≠ m[i] then g()
    done

Execution time proportional to t(k,m) = Σ_{i=1}^{n} k[i] ⊕ m[i], the Hamming distance, i.e. the number of bits where k and m differ.

SLIDE 25

Aggregation of information

Hamming distance t(k,m) = Σ_{i=1}^{3} k[i] ⊕ m[i] over the potential values of a 3-bit long-term secret k.

Successive queries, each restricting the candidate secrets:
  • 000 ⟼ o = t(k,000) ∈ {0,1,2,3}  ⇒ k ∈ { k’ | t(k’,000) = o }
  • 001 ⟼ o’ = t(k,001)
  • 010 ⟼ o’’ = t(k,010)
SLIDE 28

Aggregation of information: potential values of the long-term secret k

  • Static approach (security bounds): compute this equivalence relation over the set of secrets.
  • Dynamic approach (attacks): given an oracle to t(k, . ), retrieve the class enclosing k.
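Added example (Python, not part of the slides): the 3-bit Hamming-distance loop of slide 17 as a timing function, the equivalence relation Leak(t) it induces on secrets (the static approach), checked against the intersection of the per-iteration leaks as in the theorem of slide 47, and the dynamic aggregation of the observations for the queries 000, 001, 010 of slide 25. The secret k* = 101 and all function names are constructed for the example.

```python
from itertools import product

N = 3                                     # the slides use 3-bit secrets
SECRETS = [tuple(b) for b in product((0, 1), repeat=N)]

def block_timing(i):
    """t_i(k, m) = 1 iff iteration i calls g(), i.e. iff k[i] != m[i]."""
    return lambda k, m: int(k[i] != m[i])

def hamming_timing(k, m):
    """t(k, m) = sum_i k[i] xor m[i]: the loop's total execution time."""
    return sum(block_timing(i)(k, m) for i in range(N))

def leak(t):
    """Leak(t): the pairs (k, k') that no public input m can tell apart."""
    return frozenset((k, k2) for k in SECRETS for k2 in SECRETS
                     if all(t(k, m) == t(k2, m) for m in SECRETS))

def classes(relation):
    """The equivalence classes of a relation given as a set of pairs."""
    return {frozenset(k2 for (a, k2) in relation if a == k) for k in SECRETS}

def aggregate(t, k_star, queries):
    """Dynamic approach: intersect the classes {k' | t(k', m) = o}, query by query."""
    candidates = set(SECRETS)
    for m in queries:
        o = t(k_star, m)                  # the oracle's answer for this query
        candidates &= {k2 for k2 in SECRETS if t(k2, m) == o}
    return candidates

def bits(s):
    """'101' -> (1, 0, 1)."""
    return tuple(int(c) for c in s)

if __name__ == "__main__":
    # Static view: the sum of the per-iteration timings leaks exactly the
    # intersection of what each iteration leaks (the independence hypothesis
    # of slide 47 holds here: iteration i only reads bit i of a uniform m).
    per_block = [leak(block_timing(i)) for i in range(N)]
    print("Leak(t) == Leak(t_0) & Leak(t_1) & Leak(t_2):",
          leak(hamming_timing) == frozenset.intersection(*per_block))
    print(len(classes(leak(hamming_timing))), "classes: every secret is distinguishable")
    # Dynamic view: the queries of slide 25 against the constructed secret k* = 101.
    for q in ([], ["000"], ["000", "001"], ["000", "001", "010"]):
        cands = aggregate(hamming_timing, bits("101"), [bits(x) for x in q])
        print(q, sorted("".join(map(str, c)) for c in cands))
```

The third query is what shrinks the candidate set {011, 101} to {101}: after 000 and 001 the two remaining secrets agree on the observed Hamming distances, and 010 is the first message on which they differ.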

SLIDE 29

A more practical model for timing leakage

SLIDE 30

Program with
  • k: long-term secret
  • m1, m2: two public inputs
  • o1 - o2: difference of timings

SLIDE 31

Differential measurements

Program with secret k, public inputs m1, m2 and observation o1 - o2.

Less powerful attacker, but…
  • Compositionality
  • Closer to the models used in actual attack research

SLIDE 32

Compositionality for differential measurements

SLIDE 35

Compositional attacks

Recovering k with an oracle to the execution time m ↦ t(k,m) of

    for i = 0 to n - 1 do
      if k[i] ≠ m[i] then g()
    done

Exploiting the ith iteration (2^i denotes the message with only bit i set):

    if t(k,0) < t(k,2^i)
    then K := K ∩ { k | k[i] = 1 }
    else K := K ∩ { k | k[i] = 0 }

SLIDE 38

16

Sequential composition

24

for i = 0 to n — 1 do if Testi(k,x) = 1 then g() done x = m x = fi(k,x)

1 2 3 4 5

p = p0; p2 ; … ; pn-1 Goal: writing this code under the form

pi computes fi : K x M →M with execution time Testi : K x M → {0,1}

SLIDE 43

17

Sequential composition

24

pcomp = p1 ; p2 fcomp = f2 ◦ f1 States are composed tcomp = t1 + (t2 ◦ f1) Timings are summed

pℓ computes fℓ : K x M →M with execution time tℓ : K x M →O composition of public values, i.e. (f ◦ g)(k,m) = f(k, g(k,m))


Theorem Hypotheses Leak(t+t’) = Leak(t) ⋂ Leak(t’) t,t’ timing functions

  • X distribution of public inputs
  • for all secrets k,k’, the distributions

t(k, X) and t’(k’, X) are independent

  • Leak(t) = the equivalence relation on

secrets characterising timing leakage

SLIDE 52

Randomised compositional attack

Inputs
  • oracle to t(k*, . ), the execution time of (p_1 ; … ; p_n) for some k*
  • independent blocks p_1 = (f_1, t_1), …, p_n = (f_n, t_n)

Output
  • equivalence class of k* in Leak(t)

Algorithm

    K := set of all secrets
    M := sample of r random messages
    for i = 1 to n do
      K := K ∩ Attack(t̄_i | K × M)
    done
    return K

where Attack(t̄_i | K × M) is a timing attack on t̄_i = t_i ∘ f_{i-1} ∘ … ∘ f_1 with oracle to t(k*, . ).
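Added example (Python, not from the slides): the randomised compositional attack of slide 52 instantiated on the bit-serial comparison loop of slide 35, where block i is (f_i, t_i) with f_i the identity on the public input and t_i(k,m) = [k[i] ≠ m[i]]. The oracle returns the summed block timings plus Gaussian measurement noise, and Attack(t̄_i | K × M) is realised by comparing the mean timing of the messages predicted to call g() in iteration i with that of the rest, so bit i is read off as the candidate value under which the predicted-slow messages really are slower. The noise level, decision threshold, sample size, the constructed secret and the constant-time counterpart (g() executed unconditionally) are assumptions made for this example.

```python
import random
import statistics

def leaky_oracle(k_star, noise_sd=0.5, rng=random):
    """Time of 'for i: if k[i] != m[i] then g()' for secret k*, plus measurement noise."""
    n = len(k_star)
    return lambda m: sum(k_star[i] != m[i] for i in range(n)) + rng.gauss(0, noise_sd)

def constant_time_oracle(k_star, noise_sd=0.5, rng=random):
    """Hardened variant: g() runs on every iteration, so the time no longer depends on k*."""
    n = len(k_star)
    return lambda m: n + rng.gauss(0, noise_sd)

def attack_block(i, timings, threshold=0.25):
    """Attack(t_i | K x M): test both values of bit i against the r measurements.
    For a candidate b, messages with m[i] != b are predicted to call g() in block i;
    if b is right they really are slower by one g(), while the other blocks act as
    independent noise (the independence hypothesis). If b is wrong the prediction is
    inverted and the gap is negative. Returns the bit, or None if neither is supported."""
    best = None
    for b in (0, 1):
        slow = [t for m, t in timings if m[i] != b]
        fast = [t for m, t in timings if m[i] == b]
        if slow and fast:
            gap = statistics.mean(slow) - statistics.mean(fast)
            if gap > threshold and (best is None or gap > best[1]):
                best = (b, gap)
    return None if best is None else best[0]

def randomised_compositional_attack(oracle, n, r, rng=random):
    """Slide 52's algorithm with f_i = identity: r random messages, one block attack per bit."""
    messages = [tuple(rng.randrange(2) for _ in range(n)) for _ in range(r)]
    timings = [(m, oracle(m)) for m in messages]      # one measurement per message
    return tuple(attack_block(i, timings) for i in range(n))

def demo(seed, n=16, r=1000):
    """Constructed secret; returns (k*, bits recovered from leaky program, from constant-time one)."""
    rng = random.Random(seed)
    k_star = tuple(rng.randrange(2) for _ in range(n))
    leaky = randomised_compositional_attack(leaky_oracle(k_star, rng=rng), n, r, rng)
    hardened = randomised_compositional_attack(constant_time_oracle(k_star, rng=rng), n, r, rng)
    return k_star, leaky, hardened

if __name__ == "__main__":
    k_star, leaky, hardened = demo(2024)
    print("secret            ", k_star)
    print("leaky program     ", leaky)         # equals k_star
    print("constant-time one ", hardened)      # all None: nothing to aggregate
```

The leaky program gives up its whole secret from r random measurements shared by all n block attacks, which is where the O(n log(n/ε)) cost of slide 55 comes from, while the constant-time variant yields no bit at all: a secret-independent t has a single class in Leak(t), so there is nothing for the blocks to aggregate.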

SLIDE 53

Applications

SLIDE 55

Cost analysis

For simple bit-serial operations on n bits:
  • Bruteforce: O(2^n) measurements
  • Randomised attack: O(n log(n/ε)) random measurements (to guarantee probability of success 1 − ε)

Complexity gain by exploiting the program structure.

SLIDE 58

Explaining documented attacks as instances of the randomised attack, with their decomposition into independent blocks

On RSA (Dhem et al., 1998)
  • Targets: implementation of modular exponentiation with Montgomery multiplications
  • Extracts: all bits of the secret exponent but one
  • Exploits: timing variations of squaring operations
  • Decomposition: 1 block = 1 multiplication

SLIDE 59

Explaining documented attacks as instances of the randomised attack, with their decomposition into independent blocks

On AES (Acıiçmez et al., 2007)
  • Targets: implementation of AES with precomputed tables
  • Extracts: all bits of the encryption key
  • Exploits: timing variations due to cache
  • Decomposition: 1 block = 1 table lookup

SLIDE 65

Conclusion
  • A formal model for reasoning about timing attacks
  • Compositionality results
  • Generic description of attacks / cost analysis
  • Captures several documented attacks
  • Future: use as a basis for automating attack synthesis