Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About - - PowerPoint PPT Presentation

β–Ά
remote timing attacks on tpms
SMART_READER_LITE
LIVE PREVIEW

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About - - PowerPoint PPT Presentation

Jun 24, 2023 482 likes β€’1.21k views

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

slide-1
SLIDE 1

Remote Timing Attacks on TPMs, AKA TPM-Fail

Daniel Moghimi

slide-2
SLIDE 2

#BHUSA @BLACKHATEVENTS @DANIELMGMI

About Me

  • Daniel Moghimi
  • @danielmgmi
  • https://moghimi.org
  • Security Researcher
  • PhD Candidate @ WPI
  • Microarchitectural Attacks
  • Side Channels
  • Breaking Crypto Implementations
  • Trusted Execution Environment (Intel SGX)

2

slide-3
SLIDE 3

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Thanks!

  • Berk Sunar @ WPI
  • Nadia Heninger @ UCSD
  • Thomas Eisenbarth @ UzL
  • Jan Wichelmann @ UzL

3

slide-4
SLIDE 4

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptanalysis

4 Encrypt Decrypt Sign m k

  • Cryptosystem with an input m, output c, and secret k
  • Attacker tries to learn k by looking at (m, c)

c

slide-5
SLIDE 5

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptanalysis

5 Encrypt Decrypt Sign m k

  • Cryptosystem with an input m, output c, and secret k
  • Attacker tries to learn k by looking at (m, c)

c 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑑1 = 𝑙1

βˆ’1 𝑨 + 𝑠 1𝑒 𝑛𝑝𝑒 π‘œ

𝑑2 = 𝑙2

βˆ’1 𝑨 + 𝑠2𝑒 𝑛𝑝𝑒 π‘œ

slide-6
SLIDE 6

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptanalysis

6 Encrypt Decrypt Sign m k

  • Cryptosystem with an input m, output c, and secret k
  • Attacker tries to learn k by looking at (m, c)

c 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑙1= 𝑙2= π‘™π‘œ 𝑑1 = π‘™βˆ’1 𝑨 + 𝑠

1𝑒 𝑛𝑝𝑒 π‘œ

𝑑2 = π‘™βˆ’1 𝑨 + 𝑠2𝑒 𝑛𝑝𝑒 π‘œ

slide-7
SLIDE 7

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptanalysis

7 Encrypt Decrypt Sign m k

  • Cryptosystem with an input m, output c, and secret k
  • Attacker tries to learn k by looking at (m, c)

c 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑙1= 𝑙2= π‘™π‘œ 𝑑1 = π‘™βˆ’1 𝑨 + 𝑠

1𝑒 𝑛𝑝𝑒 π‘œ

𝑑2 = π‘™βˆ’1 𝑨 + 𝑠2𝑒 𝑛𝑝𝑒 π‘œ 𝑑2 βˆ’ 𝑑1 = 𝑠2 βˆ’ 𝑠

1 𝑒 𝑛𝑝𝑒 π‘œ

slide-8
SLIDE 8

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Side-Channel Cryptanalysis

8 Encrypt Decrypt Sign m k

  • Cryptosystem with an input m, output c, and secret k
  • Attacker tries to learn k by looking at (m, c) and signal s

c s

slide-9
SLIDE 9

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Side-Channel Attacks

9

  • Channels
  • Power Analysis
  • EM Analysis
  • …
  • Timing Analysis
  • CPU Side Channels
  • Threat Models:
  • Physical Access
  • Local Access (Co-location)
  • Remote
slide-10
SLIDE 10

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Secure Elements

Software is insecure. Heartbleed? Computers are just Evil?! Rootkits? Ransomware? Untrusted /Bad Org.?

slide-11
SLIDE 11

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Secure Elements

Software is insecure. Heartbleed? Computers are just Evil?! Hardware-based Root of Trust?!

11

Rootkits? Ransomware? Untrusted /Bad Org.?

slide-12
SLIDE 12

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Trusted Platform Module (TPM)

  • Security Chip for Computers?
  • Tamper Resistant
  • Side-Channel Resistant
  • Crypto Co-processor

12

slide-13
SLIDE 13

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Trusted Platform Module (TPM)

  • Security Chip for Computers?
  • Tamper Resistant
  • Side-Channel Resistant
  • Crypto Co-processor

Trusted Computing Base

13

slide-14
SLIDE 14

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Trusted Platform Module (TPM)

  • Cryptographic Co-processor, specified by Trusted Computing Group
  • Secure Storage
  • Integrity Measurement
  • TRNG
  • Hash Functions
  • Encryption
  • Digital Signatures

14

slide-15
SLIDE 15

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM – Digital Signatures

  • Applications
  • Trusted Execution of Signing Operations
  • Remote Attestation
  • TPM 2.0 supports Elliptic-Curve Digital Signature
  • ECDSA
  • ECSchnorr
  • ECDAA (Anonymous Remote Attestation)

15

slide-16
SLIDE 16

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Trusted Computing Group

  • https://trustedcomputinggroup

.org/membership/certification/

  • https://trustedcomputinggroup

.org/membership/certification/ tpm-certified-products/

16

slide-17
SLIDE 17

#BHUSA @BLACKHATEVENTS @DANIELMGMI

STMicroelectronics ST33TPHF2ESPI

  • ST33TPHF2ESPI Data Brief
  • https://www.st.com/resource/en/data_brief/st33tphf2espi.pdf
  • ST33TPHF2ESPI CC Evaluation
  • https://www.ssi.gouv.fr/uploads/2018/10/anssi-cible-cc-2018_41en.pdf

17

slide-18
SLIDE 18

#BHUSA @BLACKHATEVENTS @DANIELMGMI

18

slide-19
SLIDE 19

Are TPMs really side- channel resistant?

19

slide-20
SLIDE 20

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test

  • TPM frequency ~= 32-120 MHz
  • CPU Frequency is more than 2 GHz

20

slide-21
SLIDE 21

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – Intel PTT (fTPM)

  • Intel Platform Trust Technology (PTT)
  • Integrated firmware-TPM inside the CPU package
  • Runs on top of Converged Security and

Management Engine (CSME)

  • Standalone low power processor
  • Has been around since Haswell

21 CPU PCH CSME fTPM

slide-22
SLIDE 22

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – Intel PTT (fTPM)

  • Intel Platform Trust Technology (PTT)
  • Integrated firmware-TPM inside the CPU package
  • Runs on top of Converged Security and

Management Engine (CSME)

22

Histogram

CPU PCH CSME fTPM

slide-23
SLIDE 23

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – Intel PTT (fTPM)

23

  • Linux TPM Command Response Buffer (CRB) driver
  • Kernel Driver to increase the Resolution

CPU PCH CSME fTPM

slide-24
SLIDE 24

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

24 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

slide-25
SLIDE 25

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

25 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

slide-26
SLIDE 26

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

26 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

slide-27
SLIDE 27

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

27 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

slide-28
SLIDE 28

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

28 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

slide-29
SLIDE 29

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • Intel fTPM: 4-bit Window Nonce

Length Leakage

  • ECDSA
  • ECSChnorr
  • BN-256 (ECDAA)

29 0101000100111111...111 t 4.8 4.84 4.76 4.72 4.67 0000100100111111...111 1101000100111111...111 0000000000111111...111 0000000000001111...111

Nonce

3.33 ms

slide-30
SLIDE 30

#BHUSA @BLACKHATEVENTS @DANIELMGMI

DEMO, TIMING

30

slide-31
SLIDE 31

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test - Analysis

  • RSA and ECDSA timing test on 3 dedicated TPM and Intel fTPM
  • Various non-constant behaviour for both RSA and ECDSA

31

slide-32
SLIDE 32

32

slide-33
SLIDE 33

#BHUSA @BLACKHATEVENTS @DANIELMGMI

High-resolution Timing Test – ECDSA Nonce

  • STMicro TPM: Bit-by-Bit Nonce Length Leakage

33

slide-34
SLIDE 34

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail – Recovering Private ECDSA Key

  • TPM is programmed with an unknown key
  • We already have a template for 𝑒𝑗.
  • 1. Collect list of signatures (𝑠

𝑗, 𝑑𝑗) and timing samples 𝑒𝑗.

  • 2. Filter signatures based on 𝑒𝑗 and keeps (𝑠

𝑗, 𝑑𝑗) with a known bias.

  • 3. Lattice-based attack to recover private key 𝑒, from signatures

with biased nonce 𝑙𝑗.

34

slide-35
SLIDE 35

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Lattice and Hidden Number Problem

  • 𝑑 = π‘™βˆ’1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 π‘œ

35

slide-36
SLIDE 36

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Lattice and Hidden Number Problem

  • 𝑑 = π‘™βˆ’1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 π‘œ β†’ 𝑙𝑗

βˆ’1 βˆ’ 𝑑𝑗 βˆ’1𝑠 𝑗𝑒 βˆ’ 𝑑𝑗 βˆ’1𝑨 ≑ 0 𝑛𝑝𝑒 π‘œ

36

slide-37
SLIDE 37

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Lattice and Hidden Number Problem

  • 𝑑 = π‘™βˆ’1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 π‘œ β†’ 𝑙𝑗

βˆ’1 βˆ’ 𝑑𝑗 βˆ’1𝑠 𝑗𝑒 βˆ’ 𝑑𝑗 βˆ’1𝑨 ≑ 0 𝑛𝑝𝑒 π‘œ

  • 𝐡𝑗 = βˆ’π‘‘π‘—

βˆ’1𝑠 𝑗, 𝐢𝑗 = βˆ’π‘‘π‘— βˆ’1𝑨 β†’ 𝑙𝑗 + 𝐡𝑗𝑒 + 𝐢𝑗 = 0

37

slide-38
SLIDE 38

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Lattice and Hidden Number Problem

  • 𝑑 = π‘™βˆ’1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 π‘œ β†’ 𝑙𝑗

βˆ’1 βˆ’ 𝑑𝑗 βˆ’1𝑠 𝑗𝑒 βˆ’ 𝑑𝑗 βˆ’1𝑨 ≑ 0 𝑛𝑝𝑒 π‘œ

  • 𝐡𝑗 = βˆ’π‘‘π‘—

βˆ’1𝑠 𝑗, 𝐢𝑗 = βˆ’π‘‘π‘— βˆ’1𝑨 β†’ 𝑙𝑗 + 𝐡𝑗𝑒 + 𝐢𝑗 = 0

  • Let π‘Œ be the upper bound on ki and (𝑒, 𝑙0, 𝑙1 … , π‘™π‘œ) is unknown

38

[1] Dan Boneh and Ramarathnam Venkatesan. Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

slide-39
SLIDE 39

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Lattice and Hidden Number Problem

  • 𝑑 = π‘™βˆ’1 𝑨 + 𝑒𝑠 𝑛𝑝𝑒 π‘œ β†’ 𝑙𝑗

βˆ’1 βˆ’ 𝑑𝑗 βˆ’1𝑠 𝑗𝑒 βˆ’ 𝑑𝑗 βˆ’1𝑨 ≑ 0 𝑛𝑝𝑒 π‘œ

  • 𝐡𝑗 = βˆ’π‘‘π‘—

βˆ’1𝑠 𝑗, 𝐢𝑗 = βˆ’π‘‘π‘— βˆ’1𝑨 β†’ 𝑙𝑗 + 𝐡𝑗𝑒 + 𝐢𝑗 = 0

  • Let π‘Œ be the upper bound on ki and (𝑒, 𝑙0, 𝑙1 … , π‘™π‘œ) is unknown
  • Lattice Construction:

π‘œ π‘œ β‹± π‘œ 𝐡1 𝐡2 … 𝐡𝑒

π‘Œ π‘œ

𝐢1 𝐢2 … 𝐢𝑒 π‘Œ

LLL/BKZ 39

slide-40
SLIDE 40

40

DEMO LATTICE ATTACK

slide-41
SLIDE 41

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail – Key Recovery Results

  • Intel fTPM
  • ECDSA, ECSchnorr and BN-256 (ECDAA)
  • Three different threat model System, User, Network
  • STMicroelectronics TPM
  • CC EAL4+ Certified
  • Give you the key in 80 minutes

41

slide-42
SLIDE 42

42 Timing difference for each window (4.76e8 - 4.72e8)/3600e6 * 1000 = 1.11 ms ping 192.168.1.x average rtt 0.713 ms ping 1.1.1.1 (Cloudflare DNS) average rtt 19.312 ms

slide-43
SLIDE 43

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

VPN Client VPN Server TPM Device

43

slide-44
SLIDE 44

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ½, … ]

VPN Client VPN Server TPM Device

44

slide-45
SLIDE 45

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ½, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ

π‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ‘†, … ]

π‘‘π‘‘β„Žπ‘π‘ π‘“π‘’βˆ’π‘‘π‘“π‘‘π‘ π‘“π‘’ = π‘„π‘†πΊβ„Ž(𝑕𝑦𝑧) 45

slide-46
SLIDE 46

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ½, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ

π‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ‘†, … ]

π‘‘π‘‘β„Žπ‘π‘ π‘“π‘’βˆ’π‘‘π‘“π‘‘π‘ π‘“π‘’ = π‘„π‘†πΊβ„Ž(𝑕𝑦𝑧) 𝐽𝐿𝐹_π΅π‘£π‘’β„Ž[ π‘‡π‘—π‘•π‘œπ‘‘π‘™π½, (π‘œπ‘†, … ) ] 46

slide-47
SLIDE 47

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ½, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ

π‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ‘†, … ]

π‘‘π‘‘β„Žπ‘π‘ π‘“π‘’βˆ’π‘‘π‘“π‘‘π‘ π‘“π‘’ = π‘„π‘†πΊβ„Ž(𝑕𝑦𝑧) 𝐽𝐿𝐹_π΅π‘£π‘’β„Ž[ π‘‡π‘—π‘•π‘œπ‘‘π‘™π½, (π‘œπ‘†, … ) ] 𝐽𝐿𝐹_π΅π‘£π‘’β„Žπ‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘‡π‘—π‘•π‘œπ‘‘π‘™π‘†, (π‘œπ‘†, … ) ] 47

slide-48
SLIDE 48

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ½, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ

π‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ‘†, … ]

π‘‘π‘‘β„Žπ‘π‘ π‘“π‘’βˆ’π‘‘π‘“π‘‘π‘ π‘“π‘’ = π‘„π‘†πΊβ„Ž(𝑕𝑦𝑧) 𝐽𝐿𝐹_π΅π‘£π‘’β„Ž[ π‘‡π‘—π‘•π‘œπ‘‘π‘™π½, (π‘œπ‘†, … ) ] 48

slide-49
SLIDE 49

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ½, … ]

VPN Client VPN Server TPM Device

𝐽𝐿𝐹_π½π‘‚π½π‘ˆ

π‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘žπ‘ π‘π‘žπ‘π‘‘π‘π‘š, 𝑕𝑦, π‘œπ‘†, … ]

π‘‘π‘‘β„Žπ‘π‘ π‘“π‘’βˆ’π‘‘π‘“π‘‘π‘ π‘“π‘’ = π‘„π‘†πΊβ„Ž(𝑕𝑦𝑧) 𝐽𝐿𝐹_π΅π‘£π‘’β„Ž[ π‘‡π‘—π‘•π‘œπ‘‘π‘™π½, (π‘œπ‘†, … ) ] 𝐽𝐿𝐹_π΅π‘£π‘’β„Žπ‘ π‘“π‘‘π‘žπ‘π‘œπ‘‘π‘“[ π‘‡π‘—π‘•π‘œπ‘‘π‘™π‘†, (π‘œπ‘†, … ) ] 49

slide-50
SLIDE 50

#BHUSA @BLACKHATEVENTS @DANIELMGMI

TPM-Fail Case Study: StrongSwan VPN Key Recovery

  • Remote Key Recovery after about 44,000 handshake ~= 5 hours

50

slide-51
SLIDE 51

51

System Adversary User Adversary Remote Sample UDP App Remote StrongSwan VPN

slide-52
SLIDE 52

#BHUSA @BLACKHATEVENTS @DANIELMGMI

CacheQuote [2]

52

[2] F Dall, G De Micheli, T Eisenbarth, D Genkin, N Heninger, A Moghimi, Y Yarom. CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks

slide-53
SLIDE 53

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard - ECDSA

53 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

slide-54
SLIDE 54

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard - ECDSA

54 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

slide-55
SLIDE 55

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard - ECDSA

55 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑙𝑗 = 3 β†’ 3 Γ— 𝐻 = 2𝐻 + 𝐻

slide-56
SLIDE 56

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard - ECDSA

56 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑙𝑗 = 3 β†’ 3 Γ— 𝐻 = 2𝐻 + 𝐻 𝑙𝑗 = 7 β†’ 7 Γ— 𝐻 = 2 2𝐻 + 2𝐻 + 𝐻

slide-57
SLIDE 57

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard - ECDSA

57 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑙𝑗 = 3 β†’ 3 Γ— 𝐻 = 2𝐻 + 𝐻 𝑙𝑗 = 7 β†’ 7 Γ— 𝐻 = 2 2𝐻 + 2𝐻 + 𝐻 𝑙𝑗 = 7 β†’ 23 Γ— 𝐻 = 2 2(2(2𝐻) + 𝐻) + 𝐻 + 𝐻

slide-58
SLIDE 58

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard - ECDSA

58 𝐹𝐷𝐸𝑇𝐡 π‘‡π‘—π‘•π‘œ: 𝑦1, 𝑧1 = 𝑙𝑗 Γ— 𝐻 𝑠𝑗 = 𝑦1 𝑛𝑝𝑒 π‘œ 𝑑𝑗 = 𝑙𝑗

βˆ’1 𝑨 + 𝑠𝑗𝑒 𝑛𝑝𝑒 π‘œ

𝑙𝑗 = 3 β†’ 3 Γ— 𝐻 = 2𝐻 + 𝐻 𝑙𝑗 = 7 β†’ 7 Γ— 𝐻 = 2 2𝐻 + 2𝐻 + 𝐻 𝑙𝑗 = 7 β†’ 23 Γ— 𝐻 = 2 2(2(2𝐻) + 𝐻) + 𝐻 + 𝐻 //Scalar Mul: Add & Double Q = 0 R = G for k_b in k: if k_b == 1: Q = add(Q, R) R = double(R) return Q

slide-59
SLIDE 59

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Cryptographic Implementation is Hard

  • Many Algorithms to do the same thing
  • Scalar Multiplication
  • Double-Add Algorithm
  • Montgomery Double-Add
  • Sliding Window
  • Fixed Window
  • Unclear Threat Model
  • What is a side channel?
  • Power Analysis, Timing, Cache?

59

slide-60
SLIDE 60

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Software Leakages

  • Secret Dependent Control Flow
  • Secret Dependent Memory Access Pattern
  • Secret Dependent Timing, e.g: ARM Cortext-M3 umull

60 state[i] = state[i] ^ sbox[roundKey[i]] for(int i = 0; i < Bitlength(key); ++i)

slide-61
SLIDE 61

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Goal

  • Automated Analysis
  • Dynamic Approach
  • Binary-level Analysis:
  • Leakages introduced by compilation
  • Closed-source libraries
  • Locate leakage source at Instruction Level

61

slide-62
SLIDE 62

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Model

  • In practice: Attacker measures
  • Execution time for (int i = 0; i < bitlength(key); ++i)
  • Memory usage pattern state[i] = state[i] ^ sbox[roundKey[i]]
  • In theory: Attacker gets access to execution trace with
  • Executed instructions
  • Branch targets
  • Memory access offsets

62

slide-63
SLIDE 63

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Approach

  • Generate set of random test cases and capture execution traces
  • Analysis A: Compute pairwise diffs

63

slide-64
SLIDE 64

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Approach

  • Generate set of random test cases and capture execution traces
  • Analysis A: Compute pairwise diffs
  • Analysis B: Compute mutual information between execution trace

and input

64

slide-65
SLIDE 65

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Implementation

  • Dynamic binary instrumentation using Intel Pin
  • Collect traces while program runs
  • Modules:
  • Emulate other CPUs or disable certain capabilities (e.g. AES-NI)
  • Modify RDRAND output

65

slide-66
SLIDE 66

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Implementation

  • Raw traces only contain absolute addresses of memory accesses

0x1111107A β†’ sbox+0x7A

  • Removal of uninteresting trace entries β†’ considerable size

reduction

  • Modules:
  • Configure memory address leakage granularity 0x156F β†’ 0x1540

66

slide-67
SLIDE 67

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Implementation

  • Load and analyze preprocessed traces
  • Optionally pass results to visualization stage
  • Modules:
  • Compute pairwise trace diffs
  • Calculate mutual information for each memory accessing instruction

67

slide-68
SLIDE 68

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Coordinated Disclosure - STMicroelectronics

  • STMicroelectronics (CVE-2019-16863)
  • 05/15/2019: Reported to ST
  • 05/17/2019: Acknowledged
  • Lots of calls/emails to clarify the disclosure process
  • 09/12/2019: Verified new version of STM TPM firmware
  • After 11/12/2019:
  • HP and Lenovo have issued firmware updates.
  • ST released a list of affected devices.

68

05/15/2019: Report TPM Vuln to STM 05/17/2019: STM Acknowledged 09/12/2019: We verified new version

  • f STM TPM

Post 11/12/2019: HP and Lenovo issued firmware update

slide-69
SLIDE 69

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Coordinated Disclosure - Intel

  • Intel (CVE-2019-11090)
  • 02/01/2019: Reported to IPSIRT
  • 02/12/2019: Acknowledged (Outdated Intel IPP Crypto library)
  • 11/12/2019: Firmware Update for Intel Management Engine

69 02/01/2019: Reported fTPM Vulns to IPSIRT 02/12/2019: Acknowledged Outdated IPP Library 11/12/2019: (CVE-2019- 11090) Firmware Update for CSME

slide-70
SLIDE 70

#BHUSA @BLACKHATEVENTS @DANIELMGMI

MicroWalk Analysis Results

  • Rigorous Analysis of two Closed-source Libraries
  • Intel IPP CVEs
  • CVE-2018-12155
  • CVE-2018-12156

70

06/22/2018: Report IPP Vulns to IPSIRT 06/25/2018: Acknowledged the Receipt 12/05/2018: CVE-2018-12155 02/01/2019: Report fTPM Vulns to IPSIRT 02/12/2019: Acknowledged Outdated IPP Library 11/12/2019: (CVE-2019- 11090) Firmware Update for CSME

slide-71
SLIDE 71

#BHUSA @BLACKHATEVENTS @DANIELMGMI

Questions?!

https://tpm.fail/ https://www.usenix.org/conference/us enixsecurity20/presentation/moghimi

TPM-FAIL

71 https://github.com/ VernamLab/TPM-Fail https://github.com /UzL-ITS/Microwalk