side channel analysis using a model counting constraint
play

Side Channel Analysis Using a Model Counting Constraint Solver and - PowerPoint PPT Presentation

Dec 20, 2022 •184 likes •1.1k views

Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik Bultan Computer Science Department University of California, Santa Barbara (UCSB) Joint work with: Abdulbaki Aydin, Lucas Bang, UCSB Corina

  1. Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution Tevfik Bultan Computer Science Department University of California, Santa Barbara (UCSB) Joint work with: Abdulbaki Aydin, Lucas Bang, UCSB Corina Pasareanu, Quoc-Sang Phan, CMU, NASA

  2. Verification Laboratory (VLab) University of California, Santa Barbara (UCSB) • VLab: Research on automated verification, program analysis, formal methods, software engineering, computer security • Recent research: String analysis, Model counting constraint solvers, Side channel analysis, Data model verification, Web application verification and security • Always looking for talented and hard working graduate students!

  3. Publications most closely related to this talk } “String Analysis for Side Channels with Segmented Oracles.” Lucas Bang , Abdulbaki Aydin , Quoc-Sang Phan, Corina S. Pasareanu , Tevfik Bultan, FSE’16. } “Automata-based Model Counting for String Constraints.” Abdulbaki Aydin, Lucas Bang, Tevfik Bultan, CAV’15. 3

  4. Quantitative Information Flow Problem Given a program and a secret that the program accesses: Figure out how much information is leaked about the secret by observing the behavior of the program 4

  5. Overview Symbolic Program Execution Path Constraints Model Counting Probability Distribution for Observables Side Channel Analysis Information Leakage 5

  6. Overview Symbolic Program Execution Path Constraints Model Counting Probability Distribution for Observables Side Channel Analysis Information Leakage 6

  7. A 4-digit PIN Checker 7

  8. Symbolic Execution of PIN Checker 8

  9. Probabilistic Symbolic Execution Can we determine the probability of executing a program path? } Let PC i denote the path constraint for a program path } Let |PC i | denote the number of possible solutions for PC i } Let |D| denote the size of the input domain } Assume uniform distribution over the input domain } Then the probability of executing that program path is: p(PC i ) = |PC i | / |D|

  10. Probabilistic Symbolic Execution of PIN Checker } Assume binary 4 digit PIN, P and G each have 4 bits } |D| = 2 8 = 256 } p(PC i ) = |PC i | / |D| 10

  11. Probabilistic Symbolic Execution of PIN Checker } Assume binary 4 digit PIN, P and G each have 4 bits } |D| = 2 8 = 256 } p(PC i ) = |PC i | / |D| 11

  12. Probabilistic Symbolic Execution of PIN Checker } Assume binary 4 digit PIN, P and G each have 4 bits } |D| = 2 8 = 256 } p(PC i ) = |PC i | / |D| 12

  13. Probabilistic Symbolic Execution of PIN Checker } Assume binary 4 digit PIN, P and G each have 4 bits } |D| = 2 8 = 256 } Probability that an adversary can guess a prefix of length i in one guess is given by p i 13

  14. Overview Symbolic Program Execution Path Constraints Model Counting Probability Distribution for Observables Side Channel Analysis Information Leakage 14

  15. Information Leakage } Note that any PIN checker leaks information about the secret (secret is the pin value P) } When an adversary tries a guess G there are two scenarios: ¨ If G matches P then adversary learns the PIN ¨ If G does not match P , then the adversary learns that the PIN value is not G } This is due to the public output of the PIN checker ¨ This is called the main channel } However, there may be other observations one can make about the PIN checker that reveals more information about P 15

  16. Information Leakage } An adversary may observe more than just the public output of a program, such as ¨ execution time ¨ memory usage ¨ file size ¨ network package size } There may be information leakage about the secret from these observable values } These are called side channels 16

  17. Entropy: Quantifying Information Leakage } How can we quantify information leakage? } Shannon Entropy } Intuition: } The expected amount of information gain (i.e., the expected amount of surprise) expressed in terms of bits 17

  18. Entropy: Quantifying Information Leakage } Entropy example: } Seattle weather in December: Always raining } p rain = 1, p sun = 0 } Entropy: H = 0 } San Francisco weather in December: Coin flip } p rain = ½ , p sun = ½ } Entropy: H = 1 } Santa Barbara weather in December: Almost always beautiful: } p rain = 1/10, p sun = 9/10 } Entropy: H = 0.496 18

  19. Information Leakage via Side Channels } Side channels produce a set of observables that partition the secret: } By computing the probability of observable values we can compute the entropy: } We can compute the probability of observable values using model counting: 19 Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16)

  20. Symbolic Execution of PIN Checker Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16) 20

  21. Probabilistic Symbolic Execution of PIN Checker } Assume binary 4 digit PIN, P and G each have 4 bits } |D| = 2 8 = 256 21

  22. Information Leakage } H: The expected amount of information gain by the adversary Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16) 22

  23. A secure PIN checker } Only two observables (just the main channel, no side channel): o 0 : does not match, o 1 : full match } p(o 0 ) = 15/16, p(o 1 ) = 1/16 } H secure = 0.33729 Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16) 23

  24. Secure vs. insecure PIN checker } Given a PIN of length L where each PIN digit has K values } Secure PIN checker } K L guesses in the worst case } Example: 16 digit password where each digit is ASCII 128 16 tries in the worst case, which would take a lot of years } Insecure PIN checker } A prefix attack that determines each digit one by one starting with the leftmost digit } Example: 16 digit password where each digit is ASCII 128 × 16tries in the worst case, which would not take too much time Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16) 24

  25. Secure vs. insecure PIN checker Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16) 25

  26. Not just a toy example Vulnerabilities that are similar to the simple PIN example happen in real software systems Timing Side Channels } HMAC keys: Google Keyczar Library, Xbox 360 } Authorization Frameworks: OAuth, OpenID } Java’s Array.equals, String.equals } C’s memcmp Network Packet Size Side Channel } Compression Ratio Infoleak Made Easy (CRIME) Bang et al., String Analysis for Side Channels with Segmented Oracles (FSE’16) 26

  27. Overview Symbolic Program Execution Path Constraints Model Counting Probability Distribution for Observables Side Channel Analysis Information Leakage 27

  28. Model Counting String Constraint Solver OUTPUT INPUT counting string function: constraint: Automata-Based model Counting 𝒈 𝒅 𝑫 length bound: 𝒍 string constraint solver (ABC) # of strings with length ≤ 𝒍 for which 𝑫 evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV’15) 28

  29. Automata Based Counter (ABC) A Model Counting String Constraint Solver OUTPUT INPUT counting string function: constraint: Automata-Based model Counting 𝒈 𝒅 𝑫 length bound: 𝒍 string constraint solver (ABC) # of strings with length ≤ 𝒍 for which 𝑫 evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV’15) 29

  30. String Constraint Language 30

  31. Example String Expressions String Expression Constraint Language s.length() length(s) s.isEmpty() length(s) == 0 s.startsWith(t,n) 0 ≤ n ⋀ n ≤ |s| ⋀ Java begins(substring(s,n,|s|),t) s.indexOf(t,n) indexof(substring(s,n,|s|),t) s.replaceAll(p,r) replaceall(s,p,r) strrpos(s, t) lastindexof(s,t) substr_replace(s, substring(s,0,i).t.substring(s,j,|s|) t,i,j) PHP strip_tags(s) replaceall(s,("<a>"|"<p>"|...),"") mysql_real_escape ...replaceall(s _string(s) ,replaceall(s,“\\",“\\\\") ,"’", “\’")... 31

  32. Model Counting String Constraint Solver OUTPUT INPUT counting string function: constraint: Automata-Based model Counting 𝒈 𝒅 𝑫 length bound: 𝒍 string constraint solver (ABC) # of strings with length ≤ 𝒍 for which 𝑫 evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV’15) 32

  33. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 33

  34. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 34

  35. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 35

  36. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 36

  37. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 37

  38. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 38

  39. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 39

  40. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 40

  41. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 41

  42. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 ⋂ 42

  43. String Automata Construction 𝐷 ≡ ¬ 𝑦 ∈ 01 ∗ ∧ 𝑀𝐹𝑂 𝑦 = 2 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

620 views • 21 slides
A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
Software Side-Channel Analysis: Attack Synthesis Lucas Bang Dissertation Defense Committee:

Software Side-Channel Analysis: Attack Synthesis Lucas Bang Dissertation Defense Committee:

Software Side-Channel Analysis: Attack Synthesis Lucas Bang Dissertation Defense Committee: Tevfik Bultan (chair) Omer E gecio glu Ben Hardekopf 1 Publications during PhD Aydin, Bang , Bultan. [CAV 2015] Automata-Based Model

2.13k views • 198 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, &quot;Power Analysis Attacks, Revealing the Secrets of Smart Cards&quot;, Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium

Introduction to Side-Channel Analysis Franois-Xavier Standaert UCL Crypto Group, Belgium Summer school on real-world crypto, 2016 Outline Link with linear cryptanalysis Standard Differential Power Analysis Noise-based security (is

1.17k views • 92 slides
Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to the basics!! details on power / EM leakage (low/high noise scenario) how/where to attack AES? di ff erent attacker models overview of

1.28k views • 74 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt

FIRST TALK A Stochastic Approach in Side-Channel Analysis in the Presence of Masking W. Schindler Bundesamt f r Sicherheit in der Informationstechnik (BSI), Bonn, Germany Barcelona, May 22, 2007 Power attacks on a block cipher

1.13k views • 13 slides
Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas

Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas

Background Correlation Analysis Results Conclusion Side-channel analysis of six SHA-3 candidates in HMAC scheme Olivier Beno t and Thomas Peyrin CHES 2010 Workshop Santa Barbara - August 18, 2010 Background Correlation Analysis

1.1k views • 36 slides
Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

Conference on Cryptographic Hardware and Embedded Systems (CHES) 2020 Strength in Numbers: Improving Generalization with Ensembles in Machine Learning-based Profiled Side-Channel Analysis Guilherme Perin , Lukasz Chmielewski, Stjepan Picek In

468 views • 25 slides
Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages

Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages

Confusing Information: How Confusion Improves Side-Channel Analysis for Monobit Leakages Cryptarchi 2018 June 17-19, 2018 Guidel-Plage, France Eloi de Chrisey, Sylvain Guilley &amp; Olivier Rioul Tlcom ParisTech, Universit

559 views • 34 slides
Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high security solutions Rohde &amp; Schwarz SIT GmbH Stuttgart/Germany Dr. Torsten Schtze Workshop on Applied Cryptography Lightweight

595 views • 15 slides
Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam

Mind The Portability A Warriors Guide through Realistic Profiled Side-channel Analysis Shivam Bhasin 1 , Dirmanto Jap 1 , Anupam Chattopadhyay 1 , Stjepan Picek 2 , Annelie Heuser 3 , and Ritu Ranjan Shrivastwa 4 1 NTU, Singapore 2 TU Delft,

335 views • 22 slides
PKU-NEC@TRECvid SED 2011: Sequence-Based Event Detection in Surveillance Video Yonghong Tian 1 ,

PKU-NEC@TRECvid SED 2011: Sequence-Based Event Detection in Surveillance Video Yonghong Tian 1 ,

PKU-NEC@TRECvid SED 2011: Sequence-Based Event Detection in Surveillance Video Yonghong Tian 1 , Yaowei Wang 1,3 and Wei Zeng 2 1 National Engineering Laboratory for Video Technology, School of EE &amp; CS, Peking University 2 NEC Laboratories,

529 views • 35 slides
Overview of Research at IITB Computational studies on Hindustani music CompMusic Workshop,

Overview of Research at IITB Computational studies on Hindustani music CompMusic Workshop,

Overview of Research at IITB Computational studies on Hindustani music CompMusic Workshop, Chennai 2013 Preeti Rao Department of Electrical Engineering I.I.T. Bombay 1 Some goals Automatic tagging of audio by genre, style, raga,

349 views • 21 slides
Presented by Jason A. Donenfeld Nov November ember 15 , , 2018 2018 Linux Plumbers Conference

Presented by Jason A. Donenfeld Nov November ember 15 , , 2018 2018 Linux Plumbers Conference

Presented by Jason A. Donenfeld Nov November ember 15 , , 2018 2018 Linux Plumbers Conference Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 . Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, and

728 views • 56 slides
Mark Maudsley The journey so far Original EOI = January 2017 Agreeing standard = July 2018

Mark Maudsley The journey so far Original EOI = January 2017 Agreeing standard = July 2018

Our journey developing standards Metal Fabrication Standard March 2018 Mark Maudsley The journey so far Original EOI = January 2017 Agreeing standard = July 2018 with caveats Agreeing Assessment Plan = close but ? Indicative

357 views • 19 slides
Person Re-Identification Chi Zhang Megvii (Face++) zhangchi@megvii.com Nov 2017 Outline

Person Re-Identification Chi Zhang Megvii (Face++) zhangchi@megvii.com Nov 2017 Outline

Person Re-Identification Chi Zhang Megvii (Face++) zhangchi@megvii.com Nov 2017 Outline Person Re-Identification Metric Learning Mutual Learning Feature Alignments Re-Ranking Enhance ReID Pose Estimation

2.99k views • 79 slides
Gravitational lensing science with CSS-OS Weak lensing: Zuhui Fan (PKU) Shear measurement: Jun

Gravitational lensing science with CSS-OS Weak lensing: Zuhui Fan (PKU) Shear measurement: Jun

Gravitational lensing science with CSS-OS Weak lensing: Zuhui Fan (PKU) Shear measurement: Jun Zhang (SJTU) Strong lensing: Ran Li (NAOC) Outline Organization of working groups Weak lensing science Plan of weak lensing simulation

735 views • 37 slides
Beyond Determinism in Measurement-based Quantum Computation Simon Perdrix CNRS, Laboratoire

Beyond Determinism in Measurement-based Quantum Computation Simon Perdrix CNRS, Laboratoire

Beyond Determinism in Measurement-based Quantum Computation Simon Perdrix CNRS, Laboratoire dInformatique de Grenoble Joint work with Mehdi Mhalla, Mio Murao, Masato Someya, Peter Turner NWC, 23/05/2011 ANR CausaQ CNRS-JST Strategic

467 views • 31 slides
Karim El Defrawy and Gene Tsudik IEEE- ICNP08 10/22/2008 1 Introduction Privacy and

Karim El Defrawy and Gene Tsudik IEEE- ICNP08 10/22/2008 1 Introduction Privacy and

Karim El Defrawy and Gene Tsudik IEEE- ICNP08 10/22/2008 1 Introduction Privacy and Security in MANETs Related Work Overview of Group Signatures PRISM Protocol and Operation Security Analysis and Simulations

613 views • 32 slides

More recommend