Side-channel attacks in a microkernel environment




Side-channel attacks in a microkernel environment

Thomas Frase Thomas.b.Frase@student.hs-rm.de Fabian Seiberling Fabian.b.Seiberling@student.hs-rm.de

13.02.2014

1st Wiesbaden Workshop on Advanced Microkernel Operating Systems


Table of contents

1. Introduction
2. Public Key Cryptography
3. Side-channel Attacks
4. Real-world Examples
5. Conclusion


Introduction

Side-channel attacks use the physical implementation of a cryptographic function to gain information about the key.

[Figure labels: Ciphertext, Message, Decryption function, Key, Side-channel attack, Side-channel information, Cryptographic Implementation]

Public Key Cryptography

Alice, Bob:

1. Generate big primes p and q
2. Calculate n = p · q
3. Find e with gcd(e, n) = 1
4. Find d with e · d ≡ 1 (mod n)
5. Public key: (e, n); private key: (d, n)
6. Public key (e, n)
7. Encrypt message: c = m^e (mod n)
8. Encrypted message c
9. Decrypt message: m = c^d (mod n)


Exponentiation by squaring

Algorithm

Input: c, d, n
Output: m
let d_1, ..., d_n be the bits of d;
let bits(x) be the bit-length of x;
m ← 1;
for i = bits(d) down to 1 do
    m ← m^2 (mod n);
    if d_i = 1 then
        m ← m · c (mod n);
    end
end


Side-channel Attacks

Types of side channel attacks:
- Acoustic cryptanalysis
- Data remanence
- Differential fault analysis
- Electromagnetic attacks
- Power monitoring attack
- Timing attack


Acoustic cryptanalysis

Attacks that use the noise emitted by the computer while it executes the cryptographic function.

Data remanence

Attacks that read the data which was used by a cryptographic function. The data can be restored after the cryptographic function has deleted it.


Differential fault analysis

This attack creates a fault in the cryptographic function to gain information about the current state of the function. A fault can be created with high temperature, too high or too low voltage, or with electric or magnetic fields.

Electromagnetic attacks

Attacks which use the electromagnetic field to gain information about the secret of the cryptographic function.


Power monitoring attack

This attack uses the characteristic power consumption of each CPU instruction.

Timing attack

Attacks which measure the execution time of parts of the cryptographic function to gain information.


Example: Power monitoring attack

- Square-and-multiply algorithm
- Different amount of power
- Digital oscilloscope
- Differential power analysis
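The square-and-multiply leak named on this slide, as an added Python example that is not part of the original presentation. The trace string is a constructed stand-in for what an oscilloscope would show, and the Montgomery ladder is a standard algorithm-level countermeasure that the slides do not name.

```python
def square_and_multiply(c, d, n):
    """Exponentiation by squaring as on the slide (most significant bit first).
    Returns (result, trace): 'S' per squaring, 'M' per multiplication."""
    m, trace = 1, []
    for bit in bin(d)[2:]:
        m = (m * m) % n
        trace.append("S")
        if bit == "1":              # key-dependent branch: this is the leak
            m = (m * c) % n
            trace.append("M")
    return m, "".join(trace)


def bits_from_trace(trace):
    """Read the exponent off the operation sequence: 'SM' -> 1, lone 'S' -> 0."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i + 1:i + 2] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)


def montgomery_ladder(c, d, n):
    """Same result, but every exponent bit costs one multiply and one square,
    so the operation sequence depends only on the bit length of d."""
    r0, r1, trace = 1, c % n, []
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % n, (r1 * r1) % n
        else:
            r0, r1 = (r0 * r0) % n, (r0 * r1) % n
        trace.append("MS")
    return r0, "".join(trace)


if __name__ == "__main__":
    n, d, c = 3233, 2753, 2790      # constructed toy values (n = 61 * 53)
    m, leaky = square_and_multiply(c, d, n)
    print(m, leaky, bits_from_trace(leaky) == bin(d)[2:])
    print(montgomery_ladder(c, d, n))
```

Python big-integer arithmetic is not constant-time, so the ladder here only demonstrates the uniform operation sequence; a real implementation also needs constant-time selection and arithmetic.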


Acoustic Attack

Genkin, Shamir and Tromer

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
- Extraction of full 4096-bit RSA key
- Attack using various microphones
- Uses adaptive chosen-ciphertext
- Target: GnuPG on Laptops


- Electrical components produce high-frequency noise
- Voltage regulator noise depends heavily on CPU instructions / load
- Various CPU instructions distinguishable in acoustic spectrum


- GnuPG uses optimization (RSA-CRT)
    m_p = c^(d_p) (mod p)
    m_q = c^(d_q) (mod q)
- Attack targets each bit of q individually
    - Choose c
    - Determine q_i = 1 or q_i = 0
    - Modify c according to last step
    - Repeat
- Factorize n from q
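RSA-CRT decryption as referenced on this slide, as an added Python example rather than GnuPG's code or code from the presentation. The toy primes are constructed; d_p = d mod (p − 1), d_q = d mod (q − 1), q_inv = q⁻¹ mod p and d as the inverse of e modulo (p − 1)(q − 1) are the standard RSA-CRT definitions, which the slides do not spell out.

```python
from math import gcd

# Constructed toy key (textbook-sized primes, far too small for real use).
P, Q, E = 61, 53, 17


def make_crt_key(p, q, e):
    """Derive the private exponent d and the RSA-CRT parameters."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)             # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def decrypt_crt(c, key):
    """m_p = c^dp mod p and m_q = c^dq mod q, then Garner recombination.
    Both halves compute modulo a secret prime."""
    m_p = pow(c % key["p"], key["dp"], key["p"])
    m_q = pow(c % key["q"], key["dq"], key["q"])
    h = (key["qinv"] * (m_p - m_q)) % key["p"]
    return m_q + h * key["q"]


def private_exponent_from_q(n, e, q):
    """The slide's last step: once q is known, n factors and d follows."""
    p, remainder = divmod(n, q)
    if remainder != 0:
        raise ValueError("q does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    key = make_crt_key(P, Q, E)
    c = pow(65, key["e"], key["n"])                 # encrypt m = 65
    print(decrypt_crt(c, key), pow(c, key["d"], key["n"]))
    print(private_exponent_from_q(key["n"], key["e"], Q) == key["d"])
```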


Consequences for microkernels?
- Attack is independent of operating system
- Mitigation best done on algorithm-level
- Self-eavesdropping can be mitigated by considering the microphone a security critical resource


Access-driven Cross-VM Attack

Yinqian, Juels, Reiter, and Ristenpart

Cross-VM Side Channels and Their Use to Extract Private Keys
- Almost complete extraction of private key
- Required brute-force search of about 10,000 keys
- Target: GnuPG in a Xen-based VM


- Attacker and victim on different guest VMs
- Attacker spies on the instruction cache
- Cache-based delays reveal used code paths in victim


- Preempting the victim
- Noise-reduction
- Classification
    - SVM (Support vector machines)
    - HMM (Hidden Markov model)
    - Fragment stitching


Consequences for microkernels?
- Side-channel resistant algorithms
- Scheduling
    - Make it hard for the attacker to preempt the victim
- Flushing caches
    - Flush instruction cache on context switch for critical tasks


Conclusion

- Side-channel attacks can be used on a microkernel
- Some attacks can be prevented by additional security implementations on the microkernel
- Some attacks can only be prevented by changing the implementation of the cryptographic function