soc it to em electromagnetic side channel attacks on a
play

SoC it to EM: electromagnetic side-channel attacks on a complex - PowerPoint PPT Presentation

Oct 01, 2022 •111 likes •630 views

SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke De Mulder 2 Dan Page 1 Mike Tunstall 2 1 University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. UK. 2 Rambus

  1. SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke De Mulder 2 Dan Page 1 Mike Tunstall 2 1 University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. UK. 2 Rambus Cryptography Research Division, 425 Market Street, 11th Floor, San Francisco, CA 94105, United States. 16 / 09 / 15 � jake.longo@bris.ac.uk � SoC it to EM Slide 1 of 23

  2. Presentation Layout ◮ Motivation? ◮ Methodology outline and execution ◮ Summary of attack results ◮ Further comments ◮ Future work � jake.longo@bris.ac.uk � SoC it to EM Slide 2 of 23

  3. Motivation? Address some misconceptions of side-channel attacks on complex devices. ◮ High-clock rate targets → high sample rate equipment. ◮ Complex embedded systems → di ffi cult DPA. ◮ High degree of parallelism → low SNR ∼ intrinsic side-channel resistance. � jake.longo@bris.ac.uk � SoC it to EM Slide 3 of 23

  4. Analysis Plan ◮ Target selection and identification ◮ Signal exploration ◮ Batch signal pre-processing ◮ Leakage detection ◮ Signal post-processing ◮ Textbook DPA � jake.longo@bris.ac.uk � SoC it to EM Slide 4 of 23

  5. Target Platform BeagleBone Black Attack Environment Hardware: ◮ ARM Cortex-A8 1 GHz CPU (High clock rate) ◮ ARM NEON SIMD (High degree of parallelism) ◮ TI proprietary cryptographic hardware (RNG, SHA-1, AES) Software: ◮ Debian Wheezy (3 . 15) (Full unmodified Linux distribution) ◮ OpenSSL 1 . 0 . 1 j (Bulk encryption) � jake.longo@bris.ac.uk � SoC it to EM Slide 5 of 23

  6. Target Selection and Identification Integer core NEON core PowerVR Display GPU controller L1 I-cache L1 D-cache Cryptographic L2 cache Network co-processor controller 176 kB ROM 64 kB OCP bridge RAM 64 kB RAM OCP-based L3 / L4 NoC interconnect UART DMA SPI RTC I 2 C WDT DDR-based memory interface USB JTAG . . . . . . � jake.longo@bris.ac.uk � SoC it to EM Slide 6 of 23

  7. Target Selection and Identification Integer core NEON core PowerVR Display GPU controller L1 I-cache L1 D-cache Cryptographic L2 cache Network co-processor controller 176 kB ROM 64 kB OCP bridge RAM 64 kB RAM OCP-based L3 / L4 NoC interconnect UART DMA SPI RTC I 2 C WDT DDR-based memory interface USB JTAG . . . . . . ◮ OpenSSL software AES-128-CBC � jake.longo@bris.ac.uk � SoC it to EM Slide 6 of 23

  8. Target Selection and Identification Integer core NEON core PowerVR Display GPU controller L1 I-cache L1 D-cache Cryptographic L2 cache Network co-processor controller 176 kB ROM 64 kB OCP bridge RAM 64 kB RAM OCP-based L3 / L4 NoC interconnect UART DMA SPI RTC I 2 C WDT DDR-based memory interface USB JTAG . . . . . . ◮ OpenSSL software AES-128-CBC ◮ OpenSSL NEON Bitsliced AES-128-CBC � jake.longo@bris.ac.uk � SoC it to EM Slide 6 of 23

  9. Target Selection and Identification Integer core NEON core PowerVR Display GPU controller L1 I-cache L1 D-cache Cryptographic L2 cache Network co-processor controller 176 kB ROM 64 kB OCP bridge RAM 64 kB RAM OCP-based L3 / L4 NoC interconnect UART DMA SPI RTC I 2 C WDT DDR-based memory interface USB JTAG . . . . . . ◮ OpenSSL software AES-128-CBC ◮ OpenSSL NEON Bitsliced AES-128-CBC ◮ OpenSSL hardware accelerated AES-128-CBC � jake.longo@bris.ac.uk � SoC it to EM Slide 6 of 23

  10. NEON? “NEON technology is a 128-bit SIMD (Single Instruction, Multiple Data) architecture extension for the ARM Cortex ™ -A series processors.” ◮ Clear use-cases for wide datapath bit-slicing. ◮ Gradually being adopted to accelerate crypto imlementations. [BS12] D.J. Bernstein and P. Schwabe. “NEON Crypto”. In: CHES . LNCS 7428, 2012, pp. 320–339. D.F. Câmara et al. “Fast Software Polynomial Multiplication on ARM [Câm + 13] Processors Using the NEON Engine”. In: CD-ARES . 2013, pp. 137–154. S. Holzer-Graf et al. “E ffi cient Vector Implementations of AES-Based [Hol + 13] Designs: A Case Study and New Implemenations for Grøstl”. In: CT-RSA . 2013, pp. 145–161. H. Seo et al. “Montgomery Modular Multiplication on ARM-NEON [Seo + 14] Revisited”. In: ICISC . 2014, pp. 328–342. J. Wang et al. “Higher-Order Masking in Practice: A Vector Implementation [Wan + 15] of Masked AES for ARM NEON”. In: CT-RSA . 2015, pp. 181–198. � jake.longo@bris.ac.uk � SoC it to EM Slide 7 of 23

  11. THE DOCUMENTATION HAS ...PROBABLY DMA Engine something in a key some mode settings something out IRQ_0 IRQ_1 AES NOTHING ABOUT IT IT SORT OF LOOKS SOMETHING LIKE THIS... Cryptographic Co-processor? � jake.longo@bris.ac.uk � SoC it to EM Slide 8 of 23

  12. Signal Exploration (1) Test loop 1 while true do sleep(0.08) ; 2 openssl aes-128-cbc -in pt.bin -out ct.bin; 3 sleep(0.025); 4 matrixMultiply -in pt.bin; 5 6 end Spectrogram − 30 1200 Frequency (MHz) − 35 1000 − 40 Power (db) 800 − 45 − 50 600 − 55 400 − 60 200 − 65 0 − 70 0 10 20 30 40 50 60 70 80 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 9 of 23

  13. Signal Exploration (1) Test loop 1 while true do sleep(0.08) ; 2 openssl aes-128-cbc -in pt.bin -out ct.bin; 3 sleep(0.025); 4 matrixMultiply -in pt.bin; 5 6 end Spectrogram − 30 1200 Frequency (MHz) − 35 1000 − 40 Power (db) 800 − 45 − 50 600 − 55 400 − 60 200 − 65 0 − 70 0 10 20 30 40 50 60 70 80 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 9 of 23

  14. Signal Exploration (1) Test loop 1 while true do sleep(0.08) ; 2 openssl aes-128-cbc -in pt.bin -out ct.bin; 3 sleep(0.025); 4 matrixMultiply -in pt.bin; 5 6 end Spectrogram − 30 1200 Frequency (MHz) − 35 1000 − 40 Power (db) 800 − 45 − 50 600 − 55 400 − 60 200 − 65 0 − 70 0 10 20 30 40 50 60 70 80 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 9 of 23

  15. Signal Exploration (1) Test loop 1 while true do sleep(0.08) ; 2 openssl aes-128-cbc -in pt.bin -out ct.bin; 3 sleep(0.025); 4 matrixMultiply -in pt.bin; 5 6 end Spectrogram − 30 1200 Frequency (MHz) − 35 1000 − 40 Power (db) 800 − 45 − 50 600 − 55 400 − 60 200 − 65 0 − 70 0 10 20 30 40 50 60 70 80 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 9 of 23

  16. Signal Exploration (1) Test loop 1 while true do sleep(0.08) ; 2 openssl aes-128-cbc -in pt.bin -out ct.bin; 3 sleep(0.025); 4 matrixMultiply -in pt.bin; 5 6 end Spectrogram − 30 1200 Frequency (MHz) − 35 1000 − 40 Power (db) 800 − 45 − 50 600 − 55 400 − 60 200 − 65 0 − 70 0 10 20 30 40 50 60 70 80 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 9 of 23

  17. Signal Pre-processing (1) OpenSSL S / W Trace Amplitude OpenSSL Frequency Response − 30 1200 0 2000 4000 6000 8000 10000 12000 Sample Index − 35 1000 − 40 Frequency (MHz) 800 − 45 Power (db) − 50 600 − 55 400 − 60 200 − 65 0 − 70 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 10 of 23

  18. Signal Pre-processing (1) OpenSSL S / W Trace Amplitude OpenSSL Frequency Response − 30 1200 0 2000 4000 6000 8000 10000 12000 Sample Index − 35 1000 − 40 OpenSSL S / W Trace – Filtered Frequency (MHz) 800 − 45 Power (db) Amplitude − 50 600 − 55 400 − 60 0 2000 4000 6000 8000 10000 12000 Sample Index 200 − 65 0 − 70 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 10 of 23

  19. Signal Pre-processing (1) OpenSSL S / W Trace Amplitude OpenSSL Frequency Response − 30 1200 0 2000 4000 6000 8000 10000 12000 Sample Index − 35 1000 − 40 OpenSSL S / W Trace – Filtered Frequency (MHz) 800 − 45 Power (db) Amplitude − 50 600 − 55 400 − 60 0 2000 4000 6000 8000 10000 12000 Sample Index 200 − 65 0 − 70 Time (ms) � jake.longo@bris.ac.uk � SoC it to EM Slide 10 of 23

  20. Signal Pre-processing (1) OpenSSL S / W Trace Amplitude OpenSSL Frequency Response − 30 1200 0 2000 4000 6000 8000 10000 12000 Sample Index − 35 1000 − 40 OpenSSL S / W Trace – Filtered Frequency (MHz) 800 − 45 Power (db) Amplitude − 50 600 − 55 400 − 60 0 2000 4000 6000 8000 10000 12000 Sample Index 200 − 65 OpenSSL S / W Trace – Filtered & De-modulated 0 − 70 Time (ms) Amplitude 0 2000 4000 6000 8000 10000 12000 Sample Index � jake.longo@bris.ac.uk � SoC it to EM Slide 10 of 23

  21. Signal Pre-processing (2) OpenSSL NEON Trace Amplitude 0 10000 20000 30000 40000 50000 Sample Index OpenSSL NEON Trace – Filtered Amplitude 0 10000 20000 30000 40000 50000 Sample Index OpenSSL NEON Trace – Filtered & De-modulated Amplitude 0 10000 20000 30000 40000 50000 Sample Index � jake.longo@bris.ac.uk � SoC it to EM Slide 11 of 23

  22. YAY! Signal Pre-processing (3) OpenSSL H / W Trace Amplitude 20000 30000 40000 50000 60000 70000 Sample Index ◮ Number of peaks match number of encryptions! � � jake.longo@bris.ac.uk � SoC it to EM Slide 12 of 23

  23. HMMMM... Signal Pre-processing (3) OpenSSL H / W Trace Amplitude 20000 30000 40000 50000 60000 70000 Sample Index ◮ Number of peaks match number of encryptions! � ◮ Peaks track by Hamming weight of plaintext... � jake.longo@bris.ac.uk � SoC it to EM Slide 12 of 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks Pieter Robyns Motivation and introduction Motivation Information about performing EM side-channel attacks using SDR is quite scarce A few

758 views • 42 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet GREYC - LMNO Universit e de Caen Darmstadt 29th of April 2010 1 / 59 Outline Pairing over elliptic curves 1 Definition and properties of

1.55k views • 111 slides
Design principles: laughing in the face of change Perdita Stevens School of Informatics

Design principles: laughing in the face of change Perdita Stevens School of Informatics

Design principles: laughing in the face of change Perdita Stevens School of Informatics University of Edinburgh Plan What are we trying to achieve? Review: Design principles you know from Inf2C-SE Going further: SOLID design

494 views • 32 slides
Multigenerational mobility in India / Vegard Iversen, Anustup Kundu & Kunal Sen September 13,

Multigenerational mobility in India / Vegard Iversen, Anustup Kundu & Kunal Sen September 13,

Multigenerational mobility in India / Vegard Iversen, Anustup Kundu & Kunal Sen September 13, 2019 1 / 15 Multigenerational mobility in India Vegard Iversen 1 Anustup Kundu 2 3 Kunal Sen 2 1 University of Greenwich 2 UNU-WIDER 3 University of

412 views • 16 slides
Grammatical Theory with Gradient Symbol Structures The GSC Research Group Paul Smolensky

Grammatical Theory with Gradient Symbol Structures The GSC Research Group Paul Smolensky

Grammatical Theory with Gradient Symbol Structures The GSC Research Group Paul Smolensky Graldine Legendre Ma6 Goldrick Colin Wilson Kyle Rawlins Ben Van Durme Akira Omaki Paul Tupper Don Mathis Pyeong-Whan Cho Laurel Brehm Nick

606 views • 58 slides
Interoperating direct and indirect optimal control solvers Olivier Cots, Joint work with J.-B.

Interoperating direct and indirect optimal control solvers Olivier Cots, Joint work with J.-B.

Interoperating direct and indirect optimal control solvers Olivier Cots, Joint work with J.-B. Caillau, P. Martinon and the invaluable help of Inria Sophia SED 9th International Congress on Industrial and Applied Mathematics (ICIAM 2019), July

631 views • 27 slides
Detecting Data Center Cooling Problems Using a Data-driven Approach Charley Chen, Guosai Wang,

Detecting Data Center Cooling Problems Using a Data-driven Approach Charley Chen, Guosai Wang,

Detecting Data Center Cooling Problems Using a Data-driven Approach Charley Chen, Guosai Wang, Jiao Sun and Wei Xu Tsinghua University Data Center Cooling Problems Are Important 32% of the system errors are caused by hardware and cooling

332 views • 17 slides
H Street Bridge, NE Replacement Industry Day Industry Day Speakers Ellen Jones Chief Project

H Street Bridge, NE Replacement Industry Day Industry Day Speakers Ellen Jones Chief Project

H Street Bridge, NE Replacement Industry Day Industry Day Speakers Ellen Jones Chief Project Delivery Officer, District Department of Transportation (DDOT) George A. Schutter Chief Procurement Officer and Director, DC Office of Contracting and

768 views • 41 slides
Minimum Opaque Covers for Polygonal The Connected Regions Opaque Cover Problem Opaque Covers

Minimum Opaque Covers for Polygonal The Connected Regions Opaque Cover Problem Opaque Covers

Minimum Opaque Covers M. Brazil Preliminaries Minimum Opaque Covers for Polygonal The Connected Regions Opaque Cover Problem Opaque Covers with Multiple Connected Marcus Brazil Components Scott Provan, Doreen Thomas, Jia Weng Some

345 views • 16 slides
Gaussian Mixture Penalization for Trajectory Optimization Problems C. Rommel 1 , 2 , J. F. Bonnans

Gaussian Mixture Penalization for Trajectory Optimization Problems C. Rommel 1 , 2 , J. F. Bonnans

Gaussian Mixture Penalization for Trajectory Optimization Problems C. Rommel 1 , 2 , J. F. Bonnans 1 , B. Gregorutti 2 and P. Martinon 1 CMAP Ecole Polytechnique - INRIA 1 Safety Line 2 ISMP - July 2 nd 2018 ISMP - July 2 nd 2018 (CMAP, INRIA,

1.32k views • 95 slides

More recommend