Software Side-Channel Analysis: Attack Synthesis Lucas Bang - - PowerPoint PPT Presentation

1

Software Side-Channel Analysis: Attack Synthesis

Lucas Bang

Dissertation Defense Committee: Tevfik Bultan (chair) ¨ Omer E˘ gecio˘ glu Ben Hardekopf

2 - 1

Publications during PhD

Bang, Aydin, Phan, Pasareanu, Bultan. [FSE 2016] “String Analysis for Side Channels with Segmented Oracles.” Bang, Rosner, Bultan. [Euro S&P 2018] “Online Synthesis of Adaptive Side-Channel Attacks Based On Noisy Observations.” Bang, Aydin, Bultan. [FSE 2015] “Automatically Computing Path Complexity of Programs.” Aydin, Eiers, Bang, Brennan, Gavrilov, Yu, Bultan. [FSE 2018 (accepted)] “Parameterized Model Counting for String and Numeric Constraints.”

Submitted papers

Saha, Kadron, Eiers, Bang, Bultan. “Attack Synthesis for Strings via Incremental Model Counting and Meta-Heuristics.” Tsiskaridze, Bang, McMahan, Bultan, Sherwood. “Information Leakage in Arbiter Protocols.” Phan, Bang, Pasareanu, Malacaria, Bultan. [CSF 17] “Synthesis of Adaptive Side-Channel Attacks.” Aydin, Bang, Bultan. [CAV 2015] “Automata-Based Model Counting for String Constraints.”

2 - 2

Publications during PhD

Bang, Aydin, Phan, Pasareanu, Bultan. [FSE 2016] “String Analysis for Side Channels with Segmented Oracles.” Bang, Rosner, Bultan. [Euro S&P 2018] “Online Synthesis of Adaptive Side-Channel Attacks Based On Noisy Observations.” Bang, Aydin, Bultan. [FSE 2015] “Automatically Computing Path Complexity of Programs.” Aydin, Eiers, Bang, Brennan, Gavrilov, Yu, Bultan. [FSE 2018 (accepted)] “Parameterized Model Counting for String and Numeric Constraints.”

Submitted papers

Saha, Kadron, Eiers, Bang, Bultan. “Attack Synthesis for Strings via Incremental Model Counting and Meta-Heuristics.” Tsiskaridze, Bang, McMahan, Bultan, Sherwood. “Information Leakage in Arbiter Protocols.” Phan, Bang, Pasareanu, Malacaria, Bultan. [CSF 17] “Synthesis of Adaptive Side-Channel Attacks.” Aydin, Bang, Bultan. [CAV 2015] “Automata-Based Model Counting for String Constraints.”

2 - 3

Publications during PhD

Bang, Aydin, Phan, Pasareanu, Bultan. [FSE 2016] “String Analysis for Side Channels with Segmented Oracles.” Bang, Rosner, Bultan. [Euro S&P 2018] “Online Synthesis of Adaptive Side-Channel Attacks Based On Noisy Observations.” Bang, Aydin, Bultan. [FSE 2015] “Automatically Computing Path Complexity of Programs.” Aydin, Eiers, Bang, Brennan, Gavrilov, Yu, Bultan. [FSE 2018 (accepted)] “Parameterized Model Counting for String and Numeric Constraints.”

Submitted papers

Saha, Kadron, Eiers, Bang, Bultan. “Attack Synthesis for Strings via Incremental Model Counting and Meta-Heuristics.” Tsiskaridze, Bang, McMahan, Bultan, Sherwood. “Information Leakage in Arbiter Protocols.” Phan, Bang, Pasareanu, Malacaria, Bultan. [CSF 17] “Synthesis of Adaptive Side-Channel Attacks.” Aydin, Bang, Bultan. [CAV 2015] “Automata-Based Model Counting for String Constraints.”

3

Side-Channel Attacks

4 - 1

4 - 2

4 - 3

4 - 4 Side channel: learn secrets through indirect observation. Time P i z z a s Panama Granada Kuwait

5 - 1

5 - 2

Secret Data

Program

5 - 3

1 private s = getBufferSize();

Program

5 - 4

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i

5 - 5

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1

5 - 6

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

5 - 7

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

s? 1 ≤ s ≤ 8

5 - 8

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

s?

• utput, 0

1 ≤ s ≤ 8

5 - 9

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

s?

• utput, 0

1 ≤ s ≤ 8

5 - 10

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

s? 1 ≤ s ≤ 8

5 - 11

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

s? 1 ≤ s ≤ 8

5 - 12

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i s ≤ i ⇒ o = 1 s > i ⇒ o = 2

s? 1 ≤ s ≤ 8

5 - 13

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

input, i

s?

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

1 ≤ s ≤ 8

5 - 14

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

s?

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

input, 4

1 ≤ s ≤ 8

5 - 15

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

s?

input, 4

• = 1 ⇒ s ≤ 4
• = 2 ⇒ s > 4

1 ≤ s ≤ 8

5 - 16

1 private s = getBufferSize(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 log.write("too large"); // 1 s 7 else 8 some computation; // 2 s 9 return 0; 10 } 1 private s = getBufferSize();

s?

input, 4

• = 1 ⇒ s ≤ 4
• = 2 ⇒ s > 4

1 ≤ s ≤ 8

Attacker can binary search on s using i and o.

6

7 - 1

Boolean compare(pw, input){ for(int i = 0; i < pw.length(), i++) if(pw[i] != input[i]) return false; return true; }

Is my code vulnerable to side-channel attacks?

7 - 2

Boolean compare(pw, input){ for(int i = 0; i < pw.length(), i++) if(pw[i] != input[i]) return false; return true; }

Automated Analysis Synthesized Attack

Is my code vulnerable to side-channel attacks?

7 - 3

Boolean compare(pw, input){ for(int i = 0; i < pw.length(), i++) if(pw[i] != input[i]) return false; return true; }

Automated Analysis Synthesized Attack

Is my code vulnerable to side-channel attacks?

• 1. Static Offline Analysis

7 - 4

Boolean compare(pw, input){ for(int i = 0; i < pw.length(), i++) if(pw[i] != input[i]) return false; return true; }

Automated Analysis Synthesized Attack

Is my code vulnerable to side-channel attacks?

• 1. Static Offline Analysis
• 2. Static Offline + Dynamic + Online Analysis

7 - 5

Boolean compare(pw, input){ for(int i = 0; i < pw.length(), i++) if(pw[i] != input[i]) return false; return true; }

Automated Analysis Synthesized Attack

Is my code vulnerable to side-channel attacks?

• 1. Static Offline Analysis
• 2. Static Offline + Dynamic + Online Analysis

8 - 1

Side Channels and Searching: Entropy

8 - 2 secret s ∈ S i ∈ I

Side Channels and Searching: Entropy

S

8 - 3 secret s ∈ S i ∈ I

Side Channels and Searching: Entropy

S

8 - 4 secret s ∈ S i ∈ I

• 1
• 2

Side Channels and Searching: Entropy

S

8 - 5 secret s ∈ S i ∈ I

• 1
• 2

Side Channels and Searching: Entropy

S

8 - 6 secret s ∈ S i ∈ I

• 1
• 2

Side Channels and Searching: Entropy

S

8 - 7 secret s ∈ S i ∈ I

s

Good outcome, very unlikely.

• 1
• 2

Side Channels and Searching: Entropy

S

8 - 8 secret s ∈ S i ∈ I

s

Bad outcome, very likely.

• 1
• 2

Side Channels and Searching: Entropy

S

8 - 9 secret s ∈ S i ∈ I

Side Channels and Searching: Entropy

S

8 - 10 secret s ∈ S i ∈ I s

Side Channels and Searching: Entropy

S

8 - 11 secret s ∈ S i ∈ I s

Side Channels and Searching: Entropy

S

8 - 12 secret s ∈ S i ∈ I s p(s ∈ )

Side Channels and Searching: Entropy

S

8 - 13 secret s ∈ S i ∈ I s p(s ∈ ) =

Side Channels and Searching: Entropy

S

8 - 14 secret s ∈ S i ∈ I

p1 p2 p3 p4 Side Channels and Searching: Entropy

S

8 - 15 secret s ∈ S i ∈ I

p1 p2 p3 p4

Quantify expected information gain measured in bits.

Side Channels and Searching: Entropy

S

8 - 16 secret s ∈ S i ∈ I

p1 p2 p3 p4

Quantify expected information gain measured in bits.

1 pj Side Channels and Searching: Entropy

S

8 - 17 secret s ∈ S i ∈ I

p1 p2 p3 p4

Quantify expected information gain measured in bits.

1 pj

log2

Side Channels and Searching: Entropy

S

8 - 18 secret s ∈ S i ∈ I

p1 p2 p3 p4

Quantify expected information gain measured in bits.

1 pj

log2 pj n

j=1 Side Channels and Searching: Entropy

S

8 - 19 secret s ∈ S i ∈ I

p1 p2 p3 p4

Quantify expected information gain measured in bits.

1 pj

log2 pj n

j=1

H =

Side Channels and Searching: Entropy

S

8 - 20 secret s ∈ S i ∈ I Quantify expected information gain measured in bits.

1 pj

log2 pj n

j=1

i

H(i) =

Side Channels and Searching: Entropy

S

9 - 1

max H(i) ⇒Binary Search

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

9 - 2

max H(i) ⇒Binary Search

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

9 - 3

max H(i) ⇒Binary Search

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

Password Checker Constraints

9 - 4

max H(i) ⇒Binary Search

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

9 - 5

max H(i) ⇒Binary Search

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

max H(i) ⇒Optimal Search

any program constraints

9 - 6

max H(i) ⇒Binary Search

• = 1 ⇒ s ≤ i
• = 2 ⇒ s > i

max H(i) ⇒Optimal Search

any program constraints

H(i) ???

10 - 1

Symbolic Execution

Execute program on symbolic rather than concrete inputs. Maintain path constraints, PCs, φj over symbolic inputs. if(c) then s1; else s2;

c φ φ ← φ ∧ c T F φ ← φ ∧ ¬c

For branch instructions: φj(s, i) characterizes the relation between s, i, and oj

10 - 2

Symbolic Execution

Execute program on symbolic rather than concrete inputs. Maintain path constraints, PCs, φj over symbolic inputs. if(c) then s1; else s2;

c φ φ ← φ ∧ c T F φ ← φ ∧ ¬c

Maintain path constraints, PCs, φj over symbolic inputs. For branch instructions: φ1 φ2 φ3 φ4 φj(s, i) characterizes the relation between s, i, and oj

11 - 1

)= p(s ∈

11 - 2 φ

)= p(s ∈

φ = #φ (i)

11 - 3 {φj (s, i )}

Model Counter

{#φj (i)} φ

)= p(s ∈

φ = #φ (i)

11 - 4 {φj (s, i )}

Model Counter

{#φj (i)} φ #φ (i) is the number of satisfying solutions (models) for φ (s, i) for a given i.

)= p(s ∈

φ = #φ (i)

11 - 5 {φj (s, i )}

Model Counter

{#φj (i)} φ #φ (i) is the number of satisfying solutions (models) for φ (s, i) for a given i.

p (i) = #φ(i)

|S|

)= p(s ∈

φ = #φ (i)

11 - 6 {φj (s, i )}

Model Counter

{#φj (i)} φ #φ (i) is the number of satisfying solutions (models) for φ (s, i) for a given i.

p (i) = #φ(i)

|S|

H(i) = n

j=1 pj(i) log2 1 pj(i) )= p(s ∈

φ = #φ (i)

12 - 1 Symbolic Execution Model Counting Information Theory

H(i)

H(i) is a symbolic expression that measures the expected information an attacker gains when making input i.

12 - 2 Maximize

H(i)

i∗ Symbolic Execution Model Counting Information Theory

H(i)

H(i) is a symbolic expression that measures the expected information an attacker gains when making input i. Maximizing H(i) gives an optimal side-channel attack. [IEEE Computer Security Foundations 2017]

13 - 1

• 1. Fully Static Offline Approach

Assumes an ideal observation model (i.e. instruction counts). Does not account for actual runtime behavior.

13 - 2

• 1. Fully Static Offline Approach

Assumes an ideal observation model (i.e. instruction counts). Does not account for actual runtime behavior.

• 2. Static / Dynamic + Offline / Online Approach

Automatically, dynamically estimates runtime observations. Uses Bayesian inference and weighted model counting to account for noise.

14 - 1

Side-Channel Attack Synthesis Under Noisy Conditions

[IEEE European Security & Privacy 2018]

14 - 2

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

14 - 3

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

Hardware + OS

14 - 4

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

Hardware + OS Network

14 - 5

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

s? Hardware + OS Network

14 - 6

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network

14 - 7

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network

14 - 8

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network

14 - 9

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network s ≤ i ⇒ o = 1

14 - 10

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network s ≤ i ⇒ o = 1

14 - 11

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network s ≤ i ⇒ o = 1

s ≤ i

14 - 12

1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 }

input, i

s? Hardware + OS Network

s ≤ i s > i

15 - 1

15 - 2 s? Attacker Belief

15 - 3 s?

1 8

1 2 3 4 5 6 7 8

Attacker Belief

15 - 4 s?

1 8

1 2 3 4 5 6 7 8

Attacker Belief Input Choice i∗

15 - 5 s? s ≤ i s > i

1 8

1 2 3 4 5 6 7 8

Attacker Belief Input Choice i∗ Observation Noise

15 - 6 s?

1 8

1 2 3 4 5 6 7 8

Attacker Belief Input Choice i∗ Observation Noise = 5 s ≤ 5 s > 5

15 - 7 s?

1 8

1 2 3 4 5 6 7 8

Attacker Belief Input Choice i∗ Observation Noise = 5 s ≤ 5 s > 5

t = 4.12

15 - 8 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

1 3

s ≤ 5 s > 5

t = 4.12

15 - 9 s?

1 8

1 2 3 4 5 6 7 8

Attacker Belief Input Choice i∗ Observation Noise = 5 s ≤ 5 s > 5

15 - 10 s?

1 8

1 2 3 4 5 6 7 8

Attacker Belief Input Choice i∗ Observation Noise = 5

more likely

s ≤ 5 s > 5 t = 2.3

less likely

15 - 11 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

s ≤ 5 s > 5

15 - 12 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(s|o, i∗) s ≤ 5 s > 5

15 - 13 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) s ≤ 5 s > 5

15 - 14 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(o|s, i) s ≤ 5 s > 5

15 - 15 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(o|s, i∗) s ≤ 5 s > 5

15 - 16 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(o|s, i∗) s ≤ 5 s > 5

15 - 17 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(s|o, i∗) s ≤ 5 s > 5

15 - 18 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(s|o, i∗) Bayes’ Rule s ≤ 5 s > 5

15 - 19 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(s|o, i∗) Bayes’ Rule s ≤ 5 s > 5

15 - 20 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(s|o, i∗) Bayes’ Rule

Model Counting

s ≤ 5 s > 5

15 - 21 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(s|o, i∗) Bayes’ Rule

Weighted Model Counting

s ≤ 5 s > 5

15 - 22 s? Attacker Belief Input Choice i∗ Observation Noise = 5

1 8

1 2 3 4 5 6 7 8

p(o|s, i) p(s|o, i∗) p(s|o, i∗) Bayes’ Rule

Weighted Model Counting

max H(i) s ≤ 5 s > 5

16 - 1

16 - 2

• 1. Offline Static Analysis

16 - 3

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis

16 - 4

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

16 - 5

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

16 - 6

Source Code

Symbolic Execution {φj (s, i )} P (s, i )

path constraints

16 - 7

Source Code

Symbolic Execution {φj (s, i )} P (s, i )

path constraints

{wj = (sj, ij )}

PC models(witnesses)

16 - 8

Source Code

Symbolic Execution {φj (s, i )} P (s, i )

path constraints

{wj = (sj, ij )}

PC models(witnesses)

Each PC characterizes an observable program behavior (s, i ) | = φj (s′, i′ ) | = φj

16 - 9

Source Code

Symbolic Execution {φj (s, i )} P (s, i )

path constraints

{wj = (sj, ij )}

PC models(witnesses)

Each PC characterizes an observable program behavior (s, i ) | = φj (s′, i′ ) | = φj P (s, i ) P (s′, i′ )

? ?

constraints

16 - 10

Source Code

Symbolic Execution {φj (s, i )} P (s, i )

path constraints

{wj = (sj, ij )}

PC models(witnesses)

Each PC characterizes an observable program behavior (s, i ) | = φj (s′, i′ ) | = φj P (s, i ) P (s′, i′ )

? ?

characterizes observationally indistinguishable behaviors φj (s, i ) P (s, i ) is a representative of all behaviors in that class

constraints

16 - 11

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

16 - 12

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

16 - 13 Characterize effect of noise on each class of program behaviors using the witness for that behavior.

16 - 14 {wj = (si, ij )}

P (s, i ) HW / OS

Network Characterize effect of noise on each class of program behaviors using the witness for that behavior.

16 - 15 {wj = (si, ij )}

P (s, i ) HW / OS

Network Characterize effect of noise on each class of program behaviors using the witness for that behavior.

16 - 16 {wj = (si, ij )}

P (s, i ) HW / OS

Network Characterize effect of noise on each class of program behaviors using the witness for that behavior.

16 - 17 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000 Characterize effect of noise on each class of program behaviors using the witness for that behavior.

16 - 18 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000

{ } , ,...

p(o|sj, ij) Characterize effect of noise on each class of program behaviors using the witness for that behavior.

16 - 19 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000

{ } , ,...

p(o|sj, ij) Characterize effect of noise on each class of program behaviors using the witness for that behavior.

Smooth Kernel Density Estimation

16 - 20 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000

{ } , ,...

p(o|sj, ij) Characterize effect of noise on each class of program behaviors using the witness for that behavior.

Smooth Kernel Density Estimation ˆ p(o|φ) = ˆ p(o|w) = 1 nh

n

• r=1

K

• − or

h

16 - 21 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000

{ } , ,...

p(o|sj, ij) Characterize effect of noise on each class of program behaviors using the witness for that behavior.

Merging via Hellinger Distance

16 - 22 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000

{ } , ,...

p(o|sj, ij) Characterize effect of noise on each class of program behaviors using the witness for that behavior.

dH(p, q) =

• 1

2 ∞

−∞

• p(x) −
• q(x)

2 dx Merging via Hellinger Distance

16 - 23 {wj = (si, ij )}

P (s, i ) HW / OS

Network ×1000

{ } , ,...

p(o|sj, ij) Characterize effect of noise on each class of program behaviors using the witness for that behavior. Observation constraint φ′: Disjunction over path constraints which characterizes inputs that are observationally indistinguishable via side-channel observation.

dH(ˆ p(o|φ1), ˆ p(o|φ2)) < τ ⇒ let φ′ = φ1 ∨ φ2

16 - 24

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

16 - 25

{ } , ,...

ˆ p(o|φ) Belief p(s)

16 - 26

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief p(s)

16 - 27

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief p(s)

P (s, i ) HW / OS

Network

16 - 28

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

16 - 29

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

16 - 30

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

I(s; φ(s, i)|i) = −

n

• i=1

p(φ(s, i)|i) log2 p(φ(s, i)|i) Expected info gain given attacker input Observation constraint probabilities

16 - 31

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

I(s; φ(s, i)|i) = −

n

• i=1

p(φ(s, i)|i) log2 p(φ(s, i)|i) Expected info gain given attacker input Observation constraint probabilities p(φ(s, i)|i) =

• s∈S

p(s)φ(s, i)

16 - 32

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

I(s; φ(s, i)|i) = −

n

• i=1

p(φ(s, i)|i) log2 p(φ(s, i)|i) Expected info gain given attacker input Observation constraint probabilities p(φ(s, i)|i) =

• s∈S

p(s)φ(s, i) Model Counting

16 - 33

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

I(s; φ(s, i)|i) = −

n

• i=1

p(φ(s, i)|i) log2 p(φ(s, i)|i) Expected info gain given attacker input Observation constraint probabilities p(φ(s, i)|i) =

• s∈S

p(s)φ(s, i) Model Counting Weighted

16 - 34

max I

i∗

{ } , ,...

ˆ p(o|φ) Belief

P (s, i ) HW / OS

Network p(s|o, i∗)

Bayesian Update

• bserve o

I(s; φ(s, i)|i) = −

n

• i=1

p(φ(s, i)|i) log2 p(φ(s, i)|i) Expected info gain given attacker input Observation constraint probabilities p(φ(s, i)|i) =

• s∈S

p(s)φ(s, i) Barvinok

16 - 35

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

17 NASA Symbolic PathFinder (SPF) Z3 Constraint Solver Python Profiler Client NUC Server Barvinok Mathematica Weighted Symbolic Model Counting Numeric Maximization Symbolic Entropy Computation Intel P (s, i )

Implementation

• 1. Offline Static Analysis
• 2. Offline Dynamic Analysis
• 3. Online Attack Synthesis

18

Case Study: LawDB

DB: key = employee ID Some employee IDs have restricted access.

Server Client

Writes to log file depending on whether IDres ∈ [minID, maxID] From DARPA Space-Time Analysis for Cybersecurity (STAC)

SEARCH midID maxID List of employees.

19 - 1 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 2 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 3 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 4 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 5 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 6 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 7 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 8 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 9 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 10 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 11 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 12 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 13 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 14 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 15 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 16 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 17 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 18 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 19 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 20 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 21 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 22 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 23 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 24 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

19 - 25 IDres = 92 1 ≤ ID ≤ 100 ID1 = 64 ID2 = 85

20 ID Range # Employees Offline Analysis Attack time (m) # steps 1-100 1-10000 1-10000 1-10000 3 4 5 10 57s 2m21s 6m30s 42m09s 2m38s 2m43s 3m08s 4m31s 25 45 48 77

21 - 1 Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

Segment Oracle Side Channel Attacks

21 - 2

harveymudd california

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: Segment Oracle Side Channel Attacks

21 - 3

harveymudd california

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: Segment Oracle Side Channel Attacks

21 - 4

harveymudd

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: harmonicas Segment Oracle Side Channel Attacks

21 - 5

harveymudd

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: harmonicas Segment Oracle Side Channel Attacks

21 - 6

harveymudd

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: harmonicas Segment Oracle Side Channel Attacks

21 - 7

harveymudd

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: harmonicas Segment Oracle Side Channel Attacks

21 - 8

harveymudd

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: harmonicas Segment Oracle Side Channel Attacks

21 - 9

harveymudd

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; }

pw: input: harmonicas

Attacker can brute-force individual characters!

Segment Oracle Side Channel Attacks

String Analysis for Side Channels with Segmented Oracles [IEEE Foundations of Software Engineering 2016]

22 - 1 Attack Synthesis vs. PW Checker

22 - 2

ε fzgk daaz zgap uaak bnza ecjq zmna tzar zmna maau vzsc qyas asvr cmxq csja cnte cwcs ctdo cved cvfo ceyu ciil ciub ciij cimq citz ciqz ciaz ciok cida cijw . . . cigz cisu cisp cine ciqk ciqi ciqz ciqz ciqu ciqz ciqc ciqz ciqe ciqr . . . ciqk ciqd ciqd ciqr ciqz

Phase 0 Phase 1 Phase 2 Phase 3

ciqa ciqa ciqg ciqa

Phase 4 Attack Synthesis vs. PW Checker

22 - 3

ε fzgk daaz zgap uaak bnza ecjq zmna tzar zmna maau vzsc qyas asvr cmxq csja cnte cwcs ctdo cved cvfo ceyu ciil ciub ciij cimq citz ciqz ciaz ciok cida cijw . . . cigz cisu cisp cine ciqk ciqi ciqz ciqz ciqu ciqz ciqc ciqz ciqe ciqr . . . ciqk ciqd ciqd ciqr ciqz

Phase 0 Phase 1 Phase 2 Phase 3

ciqa ciqa ciqg ciqa

Phase 4 Attack Synthesis vs. PW Checker

22 - 4

ε fzgk daaz zgap uaak bnza ecjq zmna tzar zmna maau vzsc qyas asvr cmxq csja cnte cwcs ctdo cved cvfo ceyu ciil ciub ciij cimq citz ciqz ciaz ciok cida cijw . . . cigz cisu cisp cine ciqk ciqi ciqz ciqz ciqu ciqz ciqc ciqz ciqe ciqr . . . ciqk ciqd ciqd ciqr ciqz

Phase 0 Phase 1 Phase 2 Phase 3

ciqa ciqa ciqg ciqa

Phase 4 Attack Synthesis vs. PW Checker

22 - 5

ε fzgk daaz zgap uaak bnza ecjq zmna tzar zmna maau vzsc qyas asvr cmxq csja cnte cwcs ctdo cved cvfo ceyu ciil ciub ciij cimq citz ciqz ciaz ciok cida cijw . . . cigz cisu cisp cine ciqk ciqi ciqz ciqz ciqu ciqz ciqc ciqz ciqe ciqr . . . ciqk ciqd ciqd ciqr ciqz

Phase 0 Phase 1 Phase 2 Phase 3

ciqa ciqa ciqg ciqa

Phase 4 Attack Synthesis vs. PW Checker

22 - 6

ε fzgk daaz zgap uaak bnza ecjq zmna tzar zmna maau vzsc qyas asvr cmxq csja cnte cwcs ctdo cved cvfo ceyu ciil ciub ciij cimq citz ciqz ciaz ciok cida cijw . . . cigz cisu cisp cine ciqk ciqi ciqz ciqz ciqu ciqz ciqc ciqz ciqe ciqr . . . ciqk ciqd ciqd ciqr ciqz

Phase 0 Phase 1 Phase 2 Phase 3

ciqa ciqa ciqg ciqa

Phase 4 Attack Synthesis vs. PW Checker

22 - 7

ε fzgk daaz zgap uaak bnza ecjq zmna tzar zmna maau vzsc qyas asvr cmxq csja cnte cwcs ctdo cved cvfo ceyu ciil ciub ciij cimq citz ciqz ciaz ciok cida cijw . . . cigz cisu cisp cine ciqk ciqi ciqz ciqz ciqu ciqz ciqc ciqz ciqe ciqr . . . ciqk ciqd ciqd ciqr ciqz

Phase 0 Phase 1 Phase 2 Phase 3

ciqa ciqa ciqg ciqa

Phase 4 Attack Synthesis vs. PW Checker

22 - 8 Attack Synthesis vs. PW Checker Offline time: 9m54s Attack time: 19m03s Attack steps: 79

23 - 1

int memcmp(s1, s2, n) CONST VOID *s1; CONST VOID *s2; size t n; { unsigned char u1, u2; for ( ; n−− ; s1++, s2++) { u1 = * (unsigned char *) s1; u2 = * (unsigned char *) s2; if ( u1 != u2) { return (u1-u2); } } return 0; }

23 - 2

int memcmp(s1, s2, n) CONST VOID *s1; CONST VOID *s2; size t n; { unsigned char u1, u2; for ( ; n−− ; s1++, s2++) { u1 = * (unsigned char *) s1; u2 = * (unsigned char *) s2; if ( u1 != u2) { return (u1-u2); } } return 0; }

Xbox OS, HMAC signatures compared with memcmp! Allowed insecure kernel downgrade.

24 - 1

Space/Time Analysis for Cybersecurity Benchmark

24 - 2

Space/Time Analysis for Cybersecurity Benchmark

24 - 3

Space/Time Analysis for Cybersecurity Benchmark

24 - 4

Space/Time Analysis for Cybersecurity Benchmark

24 - 5

Space/Time Analysis for Cybersecurity Benchmark

24 - 6

Space/Time Analysis for Cybersecurity Benchmark

24 - 7

Space/Time Analysis for Cybersecurity Benchmark

24 - 8

Space/Time Analysis for Cybersecurity Benchmark

25

Space/Time Analysis for Cybersecurity Benchmark

STAC–1 STAC–3 STAC–11A STAC–11B STAC–4 STAC–12

Number of Attack Steps Attack Synthesis Time |S|, Secret Domain Size |S|, Secret Domain Size

26

Closing Remark

Boolean compare(String pw, String input){ for(int i = 0; i < pw.length, i++) if(pw[i] != input[i]) return false; return true; } “Premature optimization is the root of all evil.” - Donald Knuth

27 Maximize

H(i)

i ∗ Symbolic Execution Model Counting Entropy

H(i)

Summary Contributions

Quantifying side-channel leaks with model counting. Static offline attack synthesis. Dynamic online attack synthesis with noise. QIF and attack synthesis for segment oracles.

28

29

Publications during PhD

Bang, Aydin, Phan, Pasareanu, Bultan. [FSE 2016] “String Analysis for Side Channels with Segmented Oracles.” Bang, Rosner, Bultan. [Euro S&P 2018] “Online Synthesis of Adaptive Side-Channel Attacks Based On Noisy Observations.” Bang, Aydin, Bultan. [FSE 2015] “Automatically Computing Path Complexity of Programs.” Aydin, Eiers, Bang, Brennan, Gavrilov, Yu, Bultan. [FSE 2018 (accepted)] “Parameterized Model Counting for String and Numeric Constraints.”

Submitted papers

Saha, Kadron, Eiers, Bang, Bultan. “Attack Synthesis for Strings via Incremental Model Counting and Meta-Heuristics.” Tsiskaridze, Bang, McMahan, Bultan, Sherwood. “Information Leakage in Arbiter Protocols.” Phan, Bang, Pasareanu, Malacaria, Bultan. [CSF 17] “Synthesis of Adaptive Side-Channel Attacks.” Aydin, Bang, Bultan. [CAV 2015] “Automata-Based Model Counting for String Constraints.”