software side channel analysis attack synthesis
play

Software Side-Channel Analysis: Attack Synthesis Lucas Bang - PowerPoint PPT Presentation

Mar 26, 2023 •142 likes •2.13k views

Software Side-Channel Analysis: Attack Synthesis Lucas Bang Dissertation Defense Committee: Tevfik Bultan (chair) Omer E gecio glu Ben Hardekopf 1 Publications during PhD Aydin, Bang , Bultan. [CAV 2015] Automata-Based Model

  1. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 8 - 14

  2. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. 8 - 15

  3. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. 1 p j 8 - 16

  4. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. 1 log 2 p j 8 - 17

  5. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. � n 1 log 2 p j j =1 p j 8 - 18

  6. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. � n 1 H = log 2 p j j =1 p j 8 - 19

  7. Side Channels and Searching: Entropy secret s ∈ S S i ∈ I i Quantify expected information gain measured in bits. � n 1 H ( i ) = log 2 p j j =1 p j 8 - 20

  8. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i 9 - 1

  9. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i 9 - 2

  10. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i Password Checker Constraints 9 - 3

  11. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i 9 - 4

  12. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i max H ( i ) ⇒ Optimal Search any program constraints 9 - 5

  13. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i max H ( i ) ⇒ Optimal Search any program constraints H ( i ) ??? 9 - 6

  14. Symbolic Execution Execute program on symbolic rather than concrete inputs. Maintain path constraints , PCs, φ j over symbolic inputs. For branch instructions: φ c if(c) then s1; else s2; T F φ ← φ ∧ c φ ← φ ∧ ¬ c φ j ( s, i ) characterizes the relation between s , i , and o j 10 - 1

  15. Symbolic Execution Execute program on symbolic rather than concrete inputs. Maintain path constraints , PCs, φ j over symbolic inputs. Maintain path constraints , PCs, φ j over symbolic inputs. For branch instructions: φ c if(c) then s1; else s2; T F φ ← φ ∧ c φ ← φ ∧ ¬ c φ 1 φ j ( s, i ) characterizes the φ 2 relation between s , i , and o j φ 3 φ 4 10 - 2

  16. )= p ( s ∈ 11 - 1

  17. = # φ ( i ) φ φ )= p ( s ∈ 11 - 2

  18. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ )= p ( s ∈ 11 - 3

  19. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ # φ ( i ) is the number of satisfying solutions (models) for φ ( s, i ) for a given i . )= p ( s ∈ 11 - 4

  20. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ # φ ( i ) is the number of satisfying solutions (models) for φ ( s, i ) for a given i . p ( i ) = # φ ( i ) )= p ( s ∈ | S | 11 - 5

  21. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ # φ ( i ) is the number of satisfying solutions (models) for φ ( s, i ) for a given i . p ( i ) = # φ ( i ) )= p ( s ∈ | S | H ( i ) = � n 1 j =1 p j ( i ) log 2 p j ( i ) 11 - 6

  22. Symbolic Execution Model Counting H ( i ) Information Theory H ( i ) is a symbolic expression that measures the expected information an attacker gains when making input i . 12 - 1

  23. Symbolic Execution Model Counting H ( i ) Information Theory H ( i ) is a symbolic expression that measures the expected information an attacker gains when making input i . H ( i ) Maximize i ∗ Maximizing H ( i ) gives an optimal side-channel attack. [IEEE Computer Security Foundations 2017] 12 - 2

  24. 1. Fully Static Offline Approach Assumes an ideal observation model (i.e. instruction counts). Does not account for actual runtime behavior. 13 - 1

  25. 1. Fully Static Offline Approach Assumes an ideal observation model (i.e. instruction counts). Does not account for actual runtime behavior. 2. Static / Dynamic + Offline / Online Approach Automatically, dynamically estimates runtime observations. Uses Bayesian inference and weighted model counting to account for noise. 13 - 2

  26. Side-Channel Attack Synthesis Under Noisy Conditions [IEEE European Security & Privacy 2018] 14 - 1

  27. 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } 14 - 2

  28. 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 3

  29. 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 4

  30. s ? 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 5

  31. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 6

  32. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 7

  33. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 8

  34. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS s ≤ i ⇒ o = 1 14 - 9

  35. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS s ≤ i ⇒ o = 1 14 - 10

  36. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ s ≤ i Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS s ≤ i ⇒ o = 1 14 - 11

  37. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ s ≤ i s > i Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 12

  38. 15 - 1

  39. Attacker Belief s ? 15 - 2

  40. Attacker Belief s ? 1 8 1 2 3 4 5 6 7 8 15 - 3

  41. Attacker Belief Input Choice s ? i ∗ 1 8 1 2 3 4 5 6 7 8 15 - 4

  42. Attacker Belief Input Choice Observation Noise s ? i ∗ s ≤ i s > i 1 8 1 2 3 4 5 6 7 8 15 - 5

  43. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 15 - 6

  44. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 t = 4.12 15 - 7

  45. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 3 1 8 1 2 3 4 5 6 7 8 t = 4.12 15 - 8

  46. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 15 - 9

  47. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 more likely less likely 1 8 t = 2.3 1 2 3 4 5 6 7 8 15 - 10

  48. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 15 - 11

  49. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) 15 - 12

  50. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( o | s, i ) 15 - 13

  51. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( o | s, i ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 14

  52. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( o | s, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 15

  53. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( o | s, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 16

  54. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 17

  55. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) Bayes’ Rule 15 - 18

  56. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) Bayes’ Rule 15 - 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

List decoding of RM(1,m) and Multi-linear cryptanalysis Application to Power Analysis attacks : MLPA Conclusion and Open persp Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C edric Tavernier

625 views • 29 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to the basics!! details on power / EM leakage (low/high noise scenario) how/where to attack AES? di ff erent attacker models overview of

1.28k views • 74 slides
AES &amp; RSA Side Channel Attack with ChipWhisperer Cleveland State University EEC-581

AES &amp; RSA Side Channel Attack with ChipWhisperer Cleveland State University EEC-581

AES &amp; RSA Side Channel Attack with ChipWhisperer Cleveland State University EEC-581 Computer Architecture Andriy Kucher ChipWhisperer Open-source toolchain for hardware security research. Xilinx S6LX9 FPGA XMEGA MCU Target

105 views • 9 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan Lashermes 1 Yanis Linge 2 Gal Thomas 3 Jean Yves Zie 1 INRIA Rennes, LHS/PEC 2 STMicroelectronics 3 Orange Labs Issy Les Moulineaux October 25th, 2016

315 views • 17 slides
Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read

Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read

Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read Sprabery, Bhargava Gopireddy, Christopher W. Fletcher, Roy Campbell, Josep Torrellas University of Illinois at Urbana-Champaign S&amp;P19 May

304 views • 16 slides
EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1 , Ilya

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1 , Ilya

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1 , Ilya Kizhvatov 2 1 Virginia Tech 2 Radboud University Nijmegen CHES 2018 Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible

629 views • 42 slides
A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg Michael Hutter Mark E. Marson Possible path for post-quantum security Error-correcting codes Quantum computers may threaten the mathematical

892 views • 66 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&amp;P), 2019 (Dustin)

726 views • 44 slides
Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Pure Exploration Stochastic Multi-armed Bandits Jian Li Institute for Interdisciplinary

Pure Exploration Stochastic Multi-armed Bandits Jian Li Institute for Interdisciplinary

CAS2016 Pure Exploration Stochastic Multi-armed Bandits Jian Li Institute for Interdisciplinary Information Sciences Tsinghua University Outline Introduction Optimal PAC Algorithm (Best-Arm, Best-k-Arm): Median/Quantile Elimination

657 views • 53 slides
Approximate Relational Reasoning for Probabilistic Programs PhD Candidate: Federico Olmedo

Approximate Relational Reasoning for Probabilistic Programs PhD Candidate: Federico Olmedo

Approximate Relational Reasoning for Probabilistic Programs PhD Candidate: Federico Olmedo Supervisor: Gilles Barthe IMDEA Software Institute PhD Examination Technical University of Madrid January 9, 2014 Selecting Locations for

959 views • 77 slides
Optimum Source Resolvability Rate with Respect to f -Divergences Using the Smooth Rnyi Entropy

Optimum Source Resolvability Rate with Respect to f -Divergences Using the Smooth Rnyi Entropy

Optimum Source Resolvability Rate with Respect to f -Divergences Using the Smooth Rnyi Entropy Ryo Nomura (Waseda University, Japan) Hideki Yagi (The Universtiy of Electro-Communications, Japan) ISIT2020, June 21-26, 2020 Outline

956 views • 51 slides
Variational regularisation for inverse problems with imperfect forward operators and general

Variational regularisation for inverse problems with imperfect forward operators and general

Variational regularisation for inverse problems with imperfect forward operators and general noise models Leon Bungert 1 , Martin Burger 1 , Yury Korolev 2 and Carola Sch onlieb 2 1 Department Mathematik, University of Erlangen-N urnberg,

252 views • 23 slides
Word Embeddings through Hellinger PCA Rmi Lebret and Ronan Collobert Idiap Research Institute /

Word Embeddings through Hellinger PCA Rmi Lebret and Ronan Collobert Idiap Research Institute /

Word Embeddings through Hellinger PCA Rmi Lebret and Ronan Collobert Idiap Research Institute / EPFL EACL, 29 April 2014 Word Embeddings Continuous vector-space models. Represent word meanings with vectors capturing semantic +

831 views • 46 slides
General estimation theory We have shown that it is possible to win over the shot noise in optical

General estimation theory We have shown that it is possible to win over the shot noise in optical

General estimation theory We have shown that it is possible to win over the shot noise in optical interferometry, by using states with specific quantum features, like states with well-defined number of photons or squeezed states. In these

613 views • 32 slides
Some Tricks for Deep Learning in Complex Dynamical Systems Stuart Gordon Reid Chief Scientist

Some Tricks for Deep Learning in Complex Dynamical Systems Stuart Gordon Reid Chief Scientist

2018-05-21 Some Tricks for Deep Learning in Complex Dynamical Systems Stuart Gordon Reid Chief Scientist NMRQL Research Perfect World 1 t = 0 t = 100 Train Test 1 t = 0 t = 200 Predict 1 2018-05-21 t = 0 t = 100 Concept drift

192 views • 17 slides
Grouping techniques for facing Volume and Velocity in Big Data How to do it using HistDAWass

Grouping techniques for facing Volume and Velocity in Big Data How to do it using HistDAWass

Grouping techniques for facing Volume and Velocity in Big Data How to do it using HistDAWass package for clustering Histogram-valued data Antonio Irpino, PhD University of Campania L. Vanvitelli Dept. of Mathematics and Physics Caserta,

679 views • 52 slides

More recommend