something with implementations
play

Something with implementations Peter Schwabe June 23, 2016 - PowerPoint PPT Presentation

May 25, 2023 •806 likes •1.47k views

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Part I: How to make software secure Something with implementations 2 Timing Attacks General idea of those attacks Secret

  1. Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017

  2. Part I: How to make software secure Something with implementations 2

  3. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Something with implementations 3

  4. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) Something with implementations 3

  5. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) ◮ Some attacks work by measuring network delays ◮ Attacker does not even need an account on the target machine Something with implementations 3

  6. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) ◮ Some attacks work by measuring network delays ◮ Attacker does not even need an account on the target machine ◮ Can’t protect against timing attacks by locking a room ◮ This talk: don’t consider “local” side-channel attacks Something with implementations 3

  7. Problem No. 1 if(secret) { do_A(); } else { do_B(); } Something with implementations 4

  8. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” Something with implementations 5

  9. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” Something with implementations 5

  10. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” ◮ Rejection sampling: “if a < q : accept a ” Something with implementations 5

  11. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” ◮ Rejection sampling: “if a < q : accept a ” ◮ Byte-array (tag) comparison: “if a [ i ] � = b [ i ] : return” Something with implementations 5

  12. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” ◮ Rejection sampling: “if a < q : accept a ” ◮ Byte-array (tag) comparison: “if a [ i ] � = b [ i ] : return” ◮ Sorting and permuting: “if a < b : branch into subroutine” Something with implementations 5

  13. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if Something with implementations 6

  14. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B Something with implementations 6

  15. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B ◮ Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication Something with implementations 6

  16. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B ◮ Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication ◮ For very fast A and B this can even be faster Something with implementations 6

  17. Problem No. 2 table[secret] Something with implementations 7

  18. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes T [32] . . .T [47] T [48] . . .T [63] ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache T [96] . . .T [111] T [112] . . .T [127] T [128] . . .T [143] T [144] . . .T [159] T [160] . . .T [175] T [176] . . .T [191] T [192] . . .T [207] T [208] . . .T [223] T [224] . . .T [239] T [240] . . .T [255] Something with implementations 8

  19. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes attacker’s data attacker’s data ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache attacker’s data ◮ The attacker’s program replaces some attacker’s data attacker’s data cache lines attacker’s data T [160] . . .T [175] T [176] . . .T [191] T [192] . . .T [207] T [208] . . .T [223] attacker’s data attacker’s data Something with implementations 8

  20. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some ??? ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] T [192] . . .T [207] T [208] . . .T 223] ??? ??? Something with implementations 8

  21. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some ??? ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] ◮ Attacker loads his data: T [192] . . .T [207] T [208] . . .T 223] ??? ??? Something with implementations 8

  22. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some attacker’s data ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] ◮ Attacker loads his data: T [192] . . .T [207] ◮ Fast: cache hit (crypto did not just T [208] . . .T 223] load from this line) ??? ??? Something with implementations 8

  23. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some T [112] . . .T [127] ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] ◮ Attacker loads his data: T [192] . . .T [207] ◮ Fast: cache hit (crypto did not just T [208] . . .T 223] load from this line) ??? ◮ Slow: cache miss (crypto just loaded ??? from this line) Something with implementations 8

  24. The general case Loads from and stores to addresses that depend on secret data leak secret data. Something with implementations 9

  25. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe Something with implementations 10

  26. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? Something with implementations 10

  27. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” Something with implementations 10

  28. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” Something with implementations 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations : inst 1 , inst 2 Contracts vs. Implementations Boolean expressions for Contracts: exp 1 , exp 2 , exp 3 , exp 4 , exp 5 feature -- Commands

231 views • 6 slides
Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array Vector Linked Chain 2 Stack ADT #ifndef STACK_H_ #define STACK_H_ template&lt;&lt;typename ItemType&gt; class

1.19k views • 71 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Introduction Methodology Implementations Results Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla Kishore Kumar Surapathi Bilal Habib Susheel Vadlamudi Smriti Gurung John Pham Cryptographic

461 views • 29 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by

Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by

Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by looking at ways to re-index values of n and k. Idea: Using properties of addition and multiplication we can rewrite the equation. 1

541 views • 22 slides
Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on

Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on

Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on Privacy of Advance Web APIs 12 July, 2010. London, United Kingdom. Implementations iOS 4 Firefox 3.6 Chrome 6 Opera 10.6 Critical

445 views • 20 slides
Common Eiffel Errors: Contracts vs. Implementations EECS3311 A: Software Design Fall 2018 C HEN

Common Eiffel Errors: Contracts vs. Implementations EECS3311 A: Software Design Fall 2018 C HEN

Common Eiffel Errors: Contracts vs. Implementations EECS3311 A: Software Design Fall 2018 C HEN -W EI W ANG Contracts vs. Implementations: Definitions In Eiffel, there are two categories of constructs: Implementations are step-by-step

246 views • 23 slides
Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth,

Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth,

Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth, Sebastian Schildt, Lars Wolf Wolf-Bastian P September 23, 2011: CHANTS Workshop, Las Vegas, NV Motivation Several Bundle Protocol (BP) implementations

874 views • 17 slides
Multi-rate Signal Processing 4. Multistage Implementations 5. Multirate Application: Subband

Multi-rate Signal Processing 4. Multistage Implementations 5. Multirate Application: Subband

4 Multistage Implementations 5 Some Multirate Applications Multi-rate Signal Processing 4. Multistage Implementations 5. Multirate Application: Subband Coding Electrical &amp; Computer Engineering University of Maryland, College Park

891 views • 24 slides
Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox, Doug Woos, Zachary Tatlock, and Karl Palmskog We should verify implementations of distributed systems... ...and we have! Framework Prover

1.41k views • 86 slides
The PKIX Standards and PKI Implementations Simos Xenitellis University of London

The PKIX Standards and PKI Implementations Simos Xenitellis University of London

The PKIX Standards and PKI implementations The PKIX Standards and PKI Implementations Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 16th May, 2000, University of London The PKIX Standards and PKI implementations Agenda

513 views • 29 slides
Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View

Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View

Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View Implementations Designing testable code High-level Model-View design T est-drivers and mock objects Unit test execution KDE ItemViews

268 views • 23 slides
Erlang SCCP/TCAP/MAP Implementations Harald Welte &lt;laforge@gnumonks.org&gt; gnumonks.org

Erlang SCCP/TCAP/MAP Implementations Harald Welte &lt;laforge@gnumonks.org&gt; gnumonks.org

The GSM core network Erlang in Osmocom Core Network protocol implementations Erlang SCCP/TCAP/MAP Implementations Harald Welte &lt;laforge@gnumonks.org&gt; gnumonks.org hmw-consulting.de sysmocom GmbH October 13, 2012 - OSDC.fr - Paris /

1.06k views • 35 slides
Optimization of HPSG Grammar Implementations in Trale Georgiana Dinu Optimization of HPSG

Optimization of HPSG Grammar Implementations in Trale Georgiana Dinu Optimization of HPSG

Optimization of HPSG Grammar Implementations in Trale Georgiana Dinu Optimization of HPSG Grammar Implementations in Trale p. 1/2 Summary The optimization problem Background Examples Optimization of HPSG Grammar Implementations

754 views • 26 slides
A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien Courouss, Jean-Louis Lanet and Ronan Lashermes July 27th 2016 A template attack against Verify PIN algorithms Le Bouder et al. July 27th 2016 1/23

590 views • 30 slides
Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
,kicking ng &amp; s &amp; scream eaming ng Sibin Mohan Dagstuhl 2016 Dept. of Computer

,kicking ng &amp; s &amp; scream eaming ng Sibin Mohan Dagstuhl 2016 Dept. of Computer

n ,kicking ng &amp; s &amp; scream eaming ng Sibin Mohan Dagstuhl 2016 Dept. of Computer Science Information Trust Institute sibin@illinois.edu @sibinmohan Physically isolated Attacks on Industrial Control Systems [Stuxnet!]

766 views • 48 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Just like fishing, it can be frustrating at times most needed multiple attempts, which is fine casting

483 views • 19 slides
TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D.

TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D.

TLAPS : The TLA + Proof System Stephan Merz joint work with K. Chaudhuri, D. Cousineau, D. Doligez, L. Lamport INRIA Nancy Microsoft Research - INRIA Joint Centre Saclay http://www.msr-inria.inria.fr/Projects/tools-for-formal-specs Deduction

486 views • 36 slides
Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure

Making TLA + Model Checking Symbolic Igor Konnov Joining Interchain Foundation in August Jure Kukovec Thanh-Hai Tran VeriDis + Matryoushka seminar, Amsterdam, June 2019 Why TLA + ? Rich specification language TLA + is used in industry, e.g.,

699 views • 46 slides
Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk,

Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk,

Model Checking TLA+ Specifications Shiji Bijo shijib@ifi.uio.no Institutt for informatikk, Universitetet i Oslo June 2, 2015 1 / 37 Introduction TLA: temporal logic of actions combination of Logic of actions standard temporal logics

597 views • 37 slides

More recommend