systems security side channel attacks
play

Systems Security: Side-channel attacks Stjepan Picek - PowerPoint PPT Presentation

Sep 06, 2023 •323 likes •824 views

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

  1. Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018

  2. Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

  3. Side-channels Something that enables you to know something about something without directly observing that something. 3 / 48

  4. Side-channels 4 / 48

  5. Side-channels Figure: https://www.strava.com/heatmap#3.10/-108.57419/44.95226/hot/all 5 / 48

  6. Side-channels 6 / 48

  7. Side-channels 7 / 48

  8. Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 8 / 48

  9. Implementation Attacks “Researchers have extracted information from nothing more than the reflection of a computer monitor off an eyeball or the sounds emanating from a printer.” - Scientific American, May 2009. 9 / 48

  10. Cryptographic Theory vs Physical Reality ❼ Cryptographic algorithms are (supposed to be) theoretically secure. ❼ Implementations lean in physical world. 10 / 48

  11. Implementation Attack Categories ❼ Side-channel attacks. ❼ Faults. ❼ Microprobing. 11 / 48

  12. Taxonomy of Implementation Attacks ❼ Active vs passive. ❼ Active: 1 Active: the key is recovered by exploiting some abnormal behavior. 2 Insertion of signals. ❼ Passive: 1 The device operates within its specifications. 2 Reading hidden signals. 12 / 48

  13. Implementation Attacks Implementation attacks Implementation attacks do not aim at the weaknesses of the algorithm, but on its implementation. ❼ Side-channel attacks (SCAs) are passive, non-invasive attacks. ❼ SCAs represent one of the most powerful category of attacks on crypto devices. 13 / 48

  14. Examples of Implementation Attacks ❼ KeeLoq: eavesdropping from up to 100 m. ❼ PS3 hack due to ECDSA implementation failed. ❼ Attacks on Mifare Classic, Atmel CryptoMemory. ❼ Spectre and Meltdown. 14 / 48

  15. The Goals of Attackers ❼ Secret data. ❼ Location. ❼ Reverse engineering. ❼ Theoretical cryptanalysis. ❼ ... 15 / 48

  16. Physical Security in the Beginning ❼ Tempest – already known in 1960s that computers generate EM radiation that leaks information about the processed data. ❼ 1965: MI5 used a microphone positioned near the rotor machine used by Egyptian embassy to deduce the positions of rotors. ❼ 1996: first academic publication on SCA – timing. ❼ 1997: Bellcore attack. ❼ 1999: first publication of SCA – power. 16 / 48

  17. Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 17 / 48

  18. Power Analysis ❼ Direct attacks: 1 Simple Power Analysis – SPA. 2 Differential Power Analysis – DPA. 3 Correlation Power Analysis – CPA. 4 ... ❼ Two-stage attacks: 1 Template attack – TA. 2 Stochastic models. 3 Machine learning-based attacks. 4 ... 18 / 48

  19. Simple Power Analysis ❼ Based on one or a few measurements. ❼ Visual inspection of measurements. ❼ Discovery of data independent but instruction dependent properties. ❼ In symmetric crypto: 1 Number of rounds. 2 Memory access. ❼ In asymmetric crypto: 1 Key length. 2 Implementation details. 3 Key. 19 / 48

  20. SPA 20 / 48

  21. SPA 21 / 48

  22. SPA 22 / 48

  23. Assignment 1 ❼ Learn/remind about DES, AES, RSA. 23 / 48

  24. Differential Power Analysis ❼ Statistical analysis of measurements. 24 / 48

  25. Assignment 2 ❼ Implement DPA. 25 / 48

  26. Correlation Power Analysis ❼ Write a leakage model for the power consumption. ❼ Obtain measurements of power consumption while device is running encryption over different plaintexts. ❼ Attack subparts of the key (divide and conquer approach): 1 Consider all options for subkey. For each guess and trace, use plaintext and guessed subkey to calculate power consumption according to the model. 2 Use the Pearson correlation to differentiate between the modeled and actual power consumption. 3 Decide which subkey guess correlates best to the measured traces. ❼ Combine the best subkey guesses to obtain the secret key. 26 / 48

  27. Pearson’s Correlation ρ X , Y = cov ( X , Y ) E [( X − µ x )( Y − µ y )] = √ (1) E [( X − µ x ) 2 ] E [( Y − µ y ) 2 ] σ x σ y 27 / 48

  28. Leakage Models ❼ Recall, power has two components: static and dynamic. ❼ Static power is required to keep the device running and it depends on the number of transistors inside the device. ❼ Dynamic power depends on data processing. 28 / 48

  29. Leakage Models ❼ Transition = the Hamming distance model. ❼ Counts the number of transitions between 0 → 1 and 1 → 0. ❼ Typical model for ASIC. ❼ Requires j=knowledge of a previous (or succeeding) value. ❼ The Hamming weight model is typical on a precharged data bus in a microcontroller. 29 / 48

  30. The Distinguishers ❼ Difference of Means. ❼ T-test. ❼ Variance test. ❼ Pearson correlation. ❼ Spearman’s rank correlation. ❼ MIA. ❼ ... 30 / 48

  31. Example ❼ Let us consider AES-128 where we use the Hamming weight model. ❼ After the first S-box operation, state = sbox [ input XOR key ] . ❼ Our modeled power consumption for one byte of plaintext p is then h p = Hamming ( sbox [ input p XOR key ]) . ❼ How many key guesses do we need to do for each subkey? ❼ How many in total? 31 / 48

  32. Profiled Attacks ❼ Profiled attacks have a prominent place as the most powerful among side channel attacks. ❼ Within profiling phase the adversary estimates leakage models for targeted intermediate computations, which are then exploited to extract secret information in the actual attack phase. ❼ Template Attack (TA) is the most powerful attack from the information theoretic point of view. ❼ Some machine learning (ML) techniques also belong to the profiled attacks. 32 / 48

  33. Profiled Attacks 33 / 48

  34. Profiled Attacks ❼ Two stage (profiled) attacks are more complicated than the direct attacks. ❼ The attacker must have access to a copy of the device to be attacked. 34 / 48

  35. Template Attack ❼ Using the copy of device, record a large number of measurements using different plaintexts and keys. We require information about every possible subkey value. ❼ Create a template of device’s operation. A template is a set of probability distributions that describe what the power traces look like for many different keys. ❼ On device that is to be attacked, record a (small) number of measurements (called attack traces) using different plaintexts. ❼ Apply the template to the attack traces. For each subkey, record what value is the most likely to be the correct subkey. 35 / 48

  36. Template Attack ❼ When using high-quality templates made from many traces, it is possible to attack a system with a single trace. ❼ Template attack can become unstable if there are more points of interest than measurements per value. 36 / 48

  37. Assignment 3 ❼ Implement TA. 37 / 48

  38. Machine Learning-based Attacks ❼ In symmetric crypto, machine learning-based attacks are mostly supervised learning approaches. ❼ Up to now, various techniques have been used with great success: SVM, Random Forest, Multi layer Perceptron, CNNs. ❼ The attack goes in two phases: 1 Train a model from the training set (measurements with labels). 2 Apply the model to the testing set (measurements without labels). 38 / 48

  39. Reality Is More Complicated ❼ Pre-processing. ❼ Feature engineering. ❼ Model Selection. ❼ Hyper parameter optimization. ❼ Fighting with countermeasures. ❼ ... 39 / 48

  40. Reality Is More Complicated ❼ Constraints for implementing countermeasures (software and hardware). ❼ Optimization can make SCA easier. ❼ Trade-off between practical and academic attacks. 40 / 48

  41. Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 41 / 48

  42. Fault Injection ❼ Alter the correct functioning of a system. ❼ Often called perturbation attacks. ❼ Fault injection is very hard (accuracy, reproducibility). ❼ The equipment is expensive. 42 / 48

  43. Methods ❼ Variations in supply voltage. ❼ Variation in external clock. ❼ Change in temperature. ❼ White light. ❼ X-rays and ion beams. 43 / 48

  44. Goals ❼ Insert computational fault (null key, wrong crypto result). ❼ Change software decision (force approval of wrong PIN, enforce access rights). ❼ ... 44 / 48

  45. Force Approval of Wrong PIN 45 / 48

  46. Types of Fault Injection ❼ Non invasive: glitching (clock, power supply). ❼ Semi invasive: UV lights, laser, optical fault injection. ❼ Invasive: microprobing, FIB probing. 46 / 48

  47. Differential Fault Analysis – DFA ❼ The attacker obtains a pair of ciphertexts derived by encrypting the same plaintext. ❼ One is correct value and one is faulty. ❼ Two encryptions are identical up to the point where the fault occurred. ❼ Two ciphertexts can be regarded as outputs of round reduced ciphers where the inputs are unknown but show a small differential. 47 / 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel

The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel

The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks David Molnar , Matt Piotrowski, David Schultz, and David Wagner UC-Berkeley and MIT Regular Cryptographic Attacks Key k Idealized

423 views • 11 slides
Fi Fingerprinting t g the C Check cker Po Policies of Pa Parallel File Systems Runzhou Han ,

Fi Fingerprinting t g the C Check cker Po Policies of Pa Parallel File Systems Runzhou Han ,

PDSW 2020:5TH INTERNATIONAL PARALLEL DATA SYSTEMS WORKSHOP Fi Fingerprinting t g the C Check cker Po Policies of Pa Parallel File Systems Runzhou Han , Duo Zhang, Mai Zheng Parallel File Systems (PFSes) PFS is the cornerstone of high

1.08k views • 59 slides
KeY Version for MISRA C Daniel Larsson KeY Symposium Gteborg, June 2005 KeY Version for MISRA

KeY Version for MISRA C Daniel Larsson KeY Symposium Gteborg, June 2005 KeY Version for MISRA

KeY Version for MISRA C Daniel Larsson KeY Symposium Gteborg, June 2005 KeY Version for MISRA C p.1/11 CEDES CEDES ( C ost E fficient D ependable E lectronic S ystems) Software-based methods for fault tolerance & fault handling

989 views • 11 slides
FAUL T TOLERANCE FOR M UL TI-CORE AND M ANY-CORE PROCESSORS Vanessa VARGAS PhD candidate in

FAUL T TOLERANCE FOR M UL TI-CORE AND M ANY-CORE PROCESSORS Vanessa VARGAS PhD candidate in

FAUL T TOLERANCE FOR M UL TI-CORE AND M ANY-CORE PROCESSORS Vanessa VARGAS PhD candidate in Nano Electronics and Nano T echnologies Universit de Grenoble Alpes - France Professor at Universidad de las Fuerzas Armadas ESPE Department of

658 views • 40 slides
Software Quality & Software Quality Assurance p. 1 Software Quality A definition of

Software Quality & Software Quality Assurance p. 1 Software Quality A definition of

Software Quality & Software Quality Assurance p. 1 Software Quality A definition of quality should emphasize three important points: 1. Software requirements are the foundation from which quality is measured. Lack of conformance to

326 views • 13 slides
Challenging Anti-fragile Blockchain systems Miguel Gonzlez Univ. Lille 1 1 What is

Challenging Anti-fragile Blockchain systems Miguel Gonzlez Univ. Lille 1 1 What is

Challenging Anti-fragile Blockchain systems Miguel Gonzlez Univ. Lille 1 1 What is Anti-fragile? Harmed by Resilient to Benefits and Learns disorder disorder from disorder 2 Systems considered anti-fragile Financial system

386 views • 16 slides
Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L.

Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L.

Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L. Soares J. Pereira losoares@di.uminho.pt jop@di.uminho.pt Distributed Systems Group Informatics Department University of Minho PORTUGAL L. Soares

461 views • 17 slides
Keynote

Keynote

Keynote Agile, Lean, Rugged The Paper Edition!

796 views • 51 slides
Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow

Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow

Lazart: a symbolic approach for evaluating the robustness of secured codes against control flow fault injections M. L. Potet L. Mounier M. Puys L. Dureuil VERIMAG University of Grenoble Alpes, France SDTA 2014 First presented in ICST 2014

565 views • 21 slides

More recommend