
Thermo Attacks - On Temperature Side Channels and Heating Faults



  1. Thermo Attacks - On Temperature Side Channels and Heating Faults
     Michael Hutter and Jörn-Marc Schmidt, February 28, 2014
     Sections: Introduction | SCA | Faults | Remanence | Conclusions (slide 1 / 24)

  2. Related Work
     - A. Shamir, E. Tromer, D. Genkin - “Acoustic cryptanalysis” [7, 14]
       - Vibration of electronic components causes low-level acoustic noise
       - Exploit the acoustic emissions to get information about processed data
     - Several low-temperature attacks
       - S. Skorobogatov [15] and D. Samyde et al. [13]
       - Cooling down SRAM (−50 °C) will freeze the data
       - Allows reading out of data even seconds after power down
       - Similar to cold-boot attacks [12]
     - J. Brouchier et al. - “Thermocommunication” (2009) [3, 4]
       - Cooling fan can carry information about the processed data

  3. Outline
     1. Introduction
     2. Temperature Side Channel
     3. High-Temperature Fault Attacks
     4. Exploiting Data-Remanence Effects
     5. Conclusions

  4. The Temperature Side Channel
     - Electrical current causes heat
     - Heat is proportional to the power consumption
     - Temperature of the ATmega162 is measured using a Resistance Temperature Detector (PT100 RTD sensor)
     - AD693 is an analog conditioning circuit to amplify the sensor signals (voltage to current converter, 4 ... 20 mA to 0 ... 104 °C)
     - [Figure: measurement setup. Labels: PT100, AD693 amplifier, power supply DC 26 V, 390 Ω, ATmega162, digital-storage oscilloscope, PC, oscilloscope control]

  5. The Measurement Setup
     - Rear-side de-capsulated chip
     - The silicon substrate offers a good thermal conductivity for the RTD sensor (about 150 W/(m·K))

  6. Temperature Leakage Characterization
     - We measured the temperature dissipation of various instructions, e.g. MOV, ADD, EOR, and MUL
     - Evaluated the impact of thermal conductivity and capacitance
       - Targeted one byte that is processed and stored in 24 internal registers (and cleared before writing)
       - Executed the instructions in a loop
     - Long acquisition window of 20 seconds
       - First 10 seconds: process zero values
       - Second 10 seconds: process all possible byte values ($2^8$)
       - We averaged 100 traces per value to reduce noise

  7. AVR Results
     - [Plots: temperature [°C] over time [s] for HW=0 to HW=8; mean temperature [°C] over the possible values of the intermediate byte]
     - The temperature side-channel obviously leaks the Hamming weight of the processed data
     - Data caused an averaged DC increase/decrease (0.3 °C)

  8. PIC16F84 Results
     - [Plots: mean temperature [°C] over time [s], left and right]
     - Leakage of 0x00 → 0xFF (left plot) and 0xFF → 0x00 (right plot)
     - No chip decapsulation
     - RTD placed on top of package

  9. Observed Characteristics
     - Temperature variation is limited by the physical property of thermal conductivity
     - Heat flow can be seen as a (low-pass) RC network with a cut-off frequency of some kHz
     - [Figure: thermal network. Labels: transistor, junction, case (heat sink), ambient temperature]
     - Higher frequency leakages are filtered
     - Temperature sensor has limitations in response time and acquisition resolution (100 ms and 0.01 °C)

  10. Attack Scenarios
     1. Loops and continuous leakages
        - Implementation repeatedly checks a password (as similarly argued by Brouchier et al. [3, 4])
        - Password is written continuously from memory into registers
        - Or target RSA similar to [14]
        - The dissipated temperature can then be exploited to reveal the password
     2. Exploiting static leakage
        - Assuming a device is leaking information in the static power consumption (Moradi [11], Giorgetti et al. [8], or Lin et al. [10])
        - The clock signal can then be stopped, e.g., after the first AES S-box operation (note: on many smart cards this is not always possible!)
        - Secret key material (or intermediate values related to the key) can be extracted from the temperature side channel
        - Advantage: plenty of time available to measure the temperature leak

  11. Exploiting Heating Faults
     - Well known attack, but fewer details available in literature
     - The device is exposed to extensive heating (> 150 °C)
       - ATmega162 operated beyond the maximum ratings
       - Target implementation was CRT-RSA
     - Bellcore attack [2]
       - CRT allows computing two exponentiations in smaller sub-groups (faster)
       - Signature $S \equiv \mathrm{CRT}\big((m^d \bmod p),\ (m^d \bmod q)\big) \bmod n$
       - Injection of a random fault $\Delta$ causes the device to output a faulty signature $\tilde{S} \equiv \mathrm{CRT}\big((m \bmod p)^d,\ (m \bmod q)^d + \Delta\big) \bmod n$
       - Now $p = \gcd(\tilde{S} - S,\ n)$ can be calculated to factorize $n$ and to reveal the RSA primes $p$ and $q$

  12. The Used Setup
     - Laboratory heating plate from Schott instruments (SLK 1)
       - ATmega162 placed directly on top of the hot-plate surface
       - Temperature measured with two PT100s
     - “Flying” connections
       - Exposed wires to avoid any contact to the hot plate: serial connection, power supply, clock signal, and reset
     - Controller
       - Spartan-3 FPGA-based board
       - Allows turning off/on signals

  13. Results
     - ATmega162 does not respond after 160 °C
     - Faults occurred between 152 and 158 °C
       - Within 70 minutes, we got 100 faults
       - 31 revealed one of the primes of the modulus: 15 revealed p, 16 revealed q
       - 7 faults produced the same RSA output
     - Same result also for 10 other ATmega162 devices
       - E.g., 182 faults within 30 minutes
       - Mean and fault temperature varies per device
     - [Plot: frequency of fault occurrence over temperature [°C], 150 to 160 °C]

  14. Exploiting Data-Remanence Effects
     - Data stored in SRAM for a long period of time leaves a permanent mark, cf. P. Gutmann [9]
     - Can be recovered by reading out the preferred power-up values
       - Practically exploited by R. Anderson and M. Kuhn [1] in 1997, recovered over 90 % of a DES key of a late 1980s bank card
       - Harder on newer SRAM structures, 18 % recoverable (cf. Cakir [5])
     - Effect is due to aging where transistor parameters change (speed, current drive, noise margin)
     - Extensive heating accelerates aging
       - Negative Bias Temperature Instability (NBTI)
       - SRAM cells get “weaker” and tend to a certain bit value
     - Two NBTI degradation components: permanent and transient damage [6]

  15. Permanent Data Remanence Effect
     1. Tests performed on new ATmega162; preferred power-up values are around 50 %
     2. We wrote randomly distributed data to SRAM (3 072 bits to “1” and 3 072 bits to “0”, 6 144 out of 8 192 bits total)
     3. Exposed the device to extensive burn-in stress
        - 100 °C for 36 hours at 5.5 volts
        - SRAM cells got biased: 52.24 % → 1, 47.75 % → 0
        - 919 bits (15 %) changed their state, i.e., 30 % are unstable
        - > 95 % of the bits tended to the correct value
        - In total, we can predict 63 % correctly
     - [Plot: success rate [%] over burn-in stress time [h]; series: predicting a "1", predicting a "0"]

  16. Transient Data Remanence Effect
     1. Read out the SRAM content every 4 seconds during burn-in stress
     2. Heated up to 170 °C and turned off heating afterwards
        - “Weak” SRAM cells tend to “0” during heating
        - They move back to preferred state after cooling
        - Can be used to identify “unstable” bits
        - Around 30 % have been identified to be unstable
     - [Plot: bit value probability [%] over burn-in stress time [seconds]; series: "1" values, "0" values; phases: heating, cooling]
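The characterization procedure of slides 6 and 7 (all $2^8$ byte values, 100 averaged traces each, then comparison against the Hamming weight) run as a leakage assessment on constructed data. This is an added example, not code or data from the presentation; the linear Hamming-weight model, the baseline, the noise level, the reading of the 0.3 °C figure as the HW=0 to HW=8 difference, and all function names are assumptions.

```python
import random
from statistics import mean

RESOLUTION = 0.01    # °C, sensor resolution from slide 9
TRACES = 100         # traces averaged per byte value (slide 6)
DC_SPAN = 0.3        # °C, assumed to be the HW=0 to HW=8 difference
BASE = 26.6          # °C, assumed baseline
NOISE_SIGMA = 0.2    # °C, assumed per-reading noise


def hw(value):
    """Hamming weight of a byte."""
    return bin(value).count("1")


def reading(value, rng):
    """One constructed sensor reading: linear HW model, noise, quantisation."""
    t = BASE + DC_SPAN * hw(value) / 8 + rng.gauss(0.0, NOISE_SIGMA)
    return round(t / RESOLUTION) * RESOLUTION


def mean_temperatures(traces, seed=1):
    """Mean temperature for each of the 2^8 byte values."""
    rng = random.Random(seed)
    return [mean(reading(v, rng) for _ in range(traces)) for v in range(256)]


def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5


def hw_correlation(temps):
    """Correlation between Hamming weight and mean temperature per value."""
    return pearson([hw(v) for v in range(256)], temps)


def class_means(temps):
    """Mean temperature per Hamming-weight class 0..8."""
    return [mean(t for v, t in enumerate(temps) if hw(v) == w) for w in range(9)]


if __name__ == "__main__":
    print("1 trace   :", round(hw_correlation(mean_temperatures(1)), 2))
    print("100 traces:", round(hw_correlation(mean_temperatures(TRACES)), 2))
```

Under these assumptions a single reading per value correlates only weakly with the Hamming weight, while the 100-trace average separates the classes despite the 0.01 °C quantisation.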
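The Bellcore relation from slide 11 worked through on toy numbers, together with the verify-before-release check that makes a CRT-RSA signer withhold a faulty signature. This is an added example, not code from the presentation; the two Mersenne primes, the exponent 65537, the Garner recombination, the unpadded message and the function names are assumptions chosen for illustration.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def crt_sign(m, delta_p=0, delta_q=0):
    """CRT-RSA signature of m; delta_p/delta_q model a fault Δ in one half."""
    sp = (pow(m % P, D % (P - 1), P) + delta_p) % P
    sq = (pow(m % Q, D % (Q - 1), Q) + delta_q) % Q
    # Garner recombination: S ≡ sp (mod p) and S ≡ sq (mod q)
    h = (pow(Q, -1, P) * (sp - sq)) % P
    return sq + Q * h


def leaked_factor(s, s_faulty):
    """gcd(S~ - S, n) from slide 11; a non-trivial result is a prime of n."""
    return gcd(abs(s_faulty - s), N)


def sign_checked(m, delta_p=0, delta_q=0):
    """Countermeasure: verify with the public exponent before releasing S."""
    s = crt_sign(m, delta_p, delta_q)
    if pow(s, E, N) != m % N:
        raise ValueError("fault detected, signature withheld")
    return s


if __name__ == "__main__":
    m = 0x1234567                      # constructed message representative
    s = crt_sign(m)
    print("fault in q half ->", leaked_factor(s, crt_sign(m, delta_q=1)) == P)
    print("fault in p half ->", leaked_factor(s, crt_sign(m, delta_p=1)) == Q)
    print("fault in both   ->", leaked_factor(s, crt_sign(m, 1, 1)))
    try:
        sign_checked(m, delta_q=1)
    except ValueError as err:
        print("checked signer:", err)
```

A fault confined to one half leaves the other half correct, so the difference of the two signatures is a multiple of exactly one prime; a fault that corrupts both halves yields a gcd of 1.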
