a new categorization system for side channel attacks on
play

A new categorization system for side-channel attacks on mobile - PowerPoint PPT Presentation

Nov 25, 2022 •189 likes •759 views

A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

  1. A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia

  2. Radboud University, Nijmegen, NL 2

  3. Digital Security (DiS) Group 3

  4. DiS research topics ◮ (Applied) Crypto ◮ Symmetric key crypto ◮ Identity-based applications ◮ Smart cards and RFID security ◮ Hardware security ◮ Side-channel analysis and countermeasures ◮ Fault attacks ◮ Efficient implementations of crypto: hardware and software ◮ Post-quantum crypto ◮ Lightweight crypto: protocols and implementations 4

  5. PhD research overview 5

  6. PhD research overview ◮ Postdoc research interests: hardware- and software-based side channel on mobile devices 5

  7. Outline of my talk ◮ Part I : Establishing a covert channel via USB charging cable on mobile devices 6

  8. Outline of my talk ◮ Part I : Establishing a covert channel via USB charging cable on mobile devices ◮ Part II : New categorization system for side-channel attacks on smartphones 6

  9. Part I No Free Charge Theorem: A Covert Channel via USB Charging Cable on Mobile Devices

  10. Acknowledgment ◮ Joint collaboration: ◮ Paper available at: https://arxiv.org/abs/1609.02750 8

  11. Motivation ◮ Increasing use of smartphones 9

  12. Motivation ◮ Increasing use of smartphones ◮ Battery-draining apps (e.g. Pokémon Go) 9

  13. Motivation ◮ Current situation: Airports, airplanes, shopping malls, gyms, museums, etc.. 10

  14. Motivation ◮ Emerging business model 11

  15. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? 12

  16. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! 12

  17. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! ◮ Contributions: ◮ Demonstrated the practicality of using only the power feature of USB charging cable as a covert channel to exfiltrate data from a device while it is connected to a public charging station. 12

  18. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! ◮ Contributions: ◮ Demonstrated the practicality of using only the power feature of USB charging cable as a covert channel to exfiltrate data from a device while it is connected to a public charging station. ◮ Built a proof-of-concept app, PowerSnitch to communicate bits of information in the form of power bursts back to the adversary 12

  19. Research Question ◮ Is it possible to exfiltrate data from a device while it is connected to a public charging station? ◮ ... and the answer is YES!! ◮ Contributions: ◮ Demonstrated the practicality of using only the power feature of USB charging cable as a covert channel to exfiltrate data from a device while it is connected to a public charging station. ◮ Built a proof-of-concept app, PowerSnitch to communicate bits of information in the form of power bursts back to the adversary ◮ Implemented a decoder, which resides on the adversary’s side, i.e., public charging station, to retrieve the binary information embedded in the power bursts. 12

  20. Assumptions ◮ Energy supplier’s side (adversary) ◮ Has physical access to the power meter ◮ Able to monitor and store energy traces through the power meter 13

  21. Assumptions ◮ Energy supplier’s side (adversary) ◮ Has physical access to the power meter ◮ Able to monitor and store energy traces through the power meter ◮ Victim’s side ◮ Has installed the PowerSnitch app ◮ Features of PowerSnitch app : requires access to private data (e.g. contacts), does not rely on traditional permission to transmit data (e.g. WiFi, Bluetooth) 13

  22. Overview of the attack 14

  23. PowerSnitch app ◮ Used to establish a covert channel ◮ Covert channel can be considered as a secret channel used to exfiltrate information from a secured environment in an undetected manner ◮ Can be deployed as a standalone app or as a library in a repackaged app ◮ Runs as a background service ◮ Uses WAKE_LOCK permission to wake up the CPU while phone is in deep sleep mode in order to start transmitting the payload ◮ Works even when user authentication mechanisms (i.e PIN) are in place ◮ Does not use any conventional communication technology (e.g., Wi-Fi, Bluetooth, NFC); can exfiltrate information even if the phone is in airplane mode ◮ Defeats existing USB charging protection dongles, since app only requires the USB power pins to exfiltrate data. 15

  24. Components of the app 16

  25. How does it work? (victim’s side) 17

  26. Overview of the attack - Decoder 18

  27. How does it work? (adversary’s side) 19

  28. Decoder design ◮ Components of the decoder 20

  29. Components of the decoder ◮ 1. Data filtering: ◮ Received signal is passed through a low-pass filter to get rid of high-frequency noises ◮ Helps to smooth the signal and make threshold-based detection of peaks easier 21

  30. Components of the decoder ◮ Data filtering - an example: 22

  31. Components of the decoder ◮ 2. Threshold estimation & 3. Peak detection: ◮ Presence or absence of a peak at a certain time and for a specific period is translated to a corresponding bit 23

  32. Components of the decoder ◮ 2. Threshold estimation & 3. Peak detection: ◮ Presence or absence of a peak at a certain time and for a specific period is translated to a corresponding bit ◮ Peak detection is done by setting an appropriate threshold; anything above the threshold is a peak, else it is just noise 23

  33. Components of the decoder ◮ 2. Threshold estimation & 3. Peak detection: ◮ Presence or absence of a peak at a certain time and for a specific period is translated to a corresponding bit ◮ Peak detection is done by setting an appropriate threshold; anything above the threshold is a peak, else it is just noise ◮ We make use of a ‘start’ and ‘end’ of transmission preamble to set the threshold 23

  34. Evaluation ◮ Android phones: Nexus 4 with Android 5.1.1 (API 22), Nexus 5 with Android 6.0 (API 23), Nexus 6 with Android 6.0 (API 23) and Samsung S5 with Android 5.1.1 (API 22) ◮ Transmitted a payload (from the device) comprising of letters and numbers of ASCII code for a total of 512 bits ◮ Results in terms of Bit Error Ratio (BER) in the transmission of the payload; the lower the BER, the better the quality of the transmission 24

  35. Making PowerSnitch more incognito... ◮ Keep a duty cycle (i.e. the time of power burst in a period) under 50% ◮ Temperature of the device could increase significantly ◮ If attack takes place during battery charge phase, battery will take more time to recharge due to high amount of energy consumed by the CPU 25

  36. Making PowerSnitch more incognito... ◮ Keep a duty cycle (i.e. the time of power burst in a period) under 50% ◮ Temperature of the device could increase significantly ◮ If attack takes place during battery charge phase, battery will take more time to recharge due to high amount of energy consumed by the CPU ◮ Android Debug Bridge (ADB) ◮ It is possible to monitor the CPU power consumption via the ADB ◮ PowerSnitch could easily detect whether ADB setting is active through Settings.Global.ADB_ENABLED , once again provided by an Android API 25

  37. Part II New categorization system for side-channel attacks on smartphones

  38. Side Channel Analysis (SCA) ◮ Previous work: ◮ Smudge attacks on smartphone touch screens (WOOT 2010) ◮ Inferring Keystrokes on Touch Screen from Smartphone Motion (HotSec 2011) ◮ Practicality of accelerometer side channels on smartphones (ACSAC 2012) ◮ ACCessory: Password Inference using Accelerometers on Smartphones (HotMobile 2012) 27

  39. Side Channel Analysis (SCA) ◮ Previous work: ◮ Smudge attacks on smartphone touch screens (WOOT 2010) ◮ Inferring Keystrokes on Touch Screen from Smartphone Motion (HotSec 2011) ◮ Practicality of accelerometer side channels on smartphones (ACSAC 2012) ◮ ACCessory: Password Inference using Accelerometers on Smartphones (HotMobile 2012) ◮ (Smart)watch your taps: side-channel keystroke inference attacks using smartwatches (ISWC 2015) ◮ An empirical study of cryptographic misuse in android applications (CCS 2013) 27

  40. Acknowledgment ◮ Paper available at: https://arxiv.org/pdf/1611.03748v1.pdf 28

  41. Traditional SCA categorization ◮ Active vs. Passive ◮ Invasive vs. semi-invasive vs. non-invasive 29

  42. Traditional SCA categorization ◮ Active vs. Passive ◮ Depending on whether the attacker actively influences the behavior of the device or only passively observes leaking information ◮ Invasive vs. semi-invasive vs. non-invasive 29

  43. Traditional SCA categorization ◮ Active vs. Passive ◮ Depending on whether the attacker actively influences the behavior of the device or only passively observes leaking information ◮ Invasive vs. semi-invasive vs. non-invasive ◮ Depending on whether or not the attacker removes the passivation layer of the chip, depackages the chip, or does not manipulate the packaging at all 29

Recommend

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus

System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why are cache-based side channel

588 views • 38 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke

SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke

SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip Jake Longo 1 Elke De Mulder 2 Dan Page 1 Mike Tunstall 2 1 University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB. UK. 2 Rambus

630 views • 51 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks

Performing Low-cost Electromagnetic Side-channel Attacks using RTL-SDR and Neural Networks Pieter Robyns Motivation and introduction Motivation Information about performing EM side-channel attacks using SDR is quite scarce A few

758 views • 42 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS SIDE CHANNEL ATTACKS

Nicolas Belleville 1 Damien Courouss 1 Karine Heydemann 2 1 Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France Henri-Pierre Charles 1 firstname.lastname@cea.fr 2 Sorbonne Universit, CNRS, LIP6, F-75005, Paris, France

715 views • 53 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet

Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El Mrabet GREYC - LMNO Universit e de Caen Darmstadt 29th of April 2010 1 / 59 Outline Pairing over elliptic curves 1 Definition and properties of

1.55k views • 111 slides
Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Open Source Enclave Workshop 2019 Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer Science & Engineering The Ohio State University Userland TEEs on Commodity Processors Application VM VM

154 views • 14 slides
Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren

Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren

Side-Channel Attacks and Human Secrets Yossi Oren, BGU https://iss.oy.ne.ro @yossioren CROSSING Conference,TU Darmstadt, Germany September 2019 Joint work with Anatoly Shusterman, Lachlan Kang, Yosef Meltser, Yarden Haskal, Prateek Mittal

288 views • 27 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views • 32 slides
Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain

Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain

Introduction Solution Results Conclusions and perspectives Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Damien Marion and Olivier Rioul Saturday August 20, 2016

1.11k views • 36 slides

More recommend