attacks
play

Attacks August 28, 2019 Conference on Cryptographic Hardware and - PowerPoint PPT Presentation

Dec 08, 2022 •19 likes •369 views

Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on

  1. Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca’ Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on Cryptographic Hardware and Atlanta, USA Embedded Systems 2019

  2. Fau ault lt what? t? • Exploits hardware vulnerabilities to “create” new bugs • Influence (inject) a system with internal / external stimuli • Alter the intended execution flow / behavior • Skip instructions , influence branch decisions, corrupt memory locations, etc. • Bypass security checks, leak data or crypto material, create side- channels, etc. • Non-invasive to invasive techniques: clock, voltage, EM, FIB, laser, heat, flash, etc.

  3. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  4. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  5. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  6. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  7. DAC-based glitch generator Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms DESIDERATA  Stable and repeatable results  High degree of freedom in glitch generation  Software managed attack parameters  Low-cost and easy to build setup

  8. DAC-based glitch generator Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms

  9. DAC-based glitch generator Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms  Rising and falling edges affect V-FI performance [ZDCR14] ? What if different devices / attacks need different glitch waveforms ? ? How do we identify the best match ?

  10. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Need for automatic parameter search and optimization!

  11. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Genetic Algoritm (Selection, Crossover, Mutation, Replacement)

  12. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Cubic interpolation

  13. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Digital-to-Analog conversion

  14. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Precise glitch triggering

  15. Case ase Stu tudy: Ren enesas 78K K Fir Firmware Extr Extraction ● Widely used by the automotive industry ● 32 to 256KB integrated flash memory for firmware / data ● Internal bootloader for flash programming via PC ● No knowledge on the firmware / bootloader code → Blackbox ● Bootloader protocol exposes a set of API via serial interface ○ Program ○ Erase ○ Checksum ○ Verify ● Built-in security mechanisms : ○ Commands operate on 256 bytes aligned memory blocks ○ All programming and erasing commands can be disabled ○ Voltage Supervisor / BOR

  16. Step ep I: I: Fin Findin ing Vuln lnerabil ilit itie ies No read command… Fail  ● Use FI to verify just one byte… Fail  ● Use FI to calculate the checksum of one byte… Fail  ● Use FI to calculate the checksum of 4 bytes (aligned)... ● Use FI to verify 4 bytes (aligned)... ● B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 B11 B12 ... ... B255 B256 Checksum(B1, B256) = 0x10000 - B1 - B2 - B3 - ... - B255 - B256

  17. Step ep I: I: Fin Findin ing Vuln lnerabil ilit itie ies No read command… Fail  ● Use FI to verify just one byte… Fail  ● Use FI to calculate the checksum of one byte… Fail  ● Use FI to calculate the checksum of 4 bytes (aligned)... Success  ● Use FI to verify 4 bytes (aligned)... Success  ● 00 11 22 33 ? ? ? ? AA BB CC DD ? ? ? ? 0x10000 - {B1...B4} = 0xFF9A Verify(0xAA...0xDD) = True/False

  18. Step ep II II: : Leak eakin ing Fla Flash Mem emory ry Con ontent More leaks required  more faults ● Side-channel from the checksum computation? ● def checksum(start, end): if (end != start + 256): raise result = 0x10000 00 11 22 33 for i in range(start, end + 1): result = result - flash[i] return result 0x10000 - {B1...B4} = 0xFF9A

  19. Step ep II II: : Leak eakin ing Fla Flash Mem emory ry Con ontent More leaks required  more faults ● Side-channel from the checksum computation? ● def checksum(start, end): if (end != start + 256): raise result = 0x10000 00 11 22 33 for i in range(start, end + 1): result = result - flash[i] return result 0x10000 - B1 - B3 - B4 = 0xFFAB 0xFF9A - 0xFFAB = 0x11

  20. ● Just inject a fault for every byte, right? Nope . Step St ep III: De Deal With th Timi Timing Err Error ors • What is the extracted value for B3 ? • 0x22 with ~10% probability • 0x33 with ~4% probability • 0x11 with ~3% probability • 0x00 with <1% probability • 0x55 with <1% probability • Plus the false positives! Glitch trigger

  21. Step ep IV IV: Mou ount t the the Fu Full ll Attack ack ● 00 11 22 33 Calculate the sum of B1+B2+B3+B4 = 0x66 ● For each extracted candidate byte Bx : ○ Find all the 4-bytes permutations with Bx ○ Discard permutations which do not sum to 0x66 ○ Glitch the verify command to test each new permutation ○ Stop when the verify is successful ● Iterate for {B5…B8} {B9…B12} … until the flash is dumped! MANY hours later… Candidate #1 Candidate #2 Candidate #3 Candidate #4 11 33 00 22 00 00 22 78 01 32 00 33 00 11 22 33

  22. ● Let the attack go day and night, right? Not that easy. St Step ep V: : Co Comp mpensate for or Temp emperatu ture Err Error ors Bootloader runs from internal oscillator The RC oscillator drift with temperature The rate is about 0.1% / ◦ C With +6 ◦ C the trigger moved by > 4 us Solved by software compensation Glitch trigger

  23. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  24. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  25. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  26. Comparison of the Renesas attack performance for three major V-FI techniques. Just 60KB! Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  27. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  28. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding &amp; DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen Introduction Physical Attacks Active Passive (Fault Attacks) (Observing Attacks) Side Channel Attacks

644 views • 45 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides

More recommend