AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS
Nicolas Belleville (1), Damien Couroussé (1), Karine Heydemann (2), Henri-Pierre Charles (1)
(1) Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France, firstname.lastname@cea.fr
(2) Sorbonne Université, CNRS, LIP6, F-75005, Paris, France, firstname.lastname@lip6.fr
SIDE CHANNEL ATTACKS
Electromagnetic emissions, power consumption, …
Ciphertexts produced
Try to find the key using:
• measurements
• ciphertexts or plaintexts
• a consumption model

• x1 ciphertexts produced, key: ???
• x10 ciphertexts produced, key: ???
• x100 ciphertexts produced, key: ???
• x290 ciphertexts produced, <5kB (less than a hello world binary file)
Make this bigger!
SOFTWARE COUNTERMEASURES
secret: 01001101
Masking: split secret into shares
• share 1: 10010001
• share 2: 11011100
• share1 xor share2 = secret
• Measurements are no more directly correlated to secret
Hiding: add noise
• secret: 01001101
• Measurements are noisy
Attack is harder
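
Added example, not part of the original slides: two-share Boolean masking of one byte, checked against the share values shown on the slide, with a Hamming-weight model showing that a single share carries no information about the secret. The PRNG, the function names and the choice of Hamming weight as consumption model are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed demo PRNG (xorshift32). Assumption for the example only:
   real masking needs masks from a TRNG or CSPRNG. */
static uint32_t prng = 0x12345678u;
static uint8_t rand_byte(void) {
    prng ^= prng << 13; prng ^= prng >> 17; prng ^= prng << 5;
    return (uint8_t)(prng >> 16);
}

typedef struct { uint8_t s1, s2; } masked_t;  /* invariant: s1 ^ s2 == secret */

/* Split a secret byte into two shares using a fresh random mask. */
static masked_t mask(uint8_t secret) {
    masked_t m;
    m.s1 = rand_byte();
    m.s2 = (uint8_t)(secret ^ m.s1);
    return m;
}

static uint8_t unmask(masked_t m) { return (uint8_t)(m.s1 ^ m.s2); }

/* XOR of two masked values, computed share by share: the unmasked
   operands are never recombined during the computation. */
static masked_t masked_xor(masked_t a, masked_t b) {
    masked_t r = { (uint8_t)(a.s1 ^ b.s1), (uint8_t)(a.s2 ^ b.s2) };
    return r;
}

static int hamming_weight(uint8_t x) {
    int n = 0;
    for (; x; x >>= 1) n += x & 1;
    return n;
}

/* Mean Hamming weight (times 1000) of share 2 over n fresh maskings. */
static int mean_share_hw_x1000(uint8_t secret, int n) {
    long sum = 0;
    for (int i = 0; i < n; i++) sum += hamming_weight(mask(secret).s2);
    return (int)(sum * 1000 / n);
}

int main(void) {
    masked_t slide = { 0x91, 0xDC };   /* share 1 and share 2 from the slide */
    printf("slide shares recombine to 0x%02X\n", unmask(slide));
    printf("masked xor: 0x%02X\n", unmask(masked_xor(mask(0x4D), mask(0xA5))));
    printf("mean HW x1000 of share 2: secret 0x00 -> %d, secret 0xFF -> %d\n",
           mean_share_hw_x1000(0x00, 100000), mean_share_hw_x1000(0xFF, 100000));
    return 0;
}
```

Both secrets give a mean share weight close to 4 bits, although their own Hamming weights are 0 and 8.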
CODE POLYMORPHISM WITH RUNTIME CODE GENERATION
[Diagram: the executed instructions and the manipulated data impact the electromagnetic emissions and power consumption, and impact the function's result. Labels: "change this" on the executed instructions and on the emissions and consumption, "don't change this" on the function's result.]
Runtime code generation:
• regenerate a different code regularly
• only use code transformations that preserve program semantics
CODE POLYMORPHISM WITH RUNTIME CODE GENERATION
Issues and our contributions:
• Issue: Countermeasures are usually manually applied
  Our contribution: Automatic application of the countermeasure
• Issue: Countermeasures are usually given for particular ciphers
  Our contribution: Any code can be hardened
• Issue: Target a wide range of platforms (be lightweight)
  Our contribution: Use static memory allocation; allocation of a realistic size (don't waste memory); use specialized code generation
• Issue: An attacker may write on an executable memory section
  Our contribution: Use the specialization of the generator to manage memory permissions
• Issue: Hard to have a good trade-off between security and performance
  Our contribution: Highly configurable → possible to find a trade-off
SIDE CHANNEL ATTACKS
Unprotected:
• x290 ciphertexts produced, 5kB (less than a hello world binary file)
Protected (x2.5 overhead):
• x290 ciphertexts produced, 5kB (less than a hello world binary file), key: ???
• x1 000 ciphertexts produced, 16kB (one second of an mp3 file), key: ???
• x10 000 ciphertexts produced, 160kB (10 seconds of an mp3 file), key: ???
• x100 000 ciphertexts produced, 1.6MB (our paper), key: ???
• x1 000 000 ciphertexts produced, 16MB (a 20Mpixels jpeg image), key: ???
• x3 800 000 ciphertexts produced, 60MB (a 3minutes long full HD video)
x13 000 improvement!
OUTLINE
• Background
  • Side channel attacks
  • Software countermeasures
  • Code polymorphism
• Automated application of code polymorphism
  • Overview
  • Code transformations used
  • Memory management
• Experimental evaluation
  • Performance evaluation
  • Security evaluation
OVERVIEW
STATICALLY
[Diagram: .c file containing the annotated function → modified compiler → .c file containing the wrapper and the specialized runtime code generator → compiler → binary]
Main idea: The annotated function is replaced by a wrapper and a generator
Main idea: Each annotated function has its own generator (with shared code segments)
RUNTIME
[Diagram: ① the wrapper calls the runtime code generator, ② the generator generates a polymorphic instance, ③ the wrapper calls the polymorphic instance]
Main idea: At runtime, a new polymorphic instance is generated at each call
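
Added example, not from the slides or the authors' tool: a portable model of the wrapper and generator flow above, in which a small bytecode interpreter stands in for generated machine code. The function f, the two transformations used (random order of independent instructions, insertion of noise instructions) and all names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_XOR, OP_ADD };
typedef struct { uint8_t op, dst, a, b; } insn_t;
static insn_t instance[16]; static int instance_len;   /* static instance buffer */
static uint32_t seed = 0xC0FFEEu;   /* constructed demo PRNG, not a CSPRNG */
static uint32_t rnd(void) { seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5; return seed; }

/* Append 0..2 noise instructions: they read r0..r4 and write only scratch r5. */
static int emit_noise(int n) {
    for (uint32_t k = rnd() % 3; k > 0; k--)
        instance[n++] = (insn_t){ OP_XOR, 5, (uint8_t)(rnd() % 5), (uint8_t)(rnd() % 5) };
    return n;
}

/* Generator specialized for f(x, y, k) = (x ^ k) + (y ^ k); r0=x r1=y r2=k. */
static void generate(void) {
    insn_t t[2] = { { OP_XOR, 3, 0, 2 }, { OP_XOR, 4, 1, 2 } }, add = { OP_ADD, 3, 3, 4 };
    int n = 0, first = (int)(rnd() & 1);   /* the two XORs are independent */
    n = emit_noise(n); instance[n++] = t[first];
    n = emit_noise(n); instance[n++] = t[1 - first];
    n = emit_noise(n); instance[n++] = add;
    instance_len = n;
}

/* Interpreter standing in for a jump to the generated code. */
static uint32_t run_instance(uint32_t x, uint32_t y, uint32_t k) {
    uint32_t r[6] = { x, y, k, 0, 0, 0 };
    for (int i = 0; i < instance_len; i++) {
        insn_t in = instance[i];
        r[in.dst] = in.op == OP_ADD ? r[in.a] + r[in.b] : r[in.a] ^ r[in.b];
    }
    return r[3];
}
/* Wrapper: (1) calls the generator, (2) which writes a new instance, (3) then calls it. */
static uint32_t f_wrapper(uint32_t x, uint32_t y, uint32_t k) { generate(); return run_instance(x, y, k); }

/* Calls whose instance differs from the previous call's; -1 if a result is wrong. */
static int count_changes(int calls) {
    insn_t prev[16]; int prev_len = 0, changes = 0;
    for (int i = 0; i < calls; i++) {
        uint32_t x = 0x1234u + (uint32_t)i, k = 0x4Du;
        if (f_wrapper(x, 0xBEEFu, k) != (x ^ k) + (0xBEEFu ^ k)) return -1;
        if (prev_len != instance_len || memcmp(prev, instance, sizeof *prev * (size_t)instance_len)) changes++;
        memcpy(prev, instance, sizeof prev); prev_len = instance_len;
    }
    return changes;
}
int main(void) { printf("%d of 100 calls ran a new instance\n", count_changes(100)); return 0; }
```

Every call returns the same result as the reference expression while the executed instruction sequence changes from call to call.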