formal fault analysis of branch predictors attacking
play

Formal Fault Analysis of Branch Predictors: Attacking - PowerPoint PPT Presentation

Mar 20, 2024 •151 likes •591 views

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August 20, 2016 PROOFS 2016 Sarani Bhattacharya

  1. Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August 20, 2016 PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 1 / 25

  2. Overview of the talk Introduction Motivation of the problem Exponentiation primitives for Public key cryptography Formalizing Differential of branch misses simulated from 2-bit predictor Developing the Attack Algorithm Experimental validation over Hardware Performance Counters Conclusion PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 2 / 25

  3. Introduction Asymmetric key algorithm have been threatened via timing side channels due to the behavior of the underlying branch predictors. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 3 / 25

  4. Introduction Asymmetric key algorithm have been threatened via timing side channels due to the behavior of the underlying branch predictors. Effect of faults on such predictors and the consequences thereof on security of crypto-algorithms have not been studied. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 3 / 25

  5. Introduction Asymmetric key algorithm have been threatened via timing side channels due to the behavior of the underlying branch predictors. Effect of faults on such predictors and the consequences thereof on security of crypto-algorithms have not been studied. We develop a formal analysis of such a bimodal predictor under the effect of faults. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 3 / 25

  6. Introduction Asymmetric key algorithm have been threatened via timing side channels due to the behavior of the underlying branch predictors. Effect of faults on such predictors and the consequences thereof on security of crypto-algorithms have not been studied. We develop a formal analysis of such a bimodal predictor under the effect of faults. Analysis shows that differences of branch misses under the effect of bit faults can be exploited to attack implementations of RSA-like asymmetric key algorithms, based on square and multiplication operations. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 3 / 25

  7. Introduction Asymmetric key algorithm have been threatened via timing side channels due to the behavior of the underlying branch predictors. Effect of faults on such predictors and the consequences thereof on security of crypto-algorithms have not been studied. We develop a formal analysis of such a bimodal predictor under the effect of faults. Analysis shows that differences of branch misses under the effect of bit faults can be exploited to attack implementations of RSA-like asymmetric key algorithms, based on square and multiplication operations. The attack is also threatening against Montgomery ladder of CRT-RSA (RSA implemented using Chinese Remainder Theorem). PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 3 / 25

  8. Contributions The difference of branch misses observed through HPCs between the correct and the faulty execution can be modeled efficiently to develop a key recovery attack. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 4 / 25

  9. Contributions The difference of branch misses observed through HPCs between the correct and the faulty execution can be modeled efficiently to develop a key recovery attack. We develop an iterative attack strategy, which simulates the branches corresponding to partially known exponent bits and observes the difference of branch misses from HPCs to reveal the next bit. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 4 / 25

  10. Contributions The difference of branch misses observed through HPCs between the correct and the faulty execution can be modeled efficiently to develop a key recovery attack. We develop an iterative attack strategy, which simulates the branches corresponding to partially known exponent bits and observes the difference of branch misses from HPCs to reveal the next bit. The theoretical simulations are validated on secret key-dependent modular exponentiation algorithms as well as on CRT-RSA implementation. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 4 / 25

  11. Vulnerability of system due to HPCs in presence of fault The scenario where the secret key gets flipped or corrupted can manifest as a fault. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 5 / 25

  12. Vulnerability of system due to HPCs in presence of fault The scenario where the secret key gets flipped or corrupted can manifest as a fault. However, fault can also be introduced by skipping some target instructions as well [1]. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 5 / 25

  13. Vulnerability of system due to HPCs in presence of fault The scenario where the secret key gets flipped or corrupted can manifest as a fault. However, fault can also be introduced by skipping some target instructions as well [1]. On platforms such as Xilinx Microblaze where the HPC accesses are provided [2], the instruction skip phenomenon can be exploited to reveal secret by monitoring events such as branching. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 5 / 25

  14. Vulnerability of system due to HPCs in presence of fault The scenario where the secret key gets flipped or corrupted can manifest as a fault. However, fault can also be introduced by skipping some target instructions as well [1]. On platforms such as Xilinx Microblaze where the HPC accesses are provided [2], the instruction skip phenomenon can be exploited to reveal secret by monitoring events such as branching. In recent processors, Rowhammer is a term coined for disturbances observed in DRAM devices, where repeated row activation causes the DRAM cells to electrically interact within themselves [3, 4]. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 5 / 25

  15. Vulnerability of system due to HPCs in presence of fault The scenario where the secret key gets flipped or corrupted can manifest as a fault. However, fault can also be introduced by skipping some target instructions as well [1]. On platforms such as Xilinx Microblaze where the HPC accesses are provided [2], the instruction skip phenomenon can be exploited to reveal secret by monitoring events such as branching. In recent processors, Rowhammer is a term coined for disturbances observed in DRAM devices, where repeated row activation causes the DRAM cells to electrically interact within themselves [3, 4]. Authors in [5] has exploited this Rowhammer vulnerability to flip secret exponent bits residing in the memory of a x86 system. This motivates the study of differential analysis of HPCs when there is a fault. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 5 / 25

  16. In fault analysis attacks as well as their countermeasures, the adversary may be prevented in getting useful information but the hardware events reflects the systems internal state which may have a dependence on the secret. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 6 / 25

  17. In fault analysis attacks as well as their countermeasures, the adversary may be prevented in getting useful information but the hardware events reflects the systems internal state which may have a dependence on the secret. HPCs can be of potential threat with respect to fault analysis attacks and more notably against their countermeasures. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 6 / 25

  18. Exponentiation and Underlying Multiplication Primitive Inputs( M ) are encrypted and decrypted by performing modular exponentiation with modulus N on public or private keys represented as n bit binary string. Square and Multiply Exponentiation Algorithm 1 : Binary version of Square and Multiply Exponentiation Algorithm S ← M ; for i from 1 to n − 1 do S ← S ∗ S mod N ; if d i = 1 then S ← S ∗ M mod N ; end end return S ; Conditional execution of instruction and their dependence on secret exponent is exploited by the simple power and timing side-channels [6]. PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 7 / 25

  19. Montgomery Ladder Exponentiation Algorithm A na¨ ıve modification is to have a balanced ladder structure having equal number of squarings and multiplications. Most popular exponentiation primitive for Asymmetric-key cryptographic implementations. Algorithm 2 : Montgomery Ladder Algorithm R 0 ← 1 ; R 1 ← M ; for i from 0 to n − 1 do if d i = 0 then R 1 ← ( R 0 ∗ R 1 ) mod N ; R 0 ← ( R 0 ∗ R 0 ) mod N ; end else R 0 ← ( R 0 ∗ R 1 ) mod N ; R 1 ← ( R 1 ∗ R 1 ) mod N ; end end return R 0 ; PROOFS 2016 Sarani Bhattacharya Formal Fault Analysis of Branch Predictors 8 / 25

Recommend

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T.

Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T.

Institut Mines-Tlcom Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T. Porteboeuf PROOFS September 17, 2015 Presentation Outline Introduction, Motivation Multi-level Formal Verification

485 views • 27 slides
BRANCH PREDICTORS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

BRANCH PREDICTORS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

BRANCH PREDICTORS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcements Homework 2 release: Sept. 26 th This lecture Dynamic branch prediction

782 views • 49 slides
1 Tournament Branch Predictor Accuracy of Return Address Predictor Used in Alpha 21264: Track

1 Tournament Branch Predictor Accuracy of Return Address Predictor Used in Alpha 21264: Track

Correlating Branch Predictor General form: (m, n) Branch address (4 bits) predictor Lecture 10: Branch Prediction and m bits for global 2-bits per branch Instruction Delivery history, n bits for local local predictors history

227 views • 3 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev Pascal Fradet 09/30/15, Austin, TX, USA @ FMCAD'15 Outline For a given (fault-tolerance) transformation T , we want to prove a property of the form

1.11k views • 79 slides
FaultTracer: A Change Impact and Regression Fault Analysis Tool for Evolving Java Programs

FaultTracer: A Change Impact and Regression Fault Analysis Tool for Evolving Java Programs

FaultTracer: A Change Impact and Regression Fault Analysis Tool for Evolving Java Programs Lingming Zhang , Miryung Kim, Sarfraz Khurshid University of Texas at Austin zhanglm@utexas.edu FSE Formal Research Demo Track Nov 14, 2012 1 Scenario

381 views • 20 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
1 Predictor for a Single Branch Branch History Table of 1-bit Predictor BHT also Called Branch

1 Predictor for a Single Branch Branch History Table of 1-bit Predictor BHT also Called Branch

Reducing Branch Penalty Branch penalty in dynamically scheduled processors: wasted cycles due to pipeline flushing on mis- predicted branches Lecture 9: Branch Prediction I Reduce branch penalty: 1. Prediction analysis, 1-bit predictor,

378 views • 3 slides
Is branch prediction important for performance? Daniel J. Bernstein Spectre paper: Modern

Is branch prediction important for performance? Daniel J. Bernstein Spectre paper: Modern

1 Is branch prediction important for performance? Daniel J. Bernstein Spectre paper: Modern processors use branch prediction and speculative execution to maximize performance. Wikipedia: Branch predictors play a critical role in

1.61k views • 43 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
Fault-tolerant matrix factorisation: a formal model and proof Camille Coti, Laure Petrucci,

Fault-tolerant matrix factorisation: a formal model and proof Camille Coti, Laure Petrucci,

Daniel Torres Fault-tolerant matrix factorisation: a formal model and proof 1/26 Fault-tolerant matrix factorisation: a formal model and proof Camille Coti, Laure Petrucci, Daniel Alberto Torres Gonz alez Laboratoire dInformatique de

683 views • 49 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stphanie Delaune

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stphanie Delaune

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stphanie Delaune / Steve Kremer / Mark D. Ryan Some desired properties of e-voting systems Eligibility: only eligible voters can vote, and only once.

545 views • 18 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
PREDICTORS OF HOUSEHOLD DIETARY DIVERSITY IN ETHIOPIA: ANALYSIS OF THE 2011 WELFARE MONITORING

PREDICTORS OF HOUSEHOLD DIETARY DIVERSITY IN ETHIOPIA: ANALYSIS OF THE 2011 WELFARE MONITORING

PREDICTORS OF HOUSEHOLD DIETARY DIVERSITY IN ETHIOPIA: ANALYSIS OF THE 2011 WELFARE MONITORING SURVEY (WMS) DATA, Abdulhalik Workicho, Garumma Tolu, Beyene Wondafrash, Shibani Ghosh, Jennifer Coates October,2014 Adama, Ethiopia 1 Background

623 views • 23 slides
San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition at Depth On Fault Mechanics Background San Andreas Fault Observatory at Depth (SAFOD) Sample recovery of cores containing the two

410 views • 8 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides

More recommend