fully automated differential fault analysis on software
play

Fully Automated Differential Fault Analysis on Software - PowerPoint PPT Presentation

Mar 23, 2023 •249 likes •513 views

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

  1. Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab, Singapore 3 Max Planck Institute, Karlsruhe, Germany CHES’19, 28 Aug 2019

  2. Data Flow Graph of Software Implementation of AES 2

  3. Our Contribution • We developed a method that works on assembly implementations of block ciphers, it identifies spots vulnerable to differential fault analysis (DFA) by bit flips, and verifies whether those spots are exploitable • Our method is sound – if it marks the spot as exploitable, it is provably exploitable – The prototype tool outputs the identified attack • Furthermore, we developed a way to check how many rounds should be protected by a countermeasure to be able to avoid DFA to vulnerable spots 3

  4. Tool for Automated DFA on Assembly 4

  5. Tool for Automated DFA on Assembly – TADA • The main idea – feed the assembly code to the tool and get the vulnerabilities, together with a way how to exploit them • Static analysis module analyzes the propagation of the fault and determines what information can be extracted from known data • SMT solver module solves the DFA equations, verifying whether an attack exists Analyze Generate Construct Find the assembly custom DFA key file DFG attack 5

  6. TADA – Detailed Process Flow 6

  7. Sample Cipher and DFG Construction # Instruction 0 LD r0 X+ 1 LD r1 X+ 2 LD r2 key1+ 3 LD r3 key1+ 4 AND r0 r1 5 EOR r0 r2 6 EOR r1 r3 7 ST x+ r0 8 ST x+ r1 7

  8. Properties of the DFG – Explained Linear edge Non-linear edge 1 Node r3 (3) affects node r1 (6) 0 0 Distance between r0 (0) and r0 (4) is 1 Distance between r0 (0) and x+ (7) is also 1 8

  9. TADA – Detailed Process Flow 9

  10. Vulnerable Instructions • For a vulnerable instruction, each of its input nodes that is not known can be a target node or/and a vulnerable node • A fault will be injected into the vulnerable node so that it might reveal information about the target node • TADA creates a subgraph for each pair of target and vulnerable node 10

  11. Find Vulnerable Instruction # Instruction 0 LD r0 X+ 1 LD r1 X+ 2 LD r2 key1+ 3 LD r3 key1+ 4 AND r0 r1 5 EOR r0 r2 6 EOR r1 r3 7 ST x+ r0 Recall that r2 (2) and r3 (3) are the key nodes 8 ST x+ r1 11

  12. TADA – Detailed Process Flow 12

  13. TADA – Detailed Process Flow 13

  14. Update Known Nodes 14

  15. TADA – Detailed Process Flow Not yet! 15

  16. One More Iteration 16

  17. TADA – Detailed Process Flow 17

  18. Evaluation Results [TBM14] H. Tupsamudre, S. Bisht, and D. Mukhopadhyay. Differential fault analysis on the families of Simon and Speck ciphers. FDTC 2014. [Gir05] Christophe Giraud. DFA on AES. Conference on AES 2005. 18

  19. Countermeasures How many rounds to protect?

  20. Standard Duplication/Triplication Countermeasure Plaintext • Popular in industrial applications • Either area or time redundancy • Expensive overheads Encrypt Encrypt • Resources can be saved in case it is not necessary to protect the entire Ciphertext Ciphertext cipher Compare 20

  21. Countermeasure implementation based on TADA • After the previous analysis, the target and the vulnerable nodes change to target and exploitable nodes – the latter one was proven to be exploitable by TADA • We are now trying to find the earliest node possible to affect the target node, such that there are no collisions • This information will tell us what is the earliest round where the fault can be injected 21

  22. Results – AES SR SB MC SB SR MC R8 R8 R8 R9 R9 R9 MC SB SR D. Saha, D. Mukhopadhyay, and D. RoyChowdhury. A Diagonal Fault Attack on the R10 R10 R10 Advanced Encryption Standard, Cryptology ePrint Archive: Report 2009/581. 22

  23. How Many Rounds to Protect? Resources for countermeasures can be saved as follows: – SIMON – over 90% (3 out of 32 rounds) – SPECK – over 81% (4 out of 22 rounds) – AES – over 60% (4 out of 10 rounds) – PRIDE – over 80% (4 out of 20 rounds) 23

  24. Conclusion 24

  25. Conclusion • We showed a way to automate differential fault analysis on block cipher implementations • Analysis works on a modified data flow graph, vulnerabilities are checked with SMT solver for exploitability • Countermeasure implementations can be done more efficiently with the support of automated evaluation – number of rounds can be reduced • For future, it would be good to extend the method to other fault models and other fault analysis techniques 25

  26. J. Breier, X. Hou, S. Bhasin (eds.): Automated Methods in Cryptographic Fault Analysis, Springer, 2019. Thank you for your interest! Questions? 26

Recommend

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Using Likely Invariants For Automated Software Fault Localization Swarup Sahoo, John Criswell,

Using Likely Invariants For Automated Software Fault Localization Swarup Sahoo, John Criswell,

Using Likely Invariants For Automated Software Fault Localization Swarup Sahoo, John Criswell, Chase Geigle, Vikram Adve Presented By: Matthew Perez and Thomas Rupp Motivation Detecting software bugs is time consuming and difficult Lots

150 views • 13 slides
Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've

Automated fault detection for Automated fault detection for Autosub6000: Autosub6000: What we've achieved in a year? TSEM talk @ Institute of Cybernetics, Tallinn, Estonia Juhan Ernits, March 9, 2010 Overview of todays talk Overview of today s

490 views • 26 slides
my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA COLLECTION AND ANALYTICS There is a high demand for reliable Traffic Data but Static data single-purpose data Invasive costly deployment &

404 views • 18 slides
EASY-TO-USE, READY-TO-PRODUCE by ALL-IN-ONE HARDWARE + SOFTWARE SOLUTION 3U

EASY-TO-USE, READY-TO-PRODUCE by ALL-IN-ONE HARDWARE + SOFTWARE SOLUTION 3U

Jan. 2017 CONF FULLY AUTOMATED CONFERENCE CAPTURE EASY-TO-USE, READY-TO-PRODUCE by ALL-IN-ONE HARDWARE + SOFTWARE SOLUTION 3U rackable Video Server PTZ touret cameras VIDEO FILMING FULLY AUTOMATED The system is connected

432 views • 16 slides
Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

423 views • 39 slides
Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit e Catholique de Louvain

797 views • 76 slides
Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols IACR Real World Crypto Nadim Kobeissi Symposium 2019 Karthikeyan Bhargavan San Jose, California Noise Protocol Framework: What is it? A

586 views • 23 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai

Automated Credit-Loan Platform based on AI-technology A fully automated processes The Corex.ai system is a fully automated loan management system. This solution extends the productivity of Your loan business to the maximum. Easily integrates

541 views • 27 slides
Approaching Automation Necessary for introducing a task Prioritize automation steps based

Approaching Automation Necessary for introducing a task Prioritize automation steps based

Learning objectives Understand the main purposes of automating software analysis and testing Identify activities that can be fully or partially Automating Analysis and Test automated Understand cost and benefit trade-offs in

799 views • 12 slides
Automated Transplantation and Differential Testing for Clones Tianyi Zhang, Miryung Kim

Automated Transplantation and Differential Testing for Clones Tianyi Zhang, Miryung Kim

Automated Transplantation and Differential Testing for Clones Tianyi Zhang, Miryung Kim University of California, Los Angeles 1 Problem Statement Code clones are common in modern software systems. Developers often find it difficult to

715 views • 29 slides
Towards an Automated Fault Localizer while Designing Meta-models Adel Ferdjoukh and Jean-Marie

Towards an Automated Fault Localizer while Designing Meta-models Adel Ferdjoukh and Jean-Marie

Towards an Automated Fault Localizer while Designing Meta-models Adel Ferdjoukh and Jean-Marie Mottu MDEbug@MODELS 2018, Copenhagen (Kbenhavn) null Motivation Automated fault localization Tooling Ideas for improving Conclusion Synopsis 1

586 views • 25 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
An approach to fully coupled FBSDEs via functional differential equations Matteo Casserini

An approach to fully coupled FBSDEs via functional differential equations Matteo Casserini

Brownian FBSDEs as functional differential equations Fully coupled forwardbackward stochastic dynamics Existence and uniqueness of solutions Related discretization algorithms for Brownian FBSDEs An approach to fully coupled FBSDEs via

760 views • 44 slides
Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed

Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed

Improving the Quality of Software Using Testing and Fault Prediction Professor Iftekhar Ahmed Department of Informatics https://www.ics.uci.edu/~iftekha/ 1 About me Research focus: Software testing and analysis. 4 years of industry

335 views • 33 slides
Semi-Automated Analysis Software for a Novel Biochemistry Assay A thesis submitted in partial

Semi-Automated Analysis Software for a Novel Biochemistry Assay A thesis submitted in partial

Semi-Automated Analysis Software for a Novel Biochemistry Assay A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Science Joseph Vesco Special Thanks Dr. Frederick C. Harris, Jr.

785 views • 54 slides
Motivation Theoretical description of SM process at the LHC What is needed? Fully differential

Motivation Theoretical description of SM process at the LHC What is needed? Fully differential

Motivation Theoretical description of SM process at the LHC What is needed? Fully differential cross-sections for the production of jets, heavy quarks and gauge bosons 1 Thursday, September 10, 2009 I. Leading order calculations

724 views • 34 slides
Automated Software Analysis Andreas Podelski University of Freiburg Germany Dienstag, 12. Juli

Automated Software Analysis Andreas Podelski University of Freiburg Germany Dienstag, 12. Juli

Automated Software Analysis Andreas Podelski University of Freiburg Germany Dienstag, 12. Juli 16 1 new paradigm for automatic verification given a program P , learn a set of correct programs P 1 , ... , P n check whether every behavior

696 views • 58 slides
Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis

Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis

Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis From raw RNAseq data to transcriptome and differential expression analysis. Software for analysis TopHat alignment TopHat alignment in IGV

468 views • 11 slides

More recommend