Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices
Dennis R. E. Gnad, Jonas Krautter, Mehdi B. Tahoori
INSTITUT FÜR TECHNISCHE INFORMATIK – CHAIR OF DEPENDABLE NANO COMPUTING
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association
www.kit.edu
2019-08-27

Leaky Noise ???
Noise that leaks information? Yes, …
Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

Motivation
- Future: Everything Mixed-Signal, Everything Networked / Multi-User
- Analog: sensitive to noise
- Digital: causes noise
- New security threats? Digital circuits affect analog subsystem
[Figure: Component A and Component B separated by logical isolation, connected to the Internet]

Paper at a Glance
- Goal: Prove information leakage inside chip: Digital (Attacker) → Analog → Digital (Victim)
- Method:
  - Sample ADC during cryptographic algorithm
  - Attacker: ADC, Victim: Crypto
  - Leakage Assessment + Correlation Power Analysis (CPA)
- Results:
  - Most tested platforms leak
  - Successful key recovery with CPA
ADC = Analog-to-Digital Converter
[Figure: chip with analog and digital parts; attacker with ADC and victim separated by logical isolation; ADC sampling over time]

Outline
- Background & Related Work
- Experimental Setup
- Results
- Conclusion

Background: Power Distribution Networks (PDNs)
- Supplies current to all transistors in a chip
- Complex network: Resistors (R), Capacitors (C), Inductors (L)
- Some by design, others unwanted = parasitic
- Circuit activity causes voltage fluctuations by current changes i(t):
  $V_{noise} = L \frac{di(t)}{dt} + i(t) R$
[Figure: package, package pins and silicon die with analog and digital parts]

Detailed Adversarial Model – Possible Attack Vectors
- ADC – or any sensor (e.g. Temperature) allowed
- Logical Isolation: Memory Protection, etc.
- Victim (Cryptography) leaks information into analog part: Affects ADC! ("Leaky Noise")
- Attack vectors:
  1. Attacker samples ADC: acquires leakage by ADC
  2. Unsuspecting Victim samples ADC: Attacker with remote access to ADC data
[Figure: chip with analog and digital parts; attacker and victim separated by logical isolation]

Background: Power Analysis and Leakage Assessment
- Power Analysis Side-Channel Attacks (Kocher et al. 1999)
  - Secret key recovery by analyzing power measurement traces
- Correlation Power Analysis (CPA), Brier et al. 2004
  - Correlate power measurements with secret key-based hypothesis
- Leakage Assessment (Goodwill et al. 2011, Schneider et al. 2015)
  - Welch's t-test: Compare:
    - Set of power traces from random encryptions
    - Set of power traces from fixed (same) encryptions
  $t = \frac{\mu_{random} - \mu_{fixed}}{\sqrt{\frac{s^2_{random}}{n_{random}} + \frac{s^2_{fixed}}{n_{fixed}}}}$
  - Statistical difference indicates leakage, allows attacks
  - |t| > 4.5 considered sufficient

Selected related work
- "Inside Job" (Schellenberg et al. DATE'18), extended by (Zhao et al. S&P'18)
  - CPA inside FPGA or FPGA-SoC
  - Indirect voltage measurement
- "Screaming Channels" (Camurati et al. CCS'18)
  - Mixed-Signal Chip, leak over radio, in proximity
  - Digital → Analog Receiver (Attacker)
- "Side-channel leakage across borders" (Schmidt et al. CARDIS'10)
  - Successful power analysis on I/O port pins of various chips
- Here: Digital → Analog → Digital possible on-chip?

Experimental Setup
- Platforms
  - Espressif ESP32
    - ESP32-devkitC – Dual-Core Xtensa CPU, Wifi, .. @ 80MHz
  - ST Microelectronics STM32
    - L4 IoT Node – Single-Core ARM CPU, Wifi On-Board, .. @ 80MHz
    - F407 Discovery – Single-Core ARM CPU, Ethernet @ 168MHz
- Software provided by both vendors:
  - mbedTLS – AES and modular exponentiation (used in RSA, ..)
  - FreeRTOS
  - GCC with standard compiler optimization "-Os"

Experimental Setup
- Microcontroller:
  - *Victim Task*: Encryption, with helper signal on encryption
  - *Attacker Task*: Measurement, records ADC trace
  - Voltage Noise, Crosstalk, .. ("Leaky Noise") couples from the encryption into the ADC
  - ADC input: {Vdd, GND, N/C}
- Workstation:
  - Sends Encryption Request (UART RX), receives ADC trace (UART TX)
  - Leakage Assessment or CPA
ADC = Analog-to-Digital Converter

Basic Test: Compare ADC with Oscilloscope
- STM32F407 Discovery, ADC not connected ('N/C'), 1,000 traces
[Figure, top panel: Average Vdd Value for 1000 traces, Voltage (V) over Time (µs), with stress phases and idle phases marked]
[Figure, bottom panel: Average ADC Value for 1000 traces, ADC Value Average over Time (µs)]

Leakage Assessment Prerequisites
- Modular Exponentiation
- 1,000 traces averaged
- Fixed + Random Encryptions
- t-test:
  $t = \frac{\mu_{random} - \mu_{fixed}}{\sqrt{\frac{s^2_{random}}{n_{random}} + \frac{s^2_{fixed}}{n_{fixed}}}}$
[Figure: Average ADC Value for Fixed Traces and Average ADC Value for Random Traces, ADC Average over Samples over Time]

Leakage Assessment Results Summary
- AES: 1,000,000 traces, Modular Exponentiation: 100,000 traces
- ADC not always noisy (σ=0)
- Most cases with noise leaky, |t| >> 4.5

Leakage detected?

Platform                  AES-128 (Fast ADC)     Modular Exponentiation (Slow ADC)
                          Vdd    GND    N/C      Vdd    GND    N/C
ESP32-devkitC             σ=0    no     σ=0      no     yes    yes
STM32L4 IoT Node          σ=0    σ=0    σ=0      yes    yes    yes
2x STM32F407 Discovery    yes    yes    yes      yes    yes    yes

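The fixed-vs-random Welch's t-test from the leakage assessment slides, as an added example (not code from the authors): it runs the test at every sample index and covers the σ=0 case that appears in the results table. The trace values, the 8-sample layout and all function names are constructed for illustration.

```python
import math
import random

THRESHOLD = 4.5  # slides: |t| > 4.5 is considered sufficient evidence of leakage

def welch_t(rand_vals, fixed_vals):
    """t = (mu_random - mu_fixed) / sqrt(s2_random/n_random + s2_fixed/n_fixed)."""
    n_r, n_f = len(rand_vals), len(fixed_vals)
    mu_r, mu_f = sum(rand_vals) / n_r, sum(fixed_vals) / n_f
    s2_r = sum((x - mu_r) ** 2 for x in rand_vals) / (n_r - 1)
    s2_f = sum((x - mu_f) ** 2 for x in fixed_vals) / (n_f - 1)
    denom = math.sqrt(s2_r / n_r + s2_f / n_f)
    if denom == 0.0:
        # sigma = 0 in both sets: the ADC shows no noise at this sample, so the
        # statistic is undefined unless the two constant values differ.
        return None if mu_r == mu_f else math.copysign(math.inf, mu_r - mu_f)
    return (mu_r - mu_f) / denom

def assess(random_traces, fixed_traces):
    """Run the t-test at every sample index; return (t_values, leaky_indices)."""
    columns = zip(zip(*random_traces), zip(*fixed_traces))
    t_vals = [welch_t(r, f) for r, f in columns]
    leaky = [i for i, t in enumerate(t_vals)
             if t is not None and abs(t) > THRESHOLD]
    return t_vals, leaky

def constructed_traces(n, rng, shift):
    """Constructed 12-bit ADC traces of 8 samples each (not measured data).
    Sample 0 is stuck at one code (sigma = 0); sample 5 is offset by `shift`."""
    traces = []
    for _ in range(n):
        trace = [round(2048 + rng.gauss(0, 2)) for _ in range(8)]
        trace[0] = 2048
        trace[5] += shift
        traces.append(trace)
    return traces

def demo():
    rng = random.Random(2019)
    random_set = constructed_traces(2000, rng, shift=0)
    fixed_set = constructed_traces(2000, rng, shift=1)  # data-dependent offset
    return assess(random_set, fixed_set)

if __name__ == "__main__":
    t_values, leaky_indices = demo()
    for i, t in enumerate(t_values):
        print(i, "sigma=0" if t is None else f"{t:+.2f}")
    print("leaky sample indices:", leaky_indices)
```
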
Correlation Power Analysis Attack on AES
- STM32F407 Discovery
- CPA: 10 Million traces, simple alignment applied
- Ciphertext-based
1. Default setup: ADC@GND, 168MHz, -Os Optimization
   - Less than 25 ADC samples for full AES
   - 2 secret key bytes recovered with high confidence
2. Simplified setup: ADC@Vdd, 56MHz, -O0 Optimization
   - ~60 samples for full AES
   - 6 secret key bytes recovered with high confidence

Correlation Power Analysis results (best bytes)
- GND, -Os Optimization: "Hard", ~2 Million Traces
- Vdd, -O0 Optimization: "Easy", ~500k Traces

"Leaky Noise" – Conclusion
- Data-dependent noise: Attacker can recover the data
- Feasible:
  - Attacks across security domains in Mixed-Signal Chips
  - Remote power analysis attacks
- Application developers: Prevent ADC-use during cryptography
- SoC integrators: Consider digital noise a security risk
- Potentially: Always apply power analysis countermeasures (?!)
[Figure: chip with analog and digital parts, ADC, attacker, victim and Internet connection]

Thanks for your Attention!
Acknowledgements: Kevin Schäfer from Rutronik & All Reviewers
Questions?

Following: Backup Slides

Experimental Setup in FreeRTOS
Tasks, Simplified Flow:

Experimental Setup – Software Details

Experimental Setup – Sampling Details