reasoning about aggregation of information in timing
play

Reasoning about Aggregation of Information in Timing Attacks Boris - PowerPoint PPT Presentation

Mar 17, 2024 •525 likes •1.18k views

Reasoning about Aggregation of Information in Timing Attacks Boris Kpf Itsaka Rakotonirina Microsoft Research INRIA Nancy Grand-Est Choose a letter: A or B. Choose a letter: A or B. Does it occur more than 10 times in TARATATATARATATATA ?

  1. Reasoning about Aggregation of Information in Timing Attacks Boris Köpf Itsaka Rakotonirina Microsoft Research INRIA Nancy Grand-Est

  3. Choose a letter: A or B.

  4. Choose a letter: A or B. Does it occur more than 10 times in TARATATATARATATATA ?

  5. Choose a letter: A or B. Does it occur more than 10 times in TARATATATARATATATA ? 🤕

  6. Choose a letter: A or B. Does it occur more than 10 times in TARATATATARATATATA ? 🤕 No.

  7. Choose a letter: A or B. Does it occur more than 10 times in TARATATATARATATATA ? 🤕 No. Q : Which letter was chosen?

  8. Timing attacks 1996 on RSA (Kocher) 1998 on RSA (Dhem et al. ) 2005 on AES (Bernstein) 2007 on AES (Acıiçmez et al. ) 2013 Lucky Thirteen (AlFardan, Paterson) 2014 Flush+Reload (Yarom, Falkner) 2016 on ECDH (Kaufmann et al. ) 2018 Spectre (Kocher et al. ) 2018 Meltdown (Lipp et al. ) 2019 RIDL (van Schaik et al. ) 2019 ZombieLoad (Schwarz et al. ) � 3 24 …

  9. Timing attacks 1996 on RSA (Kocher) 1998 on RSA (Dhem et al. ) A long-term secret, and queries to an oracle 2005 on AES (Bernstein) O : public input ↦ execution time of a program Remote measurements 2007 on AES (Acıiçmez et al. ) 2013 Lucky Thirteen (AlFardan, Paterson) 2014 Flush+Reload (Yarom, Falkner) 2016 on ECDH (Kaufmann et al. ) 2018 Spectre (Kocher et al. ) 2018 Meltdown (Lipp et al. ) 2019 RIDL (van Schaik et al. ) 2019 ZombieLoad (Schwarz et al. ) � 3 24 …

  10. Timing attacks 1996 on RSA (Kocher) 1998 on RSA (Dhem et al. ) A long-term secret, and queries to an oracle 2005 on AES (Bernstein) O : public input ↦ execution time of a program Remote measurements 2007 on AES (Acıiçmez et al. ) 2013 Lucky Thirteen (AlFardan, Paterson) 2014 Flush+Reload (Yarom, Falkner) Exploit timing variations, and not the absolute execution time 2016 on ECDH (Kaufmann et al. ) Differential measurements 2018 Spectre (Kocher et al. ) 2018 Meltdown (Lipp et al. ) 2019 RIDL (van Schaik et al. ) 2019 ZombieLoad (Schwarz et al. ) � 3 24 …

  11. Timing attacks 1996 on RSA (Kocher) 1998 on RSA (Dhem et al. ) A long-term secret, and queries to an oracle 2005 on AES (Bernstein) O : public input ↦ execution time of a program Remote measurements 2007 on AES (Acıiçmez et al. ) 2013 Lucky Thirteen (AlFardan, Paterson) 2014 Flush+Reload (Yarom, Falkner) Exploit timing variations, and not the absolute execution time 2016 on ECDH (Kaufmann et al. ) Differential measurements 2018 Spectre (Kocher et al. ) 2018 Meltdown (Lipp et al. ) 2019 RIDL (van Schaik et al. ) The secret is recovered chunk by chunk Compositionality 2019 ZombieLoad (Schwarz et al. ) � 3 24 …

  12. Timing attacks A long-term secret, and queries to an oracle O : public input ↦ execution time of a program Remote measurements Attacker model Exploit timing variations, and not the absolute execution time Differential measurements Under what hypotheses? The secret is recovered chunk by chunk Compositionality � 4 24

  13. Contributions A model of timing attacks capturing the essence of compositional attacks Core hypotheses giving rise to efficient attacks under the form of independence properties Generic attack descriptions + cost analyses � 5 24

  14. A model for timing leakage

  15. k o Program Long-term secret Observation constant across all invocations e.g. timing as a real number of the program m Public input chosen by the attacker � 7 24

  16. A simple example for i = 0 to n — 1 do 1 if k[i] ≠ m[i] then g() 2 done 3 � 8 24

  17. A simple example for i = 0 to n — 1 do 1 if k[i] ≠ m[i] then g() 2 done 3 execution time proportional to: n t(k,m) = Σ i=1 k[i] ⊕ m[i] = nb of bits where k and m differ Hamming distance � 8 24

  18. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] Hamming distance k potential values of the long-term secret � 9 24

  19. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] Hamming distance k 000 o = t(k,000) ∈ {0,1,2,3} ⟼ potential values of the long-term secret � 9 24

  20. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] Hamming distance k 000 o = t(k,000) ∈ {0,1,2,3} ⟼ ⇒ k ∈ { k’ | t(k’,000) = o } potential values of the long-term secret � 9 24

  21. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] Hamming distance k 000 o = t(k,000) ∈ {0,1,2,3} ⟼ ⇒ k ∈ { k’ | t(k’,000) = o } potential values of the long-term secret � 9 24

  22. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] Hamming distance k 000 o = t(k,000) ∈ {0,1,2,3} ⟼ ⇒ k ∈ { k’ | t(k’,000) = o } 001 o’ = t(k,001) ⟼ potential values of the long-term secret � 9 24

  23. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] k Hamming distance 000 o = t(k,000) ∈ {0,1,2,3} ⟼ ⇒ k ∈ { k’ | t(k’,000) = o } 001 o’ = t(k,001) ⟼ potential values of the long-term secret � 9 24

  24. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] k Hamming distance 000 o = t(k,000) ∈ {0,1,2,3} ⟼ ⇒ k ∈ { k’ | t(k’,000) = o } 001 o’ = t(k,001) ⟼ potential values of 010 o’’ = t(k,010) the long-term secret ⟼ � 9 24

  25. Aggregation of information 3 t(k,m) = Σ i=1 k[i] ⊕ m[i] Hamming distance k 000 o = t(k,000) ∈ {0,1,2,3} ⟼ ⇒ k ∈ { k’ | t(k’,000) = o } 001 o’ = t(k,001) ⟼ potential values of 010 o’’ = t(k,010) the long-term secret ⟼ � 9 24

  26. Aggregation of information potential values of the long-term secret k � 10 24

  27. Aggregation of information potential values of the long-term secret k Compute this equivalence relation over the set of secrets static approach (security bounds) � 10 24

  28. Aggregation of information potential values of the long-term secret k Compute this equivalence relation Given an oracle to t(k, . ) , over the set of secrets retrieve the class enclosing k static approach dynamic approach (security bounds) (attacks) � 10 24

  29. A more practical model for timing leakage

  30. o 1 -o 2 k Program Difference of timings Long-term secret m 1 ,m 2 Two public inputs � 12 24

  31. Differential measurements Less powerful attacker, but… o 1 -o 2 k Program Closer to the models used in actual attack research m 1 ,m 2 Compositionality � 13 24

  32. Compositionality for differential measurements

  33. Compositional attacks for i = 0 to n — 1 do 1 if k[i] ≠ m[i] then g() 2 done 3 recovering k? with oracle to execution time m ↦ t(k,m) � 15 24

  34. Compositional attacks for i = 0 to n — 1 do 1 if k[i] ≠ m[i] then g() 2 done 3 recovering k? with oracle to execution time m ↦ t(k,m) if t(k,0) < t(k,2 i ) - � 15 24

  35. Compositional attacks for i = 0 to n — 1 do 1 if k[i] ≠ m[i] then g() 2 done 3 recovering k? with oracle to execution time m ↦ t(k,m) if t(k,0) < t(k,2 i ) then K := K ∩ { k | k[i] = 1 } else K := K ∩ { k | k[i] = 0 } � 15 24 Exploiting the i th iteration

  36. Sequential composition x = m 1 for i = 0 to n — 1 do 2 x = f i (k,x) 3 if Test i (k,x) = 1 then g() 4 done 5 � 16 24

  37. Sequential composition x = m 1 for i = 0 to n — 1 do 2 x = f i (k,x) 3 if Test i (k,x) = 1 then g() 4 done 5 Goal : writing this code under the form p = p 0 ; p 2 ; … ; p n-1 � 16 24

  38. Sequential composition x = m 1 for i = 0 to n — 1 do 2 x = f i (k,x) 3 if Test i (k,x) = 1 then g() 4 done 5 Goal : writing this code under the form p = p 0 ; p 2 ; … ; p n-1 p i computes f i : K x M → M with execution time Test i : K x M → {0,1} � 16 24

  39. Sequential composition p comp = p 1 ; p 2 � 17 24

  40. Sequential composition p comp = p 1 ; p 2 p ℓ computes f ℓ : K x M → M with execution time t ℓ : K x M → O � 17 24

  41. Sequential composition p comp = p 1 ; p 2 p ℓ computes f ℓ : K x M → M with execution time t ℓ : K x M → O f comp = f 2 ◦ f 1 States are composed � 17 24

  42. Sequential composition p comp = p 1 ; p 2 composition of public values, p ℓ computes f ℓ : K x M → M with i.e. (f ◦ g)(k,m) = f(k, g(k,m)) execution time t ℓ : K x M → O f comp = f 2 ◦ f 1 States are composed � 17 24

  43. Sequential composition p comp = p 1 ; p 2 composition of public values, p ℓ computes f ℓ : K x M → M with i.e. (f ◦ g)(k,m) = f(k, g(k,m)) execution time t ℓ : K x M → O f comp = f 2 ◦ f 1 t comp = t 1 + (t 2 ◦ f 1 ) States are composed Timings are summed � 17 24

  44. Key hypothesis: independence � 18 24

  45. Key hypothesis: independence Hypotheses t,t’ timing functions • Theorem Leak(t+t’) = Leak(t) ⋂ Leak(t’) � 18 24

  46. Key hypothesis: independence Hypotheses t,t’ timing functions • Theorem Leak(t+t’) = Leak(t) ⋂ Leak(t’) Leak(t) = the equivalence relation on secrets characterising timing leakage � 18 24

  47. Key hypothesis: independence Hypotheses t,t’ timing functions for all secrets k,k’, the distributions • • X distribution of public inputs t(k, X) and t’(k’, X) are independent • Theorem Leak(t+t’) = Leak(t) ⋂ Leak(t’) Leak(t) = the equivalence relation on secrets characterising timing leakage � 18 24

  48. Randomised compositional attack � 19 24

Recommend

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem Ben Hedia ERTS 2020 Toulouse Outline of the talk Motivations and goals Timing anomalies in Worst-Case Timing Reasoning An example of a timing

286 views • 16 slides
Aggregation functions and information fusion. Modeling decisions Vicen c Torra Universitat de

Aggregation functions and information fusion. Modeling decisions Vicen c Torra Universitat de

Aggregation functions and information fusion. Modeling decisions Vicen c Torra Universitat de Sk ovde (HiS, Sweden) July, 2017 Summary Aggregation functions There is life beyond the (weighted) mean Important concepts: the

1.41k views • 120 slides
Preditive Timing Models Pierre-Luc Bacon, Borja Balle, Doina Precup Reasoning and Learning Lab

Preditive Timing Models Pierre-Luc Bacon, Borja Balle, Doina Precup Reasoning and Learning Lab

Preditive Timing Models Pierre-Luc Bacon, Borja Balle, Doina Precup Reasoning and Learning Lab McGill University From bad models to good policies (NIPS 2014) Motivation Learning good models can be challenging (think of the Atari domain for

485 views • 25 slides
Approximate Stream Reasoning with Incomplete State Information Fourth Stream Reasoning Workshop,

Approximate Stream Reasoning with Incomplete State Information Fourth Stream Reasoning Workshop,

Approximate Stream Reasoning with Incomplete State Information Fourth Stream Reasoning Workshop, Link oping, Sweden Daniel de Leng Artificial Intelligence and Integrated Computer Systems Department of Computer and Information Science Link

504 views • 29 slides
Multirobot autonomous landmine detection aggregation Simulation using distributed multisensor

Multirobot autonomous landmine detection aggregation Simulation using distributed multisensor

Motivation Problem Background Market-based Multirobot autonomous landmine detection aggregation Simulation using distributed multisensor information Results Conclusion aggregation Janyl Jumadinova, Raj Dasgupta C-MANTIC Research Group

511 views • 24 slides
Crises and Prices: Information Aggregation, Multiplicity, and Volatility by George-Marios

Crises and Prices: Information Aggregation, Multiplicity, and Volatility by George-Marios

Crises and Prices: Information Aggregation, Multiplicity, and Volatility by George-Marios Angeletos and Iv an Werning (AER, 2007) Pau Roldan NYU February 26, 2014 1 / 23 Motivation Exogenous versus endogenous information Crises are

347 views • 23 slides
Elmwood Park: Electricity Aggregation Developing an Opt-In Municipal Aggregation Program to

Elmwood Park: Electricity Aggregation Developing an Opt-In Municipal Aggregation Program to

Elmwood Park: Electricity Aggregation Developing an Opt-In Municipal Aggregation Program to Serve Residents of Elmwood Park What is Electricity Aggregation? Purchasing authority for local governments The option for the Village to

226 views • 12 slides
CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based Systems ! syntax and semantics ! shallow and deep reasoning ! validity and satisfiability ! forward and backward ! logic languages chaining ! alternative

616 views • 23 slides
simplifying the customer experience through account aggregation Sim Sangha Business Development

simplifying the customer experience through account aggregation Sim Sangha Business Development

simplifying the customer experience through account aggregation Sim Sangha Business Development Director total account aggregation James Born 29th June 2007 What is account aggregation? Why is account aggregation important to your

605 views • 11 slides
CSC2542 Topics in Knowledge Representation &amp; Reasoning: Automated Planning &amp; Reasoning

CSC2542 Topics in Knowledge Representation &amp; Reasoning: Automated Planning &amp; Reasoning

CSC2542 Topics in Knowledge Representation &amp; Reasoning: Automated Planning &amp; Reasoning About Action Fall 2010 General Information URL: http://www.cs.toronto.edu/~sheila/2542/f10 Lectures: Thursday 2:00 4:00 PM, BA3116 (for now)

167 views • 15 slides
Applications of BNE: Information aggregation among several players. Felix Munoz-Garcia Strategy

Applications of BNE: Information aggregation among several players. Felix Munoz-Garcia Strategy

Applications of BNE: Information aggregation among several players. Felix Munoz-Garcia Strategy and Game Theory - Washington State University The Lemons Problem Watson : Ch. 27 You go to buy a used car. Of course, the seller tells you that the

946 views • 53 slides
The Axiomatic Method in Social Choice Theory: Preference Aggregation, Judgment Aggregation, Graph

The Axiomatic Method in Social Choice Theory: Preference Aggregation, Judgment Aggregation, Graph

Axiomatic Method Lorentz Center, June 2015 The Axiomatic Method in Social Choice Theory: Preference Aggregation, Judgment Aggregation, Graph Aggregation Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle

393 views • 20 slides
Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based reasoning COMPSCI 276, Fall 2014 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Why/What/How

700 views • 45 slides
Aggregation Announcements Aggregation Aggregate Functions So far, all SQL expressions have

Aggregation Announcements Aggregation Aggregate Functions So far, all SQL expressions have

Aggregation Announcements Aggregation Aggregate Functions So far, all SQL expressions have referred to the values in a single row at a time [expression] as [name], [expression] as [name], ... select [columns] from [table] where [expression]

242 views • 10 slides
1 Three Dimensional Aggregation (con.t) Three Dimensional Aggregation (con.t) If we need to

1 Three Dimensional Aggregation (con.t) Three Dimensional Aggregation (con.t) If we need to

Data Cube: A Relational Aggregation Operator Topic Outline Generalizing Group-By, Cross-Tab, and Sub-Totals J. Gray, al, Microsoft Research F. Pellow, al, IBM Research Visualization and dimension reduction The relational representation of

367 views • 4 slides
Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning , (observations to a theory) followed by causal reasoning (theory to predictions). Diagnosis Given symptoms, evidential reasoning leads to hypotheses about

243 views • 8 slides
Aggregation: A Brief Overview January 2011 () Aggregation January 2011 1 / 20 Macroeconomic

Aggregation: A Brief Overview January 2011 () Aggregation January 2011 1 / 20 Macroeconomic

Aggregation: A Brief Overview January 2011 () Aggregation January 2011 1 / 20 Macroeconomic Aggregates Consumption, investment, real GDP, labour productivity, TFP, physical capital, human capital (quantity and quality), price level,

448 views • 20 slides
Robust Aggregation in Sensor Robust Aggregation in Sensor Networks Networks Jie Gao Computer

Robust Aggregation in Sensor Robust Aggregation in Sensor Networks Networks Jie Gao Computer

Robust Aggregation in Sensor Robust Aggregation in Sensor Networks Networks Jie Gao Computer Science Department Stony Brook University 1 Papers Papers [Nath04] Suman Nath, Phillip B. Gibbons, Zachary Anderson, and Srinivasan Seshan,

616 views • 43 slides
SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

OUTLINE SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING + Backward Reasoning Weaker vs. Stronger statements Version control VERSION CONTROL CSE 331 Summer 2018 slides borrowed and

763 views • 11 slides
Linked Data and RDF Integrating information sources Inference Reasoning over the

Linked Data and RDF Integrating information sources Inference Reasoning over the

Building a Semantic Web Annotation Associating metadata with resources Integration Linked Data and RDF Integrating information sources Inference Reasoning over the information we have. Could be light-weight

717 views • 22 slides
Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211

Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211

Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211 Cognitive Psychology, Guest lecture CMU Qatar November 28, 2018 1 / 15 What is reasoning? Reasoning is the process of drawing conclusions from

911 views • 59 slides
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

541 views • 18 slides
RBridge Aggregation Mingui Zhang, Donald Eastlake zhangmingui@huawei.com RBridge Aggregation 1

RBridge Aggregation Mingui Zhang, Donald Eastlake zhangmingui@huawei.com RBridge Aggregation 1

RBridge Aggregation Mingui Zhang, Donald Eastlake zhangmingui@huawei.com RBridge Aggregation 1 Single AF: Loop Avoidance To avoid loops involving native frames, TRILL allows only a single Appointed Forwarder for one VLAN on a local link.

554 views • 13 slides

More recommend