software side channel analysis attack synthesis
play

Software Side-Channel Analysis: Attack Synthesis Lucas Bang - PowerPoint PPT Presentation

Mar 26, 2023 •142 likes •2.13k views

Software Side-Channel Analysis: Attack Synthesis Lucas Bang Dissertation Defense Committee: Tevfik Bultan (chair) Omer E gecio glu Ben Hardekopf 1 Publications during PhD Aydin, Bang , Bultan. [CAV 2015] Automata-Based Model

  1. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 8 - 14

  2. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. 8 - 15

  3. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. 1 p j 8 - 16

  4. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. 1 log 2 p j 8 - 17

  5. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. � n 1 log 2 p j j =1 p j 8 - 18

  6. Side Channels and Searching: Entropy secret s ∈ S S p 1 p 2 i ∈ I p 3 p 4 Quantify expected information gain measured in bits. � n 1 H = log 2 p j j =1 p j 8 - 19

  7. Side Channels and Searching: Entropy secret s ∈ S S i ∈ I i Quantify expected information gain measured in bits. � n 1 H ( i ) = log 2 p j j =1 p j 8 - 20

  8. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i 9 - 1

  9. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i 9 - 2

  10. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i Password Checker Constraints 9 - 3

  11. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i 9 - 4

  12. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i max H ( i ) ⇒ Optimal Search any program constraints 9 - 5

  13. max H ( i ) ⇒ Binary Search o = 1 ⇒ s ≤ i o = 2 ⇒ s > i max H ( i ) ⇒ Optimal Search any program constraints H ( i ) ??? 9 - 6

  14. Symbolic Execution Execute program on symbolic rather than concrete inputs. Maintain path constraints , PCs, φ j over symbolic inputs. For branch instructions: φ c if(c) then s1; else s2; T F φ ← φ ∧ c φ ← φ ∧ ¬ c φ j ( s, i ) characterizes the relation between s , i , and o j 10 - 1

  15. Symbolic Execution Execute program on symbolic rather than concrete inputs. Maintain path constraints , PCs, φ j over symbolic inputs. Maintain path constraints , PCs, φ j over symbolic inputs. For branch instructions: φ c if(c) then s1; else s2; T F φ ← φ ∧ c φ ← φ ∧ ¬ c φ 1 φ j ( s, i ) characterizes the φ 2 relation between s , i , and o j φ 3 φ 4 10 - 2

  16. )= p ( s ∈ 11 - 1

  17. = # φ ( i ) φ φ )= p ( s ∈ 11 - 2

  18. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ )= p ( s ∈ 11 - 3

  19. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ # φ ( i ) is the number of satisfying solutions (models) for φ ( s, i ) for a given i . )= p ( s ∈ 11 - 4

  20. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ # φ ( i ) is the number of satisfying solutions (models) for φ ( s, i ) for a given i . p ( i ) = # φ ( i ) )= p ( s ∈ | S | 11 - 5

  21. Model { # φ j ( i ) } { φ j ( s, i ) } Counter = # φ ( i ) φ φ # φ ( i ) is the number of satisfying solutions (models) for φ ( s, i ) for a given i . p ( i ) = # φ ( i ) )= p ( s ∈ | S | H ( i ) = � n 1 j =1 p j ( i ) log 2 p j ( i ) 11 - 6

  22. Symbolic Execution Model Counting H ( i ) Information Theory H ( i ) is a symbolic expression that measures the expected information an attacker gains when making input i . 12 - 1

  23. Symbolic Execution Model Counting H ( i ) Information Theory H ( i ) is a symbolic expression that measures the expected information an attacker gains when making input i . H ( i ) Maximize i ∗ Maximizing H ( i ) gives an optimal side-channel attack. [IEEE Computer Security Foundations 2017] 12 - 2

  24. 1. Fully Static Offline Approach Assumes an ideal observation model (i.e. instruction counts). Does not account for actual runtime behavior. 13 - 1

  25. 1. Fully Static Offline Approach Assumes an ideal observation model (i.e. instruction counts). Does not account for actual runtime behavior. 2. Static / Dynamic + Offline / Online Approach Automatically, dynamically estimates runtime observations. Uses Bayesian inference and weighted model counting to account for noise. 13 - 2

  26. Side-Channel Attack Synthesis Under Noisy Conditions [IEEE European Security & Privacy 2018] 14 - 1

  27. 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } 14 - 2

  28. 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 3

  29. 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 4

  30. s ? 1 private s = getMaxBytes(); 2 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 5

  31. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 6

  32. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 7

  33. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 8

  34. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS s ≤ i ⇒ o = 1 14 - 9

  35. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS s ≤ i ⇒ o = 1 14 - 10

  36. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ s ≤ i Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS s ≤ i ⇒ o = 1 14 - 11

  37. s ? 1 private s = getMaxBytes(); 2 input, i 3 4 public int compare(int i){ s ≤ i s > i Network 5 if(s <= i) 6 some computation; // 1 s 7 else 8 log.write("too many bytes");// 2s 9 return 0; 10 } Hardware + OS 14 - 12

  38. 15 - 1

  39. Attacker Belief s ? 15 - 2

  40. Attacker Belief s ? 1 8 1 2 3 4 5 6 7 8 15 - 3

  41. Attacker Belief Input Choice s ? i ∗ 1 8 1 2 3 4 5 6 7 8 15 - 4

  42. Attacker Belief Input Choice Observation Noise s ? i ∗ s ≤ i s > i 1 8 1 2 3 4 5 6 7 8 15 - 5

  43. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 15 - 6

  44. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 t = 4.12 15 - 7

  45. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 3 1 8 1 2 3 4 5 6 7 8 t = 4.12 15 - 8

  46. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 15 - 9

  47. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 more likely less likely 1 8 t = 2.3 1 2 3 4 5 6 7 8 15 - 10

  48. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 15 - 11

  49. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) 15 - 12

  50. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( o | s, i ) 15 - 13

  51. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( o | s, i ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 14

  52. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( o | s, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 15

  53. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( o | s, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 16

  54. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) 15 - 17

  55. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) Bayes’ Rule 15 - 18

  56. Attacker Belief Input Choice Observation Noise s ? i ∗ = 5 s ≤ 5 s > 5 1 8 1 2 3 4 5 6 7 8 p ( s | o, i ∗ ) p ( s | o, i ∗ ) p ( o | s, i ) Bayes’ Rule 15 - 19

Recommend

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

468 views • 34 slides
Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

List decoding of RM(1,m) and Multi-linear cryptanalysis Application to Power Analysis attacks : MLPA Conclusion and Open persp Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C edric Tavernier

625 views • 29 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to

Introduction to (profiled) side-channel analysis Annelie Heuser In this talk back to the basics!! details on power / EM leakage (low/high noise scenario) how/where to attack AES? di ff erent attacker models overview of

1.28k views • 74 slides
AES &amp; RSA Side Channel Attack with ChipWhisperer Cleveland State University EEC-581

AES &amp; RSA Side Channel Attack with ChipWhisperer Cleveland State University EEC-581

AES &amp; RSA Side Channel Attack with ChipWhisperer Cleveland State University EEC-581 Computer Architecture Andriy Kucher ChipWhisperer Open-source toolchain for hardware security research. Xilinx S6LX9 FPGA XMEGA MCU Target

105 views • 9 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with

Recent advances in side- channel analysis using machine learning techniques Annelie Heuser with Stjepan Picek, Sylvain Guilley, Alan Jovic, Shivam Bhasin, Tania Richmond, Karlo Knezevic In this talk Short recap on side-channel analysis

4.52k views • 56 slides
A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan Lashermes 1 Yanis Linge 2 Gal Thomas 3 Jean Yves Zie 1 INRIA Rennes, LHS/PEC 2 STMicroelectronics 3 Orange Labs Issy Les Moulineaux October 25th, 2016

315 views • 17 slides
Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read

Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read

Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World Mengjia Yan , Read Sprabery, Bhargava Gopireddy, Christopher W. Fletcher, Roy Campbell, Josep Torrellas University of Illinois at Urbana-Champaign S&amp;P19 May

304 views • 16 slides
EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1 , Ilya

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1 , Ilya

EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1 , Ilya Kizhvatov 2 1 Virginia Tech 2 Radboud University Nijmegen CHES 2018 Outline 1 Introduction 2 Side-Channel Vulnerability Analysis 3 The Most Feasible

629 views • 42 slides
A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg Michael Hutter Mark E. Marson Possible path for post-quantum security Error-correcting codes Quantum computers may threaten the mathematical

892 views • 66 slides
AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 |

Nicolas Belleville Damien Courouss Karine Heydemann Henri-Pierre Charles AUTOMATED SOFTWARE PROTECTION FOR THE MASSES AGAINST SIDE-CHANNEL ATTACKS PHISIC 2018 | Belleville Nicolas INTRODUCTION Focus on power/EM based side channel

535 views • 31 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&amp;P), 2019 (Dustin)

726 views • 44 slides
Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown &amp; Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015

Glitching and Side-Channel Analysis for All Colin OFlynn NewAE Technology Inc. RECON 2015 Montreal, QC. Overview W.t.f is side-channel power analysis (again) Example: IEEE 802.15.4 Node Example: AES-256 Bootloader W.t.f.

633 views • 47 slides
Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis? Breaking multiple layers of side-channel countermeasures Anh-Tuan Hoang, Neil Hanley and Mire ONeill CHES 2020 14-18 September 2020 Outline

622 views • 21 slides
s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space:

s c a l e When Hardware Attacks Hardwear.io 27 September 2019 1 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require: Hardware

360 views • 24 slides
Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas

Behind the Scene of Side Channel Attacks ASIACRYPT 2013 Victor LOMNE, Emmanuel PROUFF and Thomas ROCHE ANSSI (French Network and Information Security Agency) Thursday, December 3rd, 2013 Side Channel Attacks (SCA)| Linear Regression Attack

340 views • 32 slides
A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1

A Comprehensive Study of Deep Learning for Side-Channel Analysis A Comprehensive Study of Deep Learning for Side-Channel Analysis c Masure 1,3 ecile Dumas 1 Emmanuel Prouff 2, 3 Lo C 1 Univ. Grenoble Alpes, CEA, LETI, DSYS, CESTI, F-38000

1.39k views • 86 slides
DifFuzz: Differential Fuzzing for Side-Channel Analysis Shirin Nilizadeh Yannic Noller Corina

DifFuzz: Differential Fuzzing for Side-Channel Analysis Shirin Nilizadeh Yannic Noller Corina

DifFuzz: Differential Fuzzing for Side-Channel Analysis Shirin Nilizadeh Yannic Noller Corina S. Pasareanu yannic.noller@hu-berlin.de International Conference on Software Engineering (ICSE) 2019 ! 1 Problem Background Solution Example

438 views • 25 slides
Walls Have Ears: Traffic-based Side-channel Attack in Video Streaming Jiaxi Gu , Jiliang Wang

Walls Have Ears: Traffic-based Side-channel Attack in Video Streaming Jiaxi Gu , Jiliang Wang

Walls Have Ears: Traffic-based Side-channel Attack in Video Streaming Jiaxi Gu , Jiliang Wang , Zhiwen Yu , Kele Shen Northwestern Polytechnical University, P .R. China Tsinghua University, P .R. China 1 Outline

1.15k views • 32 slides
s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance

When Hardware Attacks s c a l e Marc Witteman Croatian Summer school 2017 Attack exploitation space: time vs distance Remote key brute software protocol force relay attack side Fast Slow mitm channel Hardware attacks require:

688 views • 25 slides

More recommend