something with implementations
play

Something with implementations Peter Schwabe June 23, 2016 - PowerPoint PPT Presentation

May 25, 2023 •806 likes •1.47k views

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Part I: How to make software secure Something with implementations 2 Timing Attacks General idea of those attacks Secret

  1. Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017

  2. Part I: How to make software secure Something with implementations 2

  3. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Something with implementations 3

  4. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) Something with implementations 3

  5. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) ◮ Some attacks work by measuring network delays ◮ Attacker does not even need an account on the target machine Something with implementations 3

  6. Timing Attacks General idea of those attacks ◮ Secret data has influence on timing of software ◮ Attacker measures timing ◮ Attacker computes influence − 1 to obtain secret data Two kinds of remote . . . ◮ Timing attacks are a type of side-channel attacks ◮ Unlike other side-channel attacks, they work remotely: ◮ Some need to run attack code in parallel to the target software ◮ Attacker can log in remotely (ssh) ◮ Some attacks work by measuring network delays ◮ Attacker does not even need an account on the target machine ◮ Can’t protect against timing attacks by locking a room ◮ This talk: don’t consider “local” side-channel attacks Something with implementations 3

  7. Problem No. 1 if(secret) { do_A(); } else { do_B(); } Something with implementations 4

  8. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” Something with implementations 5

  9. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” Something with implementations 5

  10. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” ◮ Rejection sampling: “if a < q : accept a ” Something with implementations 5

  11. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” ◮ Rejection sampling: “if a < q : accept a ” ◮ Byte-array (tag) comparison: “if a [ i ] � = b [ i ] : return” Something with implementations 5

  12. Examples ◮ Square-and-multiply (or double-and-add): “if s is one: multiply” ◮ Modular reduction: “if a > q : subtract q from a ” ◮ Rejection sampling: “if a < q : accept a ” ◮ Byte-array (tag) comparison: “if a [ i ] � = b [ i ] : return” ◮ Sorting and permuting: “if a < b : branch into subroutine” Something with implementations 5

  13. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if Something with implementations 6

  14. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B Something with implementations 6

  15. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B ◮ Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication Something with implementations 6

  16. Eliminating branches ◮ So, what do we do with code like this? if s then r ← A else r ← B end if ◮ Replace by r ← sA + (1 − s ) B ◮ Can expand s to all-one/all-zero mask and use XOR instead of addition, AND instead of multiplication ◮ For very fast A and B this can even be faster Something with implementations 6

  17. Problem No. 2 table[secret] Something with implementations 7

  18. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes T [32] . . .T [47] T [48] . . .T [63] ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache T [96] . . .T [111] T [112] . . .T [127] T [128] . . .T [143] T [144] . . .T [159] T [160] . . .T [175] T [176] . . .T [191] T [192] . . .T [207] T [208] . . .T [223] T [224] . . .T [239] T [240] . . .T [255] Something with implementations 8

  19. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes attacker’s data attacker’s data ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache attacker’s data ◮ The attacker’s program replaces some attacker’s data attacker’s data cache lines attacker’s data T [160] . . .T [175] T [176] . . .T [191] T [192] . . .T [207] T [208] . . .T [223] attacker’s data attacker’s data Something with implementations 8

  20. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some ??? ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] T [192] . . .T [207] T [208] . . .T 223] ??? ??? Something with implementations 8

  21. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some ??? ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] ◮ Attacker loads his data: T [192] . . .T [207] T [208] . . .T 223] ??? ??? Something with implementations 8

  22. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some attacker’s data ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] ◮ Attacker loads his data: T [192] . . .T [207] ◮ Fast: cache hit (crypto did not just T [208] . . .T 223] load from this line) ??? ??? Something with implementations 8

  23. Timing leakage part II T [0] . . . T [15] ◮ Consider lookup table of 32 -bit integers T [16] . . .T [31] ◮ Cache lines have 64 bytes ??? ??? ◮ Crypto and the attacker’s program run T [64] . . .T [79] on the same CPU T [80] . . .T [95] ◮ Tables are in cache ??? ◮ The attacker’s program replaces some T [112] . . .T [127] ??? cache lines ??? ◮ Crypto continues, loads from table T [160] . . .T [175] again T [176] . . .T [191] ◮ Attacker loads his data: T [192] . . .T [207] ◮ Fast: cache hit (crypto did not just T [208] . . .T 223] load from this line) ??? ◮ Slow: cache miss (crypto just loaded ??? from this line) Something with implementations 8

  24. The general case Loads from and stores to addresses that depend on secret data leak secret data. Something with implementations 9

  25. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe Something with implementations 10

  26. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? Something with implementations 10

  27. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” Something with implementations 10

  28. “Countermeasure” ◮ Observation: This simple cache-timing attack does not reveal the secret address, only the cache line ◮ Idea: Lookups within one cache line should be safe . . . or are they? ◮ Bernstein, 2005: “Does this guarantee constant-time S-box lookups? No!” ◮ Osvik, Shamir, Tromer, 2006: “This is insufficient on processors which leak low address bits” Something with implementations 10

Recommend

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations :

Contracts vs. Implementations: Where? Common Eiffel Errors: Instructions for Implementations : inst 1 , inst 2 Contracts vs. Implementations Boolean expressions for Contracts: exp 1 , exp 2 , exp 3 , exp 4 , exp 5 feature -- Commands

231 views • 6 slides
Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array

Stack Implementations Tiziana Ligorio 1 Todays Plan Stack Implementations: Array Vector Linked Chain 2 Stack ADT #ifndef STACK_H_ #define STACK_H_ template&lt;&lt;typename ItemType&gt; class

1.19k views • 71 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Introduction Methodology Implementations Results Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla Kishore Kumar Surapathi Bilal Habib Susheel Vadlamudi Smriti Gurung John Pham Cryptographic

461 views • 29 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by

Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by

Re-indexing the DFT (n and k) We can investigate the various implementations of the DFT by looking at ways to re-index values of n and k. Idea: Using properties of addition and multiplication we can rewrite the equation. 1

541 views • 22 slides
Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on

Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on

Privacy of Geolocation Implementations Marcos Cceres, Opera Software ASA W3C Workshop on Privacy of Advance Web APIs 12 July, 2010. London, United Kingdom. Implementations iOS 4 Firefox 3.6 Chrome 6 Opera 10.6 Critical

445 views • 20 slides
Common Eiffel Errors: Contracts vs. Implementations EECS3311 A: Software Design Fall 2018 C HEN

Common Eiffel Errors: Contracts vs. Implementations EECS3311 A: Software Design Fall 2018 C HEN

Common Eiffel Errors: Contracts vs. Implementations EECS3311 A: Software Design Fall 2018 C HEN -W EI W ANG Contracts vs. Implementations: Definitions In Eiffel, there are two categories of constructs: Implementations are step-by-step

246 views • 23 slides
Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth,

Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth,

Performance Comparison of DTN Bundle Protocol Implementations ottner , Johannes Morgenroth, Sebastian Schildt, Lars Wolf Wolf-Bastian P September 23, 2011: CHANTS Workshop, Las Vegas, NV Motivation Several Bundle Protocol (BP) implementations

874 views • 17 slides
Multi-rate Signal Processing 4. Multistage Implementations 5. Multirate Application: Subband

Multi-rate Signal Processing 4. Multistage Implementations 5. Multirate Application: Subband

4 Multistage Implementations 5 Some Multirate Applications Multi-rate Signal Processing 4. Multistage Implementations 5. Multirate Application: Subband Coding Electrical &amp; Computer Engineering University of Maryland, College Park

891 views • 24 slides
Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox,

Verification of Implementations of Distributed Systems under Churn Ryan Doenges , James R. Wilcox, Doug Woos, Zachary Tatlock, and Karl Palmskog We should verify implementations of distributed systems... ...and we have! Framework Prover

1.41k views • 86 slides
The PKIX Standards and PKI Implementations Simos Xenitellis University of London

The PKIX Standards and PKI Implementations Simos Xenitellis University of London

The PKIX Standards and PKI implementations The PKIX Standards and PKI Implementations Simos Xenitellis University of London S.Xenitellis@rhbnc.ac.uk 1 16th May, 2000, University of London The PKIX Standards and PKI implementations Agenda

513 views • 29 slides
Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View

Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View

Testing Qt Model-View Implementations Stephen Kelly July 2010 T esting Model-View Implementations Designing testable code High-level Model-View design T est-drivers and mock objects Unit test execution KDE ItemViews

268 views • 23 slides
Erlang SCCP/TCAP/MAP Implementations Harald Welte &lt;laforge@gnumonks.org&gt; gnumonks.org

Erlang SCCP/TCAP/MAP Implementations Harald Welte &lt;laforge@gnumonks.org&gt; gnumonks.org

The GSM core network Erlang in Osmocom Core Network protocol implementations Erlang SCCP/TCAP/MAP Implementations Harald Welte &lt;laforge@gnumonks.org&gt; gnumonks.org hmw-consulting.de sysmocom GmbH October 13, 2012 - OSDC.fr - Paris /

1.06k views • 35 slides
Optimization of HPSG Grammar Implementations in Trale Georgiana Dinu Optimization of HPSG

Optimization of HPSG Grammar Implementations in Trale Georgiana Dinu Optimization of HPSG

Optimization of HPSG Grammar Implementations in Trale Georgiana Dinu Optimization of HPSG Grammar Implementations in Trale p. 1/2 Summary The optimization problem Background Examples Optimization of HPSG Grammar Implementations

754 views • 26 slides
of SSH Implementations Paul Fiterau, Toon Lenaerts, Erik Poll, Joeri de Ruiter, Frits Vaandrager,

of SSH Implementations Paul Fiterau, Toon Lenaerts, Erik Poll, Joeri de Ruiter, Frits Vaandrager,

Model Learning and Model Checking of SSH Implementations Paul Fiterau, Toon Lenaerts, Erik Poll, Joeri de Ruiter, Frits Vaandrager, Patrick Verleg Introduction protocols: SSH, TLS, SMTP, FTP, TCP, UDP many implementations per

1.22k views • 73 slides
X11 and Wayland A tale of two implementations 1 / 20 Concepts What is hikari and what am I

X11 and Wayland A tale of two implementations 1 / 20 Concepts What is hikari and what am I

X11 and Wayland A tale of two implementations 1 / 20 Concepts What is hikari and what am I trying to achieve? window manager / compositor and Goals started 1.5 years ago written from scratch stacking / tiling hybrid approach inspired by cwm

249 views • 21 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
A Study of Erlang ETS Table Implementations and Performance Or: Judy Arrays Are Amazing Data

A Study of Erlang ETS Table Implementations and Performance Or: Judy Arrays Are Amazing Data

A Study of Erlang ETS Table Implementations and Performance Or: Judy Arrays Are Amazing Data Structures Scott Lystig Fritchie &lt;slfritchie@snookles.com&gt; Snookles Music Consulting A Study of Erlang ETS Table Implementations and Performance

552 views • 23 slides
Distributed Implementations of Adaptive Collective Decision Making Krzysztof R. Apt CWI and

Distributed Implementations of Adaptive Collective Decision Making Krzysztof R. Apt CWI and

Distributed Implementations of Adaptive Collective Decision Making Krzysztof R. Apt CWI and University of Amsterdam Distributed Implementations of Adaptive Collective Decision Making p.1/17 Let us Introduce Ourselves Project leaders:

529 views • 17 slides
BGP A study into the BGP protocol as well as BGP implementations to improve Route Server

BGP A study into the BGP protocol as well as BGP implementations to improve Route Server

BGP A study into the BGP protocol as well as BGP implementations to improve Route Server scalability. Parallelization Jenda Brands Patrick de Niet Insert content in this area 2 The internet is growing B Active BGP entries in FIB From

624 views • 25 slides
Rosenbrock-like Problems: SMF Versus Other SBO Implementations A.S. Mohamed, S. Koziel, J.W.

Rosenbrock-like Problems: SMF Versus Other SBO Implementations A.S. Mohamed, S. Koziel, J.W.

Rosenbrock-like Problems: SMF Versus Other SBO Implementations A.S. Mohamed, S. Koziel, J.W. Bandler, M.H. Bakr, and Q.S. Cheng Simulation Optimization Systems Research Laboratory Electrical and Computer Engineering Department, McMaster

701 views • 40 slides
TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Find and fix security vulnerabilities and bugs in free soware (Fuzzing Project,

693 views • 44 slides

More recommend