Catch me if you can: Locating (and fixing) side channel leaks (for dummies)
Elisabeth Oswald
• Why: There are many more non-crypto experts than crypto experts!
• What: This talk is about tools and techniques for detecting (and fixing) information leaks that are designed for developers who are not cryptographers.
• How: With a lot of effort, by developing an appropriate model of the TOE (target of evaluation) that integrates in some ‘design flow’.
Outline
• Developed around 1995, with publications emerging from 1996 onwards, side channel attacks have exploited:
  • Execution times
  • Power consumption
  • EM radiation
  • Cache behavior
  • RF emanation
  • Sound
  • Packet length
  • …
Context
• Many attacks recover information about ‘chunks’ of a secret key
  • Stronger attacks tend to have better device leakage models
• Distinguisher needs to be chosen in conjunction with the device leakage model
• High quality traces naturally also improve attack outcomes
• Some attacks recover plaintext information
Attacks that Exploit Leakage
Diagram showing an attack that exploits leakage: data and a key (chunk) guess feed a model of the device, which produces predicted behaviour; the distinguisher compares this with the side channel data and outputs a score associated with the key guess.
• Attacks only ever get better
Context, cont.
1999: attacks on block ciphers (DES, AES), exploiting physical leaks; simple implementations, trivial to break
2012: attacks on protocols (TLS), exploiting protocol leaks; non-trivial attacks requiring profiling
• Past attacks on real world products
  • Pay TV as a ‘market driver’: protecting people from watching too much too bad telly is clearly very important!
• Standards/evaluation schemes exist to protect chip cards in the context of banking applications (CC protection profiles, EMVCo scheme)
• But also printer cartridges, and other ‘gadgets’ that have static secret keys embedded, are routinely protected
These applications are all somewhat ‘closed’: specialist developers with access to crypto/side channel expertise + labs are available. Code/implementations/evaluations remain confidential.
Context, cont.
• But the world has changed:
  • Payments are getting integrated, e.g. in software apps running on mobile phones
  • We have more and more ‘smart’ devices around that interact with us, and sometimes connect us with other devices/apps/institutions/people
  • These systems are much more ‘open’ in the sense that there exist many (small) companies that produce software.
In this context, access to crypto/side channel specialists + lab can no longer be taken for granted.
Context, cont.
• Research into attacks and mitigation strategies (provable or not) has more or less assumed a ‘specialist developer’ so far.
  • We develop ‘Cryptography for Cryptographers only’
  • We need ‘Cryptography for Everybody’, and this includes ways to implement cryptography securely in the real world
• A large part of my research interest is to find ways to ‘automate’ implementing crypto so as to take away (some of) the burden from developers.
Context, cont.
Let’s now focus on mitigation of physical leaks:
• What leaks?
• (Why does it leak)?
• How can it be fixed?
Questions:
• At which point in the design cycle to do this?
• What leaks do matter?
• How to include developers’ decisions?
Automation
‘Closed World’ approaches from the past include:
• Hardware level: assume we build a processor/crypto module, have full design details, aim for early mitigation
  • Pros: hope to remove leakage entirely, implies that the software developer does not need to care at all
  • Cons: unable to remove leakage entirely, impractical as for most applications the fabrication of a dedicated security IC is not an option
• Software level: assume that crypto runs on a leaky processor, a simplistic leakage model (Hamming weight), and focus on a specific algorithm
  • Pros: does not rely on control/exact knowledge of hardware design, potentially more applicable to a wide range of applications, promise to prove security
  • Cons: unable to capture any leak that does not fit the model
Automation Approaches
Compiler based approaches:
• 2012: we developed a compiler extension, which required a domain specific language, that was capable of taking a ‘raw’ AES implementation and translating it into a first-order Boolean masked implementation in Thumb assembly for an ARM7TDMI.
• 2013: Bayrak and Agosta independently proposed different compiler extensions that ‘identified’ vulnerable instructions and applied some countermeasures
• 2013 onwards: Dupressoir published a series of papers in which formal verification was used to prove leakage properties of code
All approaches relied on very simplistic leakage models.
Automation Approaches, cont.
• Simplifications are good if they remove unnecessary complexity only
• We have seen many times (in the side channel community) that simplified assumptions render ‘proofs’ (arguments for security) useless
  • Even provably secure schemes such as ISW99 fail miserably in practice due to glitches
• TI (threshold implementation) schemes equally make strong independence assumptions on small components
Importance of leakage models
Side channel attack outcomes using the HW assumption (top), and a statistically estimated leakage model (bottom).
• Leakage behavior can be very complex:
  • It depends on the state that the processor is in prior to a (target) instruction as well as what the next instruction will be
  • It depends on the pipeline architecture, functional components, busses, etc.
• Thus modelling ‘an’ instruction requires a sequence of instructions.
Importance of leakage models, cont.
Pictures showing power traces of an XOR operation: surrounded by LDR (left) and LSL (right).
• What leaks: without a sophisticated understanding of the target architecture’s leakage, ‘reasoning’ about implementations is pointless
• Why does it leak: without a ‘white box’ this cannot really be answered, but a good leakage model can potentially describe how the leakage functionally looks
• How can you reliably detect leakage in a new piece of code without having to instrument everything all the time?
• How can you mitigate arbitrary leaks?
Automation challenges
We now focus more on the ‘finding’ than the ‘fixing’.
• Detecting information leaks is not a new topic: detecting ‘points of interest’ has been a topic for discussion since the advent of ‘higher-order’ (in this case meaning multivariate) DPA attacks
• Methods that are easy to use tend to be based on the t-test (leakage model assumes individual bits’ leakage differ) and correlation analysis (requires a power model), which are moment based statistics that produce unreliable results when used in a multivariate setting.
• Statistically rigorous methods were developed by Chothia et al. based on Mutual Information (no power model required, cope better in a multivariate setting)
Leakage detection
• Modelling has been done under the disguise of template matching for a long time in the community
  • Templates consist of the mean (vector) and (co)variance (matrix) of a (multivariate) Gaussian that represent (a) leakage point(s)
  • Pro: captures potentially the full leakage. Cons: lots of traces, matrix not invertible
• This is equivalent to a multinomial representation in which one includes all interaction terms
  • Pro: can test which interaction terms are statistically significant, and thus remove all others; requires potentially fewer traces for a very good estimation of the relevant terms using regression
Leakage modelling
• Beyond the choice of statistical technique, there is a big question about the ‘level of abstraction’, and how to integrate models into a design flow
  • Bayrak et al.’s approach requires instrumenting each new piece of code before it can be analysed
• (Maybe) a much better idea: choose Assembly level code snippets to determine and model leakage
  • Length and composition of sequences, choice of leakage points within the corresponding traces, what potential effects to include, etc.
Leakage modelling, cont.
• Leakage modelling methodology
  • Initial scouting of individual instructions with the aim of clustering instructions; verification by cross-checking with known architectural information (grey box modelling)
  • Generation of controlled sequences of specifically designed instruction triplets (with the target instruction in the middle) to produce data for modelling
• Model:
  • We test significance for the terms with an F-test and look at R²
  • We also test for effects of board, register choices, and the potential of higher order terms (included then for some instructions)
ELMO
• Leakage modelling methodology
• Model:
  • Ip (previous instruction), Is (subsequent instruction)
  • D (dummies for bits and transitions of operands)
  • D×Ip (HW and HD terms plus interactions with the previous instruction), D×Is
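The model-selection step described on the two slides above (regression on HW/HD terms with an interaction against the previous instruction, judged by an F-test and R²), as an added example that is not ELMO's code: the leakage measurements, the instruction set and the interaction effect are all constructed for illustration, using a pure-Python least-squares fit on a nested pair of models.

```python
import random

def hw(v): return bin(v & 0xFF).count("1")

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting (solves the normal equations)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def ols(X, y):
    """Least squares fit: returns coefficients, residual sum of squares and R^2."""
    k = len(X[0])
    XtX = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    Xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(k)]
    beta = solve(XtX, Xty)
    rss = sum((yi - sum(b * x for b, x in zip(beta, r))) ** 2 for r, yi in zip(X, y))
    mean = sum(y) / len(y)
    return beta, rss, 1 - rss / sum((yi - mean) ** 2 for yi in y)

def f_stat(rss_small, rss_full, extra, n, k_full):
    """Nested-model F statistic: how much variance the `extra` added terms explain."""
    return ((rss_small - rss_full) / extra) / (rss_full / (n - k_full))

def design(samples, with_prev):
    """Rows: intercept, HW(operand), HD(operand, previous operand) and, for the full
    model, a D x Ip style interaction 'HW(operand) x previous instruction was a load'."""
    return [[1.0, hw(op), hw(op ^ prev)] + ([hw(op) * ldr] if with_prev else [])
            for op, prev, ldr in samples]

def constructed_measurements(n=400, seed=7):
    """Constructed 'measurements' of a target instruction inside triplets: leakage is
    larger when the previous instruction was a load (an assumed effect, not real data)."""
    rng = random.Random(seed)
    samples = [(rng.randrange(256), rng.randrange(256), rng.randrange(2)) for _ in range(n)]
    y = [0.9 * hw(op) + 0.3 * hw(op ^ prev) + 0.5 * hw(op) * ldr + rng.gauss(0, 0.3)
         for op, prev, ldr in samples]
    return samples, y

def compare_models():
    """Fit the model without and with the interaction; return R^2 of both, F and betas."""
    samples, y = constructed_measurements()
    _, rss_s, r2_s = ols(design(samples, False), y)
    beta, rss_f, r2_f = ols(design(samples, True), y)
    return r2_s, r2_f, f_stat(rss_s, rss_f, 1, len(y), 4), beta
```

A large F statistic together with the jump in R² is what justifies keeping the previous-instruction interaction in the model for this instruction; a term whose F value is small would be dropped.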
ELMO
These models were integrated in an open source instruction set emulator for the target architecture (an M0):
• We piggyback on the ‘Thumbulator’ data flow graph to extract the input and output data for each instruction as it is executed on the target architecture
• We analyse triplets to ‘plug in’ the corresponding leakage model from our database of models
• This enables us to produce instruction (or cycle) accurate leakage traces for arbitrary code
ELMO
• ELMO can thus produce nearly ‘best case’ leakage traces
  • They are noise free, but limited by our model choices
• ELMO has functionality to automate leakage detection
  • At present we only facilitate a t-test
• ELMO however enables developers to unambiguously attribute leaks to instructions
  • It instruments leakage detection according to best practice by interleaving ‘acquisitions’ to avoid any potential statistical bias
  • It can (in principle) select the appropriate number of ‘acquisitions’ to achieve a specific power of a test
  • It significantly speeds up second-order leakage detection because it can attribute masks to instructions, and thus ‘knows’ which pairs of points to select
ELMO
ELMO traces
• ELMO can also trace ‘masks’ through assembly code and can thus point out if some instructions are unmasked or if masks get taken off
• In principle (tested on the AES in mbed TLS) one can write C code, compile to ARM Thumb, and then analyse this via ELMO
• In principle the tool can be used to randomly insert instructions that foil HW leakage and lower other leakage (certain sequences can enhance or worsen leakage of a target) (tested on AES)
• In principle any of the published work would be much facilitated by ELMO
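The ELMO workflow from the last few slides (noise-free emulated leakage traces from per-instruction models, a fixed-vs-random t-test with interleaved acquisitions, and a mask that gets taken off by the instruction order), as an added Python example that is not ELMO's code: the two-instruction model, its weights, the key byte and the three snippets are all constructed, and the masked snippets assume the harness already supplies pt ^ m and m in registers.

```python
import random

# Constructed toy leakage model in the spirit of ELMO's grey-box models: each emulated
# instruction leaks a weighted Hamming weight (HW) of its result plus a weighted Hamming
# distance (HD) to the previous instruction's result. Weights are assumed, not measured.
MODEL = {"mov": (0.8, 0.6), "eor": (1.0, 0.4)}   # op -> (HW weight, HD weight)
THRESHOLD = 4.5                                    # customary |t| threshold for TVLA
KEY = 0x7E                                         # constructed key byte

def hw(v): return bin(v & 0xFF).count("1")

def emulate(instrs):
    """Noise-free leakage trace: one value per executed (op, result), like ELMO."""
    trace, prev = [], 0
    for op, result in instrs:
        w_hw, w_hd = MODEL[op]
        trace.append(w_hw * hw(result) + w_hd * hw(result ^ prev))
        prev = result
    return trace

def welch_t(a, b):
    """Welch's t statistic; with noise-free traces one class may have zero variance."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    denom = (va / na + vb / nb) ** 0.5
    if denom == 0:
        return 0.0 if ma == mb else float("inf")
    return (ma - mb) / denom

def fixed_vs_random(snippet, n=2000, seed=1):
    """|t| per trace point for a fixed-vs-random plaintext test. Fixed and random
    'acquisitions' are interleaved so that drift over time cannot masquerade as leakage."""
    rng, groups = random.Random(seed), ([], [])
    for i in range(n):
        which = i % 2                              # 0 = fixed class, 1 = random class
        pt = 0x00 if which == 0 else rng.randrange(256)
        groups[which].append(emulate(snippet(pt, rng.randrange(256))))
    fixed, rand = groups
    return [abs(welch_t([t[j] for t in fixed], [t[j] for t in rand]))
            for j in range(len(fixed[0]))]

# Snippets as (op, result) sequences. In masked_bad the mask is moved right before the
# eor, so the HD term of the eor equals HW(pt ^ KEY): the mask is 'taken off' by ordering.
def unmasked(pt, m):    return [("mov", pt), ("eor", pt ^ KEY)]
def masked_bad(pt, m):  return [("mov", pt ^ m), ("mov", m), ("eor", pt ^ m ^ KEY)]
def masked_good(pt, m): return [("mov", pt ^ m), ("eor", pt ^ m ^ KEY)]

def leaky_points(snippet):
    """Indices of the instructions whose |t| exceeds the threshold."""
    return [j for j, t in enumerate(fixed_vs_random(snippet)) if t > THRESHOLD]
```

Because every trace point maps to one emulated instruction, a flagged index names the instruction responsible, which is the attribution the slides describe; the unmasked snippet leaks at both instructions, masked_bad at the two instructions touching the mask and the masked key byte, and masked_good at none.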
ELMO
• What’s missing?
  • We did not profile address leakage
  • We did not exhaust all Thumb instructions
  • We made no effort to investigate if there is leakage from within the multiplier
  • We did not entertain how to even decide if longer sequences would be more adequate
Clearly this is not an industrial tool, it is no more than a promising first step.
Next steps
• What else is missing?
  • ELMO is a ‘standalone’ tool and not part of a compiler toolchain, thus it assumes that a developer can identify potentially critical pieces of code and run them through ELMO
  • The ideal solution for the non-expert would be to be able to annotate higher level code (i.e. C for most embedded systems), and then for a tool to do the rest
• We have an ongoing collaboration with Embecosm, the one and only (UK) compiler company that has realised the disruptive power that a security aware compiler could have
Next steps
• They currently work on some ideas re automating techniques that ensure constant time as well as cache safe implementations of symmetric primitives on embedded devices, with the goal to upstream the results
  • In the future gcc-arm should include options that automatically improve the security of code
• We hope to learn from this process and thus scout out the appetite for more leakage-aware compilation options
Embecosm
• Cryptography is not only for Cryptographers
  • Making cryptography work in practice is a huge challenge
  • Compilers are integral to software development and they should be leakage aware
• ELMO is open source and we are restarting work on it:
  github.com/bristol-sca/elmo
  “Towards Practical Tools for Side Channel Aware Software Engineering: 'Grey Box' Modelling for Instruction Leakages”, USENIX 2017, McCann, Oswald, Whitnall
Wrap up