Catch me if you can: Locating (and fixing) side channel leaks (for dummies)
Elisabeth Oswald
Outline
• Why: there are many more non-crypto experts than crypto experts!
• What: this talk is about tools and techniques for detecting (and fixing) information leaks that are designed for developers who are not cryptographers.
• How: with a lot of effort, by developing an appropriate model of the TOE (target of evaluation) that integrates in some ‘design flow’.
Context
• Developed around 1995, with publications emerging from 1996 onwards, side channel attacks have exploited:
  • Execution times
  • Power consumption
  • EM radiation
  • Cache behaviour
  • RF emanation
  • Sound
  • Packet length
  • …
Attacks that Exploit Leakage
• Many attacks recover information about ‘chunks’ of a secret key
  • Stronger attacks tend to have better device leakage models
• Distinguisher needs to be chosen in conjunction with the device leakage model
• High quality traces naturally also improve attack outcomes
• Some attacks recover plaintext information

Diagram: from the (input) data, a model of the device and a key (chunk) guess, the attacker derives predicted behaviour; a distinguisher compares this prediction with the side channel data and outputs a score associated with the key guess.
Context, cont.
• Attacks only ever get better
1999: attacks on block ciphers (DES, AES), exploiting physical leaks, simple implementations, trivial to break
2012: attacks on protocols (TLS), exploiting protocol leaks, non-trivial attacks requiring profiling
Context, cont.
• Past attacks on real world products
  • Pay TV as a ‘market driver’: protecting people from watching too much too bad telly is clearly very important!
  • Standards/evaluation schemes exist to protect chip cards in the context of banking applications (CC protection profiles, EMVCo scheme)
  • But also printer cartridges, and other ‘gadgets’ that have static secret keys embedded, are routinely protected
These applications are all somewhat ‘closed’: specialist developers with access to crypto/side channel expertise + labs are available. Code/implementations/evaluations remain confidential.
Context, cont.
• But the world has changed:
  • Payments are getting integrated, e.g. in software apps running on mobile phones
  • We have more and more ‘smart’ devices around that interact with us, and sometimes connect us with other devices/apps/institutions/people
  • These systems are much more ‘open’ in the sense that there exist many (small) companies that produce software.
In this context, access to crypto/side channel specialists + lab can no longer be taken for granted.
Context, cont.
• Research into attacks and mitigation strategies (provable or not) has more or less assumed ‘specialist developers’ so far.
  • We develop ‘Cryptography for Cryptographers only’
  • We need ‘Cryptography for Everybody’, and this includes ways to implement cryptography securely in the real world
• A large part of my research interest is to find ways to ‘automate’ implementing crypto so as to take away (some of) the burden from developers.
Automation
Let’s now focus on mitigation of physical leaks:
• What leaks?
• (Why does it leak?)
• How can it be fixed?
Questions:
• At which point in the design cycle to do this?
• What leaks do matter?
• How to include developers’ decisions?
Automation Approaches
‘Closed world’ approaches from the past include:
• Hardware level: assume we build a processor/crypto module, have full design details, aim for early mitigation
  • Pros: hope to remove leakage entirely, implies that the software developer does not need to care at all
  • Cons: unable to remove leakage entirely, impractical as for most applications the fabrication of a dedicated security IC is not an option
• Software level: assume that crypto runs on a leaky processor, a simplistic leakage model (Hamming weight), and focus on a specific algorithm
  • Pros: does not rely on control/exact knowledge of the hardware design, potentially more applicable to a wide range of applications, promise to prove security
  • Cons: unable to capture any leak that does not fit the model
Automation Approaches, cont.
Compiler based approaches:
• 2012: we developed a compiler extension, which required a domain specific language, that was capable of taking a ‘raw’ AES implementation and translating it into a first-order Boolean masked implementation in Thumb assembly for an ARM7TDMI.
• 2013: Bayrak, and Agosta, independently proposed different compiler extensions that ‘identified’ vulnerable instructions and applied some countermeasures
• 2013 onwards: Dupressoir published a series of papers in which formal verification was used to prove leakage properties of code
All approaches relied on very simplistic leakage models.
Importance of leakage models
• Simplifications are good if they remove unnecessary complexity only
• We have seen many times (in the side channel community) that simplified assumptions render ‘proofs’ (arguments for security) useless
  • Even provably secure schemes such as ISW99 fail miserably in practice due to glitches
  • TI (threshold implementation) schemes equally make strong independence assumptions on small components
Figure: side channel attack outcomes using the HW assumption (top), and a statistically estimated leakage model (bottom).
Importance of leakage models, cont.
• Leakage behaviour can be very complex:
  • It depends on the state that the processor is in prior to a (target) instruction as well as what the next instruction will be
  • It depends on the pipeline architecture, functional components, busses, etc.
• Thus modelling ‘an’ instruction requires a sequence of instructions.
Figure: power traces of an XOR operation, surrounded by LDR (left) and LSL (right).
Automation challenges
• What leaks: without a sophisticated understanding of the target architecture’s leakage, ‘reasoning’ about implementations is pointless
• Why does it leak: without a ‘white box’ this cannot really be answered, but a good leakage model can potentially describe how the leakage functionally looks
• How can you reliably detect leakage in a new piece of code without having to instrument everything all the time?
• How can you mitigate arbitrary leaks?
Leakage detection
We now focus more on the ‘finding’ than the ‘fixing’.
• Detecting information leaks is not a new topic: detecting ‘points of interest’ has been a topic for discussion since the advent of ‘higher-order’ (in this case meaning multivariate) DPA attacks
• Methods that are easy to use tend to be based on the t-test (leakage model assumes individual bits’ leakage differ) and correlation analysis (requires a power model), which are moment based statistics that produce unreliable results when used in a multivariate setting.
• Statistically rigorous methods were developed by Chothia et al. based on Mutual Information (no power model required, cope better in a multivariate setting)
Leakage modelling
• Modelling has been done under the disguise of template matching for a long time in the community
  • Templates consist of the mean (vector) and (co)variance (matrix) of a (multivariate) Gaussian that represent (a) leakage point(s)
  • Pro: captures potentially the full leakage. Cons: lots of traces, matrix not invertible
• This is equivalent to a multinomial representation in which one includes all interaction terms
  • Pro: can test which interaction terms are statistically significant, and thus remove all others; requires potentially fewer traces for a very good estimation of the relevant terms using regression
Leakage modelling, cont.
• Beyond the choice of statistical technique, there is a big question about the ‘level of abstraction’, and how to integrate models into a design flow
  • Bayrak et al.’s approach requires instrumenting each new piece of code before it can be analysed
• (Maybe) a much better idea: choose Assembly level code snippets to determine and model leakage
  • Length and composition of sequences, choice of leakage points within the corresponding traces, what potential effects to include, etc.
ELMO
• Leakage modelling methodology
  • Initial scouting of individual instructions with the aim of clustering instructions – verification by cross-checking with known architectural information (grey box modelling)
  • Generation of controlled sequences of specifically designed instruction triplets (with the target instruction in the middle) to produce data for modelling
• Model:
  • We test significance for the terms with an F-test and look at R²
  • We also test for effects of board, register choices, and the potential of higher order terms (included then for some instructions)
ELMO
• Leakage modelling methodology
• Model:
  • Ip (previous instruction), Is (subsequent instruction)
  • D (dummies for bits and transitions of operands)
  • D×Ip (HW and HD terms plus interactions with the previous instruction), D×Is
ELMO
These models were integrated in an open source instruction set emulator for the target architecture (an M0):
• We piggyback on the ‘Thumbulator’ data flow graph to extract the input and output data for each instruction as it is executed on the target architecture
• We analyse triplets to ‘plug in’ the corresponding leakage model from our database of models
• This enables us to produce instruction (or cycle) accurate leakage traces for arbitrary code
ELMO
• ELMO can thus produce nearly ‘best case’ leakage traces
  • They are noise free, but limited by our model choices
• ELMO has functionality to automate leakage detection
  • At present we only facilitate a t-test
• ELMO however enables developers to unambiguously attribute leaks to instructions
  • It instruments leakage detection according to best practice by interleaving ‘acquisitions’ to avoid any potential statistical bias
  • It can (in principle) select the appropriate number of ‘acquisitions’ to achieve a specific power of a test
  • It significantly speeds up second-order leakage detection because it can attribute masks to instructions, and thus ‘knows’ which pairs of points to select
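As an added illustration of the detection workflow described on this slide and on the ‘Leakage detection’ slide (example code written for this page, not part of ELMO or the talk): a toy instruction-level leakage model with HW and transition terms, a noise-free emulated trace sample per instruction, and a fixed-vs-random Welch t-test with interleaved acquisitions that attributes any leak to the instruction producing it. The model coefficients, the three-instruction program and the key are constructed; only `ldr` and `eor` are emulated.

```python
import math
import random

def hw(x):
    """Hamming weight of an 8-bit value."""
    return bin(x & 0xFF).count("1")

# Constructed coefficients of a hypothetical per-instruction model (not ELMO's fitted
# values): weight on HW of the result, weight on HD to the previous result (a D x Ip term).
MODEL = {"ldr": (1.0, 0.2), "eor": (1.0, 0.6)}

def emulate(program, key, pt, noise=0.0, rng=random):
    """Run a tiny straight-line 8-bit program and return one leakage sample per
    instruction (noise-free by default, like an ELMO trace)."""
    regs = {"k": key, "p": pt, "r0": 0, "r1": 0}
    prev, trace = 0, []
    for op, dst, src in program:
        if op == "ldr":
            val = regs[src]
        elif op == "eor":
            val = regs[dst] ^ regs[src]
        else:
            raise ValueError("unsupported instruction: " + op)
        regs[dst] = val
        a, b = MODEL[op]
        trace.append(a * hw(val) + b * hw(val ^ prev) + rng.gauss(0.0, noise))
        prev = val
    return trace

def welch_t(xs, ys):
    """Welch's t-statistic; 0 when neither group varies (no data dependence at all)."""
    n, m = len(xs), len(ys)
    mx, my = sum(xs) / n, sum(ys) / m
    vx = sum((x - mx) ** 2 for x in xs) / (n - 1)
    vy = sum((y - my) ** 2 for y in ys) / (m - 1)
    denom = math.sqrt(vx / n + vy / m)
    return 0.0 if denom == 0.0 else (mx - my) / denom

def detect(program, key, fixed_pt=0x00, n=200, threshold=4.5, noise=0.0, seed=1):
    """Fixed-vs-random t-test per instruction, with fixed and random acquisitions
    interleaved so ordering cannot bias a group. Returns [(index, mnemonic, t, flagged)]."""
    rng = random.Random(seed)
    fixed, rand = [], []
    for _ in range(n):
        fixed.append(emulate(program, key, fixed_pt, noise, rng))
        rand.append(emulate(program, key, rng.randrange(256), noise, rng))
    out = []
    for i, (op, _, _) in enumerate(program):
        t = welch_t([tr[i] for tr in fixed], [tr[i] for tr in rand])
        out.append((i, op, t, abs(t) > threshold))
    return out

# Constructed program: load the key (data-independent), load the plaintext, XOR them.
PROGRAM = [("ldr", "r0", "k"), ("ldr", "r1", "p"), ("eor", "r0", "r1")]
KEY = 0xE7  # constructed secret for the demonstration
```

Calling `detect(PROGRAM, KEY)` leaves the key load unflagged (t = 0, no data dependence) and flags the plaintext load and the XOR, which is the per-instruction attribution the slide describes.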
ELMO traces
ELMO
• ELMO can also trace ‘masks’ through assembly code and can thus point out if some instructions are unmasked or if masks get taken off
• In principle (tested on the AES in mbed TLS) one can write C code, compile to ARM Thumb, and then analyse this via ELMO
• In principle the tool can be used to randomly insert instructions that foil HW leakage and lower other leakage (certain sequences can enhance or worsen leakage of a target) (tested on AES)
• In principle any of the published work would be much facilitated by ELMO
Next steps
• What’s missing?
  • We did not profile address leakage
  • We did not exhaust all Thumb instructions
  • We made no effort to investigate if there is leakage from within the multiplier
  • We did not entertain how to even decide if longer sequences would be more adequate
Clearly this is not an industrial tool, it is no more than a promising first step.
Next steps
• What else is missing?
  • ELMO is a ‘standalone’ tool and not part of a compiler toolchain, thus it assumes that a developer can identify potentially critical pieces of code and run them through ELMO
  • The ideal solution for the non-expert would be to be able to annotate higher level code (i.e. C for most embedded systems), and then for a tool to do the rest
• We have an ongoing collaboration with Embecosm, the one and only (UK) compiler company that has realised the disruptive power that a security aware compiler could have
Embecosm
• They currently work on some ideas re automating techniques that ensure constant time as well as cache safe implementations of symmetric primitives on embedded devices, with the goal to upstream the results
  • In the future gcc-arm should include options that automatically improve the security of code
• We hope to learn from this process and thus scout out the appetite for more leakage-aware compilation options
Wrap up
• Cryptography is not only for Cryptographers
• Making cryptography work in practice is a huge challenge
• Compilers are integral to software development and they should be leakage aware
• ELMO is open source and we are restarting work on it: github.com/bristol-sca/elmo
“Towards Practical Tools for Side Channel Aware Software Engineering: ‘Grey Box’ Modelling for Instruction Leakages”, USENIX 2017, McCann, Oswald, Whitnall