Side Channels and Physical Security

Prosecutor’s Fallacy

• Joe’s fingerprints found at the site of a crime• Prosecutor claims fingerprint test is 99.99%

accurate 0.01% false positive and 0.01% false negative

rates

• Was Joe guilty?

Bayesian Inference

Joe Guilty Joe Not Guilty

Prior probability

p (1-p)

Test Positive 0.9999p 0.0001(1-p)

Test Negative 0.0001p 0.9999(1-p)

Joe was innocent!

• E.g., Joe was selected from 1M fingerprint database subjects

Joe Guilty Joe Not Guilty

Prior probability

0.000001 0.999999

Test Positive 0.0000009999

0.0000999999

Outline

• Side channels Audio, RF, ...

• Secure deletion• Steganography

Reading

• Security Engineering, Ch. 15 http://www.cl.cam.ac.uk/~rja14/Papers/SE-15.pdf

• Soft TEMPEST research at Cambridge http://www.cl.cam.ac.uk/~mgk25/

• Secure deletion http://www.cs.auckland.ac.nz/~pgut001/

What are side channels?===============/

========================================================Advisory ID: CAU-2007-0001Release Date: 04/01/2007Title: Window Transparency Information DisclosureApplication/OS: Windows made from silica or plasticsTopic: Panes used in windows are usually transparent,

allowing sensitive information to be observed from the

outside.Vendor Status: Not NotifiedAttributes: Remote, Information DisclosureAdvisory URL: http://www.caughq.org/advisories/CAU-2007-0001.txtAuthor/Email: I)ruid <druid (at) caughq.org> ===============/

========================================================

Side channels

• Information disclosure through physical properties of the implementation

• Side channel examples? Timing Power RF emanations Acoustic leaks

• Get around a perfect policy and a bug-free implementation

Timing Attacks

• Execution time of operations varies depending on data Some code may not be executed Some instructions may take longer

• Attacker can measure timing, recover secret information

Example: Password checker

get user_passlook up real_passfor i=1 to 8 if user_pass[i] != real_pass[i] break

a aaaaaaaaaaaaaaaabcs aaaaaaaaaaaaaaaasa

“secret”

Example: RSA

• Decrypt: compute Cd (mod n)

decrypt(C,d,n) M := C; for i = 0 to log2 d

if bit i of d = 1 M := M * C mod n M := M*M mod n

Keystroke timings

User types p a s s w o r d

p a s s w o r dSSH sends

Keyboard acoustics

User types p a s s w o r d

Microphone

Acoustic noise

RF noise

• Computers emit RF noise, too Lots of it!

• With high-gain antenna, can monitor activity from a distance

• TEMPEST project Study RF emanations Certification for equipment shielding

• Red black

Open TEMPEST Research

Demonstration

Hidden Messages

Hidden messages

Power Analysis

• Computers & electronics leak information through power Different instructions take different power

• Power analysis is especially useful for smart cards E.g. satellite decoder cards contain secret keys

that users should not be able to steal Card under user’s precise control

Simple Power Analysis

Differential power analysis

• Make hypothesis of internal state• Look for power traces correlated with

hypothesis state

Defenses?

• Timing• Acoustic• RF• Power

Steganography

• Greek for covered writing• Embed hidden messages in other communication• Example:

PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE

NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW.

STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS.

YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT

IMMENSELY.

PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE

NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW.

STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS.

YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT

IMMENSELY.

PERSHING SAILS FROM NY JUNE I

Where to hide messages?

• Spaces• Word lengths

How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics. One is, yes, adequate even enough to induce some fun and pleasure for an instant, miserably brief.

• Timings• Low bits of images/audio

Image Steganography

Secure Deletion

• How do you make sure a file is really gone?• Must eradicate all copies• First attempt:

“rm file”

• What about backups?

OS level issues

• What does the filesystem do when you erase a file?

Directory

file1

file2

file3

File 1 contents

Try #2

• Overwrite file with 0’s, *then* erase• Problems?

Copies of file in memory, cache, swap Study finds data remains on disk weeks after it’s

been erased

Disk level issues

• Magnetic information persists after overwrite “Ghost effects” Overwrite many time with different patterns Similar effects exist for RAM, too!

• CITES disk scrubbing docs: http://www.cites.uiuc.edu/security/diskscrub/dsfaq.html

• Smart disks remap sectors Sectors that have gone bad inacessible, though still

readable with effort

• Drive alignment issues

Better approach

• Never write confidential data to disk Keep crypto keys “pinned” in memory Encrypt confidential files

• Encrypting filesystems Encrypt all data stored on a computer BitLocker for Windows Many products for Linux FileVault under MacOS X

• Keep key in memory, or on smart card

Key Points

• Physical security is difficult Many side channels available

• Software / system design can help physical security E.g. encrypted filesystems

• Joe was innocent!