side channels and physical security. prosecutor’s fallacy joe’s fingerprints found at the site...
TRANSCRIPT
Side Channels and Physical Security
Prosecutor’s Fallacy
• Joe’s fingerprints found at the site of a crime• Prosecutor claims fingerprint test is 99.99%
accurate 0.01% false positive and 0.01% false negative
rates
• Was Joe guilty?
Bayesian Inference
Joe Guilty Joe Not Guilty
Prior probability
p (1-p)
Test Positive 0.9999p 0.0001(1-p)
Test Negative 0.0001p 0.9999(1-p)
Joe was innocent!
• E.g., Joe was selected from 1M fingerprint database subjects
Joe Guilty Joe Not Guilty
Prior probability
0.000001 0.999999
Test Positive 0.0000009999
0.0000999999
Outline
• Side channels Audio, RF, ...
• Secure deletion• Steganography
Reading
• Security Engineering, Ch. 15 http://www.cl.cam.ac.uk/~rja14/Papers/SE-15.pdf
• Soft TEMPEST research at Cambridge http://www.cl.cam.ac.uk/~mgk25/
• Secure deletion http://www.cs.auckland.ac.nz/~pgut001/
What are side channels?===============/
========================================================Advisory ID: CAU-2007-0001Release Date: 04/01/2007Title: Window Transparency Information DisclosureApplication/OS: Windows made from silica or plasticsTopic: Panes used in windows are usually transparent,
allowing sensitive information to be observed from the
outside.Vendor Status: Not NotifiedAttributes: Remote, Information DisclosureAdvisory URL: http://www.caughq.org/advisories/CAU-2007-0001.txtAuthor/Email: I)ruid <druid (at) caughq.org> ===============/
========================================================
Side channels
• Information disclosure through physical properties of the implementation
• Side channel examples? Timing Power RF emanations Acoustic leaks
• Get around a perfect policy and a bug-free implementation
Timing Attacks
• Execution time of operations varies depending on data Some code may not be executed Some instructions may take longer
• Attacker can measure timing, recover secret information
Example: Password checker
get user_passlook up real_passfor i=1 to 8 if user_pass[i] != real_pass[i] break
a aaaaaaaaaaaaaaaabcs aaaaaaaaaaaaaaaasa
“secret”
Example: RSA
• Decrypt: compute Cd (mod n)
decrypt(C,d,n) M := C; for i = 0 to log2 d
if bit i of d = 1 M := M * C mod n M := M*M mod n
Keystroke timings
User types p a s s w o r d
p a s s w o r dSSH sends
Keyboard acoustics
User types p a s s w o r d
Microphone
Acoustic noise
RF noise
• Computers emit RF noise, too Lots of it!
• With high-gain antenna, can monitor activity from a distance
• TEMPEST project Study RF emanations Certification for equipment shielding
• Red black
Open TEMPEST Research
Demonstration
Hidden Messages
Hidden messages
Power Analysis
• Computers & electronics leak information through power Different instructions take different power
• Power analysis is especially useful for smart cards E.g. satellite decoder cards contain secret keys
that users should not be able to steal Card under user’s precise control
Simple Power Analysis
Differential power analysis
• Make hypothesis of internal state• Look for power traces correlated with
hypothesis state
Defenses?
• Timing• Acoustic• RF• Power
Steganography
• Greek for covered writing• Embed hidden messages in other communication• Example:
PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE
NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW.
STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS.
YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT
IMMENSELY.
PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE
NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW.
STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS.
YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT
IMMENSELY.
PERSHING SAILS FROM NY JUNE I
Where to hide messages?
• Spaces• Word lengths
How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics. One is, yes, adequate even enough to induce some fun and pleasure for an instant, miserably brief.
• Timings• Low bits of images/audio
Image Steganography
Secure Deletion
• How do you make sure a file is really gone?• Must eradicate all copies• First attempt:
“rm file”
• What about backups?
OS level issues
• What does the filesystem do when you erase a file?
Directory
file1
file2
file3
File 1 contents
Try #2
• Overwrite file with 0’s, *then* erase• Problems?
Copies of file in memory, cache, swap Study finds data remains on disk weeks after it’s
been erased
Disk level issues
• Magnetic information persists after overwrite “Ghost effects” Overwrite many time with different patterns Similar effects exist for RAM, too!
• CITES disk scrubbing docs: http://www.cites.uiuc.edu/security/diskscrub/dsfaq.html
• Smart disks remap sectors Sectors that have gone bad inacessible, though still
readable with effort
• Drive alignment issues
Better approach
• Never write confidential data to disk Keep crypto keys “pinned” in memory Encrypt confidential files
• Encrypting filesystems Encrypt all data stored on a computer BitLocker for Windows Many products for Linux FileVault under MacOS X
• Keep key in memory, or on smart card
Key Points
• Physical security is difficult Many side channels available
• Software / system design can help physical security E.g. encrypted filesystems
• Joe was innocent!