Your search keyword '"Side-channels"' showing total 87 results

1. Time Will Tell: Exploiting Timing Leaks Using HTTP Response Headers

Author

Vanderlinden, Vik, Goethem, Tom Van, Vanhoef, Mathy, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Tsudik, Gene, editor, Conti, Mauro, editor, Liang, Kaitai, editor, and Smaragdakis, Georgios, editor

Published

2024

2. TeeJam: Sub-Cache-Line Leakages Strike Back

Author

Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom

Subjects

Side-Channels, Microarchitectural Attacks, Trusted Execution Environments, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64

Abstract

The microarchitectural behavior of modern CPUs is mostly hidden from developers and users of computer software. Due to a plethora of attacks exploiting microarchitectural behavior, developers of security-critical software must, e.g., ensure their code is constant-time, which is cumbersome and usually results in slower programs. In practice, small leakages which are deemed not exploitable still remain in the codebase. For example, sub-cache-line leakages have previously been investigated in the CacheBleed and MemJam attacks, which are deemed impractical on modern platforms. In this work, we revisit and carefully analyze the 4k-aliasing effect and discover that the measurable delay introduced by this microarchitectural effect is higher than found by previous work and described by Intel. By combining the rediscovered effect with a high temporal resolution possible when single-stepping an SGX enclave, we construct a very precise, yet widely applicable attack with sub-cache-line leakage resolution. o demonstrate the significance of our findings, we apply the new attack primitive to break a hardened AES T-Table implementation that features constant cache line access patterns. The attack is up to three orders of magnitude more efficient than previous sub-cache-line attacks on AES in SGX. Furthermore, we improve upon the recent work of Sieck et al. which showed partial exploitability of very faint leakages in a utility function loading base64-encoded RSA keys. With reliable sub-cache-line resolution, we build an end-to-end attack exploiting the faint leakage that can recover 4096-bit keys in minutes on a laptop. Finally, we extend the key recovery algorithm to also work for RSA keys following the standard that uses Carmichael’s totient function, while previous attacks were restricted to RSA keys using Euler’s totient function.

Published

2023

3. A Side-Channel Based Disassembler for the ARM-Cortex M0

Author

van Geest, Jurian, Buhan, Ileana, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Zhou, Jianying, editor, Adepu, Sridhar, editor, Alcaraz, Cristina, editor, Batina, Lejla, editor, Casalicchio, Emiliano, editor, Chattopadhyay, Sudipta, editor, Jin, Chenglu, editor, Lin, Jingqiang, editor, Losiouk, Eleonora, editor, Majumdar, Suryadipta, editor, Meng, Weizhi, editor, Picek, Stjepan, editor, Shao, Jun, editor, Su, Chunhua, editor, Wang, Cong, editor, Zhauniarovich, Yury, editor, and Zonouz, Saman, editor

Published

2022

4. A Fast and Compact RISC-V Accelerator for Ascon and Friends

Author

Steinegger, Stefan, Primas, Robert, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Liardet, Pierre-Yvan, editor, and Mentens, Nele, editor

Published

2021

5. Software Diversification for WebAssembly

Author

Cabrera Arteaga, Javier and Cabrera Arteaga, Javier

Abstract

WebAssembly, now the fourth ocially recognized web language, enables web browsers to port native applications to the Web. Furthermore, WebAssembly has evolved into an essential element for backend scenarios such as cloud and edge computing. Therefore, WebAssembly finds use in a plethora of applications, including but not limited to, web browsers, blockchain, and cloud computing. Despite the emphasis on security since its design and specification, WebAssembly remains susceptible to various forms of attacks, including memory corruption and side-channels. Furthermore, WebAssembly has been manipulated to disseminate malware, particularly in cases of browser cryptojacking. Web page resources, including those containing WebAssembly binaries, are predominantly served from centralized data centers in the modern digital landscape. In conjunction with browser clients, thousands of edge devices operate millions of identical WebAssembly instantiations every second. This phenomenon creates a highly predictable ecosystem, wherein potential attackers can anticipate behavior either in browsers or backend nodes. Such predictability escalates the potential impact of vulnerabilities within these ecosystems, paving the way for high-impact side-channel and memory attacks. For instance, a flaw in a web browser, triggered by a defective WebAssembly program, holds the potential to aect millions of users. This work aims to harden the security within the WebAssembly ecosystem through the introduction of Software Diversification methods and tools. Software Diversification is a strategy designed to augment the costs of exploiting vulnerabilities by making software less predictable. The predictability within ecosystems can be diminished by automatically generating dierent, yet functionally equivalent, program variants. These variants strengthen observable properties that are typically used to launch attacks, and in many instances, can eliminate such vulnerabilities. This work introduces thre, WebAssembly, nu det fjärde ociellt erkända webbspråket, gör det möjligt för webbläsare att portera nativa applikationer till webben. Dessutom har WebAssembly utvecklats till en väsentlig komponent för backend-scenarier såsom molntjänster och edge-tjänster. Därmed används WebAssembly i en mängd olika applikationer, däribland webbläsare, blockchain och molntjänster. Trots sitt fokus på säkerhet från dess design till dess specifikation är WebAssembly fortfarande mottagligt för olika former av attacker, såsom minneskorruption och sidokanalattacker. Dessutom har WebAssembly manipulerats för att sprida skadlig programvara, särskilt otillåten cryptobrytning i webbläsare. Webbsideresurser, inklusive de som innehåller exekverbar WebAssembly, skickas i en modern digital kontext huvudsakligen från centraliserade datacenter. Tusentals edge-enheter, i samarbete med webbläsarklienter, kör miljontals identiska WebAssembly-instantieringar varje sekund. Detta fenomen skapar ett högst förutsägbart ekosystem, där potentiella angripare kan förutse beteenden antingen i webbläsare eller backend-noder. En sådan förutsägbarhet ökar potentialen för sårbarheter inom dessa ekosystem och öppnar dörren för sidkanal- och minnesattacker med stor påverkan. Till exempel kan en brist i en webbläsare, framkallad av ett defekt WebAssembly- program, ha potential att påverka miljontals användare. Denna avhandling syftar till att stärka säkerheten inom WebAssembly- ekosystemet genom införandet av metoder och verktyg för mjukvarudiversifiering. Mjukvarudiversifiering är en strategi som är utformad för att öka kostnaderna för att exploatera sårbarheter genom att göra programvaran oförutsägbar. Förutsägbarheten inom ekosystem kan minskas genom att automatiskt generera olika programvaruvarianter. Dessa varianter förstärker observerbara egenskaper som vanligtvis används för att starta attacker och kan i många fall helt eliminera sådana, QC 20240131

Published

2024

6. An Efficient and Provable Masked Implementation of qTESLA

Author

Gérard, François, Rossi, Mélissa, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Belaïd, Sonia, editor, and Güneysu, Tim, editor

Published

2020

7. A generalized approach to estimation of memoryless covert channel information leakage capacity

Author

Baki Berkay Yilmaz, Nader Sehatbakhsh, Moumita Dey, Chia-Lin Cheng, Milos Prvulovic, and Alenka Zajić

Subjects

Asynchronous wireless communication, Digital/analog covert channels, Leakage capacity, Security, Side-channels, Computer engineering. Computer hardware, TK7885-7895, Electronic computers. Computer science, QA75.5-76.95

Abstract

Estimating the amount of information that is leaked by covert channels is a necessity to comprehend and mitigate the severity of attacks exploiting these channels. Having such an estimation in design-state provides an opportunity for designers to adjust their systems to minimize information leakage. In this paper, we propose a methodology to estimate the worst-case information leakage (or capacity for the information leakage) through various memoryless covert channels – both analog and digital ones – exhibiting on–off keying structure. In that respect, we first model the communication channel as a deletion–insertion channel to account for the information losses due to software activities. Then, we derive the effective noise in covert channels as the combination of jitter noise caused by signaling time variation and Additive White Gaussian Noise (AWGN). Considering this effective noise, we propose a communication model which can be generalized for various covert channels and takes insertions, deletions, and asynchronous nature of covert channels into account. By leveraging the link between this communication model and information theory literature, we obtain the information leakage capacity that reveals the leakage limit for the worst-case scenarios. Finally, we provide experimental results to demonstrate that the proposed model is an effective and a generalized methodology to score the resilience of a given system to covert channel attacks.

Published

2022

8. REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals.

Author

Sehatbakhsh, Nader, Nazari, Alireza, Alam, Monjur, Werner, Frank, Zhu, Yuanda, Zajic, Alenka, and Prvulovic, Milos

Subjects

*MALWARE, *MICROPROCESSORS, *MALWARE prevention, *ELECTRONIC equipment enclosures, *CYBER physical systems, *PID controllers, *DENIAL of service attacks

Abstract

Cyber-physical systems (CPS) are controlling many critical and sensitive aspects of our physical world while being continuously exposed to potential cyber-attacks. These systems typically have limited performance, memory, and energy reserves, which limits their ability to run existing advanced malware protection, and that, in turn, makes securing them very challenging. To tackle these problems, this paper proposes, Remote, a new robust framework to detect malware by externally observing Electromagnetic (EM) signals emitted by an electronic computing device (e.g., a microprocessor) while running a known application, in real-time and with a low detection latency, and without any a priori knowledge of the malware. Remote does not require any resources or infrastructure on, or any modifications to, the monitored system itself, which makes Remote especially suitable for malware detection on resource-constrained devices such as embedded devices, CPSs, and Internet of Things (IoT) devices where hardware and energy resources may be limited. To demonstrate the usability of Remote in real-world scenarios, we port two real-world programs (an embedded medical device and an industrial PID controller), each with a meaningful attack (a code-reuse and a code-injection attack), to four different hardware platforms. We also port shellcode-based DDoS and Ransomware attacks to five different standard applications on an embedded system. To further demonstrate the applicability of Remote to commercial CPS, we use Remote to monitor a Robotic Arm. Our results on all these different hardware platforms show that, for all attacks on each of the platforms, Remote successfully detects each instance of an attack and has $<$ < 0.1 percent false positives. We also systematically evaluate the robustness of Remote to interrupts and other system activity, to signal variation among different physical instances of the same device design, to changes over time, and to plastic enclosures and nearby electronic devices. This evaluation includes hundreds of measurements and shows that Remote achieves excellent accuracy ($<$ < 0.1 percent false positive and $>$ > 99.9 percent true positive rates) under all these conditions. We also compare Remote to prior work EDDIE and SYNDROME , and demonstrate that these prior work are unable to achieve high accuracy under these variations. [ABSTRACT FROM AUTHOR]

Published

2020

9. ReCon : Efficient Detection, Management, and Use of Non-Speculative Information Leakage

Author

Aimoniotis, Pavlos, Kvalsvik, Amund Bergland, Chen, Xiaoyue, Själander, Magnus, Kaxiras, Stefanos, Aimoniotis, Pavlos, Kvalsvik, Amund Bergland, Chen, Xiaoyue, Själander, Magnus, and Kaxiras, Stefanos

Abstract

In a speculative side-channel attack, a secret is improperly accessed and then leaked by passing it to a transmitter instruction. Several proposed defenses effectively close this security hole by either delaying the secret from being loaded or propagated, or by delaying dependent transmitters (e.g., loads) from executing when fed with tainted input derived from an earlier speculative load. This results in a loss of memory-level parallelism and performance. A security definition proposed recently, in which data already leaked in non-speculative execution need not be considered secret during speculative execution, can provide a solution to the loss of performance. However, detecting and tracking non-speculative leakage carries its own cost, increasing complexity. The key insight of our work that enables us to exploit non-speculative leakage as an optimization to other secure speculation schemes is that the majority of non-speculative leakage is simply due to pointer dereferencing (or base-address indexing) - essentially what many secure speculation schemes prevent from taking place speculatively. We present ReCon that: i) efficiently detects non-speculative leakage by limiting detection to pairs of directly-dependent loads that dereference pointers (or index a base-address); and ii) piggybacks non-speculative leakage information on the coherence protocol. In ReCon, the coherence protocol remembers and propagates the knowledge of what has leaked and therefore what is safe to dereference under speculation. To demonstrate the effectiveness of ReCon, we show how two state-of-the-art secure speculation schemes, Non-speculative Data Access (NDA) and speculative Taint Tracking (STT), leverage this information to enable more memorylevel parallelism both in a single core scenario and in a multicore scenario: NDA with ReCon reduces the performance loss by 28.7% for SPEC2017, 31.5% for SPEC2006, and 46.7% for PARSEC; STT with ReCon reduces the loss by 45.1%, 39%, and 78.6%, resp

Published

2023

10. On Certificate Transparency Verification and Unlinkability of Websites Visited by Tor Users

Author

Dahlberg, Rasmus and Dahlberg, Rasmus

Abstract

Certificate Transparency is an ecosystem of logs, monitors, and auditors that hold certificate authorities accountable while issuing certificates. We show how the amount of trust that TLS clients and domain owners need to place in Certificate Transparency can be reduced, both in the context of existing gradual deployments and the largely unexplored area of Tor. Our contributions include improved third-party monitoring, a gossip protocol plugging into Certificate Transparency over DNS, an incrementally deployable gossip-audit model tailored for Tor Browser, and using certificates with onion addresses. The methods used range from proof sketches to Internet measurements and prototype evaluations. An essential part of our evaluation in Tor is to assess how the protocols used during website visits—such as requesting an inclusion proof from a Certificate Transparency log—affect unlinkability between senders and receivers. We find that most false positives in website fingerprinting attacks can be eliminated for all but the most frequently visited sites. This is because the destination anonymity set can be reduced due to how Internet protocols work: communication is observable and often involves third-party interactions. Some of the used protocols can further be subject to side-channel analysis. For example, we show that remote (timeless) timing attacks against Tor’s DNS cache reliably reveal the timing of past exit traffic. The severity and practicality of our extension to website fingerprinting pose threats to the anonymity provided by Tor. We conclude that access to a so-called website oracle should be an assumed attacker capability when evaluating website fingerprinting defenses., Projektet Certificate Transparency är ett ekosystem av loggar, övervakare och granskare som håller certifikatutfärdare till svars för utfärdade webbcertifikat. Vi visar hur säkerheten kan höjas i ekosystemet för både domäninnehavare och TLS-klienter i nuvarande system samt som del av anonymitetsnätverket Tor. Bland våra större bidrag är förbättrad övervakning av loggarna, ett skvallerprotokollsom integrerats med DNS, ett skvaller- och granskningsprotokoll som utformats specifikt för Tors webbläsare och ett förslag på hur domännamn med adresser i Tor kan bli mer tillgängliga. De metoder som använts varierar från säkerhetsbevis till internetmätningar och utvärderingar av forskningsprototyper. En viktig del av vår utvärdering i Tor är att avgöra hur protokoll som används av webbläsare påverkar möjligheten att koppla ihop användare med besökta webbplatser. Detta inkluderar existerande protokoll samt nya tillägg för att verifiera om webbplatsers certifikat är transparensloggade. Våra resultat visar att i många fall kan falska positiva utslag filtreras bort vid mönsterigenkänning av Tor-användares krypterade trafik (eng: website fingerprinting). Orsaken är att besök till de flesta webbplatser kan uteslutas till följd av hur internetprotokoll fungerar: kommunikation är observerbar och involverar ofta interaktioner med tredjeparter. Vissa protokoll har dessutom sidokanaler som kan analyseras. Vi visar exempelvis att Tors DNS-cache kan undersökas med olika varianter av tidtagningsattacker. Dessa attacker är enkla att utföra över internet och avslöjar vilka domännamn som slagits upp vid angivna tidpunkter. De förbättrade mönsterigenkänningsattackerna mot webbplatser är realistiska och hotar därför Tors anonymitet. Vår slutsats är att framtida försvar bör utvärderas utifrån att angripare har tillgång till ett så kallat webbplatsorakel., HITS (4707), SURPRISE (SSF, RIT17-0005)

Published

2023

11. Timeless Timing Attacks and Preload Defenses in Tor's DNS Cache

Author

Dahlberg, Rasmus, Pulls, Tobias, Dahlberg, Rasmus, and Pulls, Tobias

Abstract

We show that Tor's DNS cache is vulnerable to a timeless timing attack, allowing anyone to determine if a domain is cached or not without any false positives. The attack requires sending a single TLS record. It can be repeated to determine when a domain is no longer cached to leak the insertion time. Our evaluation in the Tor network shows no instances of cached domains being reported as uncached and vice versa after 12M repetitions while only targeting our own domains. This shifts DNS in Tor from an unreliable side-channel---using traditional timing attacks with network jitter---to being perfectly reliable. We responsibly disclosed the attack and suggested two short-term mitigations. As a long-term defense for the DNS cache in Tor against all types of (timeless) timing attacks, we propose a redesign where only an allowlist of domains is preloaded to always be cached across circuits. We compare the performance of a preloaded DNS cache to Tor's current solution towards DNS by measuring aggregated statistics for four months from two exits (after engaging with the Tor Research Safety Board and our university ethical review process). The evaluated preload lists are variants of the following top-lists: Alexa, Cisco Umbrella, and Tranco. Our results show that four-months-old preload lists can be tuned to offer comparable performance under similar resource usage or to significantly improve shared cache-hit ratios (2--3x) with a modest increase in memory usage and resolver load compared to a 100 Mbit/s exit. We conclude that Tor's current DNS cache is mostly a privacy harm because the majority of cached domains are unlikely to lead to cache hits but remain there to be probed by attackers., SURPRISE (SSF, RIT17-0005)

Published

2023

12. Delay-on-Squash: Stopping Microarchitectural Replay Attacks in Their Tracks

Author

Christos Sakalis, Stefanos Kaxiras, and Magnus Själander

Subjects

replay attacks, Datavetenskap (datalogi), Computer Sciences, Hardware and Architecture, security, Microarchitecture, Software, side-channels, Information Systems

Abstract

MicroScope and other similar microarchitectural replay attacks take advantage of the characteristics of speculative execution to trap the execution of the victim application in a loop, enabling the attacker to amplify a side-channel attack by executing it indefinitely. Due to the nature of the replay, it can be used to effectively attack software that are shielded against replay, even under conditions where a side-channel attack would not be possible (e.g., in secure enclaves). At the same time, unlike speculative side-channel attacks, microarchitectural replay attacks can be used to amplify the correct path of execution, rendering many existing speculative side-channel defenses ineffective. In this work, we generalize microarchitectural replay attacks beyond MicroScope and present an efficient defense against them. We make the observation that such attacks rely on repeated squashes of so-called “replay handles” and that the instructions causing the side-channel must reside in the same reorder buffer window as the handles. We propose Delay-on-Squash, a hardware-only technique for tracking squashed instructions and preventing them from being replayed by speculative replay handles. Our evaluation shows that it is possible to achieve full security against microarchitectural replay attacks with very modest hardware requirements while still maintaining 97% of the insecure baseline performance.

Published

2022

13. Practicality of Using Side-Channel Analysis for Software Integrity Checking of Embedded Systems

Author

Liu, Hong, Li, Hongmin, Vasserman, Eugene Y., Akan, Ozgur, Series editor, Cao, Jiannong, Series editor, Coulson, Geoffrey, Series editor, Dressler, Falko, Series editor, Ferrari, Domenico, Series editor, Gerla, Mario, Series editor, Kobayashi, Hisashi, Series editor, Palazzo, Sergio, Series editor, Sahni, Sartaj, Series editor, Shen, Xuemin (Sherman), Series editor, Stan, Mircea, Series editor, Xiaohua, Jia, Series editor, Zomaya, Albert, Series editor, Bellavista, Paolo, Series editor, Thuraisingham, Bhavani, editor, Wang, XiaoFeng, editor, and Yegneswaran, Vinod, editor

Published

2015

14. Architectural Support for Securing Systems Against Software Vulnerabilities

Author

Khasawneh, Khaled N.

Subjects

Computer science, Computer engineering, Adversarial Attacks, Hardware Assisted Security, Malware Detection, Side-channels, Speculation Attacks

Abstract

Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication, and cost. These attacks use vulnerabilities to compromise systems to leak Information (Yahoo 2016, Marriott 2018, and Facebook 2019), steal identity information (Equifax 2017), or even effecting politics (by attacking the governmental election process). Traditionally, security researchers and practitioners have viewed security as a software problem -- originating in software and to be solved by software. Recently, the Spectre and Meltdown attacks have shown that hardware should also be considered when evaluating the system security. Conversely, because many aspects of security are computationally expensive, hardware can play a role in promoting software security through computational support as well as the development of new abstractions that promote security. Under this general umbrella, the research in this dissertation pursues two research directions that demonstrate how hardware can promote software security, and how we can design hardware that is secure against Spectre and Meltdown attacks. In the first direction, security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Against this drawback, hardware-based malware detectors (HMDs) are a promising new approach to defend against malware. HMDs collect low-level architectural features and use them to classify malware from normal programs. With simple hardware support, HMDs can be always on, operating as a first line of defense that prioritizes the application of more expensive and more accurate software-detector. In this dissertation, our goal is to make HMDs practical for deployment in two ways: (1) Improving the detection accuracy of HMDs: We use specialized detectors targeted towards a specific type of malware to improve the detection of each type. Next, we use ensemble learning techniques to improve the overall accuracy by combining detectors. We explore detectors based on logistic regression (LR) and neural networks (NN). The proposed detectors reduce the false-positive rate by more than half compared to using a single detector, while increasing their sensitivity. We develop metrics to estimate detection overhead; the proposed detectors achieve more than 16.6x overhead reduction during online detection compared to an idealized software-only detector, with an 8x improvement in relative detection time. NN detectors outperform LR detectors in accuracy, overhead (by 40\%), and time-to-detection of the hardware component (by 5x). Finally, we characterize the hardware complexity by extending an open-core and synthesizing it on an FPGA platform, showing that the overhead is minimal. (2) Make them resilient to evasion attacks: we explore the question of how well evasive malware can avoid detection by HMDs. We show that existing HMDs can be effectively reverse-engineered and subsequently evaded, allowing malware to hide from detection without substantially slowing it down (which is important for certain types of malware). This result demonstrates that the current generation of HMDs can be easily defeated by evasive malware. Next, we explore how well a detector can evolve if it is exposed to this evasive malware during training. We show that simple detectors, such as logistic regression, cannot detect the evasive malware even with retraining. More sophisticated detectors can be retrained to detect evasive malware, but the retrained detectors can be reverse-engineered and evaded again. To address these limitations, we propose a new type of Resilient HMDs (RHMDs) that stochastically switch between different detectors. These detectors can be shown to be provably more difficult to reverse engineer based on resent results in probably approximately correct (PAC) learnability theory. We show that indeed such detectors are resilient to both reverse engineering and evasion, and that the resilience increases with the number and diversity of the individual detectors. Our results demonstrate that these HMDs offer effective defense against evasive malware at low additional complexity. In the second direction, the recent Spectre and Meltdown attacks show that speculative execution, which is used pervasively in modern CPUs, can leave side effects in the processor caches and other structures even when the speculated instructions do not commit and their direct effect is not visible. Therefore, they utilize this behavior to expose privileged information accessed speculatively to an unprivileged attacker. In particular, the attack forces the speculative execution of a code gadget that will carry out the illegal read, which eventually gets squashed, but which leaves a side-channel trail that can be used by the attacker to infer the value. Several attack variations are possible, allowing arbitrary exposure of the full kernel memory to an unprivileged attacker. In this dissertation, we introduce a new model (SafeSpec) for supporting speculation in a way that is immune to the side- channel leakage necessary for attacks such as Meltdown and Spectre. In particular, SafeSpec stores side effects of speculation in separate structures while the instructions are speculative. The speculative state is then either committed to the main CPU structures if the branch commits, or squashed if it does not, making all direct side effects of speculative code invisible. The solution must also address the possibility of a covert channel from speculative instructions to committed instructions before these instructions are committed (i.e., while they share the speculative state). We show that SafeSpec prevents all three variants of Spectre and Meltdown, as well as new variants that we introduce. We also develop a cycle accurate model of modified design of an x86-64 processor and show that the performance impact is negligible (in fact a small performance improvement is achieved). We build prototypes of the hardware support in a hardware description language to show that the additional overhead is acceptable. SafeSpec completely closes this class of attacks, retaining the benefits of speculation, and is practical to implement.

Published

2019

15. Lightweight and Side-channel Secure 4 × 4 S-Boxes from Cellular Automata Rules

Author

Ashrujit Ghoshal, Rajat Sadhukhan, Sikhar Patranabis, Nilanjan Datta, Stjepan Picek, and Debdeep Mukhopadhyay

Subjects

Lightweight, Block Ciphers, Side-channels, Threshold Implementation, Cellular Automata, Optimal S-Box, Computer engineering. Computer hardware, TK7885-7895

Abstract

This work focuses on side-channel resilient design strategies for symmetrickey cryptographic primitives targeting lightweight applications. In light of NIST’s lightweight cryptography project, design choices for block ciphers must consider not only security against traditional cryptanalysis, but also side-channel security, while adhering to low area and power requirements. In this paper, we explore design strategies for substitution-permutation network (SPN)-based block ciphers that make them amenable to low-cost threshold implementations (TI) - a provably secure strategy against side-channel attacks. The core building blocks for our strategy are cryptographically optimal 4×4 S-Boxes, implemented via repeated iterations of simple cellular automata (CA) rules. We present highly optimized TI circuits for such S-Boxes, that consume nearly 40% less area and power as compared to popular lightweight S-Boxes such as PRESENT and GIFT. We validate our claims via implementation results on ASIC using 180nm technology. We also present a comparison of TI circuits for two popular lightweight linear diffusion layer choices - bit permutations and MixColumns using almost-maximum-distance-separable (almost-MDS) matrices. We finally illustrate design paradigms that combine the aforementioned TI circuits for S-Boxes and diffusion layers to obtain fully side-channel secure SPN block cipher implementations with low area and power requirements.

Published

2018

16. Masking Feedforward Neural Networks Against Power Analysis Attacks

Author

A. Adam Ding, Konstantinos Athanasiou, Yunsi Fei, and Thomas Wahl

Subjects

Ethics, Masking (art), Computer science, Speech recognition, QA75.5-76.95, masking, neural networks, BJ1-1725, side-channels, Power analysis, Electronic computers. Computer science, General Earth and Planetary Sciences, Feedforward neural network, General Environmental Science

Abstract

Recent advances in machine learning have enabled Neural Network (NN) inference directly on constrained embedded devices. This local approach enhances the privacy of user data, as the inputs to the NN inference are not shared with third-party cloud providers over a communication network. At the same time, however, performing local NN inference on embedded devices opens up the possibility of Power Analysis attacks, which have recently been shown to be effective in recovering NN parameters, as well as their activations and structure. Knowledge of these NN characteristics constitutes a privacy threat, as it enables highly effective Membership Inference and Model Inversion attacks, which can recover information about the sensitive data that the NN model was trained on. In this paper we address the problem of securing sensitive NN inference parameters against Power Analysis attacks. Our approach employs masking, a countermeasure well-studied in the context of cryptographic algorithms. We design a set of gadgets, i.e., masked operations, tailored to NN inference. We prove our proposed gadgets secure against power attacks and show, both formally and experimentally, that they are composable, resulting in secure NN inference. We further propose optimizations that exploit intrinsic characteristics of NN inference to reduce the masking’s runtime and randomness requirements. We empirically evaluate the performance of our constructions, showing them to incur a slowdown by a factor of about 2–5.

Published

2021

17. Delay-on-Squash : Stopping Microarchitectural Replay Attacks in Their Tracks

Author

Sakalis, Christos, Kaxiras, Stefanos, Sjalander, Magnus, Sakalis, Christos, Kaxiras, Stefanos, and Sjalander, Magnus

Abstract

MicroScope and other similar microarchitectural replay attacks take advantage of the characteristics of speculative execution to trap the execution of the victim application in a loop, enabling the attacker to amplify a side-channel attack by executing it indefinitely. Due to the nature of the replay, it can be used to effectively attack software that are shielded against replay, even under conditions where a side-channel attack would not be possible (e.g., in secure enclaves). At the same time, unlike speculative side-channel attacks, microarchitectural replay attacks can be used to amplify the correct path of execution, rendering many existing speculative side-channel defenses ineffective. In this work, we generalize microarchitectural replay attacks beyond MicroScope and present an efficient defense against them. We make the observation that such attacks rely on repeated squashes of so-called "replay handles" and that the instructions causing the side-channel must reside in the same reorder buffer window as the handles. We propose Delay-on-Squash, a hardware-only technique for tracking squashed instructions and preventing them from being replayed by speculative replay handles. Our evaluation shows that it is possible to achieve full security against microarchitectural replay attacks with very modest hardware requirements while still maintaining 97% of the insecure baseline performance.

Published

2022

18. Secure Compilation (Dagstuhl Seminar 21481)

Author

David Chisnall and Deepak Garg and Catalin Hritcu and Mathias Payer, Chisnall, David, Garg, Deepak, Hritcu, Catalin, Payer, Mathias, David Chisnall and Deepak Garg and Catalin Hritcu and Mathias Payer, Chisnall, David, Garg, Deepak, Hritcu, Catalin, and Payer, Mathias

Abstract

Secure compilation is an emerging field that puts together advances in security, programming languages, compilers, verification, systems, and hardware architectures in order to devise more secure compilation chains that eliminate many of today’s security vulnerabilities and that allow sound reasoning about security properties in the source language. For a concrete example, all modern languages provide a notion of structured control flow and an invoked procedure is expected to return to the right place. However, today’s compilation chains (compilers, linkers, loaders, runtime systems, hardware) cannot efficiently enforce this abstraction against linked low-level code, which can call and return to arbitrary instructions or smash the stack, blatantly violating the high-level abstraction. Other problems arise because today’s languages fail to specify security policies, such as data confidentiality, and the compilation chains thus fail to enforce them, especially against powerful side-channel attacks. The emerging secure compilation community aims to address such problems by identifying precise security goals and attacker models, designing more secure languages, devising efficient enforcement and mitigation mechanisms, and developing effective verification techniques for secure compilation chains. This seminar strived to take a broad and inclusive view of secure compilation and to provide a forum for discussion on the topic. The goal was to identify interesting research directions and open challenges by bringing together people working on building secure compilation chains, on designing security enforcement and attack-mitigation mechanisms in both software and hardware, and on developing formal verification techniques for secure compilation.

Published

2022

19. Cryptographic Key Reliable Lifetimes: Bounding the Risk of Key Exposure in the Presence of Faults

Author

De Gregorio, Alfonso, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Dough, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Breveglieri, Luca, editor, Koren, Israel, editor, Naccache, David, editor, and Seifert, Jean-Pierre, editor

Published

2006

20. enSecure Compilation (Dagstuhl Seminar 21481)

Author

Chisnall, David, Garg, Deepak, Hritcu, Catalin, and Payer, Mathias

Subjects

attacker models, hyperproperties, enforcement mechanisms, full abstraction, security architectures, secure compilation, low-level attacks, source-level reasoning, compartmentalization, Security and privacy → Formal security models, side-channels

Abstract

Secure compilation is an emerging field that puts together advances in security, programming languages, compilers, verification, systems, and hardware architectures in order to devise more secure compilation chains that eliminate many of today’s security vulnerabilities and that allow sound reasoning about security properties in the source language. For a concrete example, all modern languages provide a notion of structured control flow and an invoked procedure is expected to return to the right place. However, today’s compilation chains (compilers, linkers, loaders, runtime systems, hardware) cannot efficiently enforce this abstraction against linked low-level code, which can call and return to arbitrary instructions or smash the stack, blatantly violating the high-level abstraction. Other problems arise because today’s languages fail to specify security policies, such as data confidentiality, and the compilation chains thus fail to enforce them, especially against powerful side-channel attacks. The emerging secure compilation community aims to address such problems by identifying precise security goals and attacker models, designing more secure languages, devising efficient enforcement and mitigation mechanisms, and developing effective verification techniques for secure compilation chains. This seminar strived to take a broad and inclusive view of secure compilation and to provide a forum for discussion on the topic. The goal was to identify interesting research directions and open challenges by bringing together people working on building secure compilation chains, on designing security enforcement and attack-mitigation mechanisms in both software and hardware, and on developing formal verification techniques for secure compilation., DagRep, Volume 11, Issue 10, pages 173-204

Published

2022

21. Compilation vérifiée et sécurisée contre les canaux cachés temporels

Author

Hutin, Rémi, Université de Rennes (UR), École normale supérieure - Rennes (ENS Rennes), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Software certification with semantic analysis (CELTIQUE), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-LANGAGE ET GÉNIE LOGICIEL (IRISA-D4), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), École normale supérieure de Rennes, Sandrine Blazy, and David Pichardie

Subjects

[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], CompCert, Canaux cachés, Secure Compilation, Compilation sécurisée, Side-Channels, Coq, Vérification formelle, Formal Verification

Abstract

Our society is increasingly dependent on computer systems. Ensuring their security is essential to avoid the dramatic consequences of attacks against these systems. In this thesis, we focus on a class of attacks called timing sidechannel attacks. We study existing protections against these attacks, such as the constant-time and the constant-resource policies, and focus on their interaction with compilation. Compilation is the process of transforming a program written by a human in a source language, into machine code executable by a computer. Our goal is to ensure that compilation does not introduce any vulnerability in the compiled code, with respect to the security policies we focus on; this is called secure compilation. Our work also relies on formal methods to give formal guarantees on the results we present. One of our contribution relies on the formally verified CompCert compiler. All the results presented in this thesis are mechanically verified using the Coq proof assistant.; Notre société est de plus en plus dépendante des systèmes informatiques. Assurer leur sécurité est essentiel pour éviter les conséquences dramatiques des attaques contre ces systèmes. Dans cette thèse, nous nous concentrons sur une classe d’attaques appelée attaques par canaux cachés temporels. Nous étudions les protections existantes contre ces attaques, telles que les politiques constant-time et constant-resource, et nous nous concentrons sur leur interaction avec la compilation. La compilation est le processus de transformation d’un programme écrit par un humain dans un langage source, en code machine exécutable par un ordinateur. Notre objectif est de s’assurer que la compilation n’introduit aucune vulnérabilité dans le code compilé, par rapport aux politiques de sécurité auxquelles nous nous intéressons ; c’est ce qu’on appelle la compilation sécurisée. Notre travail s’appuie également sur des méthodes formelles pour donner des garanties formelles sur les résultats que nous présentons. Une de nos contributions s’appuie sur le compilateur formellement vérifié CompCert. Tous les résultats présentés dans cette thèse sont également vérifiés mécaniquement en utilisant l’assistant de preuve Coq.

Published

2021

22. Solver-Aided Constant-Time Hardware Verification

Author

Klaus von Gleissenthall, Deian Stefan, Ranjit Jhala, Rami Gökhan Kıcı, Theoretical Computer Science, and Network Institute

Subjects

Modularity (networks), Computer science, business.industry, chemistry.chemical_element, Solver, Modular design, side-channels, Set (abstract data type), Constant (computer programming), Xenon, chemistry, Verilog, hardware, constant-time, SDG 7 - Affordable and Clean Energy, business, verification, computer, Computer hardware, computer.programming_language, Electronic circuit

Abstract

We present Xenon, a solver-aided, interactive method for formally verifying that Verilog hardware executes in constant-time. Xenon scales to realistic hardware designs by drastically reducing the effort needed to localize the root cause of verification failures via a new notion of constant-time counterexamples, which Xenon uses to synthesize a minimal set of secrecy assumptions in an interactive verification loop. To reduce verification time Xenon exploits modularity in Verilog code via module summaries, thereby avoiding duplicate work across multiple module instantiations. We show how Xenon's assumption synthesis and summaries enable us to verify different kinds of circuits, including a highly modular AES- 256 implementation where modularity cuts verification from six hours to under three seconds, and the ScarVside-channel hardened RISC-V micro-controller whose size exceeds previously verified designs by an order of magnitude. In a small study, we also find that Xenon helps non-expert users complete verification tasks correctly and faster than previous state-of-art tools.

Published

2021

23. Alluviation of a side-channel by bed material load: field measurements and modelling

Author

Carles Ferrer-Boix, J.P. Martín-Vide, Alfredo Ollero, Júlia Boix Oliva, Universitat Politècnica de Catalunya. Departament d’Enginyeria Gràfica i de Disseny, and Universitat Politècnica de Catalunya. Departament d'Enginyeria Civil i Ambiental

Subjects

Hydrology, Alluviation, Enginyeria civil::Geologia::Hidrologia [Àrees temàtiques de la UPC], 010504 meteorology & atmospheric sciences, Flood myth, Chutes, Context (language use), 010502 geochemistry & geophysics, Gállego River (Spain), Side-channels, 01 natural sciences, Current (stream), Alluvial streams, Bifurcations, Channel pattern, Bedload transport, Cursos d'aigua -- Sediments, Gravel-bed rivers, Meander, Geology, Bank erosion, Beach morphodynamics, 0105 earth and related environmental sciences, Earth-Surface Processes, Bed material load

Abstract

In this research, we explore the alluviation process of an artificial side-channel built in August 2015 and designed to alleviate bank erosion risks on the main river. The study area is located on the lower Gállego River, a meandering-wandering gravel-bed river draining the Southern Pyrenees. This river reach is still dynamic (i.e. chutes, meander migration and other riverine processes are often observed during floods) despite the presence of three dams in the upper catchment, encroachments and extensive mining during the 1960s–80s that led to severe incision. In this research, we focus on the effects of bankfull-like flood events (Qpeak¿=¿354¿m3/s) between February 2016 and February 2017, which alluviated 62% of the side-channel. This research aims at finding the physical mechanisms that explain the alluviation process and at putting them in the general context of the current geomorphic trend of the Gállego River in response to past and ongoing impacts. The causes of the alluviation are studied through collecting and analysing field data, which in turn, are used as input in a novel modelling strategy that includes one-dimensional hydraulic modelling, semi-empirical expressions to obtain the sediment supply entering the side-channel system and a morphodynamic model able to deal with granular sediment mixtures in compound channels. The analyses of the numerical results along with the recent history of impacts and general channel pattern adjustments help us understand about the morphodynamics mechanisms responsible for the alluviation of the side-channel.

Published

2021

24. Evaluating Hamming Distance as a Metric for the Detection of CRC-based Side-channel Communications in MANETs.

Author

Moore, Brent, Martin, Miguel Vargas, and Liscano, Ramiro

Subjects

HAMMING distance, AD hoc computer networks, MALWARE, WIRELESS communications, ETHERNET, DATA transmission systems, SUPPORT vector machines, COMPUTER network security

Abstract

Side-channel communication is a form of traffic in which malicious parties communicate secretly over a wireless network. This is often established through the modification of Ethernet frame header fields, such as the Frame Check Sequence (FCS). The FCS is responsible for determining whether or not a frame has been corrupted in transmission, and contains a value calculated through the use of a predetermined polynomial. A malicious party may send messages that appear as nothing more than naturally corrupted noise on a network to those who are not the intended recipient. We use a metric known as Hamming distance in an attempt to differentiate purposely corrupted frames from naturally corrupted ones. In theory, it should be possible to recognize purposely corrupted frames based on how high this Hamming distance value is, as it signifies how many bits are different between the expected and the received FCS values. It is hypothesized that a range of threshold values based off of this metric exist, which may allow for the detection of side-channel communication across all scenarios. We ran an experiment with human subjects in a foot platoon formation and analyzed the data using a support vector machine. Our results show promise on the use of Hamming distance for side-channel detection in MANETs. [ABSTRACT FROM AUTHOR]

Published

2016

25. Evaluating Hamming Distance as a CRC-based Side-channel Detection Measure in Wi-Fi Networks.

Author

Chea, Visal, Martin, Miguel Vargas, and Liscano, Ramiro

Subjects

HAMMING distance, CYCLIC redundancy check codes, WIRELESS Internet, COMPUTER networks, WIRELESS communications, WIRELESS sensor nodes, MACHINE learning

Abstract

Wireless technology has become a main player in communication through its desirable mobility characteristic. However, like many technologies, there are ways that it can be exploited. One of these ways is through side-channel communication, whereby secret messages are passed along by the purposeful corruption of frames. These side channels can be established by intentionally corrupting the Frame Check Sequence (FCS) field by using a Cyclic Redundancy Check (CRC) polynomial that is different from the standard CRC polynomial. Malicious nodes can exploit the fact that normal unsuspecting nodes will drop these frames since they appear as naturally corrupted frames. This paper presents a CRC Hamming distance metric as a feature for the detection of this type of side-channel communication. We previously proposed the use of Hamming distance as a metric to compare CRC values that are generated by different CRC polynomials. The hypothesis is that the mean Hamming distance between two CRC values generated by two different CRC polynomials would be significantly far apart than the mean Hamming distance of a CRC value of a frame that was naturally corrupted but was generated by the same CRC polynomial. Previously, to test that hypothesis, we used F-Scores on real data experiments under varying noisy conditions and side-channel throughput to show that there is a consistent and significant difference between the mean Hamming values of naturally corrupted frames to those that use the Koopman polynomial to calculate the CRC for side-channel communications. In the present work we evaluate the Hamming distance using Perceptron Learning and the Pocket Algorithm to classify packets as side-channel or otherwise. [ABSTRACT FROM AUTHOR]

Published

2016

26. Towards attack-tolerant trusted execution environments : Secure remote attestation in the presence of side channels

Author

Crone, Max and Crone, Max

Abstract

In recent years, trusted execution environments (TEEs) have seen increasing deployment in computing devices to protect security-critical software from run-time attacks and provide isolation from an untrustworthy operating system (OS). A trusted party verifies the software that runs in a TEE using remote attestation procedures. However, the publication of transient execution attacks such as Spectre and Meltdown revealed fundamental weaknesses in many TEE architectures, including Intel Software Guard Exentsions (SGX) and Arm TrustZone. These attacks can extract cryptographic secrets, thereby compromising the integrity of the remote attestation procedure. In this work, we design and develop a TEE architecture that provides remote attestation integrity protection even when confidentiality of the TEE is compromised. We use the formally verified seL4 microkernel to build the TEE, which ensures strong isolation and integrity. We offload cryptographic operations to a secure co-processor that does not share any vulnerable microarchitectural hardware units with the main processor, to protect against transient execution attacks. Our design guarantees integrity of the remote attestation procedure. It can be extended to leverage co-processors from Google and Apple, for wide-scale deployment on mobile devices., Under de senaste åren används betrodda exekveringsmiljöer (TEE) allt mera i datorutrustning för att skydda säkerhetskritisk programvara från attacker och för att isolera dem från ett opålitligt operativsystem. En betrodd part verifierar programvaran som körs i en TEE med hjälp av fjärrattestering. Nyliga mikroarkitekturella anfall, t.ex. Spectre och Meltdown, har dock visat grundläggande svagheter i många TEE-arkitekturer, inklusive Intel SGX och Arm TrustZone. Dessa attacker kan avslöja kryptografiska hemligheter och därmed äventyra integriteten av fjärrattestning. I det här arbetet utvecklar vi en arkitektur för en betrodd exekveringsmiljö (TEE) som ger integritetsskydd genom fjärrattestering även när TEE:s konfidentialitet äventyras. Vi använder den formellt verifierade seL4-mikrokärnan för att bygga TEE:n som garanterar stark isolering och integritet. För att skydda kryptografiska operationer, overför vi dem till en säker samprocessor som inte delar någon sårbar mikroarkitektur med huvudprocessorn. Vår arktektur garanterar fjärrattesteringens integritet och kan utnyttja medprocessorer från Google och Apple för att användas i stor skala på mobila enheter.

Published

2021

27. Alluviation of a side-channel by bed material load: field measurements and modelling

Author

Universitat Politècnica de Catalunya. Departament d’Enginyeria Gràfica i de Disseny, Universitat Politècnica de Catalunya. Departament d'Enginyeria Civil i Ambiental, Ferrer Boix, Carles, Martín Vide, Juan Pedro, Boix Oliva, Júlia, Ollero, A., Universitat Politècnica de Catalunya. Departament d’Enginyeria Gràfica i de Disseny, Universitat Politècnica de Catalunya. Departament d'Enginyeria Civil i Ambiental, Ferrer Boix, Carles, Martín Vide, Juan Pedro, Boix Oliva, Júlia, and Ollero, A.

Abstract

In this research, we explore the alluviation process of an artificial side-channel built in August 2015 and designed to alleviate bank erosion risks on the main river. The study area is located on the lower Gállego River, a meandering-wandering gravel-bed river draining the Southern Pyrenees. This river reach is still dynamic (i.e. chutes, meander migration and other riverine processes are often observed during floods) despite the presence of three dams in the upper catchment, encroachments and extensive mining during the 1960s–80s that led to severe incision. In this research, we focus on the effects of bankfull-like flood events (Qpeak¿=¿354¿m3/s) between February 2016 and February 2017, which alluviated 62% of the side-channel. This research aims at finding the physical mechanisms that explain the alluviation process and at putting them in the general context of the current geomorphic trend of the Gállego River in response to past and ongoing impacts. The causes of the alluviation are studied through collecting and analysing field data, which in turn, are used as input in a novel modelling strategy that includes one-dimensional hydraulic modelling, semi-empirical expressions to obtain the sediment supply entering the side-channel system and a morphodynamic model able to deal with granular sediment mixtures in compound channels. The analyses of the numerical results along with the recent history of impacts and general channel pattern adjustments help us understand about the morphodynamics mechanisms responsible for the alluviation of the side-channel., Peer Reviewed, Postprint (author's final draft)

Published

2021

28. Tracking Anonymized Bluetooth Devices

Author

David Li, Johannes K. Becker, and David Starobinski

Subjects

information leakage, Computer science, 0211 other engineering and technologies, 02 engineering and technology, bluetooth, privacy, Tracking (particle physics), law.invention, Bluetooth, law, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, General Environmental Science, Ethics, 021110 strategic, defence & security studies, business.industry, Information technology, QA75.5-76.95, tracking, BJ1-1725, side-channels, correlation attacks, traffic analysis, Electronic computers. Computer science, General Earth and Planetary Sciences, business, Computer hardware

Abstract

Bluetooth Low Energy (BLE) devices use public (non-encrypted) advertising channels to announce their presence to other devices. To prevent tracking on these public channels, devices may use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address. In this work we show that many state-of-the-art devices which are implementing such anonymization measures are vulnerable to passive tracking that extends well beyond their address randomization cycles. We show that it is possible to extract identifying tokens from the pay-load of advertising messages for tracking purposes. We present an address-carryover algorithm which exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. We furthermore identify an identity-exposing attack via a device accessory that allows permanent, non-continuous tracking, as well as an iOS side-channel which allows insights into user activity. Finally, we provide countermeasures against the presented algorithm and other privacy flaws in BLE advertising.

Published

2019

29. vulnerability Analysis Techniques of Hardware and Software Implementations of Cryptographic Algorithms

Author

Roman Gevorkovich Korkikian, Evgeny Yurievich Rodionov, and Alexander Vladimirovich Mamaev

Subjects

vulnerability, cryptographic protocol, physical properties, side-channels, induced faults, Information technology, T58.5-58.64, Information theory, Q350-390

Abstract

The article is a brief survey of hardware vulnerability analysis methods that might be applicable against cryptographic algorithm implementations. Those methods are based on physical properties of a device processing the algorithm. Focusing on mathematical algorithm’s background the article would help mastering various implementation-based attacks.

Published

2014

30. Cyber-Physical Security for Additive Manufacturing Systems

Author

Sturm, Logan Daniel and Sturm, Logan Daniel

Abstract

Additive manufacturing (AM) is a growing section of the advanced manufacturing field and is being used to fabricate an increasing number of critical components, from aerospace components to medical implants. At the same time, cyber-physical attacks targeting manufacturing systems have continued to rise. For this reason, there is a need to research new techniques and methods to ensure the integrity of parts fabricated on AM systems. This work seeks to address this need by first performing a detailed analysis of vulnerabilities in the AM process chain and how these attack vectors could be used to execute malicious part sabotage attacks. This work demonstrated the ability of an internal void attack on the .STL file to reduce the yield load of a tensile specimen by 14% while escaping detection by operators. To mitigate these vulnerabilities, a new impedance-based approach for in situ monitoring of AM systems was created. Two techniques for implementing this approach were investigated, direct embedding of sensors in AM parts, and the use of an instrumented fixture as a build plate. The ability to detect changes in material as small as 1.38% of the printed volume (53.8 mm3) on a material jetting system was demonstrated. For metal laser powder bed fusion systems, a new method was created for representing side-channel meltpool emissions. This method reduces the quantity of data while remaining sensitive enough to detect changes to the toolpath and process parameters caused by malicious attacks. To enable the SCMS to validate part quality during fabrication required a way to receive baseline part quality information across an air-gap. To accomplish this a new process noise tolerant method of cyber-physical hashing for continuous data sets was presented. This method was coupled with new techniques for the storage, transmission, and reconstructing of the baseline quality data was implemented using stacks of "ghost" QR codes stored in the toolpath to transmit information throug

Published

2020

31. Detecção de ataques por canais laterais na camada física

Author

Coelho, Daniel Martins and Ferreira, Paulo

Subjects

One-class classification, Network monitoring, Machine learning, Radio signal monitoring, Anomaly detection, Side-channels

Abstract

Today, with the advent of IoT and the resulting fragmentation of wireless technologies, they bring not only benefits, but also concerns. Daily, several individuals communicate with each other using various communication methods. Individuals use a variety of devices for innocuous day-to-day activities; however, there are some malicious individuals (dishonest agents) whose aim is to cause harm, with the exfiltration of information being one of the biggest concerns. Since the security of Wi-Fi communications is one of the areas of greatest investment and research regarding Internet security, dishonest agents make use of side channels to exfiltrate information, namely Bluetooth. Most current solutions for anomaly detection on networks are based on analyzing frames or packets, which, inadvertently, can reveal user behavior patterns, which they consider to be private. In addition, solutions that focus on inspecting physical layer data typically use received signal power (RSSI) as a distance metric and detect anomalies based on the relative position of the network nodes, or use the spectrum values directly on models classification without prior data processing. This Dissertation proposes mechanisms to detect anomalies, while ensuring the privacy of its nodes, which are based on the analysis of radio activity in the physical layer, measuring the behavior of the network through the number of active and inactive frequencies and the duration of periods of silence and activity. After the extraction of properties that characterize these metrics,an exploration and study of the data is carried out, followed by the use of the result to train One-Class Classification models. The models are trained with data taken from a series of interactions between a computer, an AP, and a mobile phone in an environment with reduced noise, in an attempt to simulate a simplified home automation scenario. Then, the models were tested with similar data but containing a compromised node, which periodically sent a file to a local machine via a Bluetooth connection. The data show that, in both situations, it was possible to achieve detection accuracy rates in the order of 75 % and 99 %. This work ends with some ideas of resource work, namely changes in the level of pre-processing, ideas of new tests and how to reduce the percentage of false negatives. Hoje, com o advento da IoT e a resultante fragmentação das tecnologias sem fio, elas trazem não apenas benefícios, mas também preocupações. Diariamente vários indivíduos se comunicam entre si usando vários métodos de comunicação. Os indivíduos usam uma variedade de dispositivos para atividades inócuas do dia-adia; no entanto, existem alguns indivíduos mal-intencionados (agentes desonestos) cujo objetivo é causar danos, sendo a exfiltração de informação uma das maiores preocupações. Sendo a segurança das comunicações Wi-Fi uma das áreas de maior investimento e investigação no que toca a segurança na Internet, os agentes desonestos fazem uso de canais laterais para exfiltrar informação, nomeadamente o Bluetooth. A maioria das soluções atuais para deteção de anomalias em redes baseiam-se em analisar tramas ou pacotes, o que, inadvertidamente, pode revelar padrões de comportamento dos utilizadores, que estes considerem privados. Além disso, as soluções que se focam em inspecionar dados da camada física normalmente usam a potência de sinal recebido (RSSI) como uma métrica de distância e detetam anomalias baseadas na posição relativa dos nós da rede, ou usam os valores do espetro diretamente em modelos de classificação sem prévio tratamento de dados. Esta Dissertação propõe mecanismos para deteção de anomalias, assegurando simultaneamente a privacidade dos seus nós, que se baseiam na análise de atividade rádio na camada física, medindo os comportamentos da rede através do número de frequências ativas e inativas e a duração de períodos de silêncio e atividade. Depois da extração de propriedades que caracterizam estas métricas, é realizada uma exploração dos dados e um estudo das mesmas, sendo depois usadas para treinar modelos de classificação mono-classe. Os modelos são treinados com dados retirados de uma série de interações entre um computador, um AP, e um telemóvel num ambiente com ruído reduzido, numa tentativa de simular um cenário de automação doméstica simplificado. De seguida, os modelos foram testados com dados semelhantes mas contendo um nó comprometido, que periodicamente enviava um ficheiro para uma máquina local através de uma ligação Bluetooth. Os dados mostram que, em ambas as situações, foi possível atingir taxas de precisão de deteção na ordem dos 75% e 99%. Este trabalho finaliza com algumas ideias de trabalho futuro, nomeadamente alterações ao nível do pré-processamento, ideias de novos testes e como diminuir a percentagem de falsos negativos. Mestrado em Engenharia de Computadores e Telemática

Published

2021

32. Cyber reconnaissance techniques

Author

Luca Caviglione and Wojciech Mazurczyk

Subjects

021110 strategic, defence & security studies, General Computer Science, Computer science, network security, 0211 other engineering and technologies, 0202 electrical engineering, electronic engineering, information engineering, cyber deception, 020206 networking & telecommunications, covert channels, 02 engineering and technology, Cyber Reconnaissance, network scanning, side-channels

Abstract

The number of cyber attacks is increasing on a daily basis also due to the availability of many tools to compromise hosts, network appliances and Internet of Things devices in a simple and effective manner. Moreover, Crime-as-a-Service business models are becoming popular, thus making cyber security a global concern for home users, institutions, enterprises and organizations. Despite the type and the scope of attacks, the first stage usually involves a reconnaissance phase, which aims at acquiring as much information as possible on the potential victim, e.g., the used hardware, network addressing schemes or personal bits of data. Unfortunately, attackers can now rely upon a vast range of opportunities, since information useful to craft tools or launch social engineering campaigns can be retrieved from publicly accessible databases, online social networks, ad-hoc search engines, or gathered by using a variety of applications like traffic sniffers, port scanners or phishing mechanisms. In this perspective, this work classifies and reviews the existing reconnaissance techniques and presents how they evolved in time. Also, it showcases the main countermeasures and discusses potential future research directions in this area.

Published

2021

33. A Tale of TwoWorlds: Assessing the Vulnerability of Enclave Shielding Runtimes

Author

Bulck, J., Oswald, D., Marin, E., Aldoseri, A., Garcia, F., and Piessens, F.

Subjects

memory safety, Intel SGX, Trusted execution, TEE, side-channels

Abstract

This paper analyzes the vulnerability space arising in Trusted Execution Environments (TEEs) when interfacing a trusted enclave application with untrusted, potentially malicious code. Considerable research and industry effort has gone into developing TEE runtime libraries with the purpose of transparently shielding enclave application code from an adversarial environment. However, our analysis reveals that shielding requirements are generally not well-understood in real-world TEE runtime implementations. We expose several sanitization vulnerabilities at the level of the Application Binary Interface (ABI) and the Application Programming Interface (API) that can lead to exploitable memory safety and sidechannel vulnerabilities in the compiled enclave. Mitigation of these vulnerabilities is not as simple as ensuring that pointers are outside enclave memory. In fact, we demonstrate that state-of-the-art mitigation techniques such as Intel’s edger8r, Microsoft’s “deep copy marshalling”, or even memory-safe languages like Rust fail to fully eliminate this attack surface. Our analysis reveals 35 enclave interface sanitization vulnerabilities in 8 major open-source shielding frameworks for Intel SGX, RISC-V, and Sancus TEEs. We practically exploit these vulnerabilities in several attack scenarios to leak secret keys from the enclave or enable remote code reuse. We have responsibly disclosed our findings, leading to 5 designated CVE records and numerous security patches in the vulnerable open-source projects, including the Intel SGX-SDK, Microsoft Open Enclave, Google Asylo, and the Rust compiler.

Published

2020

34. Recommendations for a radically secure ISA

Author

Escouteloup, Mathieu, Lashermes, Ronan, Lanet, Jean-Louis, Fournier, Jacques Jean-Alain, Centre National de la Recherche Scientifique (CNRS), Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES), Confidentialité, Intégrité, Disponibilité et Répartition (CIDRE), CentraleSupélec-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes 1 (UR1), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Service Expérimentation et Développement (SED [Rennes]), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Laboratoire de Haute Sécurité (LHS - Inria), Institut National de Recherche en Informatique et en Automatique (Inria)-Direction générale de l'Armement (DGA), Université Grenoble Alpes (UGA), Commissariat à l'énergie atomique et aux énergies alternatives - Laboratoire d'Electronique et de Technologie de l'Information (CEA-LETI), Direction de Recherche Technologique (CEA) (DRT (CEA)), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Commissariat à l'énergie atomique et aux énergies alternatives (CEA), Département Systèmes (DSYS), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Direction de Recherche Technologique (CEA) (DRT (CEA)), Université de Rennes (UR), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), and Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique)

Subjects

[INFO.INFO-AR]Computer Science [cs]/Hardware Architecture [cs.AR], [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Hardware Security Context, Instruction Set Architecture, Hardware_CONTROLSTRUCTURESANDMICROPROGRAMMING, Side-channels

Abstract

International audience; The rising number of attacks targeting processors at micro-architecture level encourages more research on hardware level solutions.In this position paper, we specify a new RV32S “secure” instruction set architecture (ISA) derived from the RV32I RISC-V ISA.We propose modifications in the ISA to prevent timing side-channels, strengthen control flow integrity and ensure micro-architectural state isolation.The goal is to provide a new minimal hardware/software approach through which software attacks exploiting hardware vulnerabilities can be circumvented.

Published

2020

35. Managing confidentiality leaks through private algorithms on Software Guard eXtensions (SGX) enclaves: Minimised TCB on secret-code execution with Early Private Mode (EPM)

Author

Küçük, Kubilay Ahmet, Grawrock, David, and Martin, Andrew

Published

2019

36. RIDL: Rogue in-flight data load

Author

Van Schaik, Stephan, Milburn, Alyssa, Osterlund, Sebastian, Frigo, Pietro, Maisuradze, Giorgi, Razavi, Kaveh, Bos, Herbert, Giuffrida, Cristiano, Van Schaik, Stephan, Milburn, Alyssa, Osterlund, Sebastian, Frigo, Pietro, Maisuradze, Giorgi, Razavi, Kaveh, Bos, Herbert, and Giuffrida, Cristiano

Abstract

We present Rogue In-flight Data Load (RIDL), a new class of speculative unprivileged and constrained attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Our reverse engineering efforts show such vulnerabilities originate from a variety of micro-optimizations pervasive in commodity (Intel) processors, which cause the CPU to speculatively serve loads using extraneous CPU-internal in-flight data (e.g., in the line fill buffers). Contrary to other state-of-the-art speculative execution attacks, such as Spectre, Meltdown and Foreshadow, RIDL can leak this arbitrary in-flight data with no assumptions on the state of the caches or translation data structures controlled by privileged software. The implications are worrisome. First, RIDL attacks can be implemented even from linear execution with no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system-wide attacks from arbitrary unprivileged code (including JavaScript in the browser). To exemplify such attacks, we build a number of practical exploits that leak sensitive information from victim processes, virtual machines, kernel, SGX and CPU-internal components. Second, and perhaps more importantly, RIDL bypasses all existing 'spot' mitigations in software (e.g., KPTI, PTE inversion) and hardware (e.g., speculative store bypass disable) and cannot easily be mitigated even by more heavyweight defenses (e.g., L1D flushing or disabling SMT). RIDL questions the sustainability of a per-variant, spot mitigation strategy and suggests more fundamental mitigations are needed to contain ever-emerging speculative execution attacks.

Published

2019

37. RIDL: Rogue In-Flight Data Load

Author

Alyssa Milburn, Kaveh Razavi, Sebastian Österlund, Pietro Frigo, Stephan van Schaik, Herbert Bos, Giorgi Maisuradze, Cristiano Giuffrida, Systems and Network Security, Network Institute, and Computer Systems

Subjects

Speculative-execution-attacks, SDG 16 - Peace, Out-of-order execution, Exploit, Page fault, Network security, business.industry, Computer science, SDG 16 - Peace, Justice and Strong Institutions, Speculative execution, 02 engineering and technology, Side-channels, Computer security, computer.software_genre, Data structure, Justice and Strong Institutions, 020202 computer hardware & architecture, Virtual machine, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Central processing unit, business, computer

Abstract

We present Rogue In-flight Data Load (RIDL), a new class of speculative unprivileged and constrained attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Our reverse engineering efforts show such vulnerabilities originate from a variety of micro-optimizations pervasive in commodity (Intel) processors, which cause the CPU to speculatively serve loads using extraneous CPU-internal in-flight data (e.g., in the line fill buffers). Contrary to other state-of-the-art speculative execution attacks, such as Spectre, Meltdown and Foreshadow, RIDL can leak this arbitrary in-flight data with no assumptions on the state of the caches or translation data structures controlled by privileged software. The implications are worrisome. First, RIDL attacks can be implemented even from linear execution with no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system-wide attacks from arbitrary unprivileged code (including JavaScript in the browser). To exemplify such attacks, we build a number of practical exploits that leak sensitive information from victim processes, virtual machines, kernel, SGX and CPU-internal components. Second, and perhaps more importantly, RIDL bypasses all existing 'spot' mitigations in software (e.g., KPTI, PTE inversion) and hardware (e.g., speculative store bypass disable) and cannot easily be mitigated even by more heavyweight defenses (e.g., L1D flushing or disabling SMT). RIDL questions the sustainability of a per-variant, spot mitigation strategy and suggests more fundamental mitigations are needed to contain ever-emerging speculative execution attacks.

Published

2019

38. Vérification d'implémentations constant-time dans une chaîne de compilation vérifiée

Author

Trieu, Alix, Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Software certification with semantic analysis (CELTIQUE), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-LANGAGE ET GÉNIE LOGICIEL (IRISA-D4), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Université de Rennes, Sandrine Blazy, David Pichardie, Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), and Université Rennes 1

Subjects

Formal verification, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], CompCert, Canaux cachés, Analyse statique, Constant-Time, Side-Channels, Coq, Vérification formelle, Compilation, Static analysis, Verasco

Abstract

Side-channel attacks are an especially dangerous form of attack. In this thesis, we focus on the timing side-channel. A program is said to be constant-time if it is not vulnerable to timing attacks. We present in this thesis two methods relying on static analysis in order to ensure that a program is constant-time. These methods use formal verification in order to gain the highest possible level of assurance by relying on a verified compilation toolchain made up of the CompCert compiler and the Verasco static analyzer. We also propose a proof methodology in order to ensure that a compiler preserves constant-time security during compilation.; Les attaques par canaux cachés sont une forme d'attaque particulièrement dangereuse. Dans cette thèse, nous nous intéressons au canal caché temporel. Un programme est dit ''constant-time'' lorsqu'il n'est pas vulnérable aux attaques par canal caché temporel. Nous présentons dans ce manuscrit deux méthodes reposant sur l'analyse statique afin de s'assurer qu'un programme est constant-time. Ces méthodes se placent dans le cadre de vérification formelle afin d'obtenir le plus haut niveau d'assurance possible en s'appuyant sur une chaîne de compilation vérifiée composée du compilateur CompCert et de l'analyseur statique Verasco. Nous proposons aussi une méthode de preuve afin de s'assurer qu'un compilateur préserve la propriété de constant-time lors de la compilation d'un programme.

Published

2018

39. Alluviation of a side-channel by bed material load. Field measurements and modelling.

Author

Ferrer-Boix, Carles, Boix Oliva, Júlia, Martín-Vide, Juan P., and Ollero, Alfredo

Subjects

*BED load, *AGGRADATION & degradation, *NUMERICAL analysis, *HYDRAULIC models, *EROSION, *FLUVIAL geomorphology

Abstract

In this research, we explore the alluviation process of an artificial side-channel built in August 2015 and designed to alleviate bank erosion risks on the main river. The study area is located on the lower Gállego River, a meandering-wandering gravel-bed river draining the Southern Pyrenees. This river reach is still dynamic (i.e. chutes, meander migration and other riverine processes are often observed during floods) despite the presence of three dams in the upper catchment, encroachments and extensive mining during the 1960s–80s that led to severe incision. In this research, we focus on the effects of bankfull-like flood events (Q peak = 354 m3/s) between February 2016 and February 2017, which alluviated 62% of the side-channel. This research aims at finding the physical mechanisms that explain the alluviation process and at putting them in the general context of the current geomorphic trend of the Gállego River in response to past and ongoing impacts. The causes of the alluviation are studied through collecting and analysing field data, which in turn, are used as input in a novel modelling strategy that includes one-dimensional hydraulic modelling, semi-empirical expressions to obtain the sediment supply entering the side-channel system and a morphodynamic model able to deal with granular sediment mixtures in compound channels. The analyses of the numerical results along with the recent history of impacts and general channel pattern adjustments help us understand about the morphodynamics mechanisms responsible for the alluviation of the side-channel. [ABSTRACT FROM AUTHOR]

Published

2021

40. Lightweight and Side-channel Secure 4 × 4 S-Boxes from Cellular Automata Rules

Author

Ghoshal, Ashrujit (author), Sadhukhan, Rajat (author), Patranabis, Sikhar (author), Datta, Nilanjan (author), Picek, S. (author), Mukhopadhyay, D (author), Ghoshal, Ashrujit (author), Sadhukhan, Rajat (author), Patranabis, Sikhar (author), Datta, Nilanjan (author), Picek, S. (author), and Mukhopadhyay, D (author)

Abstract

This work focuses on side-channel resilient design strategies for symmetrickey cryptographic primitives targeting lightweight applications. In light of NIST’s lightweight cryptography project, design choices for block ciphers must consider not only security against traditional cryptanalysis, but also side-channel security, while adhering to low area and power requirements. In this paper, we explore design strategies for substitution-permutation network (SPN)-based block ciphers that make them amenable to low-cost threshold implementations (TI) - a provably secure strategy against side-channel attacks. The core building blocks for our strategy are cryptographically optimal 4×4 S-Boxes, implemented via repeated iterations of simple cellular automata (CA) rules. We present highly optimized TI circuits for such S-Boxes, that consume nearly 40% less area and power as compared to popular lightweight S-Boxes such as PRESENT and GIFT. We validate our claims via implementation results on ASIC using 180nm technology. We also present a comparison of TI circuits for two popular lightweight linear diffusion layer choices - bit permutations and MixColumns using almost-maximum-distance-separable (almost-MDS) matrices. We finally illustrate design paradigms that combine the aforementioned TI circuits for S-Boxes and diffusion layers to obtain fully side-channel secure SPN block cipher implementations with low area and power requirements., Cyber Security

Published

2018

41. Secure Compilation (Dagstuhl Seminar 18201)

Author

Amal Ahmed and Deepak Garg and Catalin Hritcu and Frank Piessens, Ahmed, Amal, Garg, Deepak, Hritcu, Catalin, Piessens, Frank, Amal Ahmed and Deepak Garg and Catalin Hritcu and Frank Piessens, Ahmed, Amal, Garg, Deepak, Hritcu, Catalin, and Piessens, Frank

Abstract

Secure compilation is an emerging field that puts together advances in security, programming languages, verification, systems, and hardware architectures in order to devise secure compilation chains that eliminate many of today's vulnerabilities. Secure compilation aims to protect a source language's abstractions in compiled code, even against low-level attacks. For a concrete example, all modern languages provide a notion of structured control flow and an invoked procedure is expected to return to the right place. However, today's compilation chains (compilers, linkers, loaders, runtime systems, hardware) cannot efficiently enforce this abstraction: linked low-level code can call and return to arbitrary instructions or smash the stack, blatantly violating the high-level abstraction. The emerging secure compilation community aims to address such problems by devising formal security criteria, efficient enforcement mechanisms, and effective proof techniques. This seminar strived to take a broad and inclusive view of secure compilation and to provide a forum for discussion on the topic. The goal was to identify interesting research directions and open challenges by bringing together people working on building secure compilation chains, on developing proof techniques and verification tools, and on designing security mechanisms.

Published

2018

42. Securing Compilation Against Memory Probing

Author

Frédéric Besson, Alexandre Dang, Thomas Jensen, Software certification with semantic analysis (CELTIQUE), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-LANGAGE ET GÉNIE LOGICIEL (IRISA-D4), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes 1 (UR1), and Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique)

Subjects

Dead store, Information-flow Preservation, [INFO.INFO-PL]Computer Science [cs]/Programming Languages [cs.PL], Computer science, Secure Compilation, Formal security models, 020207 software engineering, 02 engineering and technology, Source level, Computer security, computer.software_genre, Side-channels, Regis-ter Allocation, Transformation (function), Order (business), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Logic and verification, Dead Store Elimination, Compiler, Information flow (information theory), computer, Formal description, Software security engineering, Register allocation

Abstract

International audience; A common security recommendation is to reduce the in-memory lifetime of secret values, in order to reduce the risk that an attacker can obtain secret data by probing memory. To mitigate this risk, secret values can be overwritten, at source level, after their last use. The problem we address here is how to ensure that a compiler preserve these mitigation efforts and thus that secret values are not easier to obtain at assembly level than at source level. We propose a formal definition of Information Flow Preserving program Transformations in which we model the information leak of a program using the notion of Attacker Knowledge. Program transformations are validated by relating the knowledge of the attacker before and after the transformation. We consider two classic compiler passes (Dead Store Elimination and Register Allocation) and show how to validate and, if needed, modify these transformations in order to be information flow preserving.

Published

2018

43. Lightweight and Side-channel Secure 4 × 4 S-Boxes from Cellular Automata Rules

Author

Ghoshal, Ashrujit, Sadhukhan, Rajat, Patranabis, Sikhar, Datta, Nilanjan, Picek, S., and Mukhopadhyay, D

Subjects

lcsh:Computer engineering. Computer hardware, Lightweight, Applied Mathematics, lcsh:TK7885-7895, 020206 networking & telecommunications, Cellular Automata, 0102 computer and information sciences, 02 engineering and technology, Side-channels, 01 natural sciences, Computer Science Applications, Computational Mathematics, Optimal S-Box, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Block Ciphers, Threshold Implementation, Software

Abstract

This work focuses on side-channel resilient design strategies for symmetrickey cryptographic primitives targeting lightweight applications. In light of NIST’s lightweight cryptography project, design choices for block ciphers must consider not only security against traditional cryptanalysis, but also side-channel security, while adhering to low area and power requirements. In this paper, we explore design strategies for substitution-permutation network (SPN)-based block ciphers that make them amenable to low-cost threshold implementations (TI) - a provably secure strategy against side-channel attacks. The core building blocks for our strategy are cryptographically optimal 4×4 S-Boxes, implemented via repeated iterations of simple cellular automata (CA) rules. We present highly optimized TI circuits for such S-Boxes, that consume nearly 40% less area and power as compared to popular lightweight S-Boxes such as PRESENT and GIFT. We validate our claims via implementation results on ASIC using 180nm technology. We also present a comparison of TI circuits for two popular lightweight linear diffusion layer choices - bit permutations and MixColumns using almost-maximum-distance-separable (almost-MDS) matrices. We finally illustrate design paradigms that combine the aforementioned TI circuits for S-Boxes and diffusion layers to obtain fully side-channel secure SPN block cipher implementations with low area and power requirements., IACR Transactions on Symmetric Cryptology, Volume 2018, Issue 3

Published

2018

44. Security and Privacy Threats on Mobile Devices through Side-Channels Analysis

Author

Spolaor, Riccardo

Subjects

machine learning, Settore INF/01 - Informatica, analysis, security, security, privacy, machine learning, side-channels, analysis, privacy, INF/01 Informatica, side-channels

Abstract

In recent years, mobile devices (such as smartphones and tablets) have become essential tools in everyday life for billions of people all around the world. Users continuously carry such devices with them and use them for daily communication activities and social network interactions. Hence, such devices contain a huge amount of private and sensitive information. For this reason, mobile devices become popular targets of attacks. In most attack settings, the adversary aims to take local or remote control of a device to access user sensitive information. However, such violations are not easy to carry out since they need to leverage a vulnerability of the system or a careless user (i.e., install a malware app from an unreliable source). A different approach that does not have these shortcomings is the side-channels analysis. In fact, side-channels are physical phenomenon that can be measured from both inside or outside a device. They are mostly due to the user interaction with a mobile device, but also to the context in which the device is used, hence they can reveal sensitive user information such as identity and habits, environment, and operating system itself. Hence, this approach consists of inferring private information that is leaked by a mobile device through a side-channel. Besides, side-channel information is also extremely valuable to enforce security mechanisms such as user authentication, intrusion and information leaks detection. This dissertation investigates novel security and privacy challenges on the analysis of side-channels of mobile devices. This thesis is composed of three parts, each focused on a different side-channel: (i) the usage of network traffic analysis to infer user private information; (ii) the energy consumption of mobile devices during battery recharge as a way to identify a user and as a covert channel to exfiltrate data; and (iii) the possible security application of data collected from built-in sensors in mobile devices to authenticate the user and to evade sandbox detection by malware. In the first part of this dissertation, we consider an adversary who is able to eavesdrop the network traffic of the device on the network side (e.g., controlling a WiFi access point). The fact that the network traffic is often encrypted makes the attack even more challenging. Our work proves that it is possible to leverage machine learning techniques to identify user activity and apps installed on mobile devices analyzing the encrypted network traffic they produce. Such insights are becoming a very attractive data gathering technique for adversaries, network administrators, investigators and marketing agencies. In the second part of this thesis, we investigate the analysis of electric energy consumption. In this case, an adversary is able to measure with a power monitor the amount of energy supplied to a mobile device. In fact, we observed that the usage of mobile device resources (e.g., CPU, network capabilities) directly impacts the amount of energy retrieved from the supplier, i.e., USB port for smartphones, wall-socket for laptops. Leveraging energy traces, we are able to recognize a specific laptop user among a group and detect intruders (i.e., user not belonging to the group). Moreover, we show the feasibility of a covert channel to exfiltrate user data which relies on temporized energy consumption bursts. In the last part of this dissertation, we present a side-channel that can be measured within the mobile device itself. Such channel consists of data collected from the sensors a mobile device is equipped with (e.g., accelerometer, gyroscope). First, we present DELTA, a novel tool that collects data from such sensors, and logs user and operating system events. Then, we develop MIRAGE, a framework that relies on sensors data to enhance sandboxes against malware analysis evasion.

Published

2018

45. Hardware Security Threat and Mitigation Techniques for Network-on-Chips

Author

Boraten, Travis Henry

Subjects

Computer Engineering, Electrical Engineering, Network-on-Chip, Hardware Security, Hardware Trojans, Side-Channels, Denial-of-Service

Abstract

Today, hardware security for state-of-the-art integrated circuits (ICs) is a growing concern because semi-conductor supply-chains are increasingly complex and the industry is shifting to third-party fabrication plants on the global market. While the globalization of the semi-conductor industry allows for cutting cost, it opens the door for adversarial governments to steal intellectual property (IP), produce clones, counterfeits, and maliciously alter designs during the fabrication process. Since Network-on-Chip (NoC) architectures handle all communication between cores on-and-off chip, NoCs are one of the many likely targets attackers may try to compromise in future Multi-Processor System-on-Chips (MPSoCs). In this dissertation I propose a comprehensive set of threat detection and mitigation techniques to enhance the reliability NoC data-paths, control-paths, and application flows so that they can localize threats and gracefully degrade performance until they can be replaced. Specifically, I will show how to (1) overcome maliciously injected faults on links intended to compromise data integrity and induce Denial-of-Service attacks (securing data-paths), (2) identify security points-of-interest within the router micro-architecture and design Secure Model Checkers (SMCs) to validate functional correctness of those interest and prevent malicious gaming of resources in a compromised NoC (securing control-paths), and (3) to use Non-interference Based Routing (NIBR) to prevent network traffic induced side-channels (securing application flows). In my evaluation, I will show that the proposed Target-Activated Sequential-Payload (TASP) hardware trojans are cable of inducing a Denial-of-Service (DoS) attack and deadlocking a NoC within a few thousand cycles. To circumvent TASP and any other snooping 4 link HT, my proposed threat detector and switch-to-switch (s2s) obfuscation units allow for continual use of links instead of rerouting around them with only a 1-3 cycle performance penalty. The cost of mitigation is limited to an additional 2% in area overhead and 6% excess power consumption in the router micro-architecture. For HTs in the router micro-architecture logic, I identified 10 additional invariant rules over the existing 32 rules identified by [1]. These rules are enforced using SMCs with near instantaneous detection and provide greater threat coverage as SMCs now have access to state information in each router stage, not just the current stage. SMCs are capable of enhancing the security of control logic with only a 1.1% and 1.5% additional total router area overhead and power consumption respectively. Finally, with NIBR, I will show that routing on-demand coupled with reverse priority throttling can be used to prevent interference leaking information to the low domain and sustain performance in the high domain instead of reducing it. While prior work has shown to successfully prevent interference, most techniques do so at the cost of performance. I will show that NIBR improves performance by 2-20% over existing techniques with only a 1.84% power consumption penalty. By combining each of these approaches, NoCs can improve security on data-paths, control-paths, and application flows.

Published

2020

46. Side Channel Analysis Using a Model Counting Constraint Solver and Symbolic Execution (Invited Talk)

Author

Tevfik Bultan, Bultan, Tevfik, Tevfik Bultan, and Bultan, Tevfik

Abstract

A crucial problem in software security is the detection of side-channels. Information gained by observing non-functional properties of program executions (such as execution time or memory usage) can enable attackers to infer secret information (such as a password). In this talk, I will discuss how symbolic execution, combined with a model counting constraint solver, can be used for quantifying side-channel leakage in Java programs. In addition to computing information leakage for a single run of a program, I will also discuss computation of information leakage for multiple runs for a type of side channels called segmented oracles. In segmented oracles, the attacker is able to explore each segment of a secret (for example each character of a password) independently. For segmented oracles, it is possible to compute information leakage for multiple runs using only the path constraints generated from a single run symbolic execution. These results have been implemented as an extension to the symbolic execution tool Symbolic Path Finder (SPF) using the SMT solver Z3 and two model counting constraint solvers LattE and ABC.

Published

2016

47. OJIT: A Novel Obfuscation Approach Using Standard Just-In-Time Compiler Transformations

Author

Muhammad Hataba, Ahmed El-Mahdy, Erven Rohou, Egypt-Japan University of Science and Technology [Alexandrie] (E-JUST), Amdahl's Law is Forever (ALF), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-ARCHITECTURE (IRISA-D3), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), CentraleSupélec-Télécom Bretagne-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Université de Bretagne Sud (UBS)-Centre National de la Recherche Scientifique (CNRS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Télécom Bretagne-Université de Rennes 1 (UR1), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Université de Bretagne Sud (UBS)-Centre National de la Recherche Scientifique (CNRS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA), PHC IMHOTEP 27469YJ, Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), and Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)

Subjects

Code Optimizations, Obfuscation, Side-Channels, [INFO.INFO-OH]Computer Science [cs]/Other [cs.OH], Just-In-Time Compilation, Cloud Computing

Abstract

International audience; With the adoption of cloud computing, securing remote program execution becomes an important issue. Relying on standard data encryption is not enough, since code execution happens on remote servers, possibly allowing for eavesdropping from potential adversaries; thus the full execution process requires protection from such threats. In this paper, we introduce OJIT system as a novel approach for obfuscating programs, making it difficult for adversaries to reverse-engineer. The system exploits the JIT compilation technology to dynamically transform the code, making it constantly changing, thereby complicating the execution state. This paper quantitatively studies the effect of this approach by considering a set of obfuscation metrics borrowed from the software engineering field. The paper constructs a testbed system using the LLVM compilation framework that frequently applies random sequences of standard compiler optimizations on the currently running program. Results on using selected benchmarks from the SPEC CPU 2006 suite show a significant sustainable increase in obfuscation for a large number of standard optimizations over the run-time course of the programs.

Published

2015

48. Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations

Author

José B. Almeida, Manuel Barbosa, François Dupressoir, Gilles Barthe, and Universidade do Minho

Subjects

Computer science, Distributed computing, Cryptography, 02 engineering and technology, computer.software_genre, Encryption, formal proof, 0202 electrical engineering, electronic engineering, information engineering, Concrete security, PKCS #1, business.industry, Programming language, certified compilation, PKCS, 020207 software engineering, computer.file_format, Adversary, Formal methods, side-channels, 020201 artificial intelligence & image processing, PKCS#1, Compiler, Executable, business, computer, Machine code

Abstract

We present a computer-aided framework for proving concrete security bounds for cryptographic machine code implementations. The front-end of the framework is an interactive verification tool that extends the EasyCrypt framework to reason about relational properties of C-like programs extended with idealised probabilistic operations in the style of code-based security proofs. The framework also incorporates an extension of the CompCert certified compiler to support trusted libraries providing complex arithmetic calculations or instantiating idealized components such as sampling operations. This certified compiler allows us to carry to executable code the security guarantees established at the high-level, and is also instrumented to detect when compilation may interfere with side-channel countermeasures deployed in source code. We demonstrate the applicability of the framework by applying it to the RSA-OAEP encryption scheme, as standard- ized in PKCS#1 v2.1. The outcome is a rigorous analysis of the advantage of an adversary to break the security of as- sembly implementations of the algorithms specified by the standard. The example also provides two contributions of independent interest: it bridges the gap between computer-assisted security proofs and real-world cryptographic implementations as described by standards such as PKCS,and demonstrates the use of the CompCert certified compiler in the context of cryptographic software development., ONR -Office of Naval Research(N000141210914)

Published

2013

49. Layout Dependent Phenomena A New Side-channel Power Model

Author

Knut Wold, Geir Olav Dyrkolbotn, and Einar Snekkenes

Subjects

General Computer Science, business.industry, Computer science, CMOS, Electrical engineering, Hardware_PERFORMANCEANDRELIABILITY, Permission, crosstalk, side-channels, Mathematics and natural science: 400::Information and communication science: 420::Security and vulnerability: 424 [VDP], Power model, Hardware_INTEGRATEDCIRCUITS, Side channel attack, business, Telecommunications, power model, Open access journal, Hardware_LOGICDESIGN

Abstract

This is the journal's version originally published in Journal of Computers: http://dx.doi.org/10.4304/jcp.7.4.827-837. This is an open access journal. Reprinted with permission from Academy Publisher. The energy dissipation associated with switching in CMOS logic gates can be used to classify the microprocessor’s activity. In VLSI design, layout dependent phenomena, such as capacitive crosstalk, become a major contributor to the power consumption and delays of on-chip busses as transistor technology get smaller. These effects may be known to the security community but have received little attention. In a recent paper we presented a new power model, taking into consideration capacitive crosstalk. We have shown that capacitive crosstalk has a significant effect on gate energy dissipation. Our results confirm that the dissipated energy from CMOS switching gates depends not only on the hamming distance (HD), but also on the direction of switching activity on nearby data lines. We show that for an 8 bit data bus, crosstalk may improve detection performance from 2.5 bits (HD based detector) to a theoretical 5.7 bits and simulated 5.0 bits (crosstalk based detector) of information per sample. In this paper we elaborate on the theory and simulations of layout dependent phenomena and how they must be considered when analyzing security implications of power and electromagnetic side-channels. We have also added a small case study, i.e. the electromagnetic side-channel of a smart card, that supports our simulations/theoretical results.

Published

2012

50. Private Communication Detection via Side-Channel Attacks

Author

Jong, Chang-Han and Jong, Chang-Han

Abstract

Private communication detection (PCD) enables an ordinary network user to discover communication patterns (e.g., call time, length, frequency, and initiator) between two or more private parties. Analysis of communication patterns between private parties has historically been a powerful tool used by intelligence, military, law-enforcement and business organizations because it can reveal the strength of tie between these parties. Ordinary users are assumed to have neither eavesdropping capabilities (e.g., the network may employ strong anonymity measures) nor the legal authority (e.g. no ability to issue a warrant to network providers) to collect private-communication records. We show that PCD is possible by ordinary users merely by sending packets to various network end-nodes and analyzing the responses. Three approaches for PCD are proposed based on a new type of side channels caused by resource contention, and defenses are proposed. The Resource-Saturation PCD exploits the resource contention (e.g., a fixed-size buffer) by sending carefully designed packets and monitoring different responses. Its effectiveness has been demonstrated on three commercial closed-source VoIP phones. The Stochastic PCD shows that timing side channels in the form of probing responses, which are caused by distinct resource-contention responses when different applications run in end nodes, enable effective PCD despite network and proxy-generated noise (e.g., jitter, delays). It was applied to WiFi and Instant Messaging for resource contention in the radio channel and the keyboard, respectively. Similar analysis enables practical Sybil node detection. Finally, the Service-Priority PCD utilizes the fact that 3G/2G mobile communication systems give higher priority to voice service than data service. This allows detection of the busy status of smartphones, and then discovery of their call records by correlating the busy status. This approach was successfully applied to iPhone and Android phones

Published

2012