ECEN 4133
Side channel attacks and defenses
Side channel
Measure something secret using other available indirect measurement
Secrets:
Passwords
Private keys
Confidential information
Available data: Timing
Power
Heat
Sound
Pizza deliveries???
Panama invasion (1990)
Operation Desert Storm (1991)
Side channel example: passwords
bool check_password(char *pw, char *correct) {
  if (strlen(pw) != strlen(correct))
    return false;
  for (int i = 0; i < strlen(pw); i++) {
    if (pw[i] != correct[i])
      return false;   // early exit: the time taken reveals how many leading characters matched
  }
  return true;
}
How many guesses to get correct N-character password?
Side channel example: passwords
How should we fix this vulnerability?
Side channel solution: constant time
// Note: strlen(correct) must be equal to strlen(pw)
// This function still leaks the length of strlen(correct)! (how could we fix?)
bool check_password(char *pw, char *correct) {
  if (strlen(pw) != strlen(correct)) return false;
  int diff = 0;
  for (int i = 0; i < strlen(pw); i++)
    diff |= pw[i] ^ correct[i];   // accumulate mismatches without branching on them
  return diff == 0;               // always walks the whole string: runtime does not depend on where a mismatch is
}
Side channel example: repeated squaring
def power(x, n):            # compute x**n by repeated squaring (n >= 1)
    y = 1
    while n > 1:
        if n % 2 == 1:      # n is odd: one extra multiply
            y = x * y
            x = x * x
            n = (n - 1) // 2
        else:               # n is even: square only
            x = x * x
            n = n // 2
    return x * y
[Figure: power trace, Power vs. Time (us); a "Square" step and a "Square and multiply" step are distinguishable in the trace, so each bit of n can be read off]
Solving the repeated squaring side channel?
Repeated squaring: Montgomery's Ladder:
def montgomery_pow(x, n):
    k = n.bit_length()               # k bits in n, MSB (n_(k-1)) = 1
    x1 = x
    x2 = x * x
    for i in range(k - 2, -1, -1):   # for i = k-2 to 0
        if (n >> i) & 1 == 0:        # bit is even (n_i == 0)
            x2 = x1 * x2
            x1 = x1 * x1
        else:                        # bit is odd (n_i == 1)
            x1 = x1 * x2
            x2 = x2 * x2
    # every iteration does exactly one multiply and one square, whatever the bit
    return x1
Alternative side channel defense: blinding
Given c = x^e mod N
Don't want to compute c^d mod N directly (might leak d!)
First blind: b = c*r^e mod N for random r (this is just (xr)^e mod N)
Then decrypt: a = b^d mod N = (xr)^ed mod N = xr mod N
Remove blinding: a*r^-1 mod N = xr*r^-1 mod N = x mod N
Since the attacker doesn't know r, they can't learn d during the blinded decryption
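The three blinding steps above carried through on a toy RSA key, as an added example that is not from the slides; the key (N=3233, e=17, d=2753), the message and the fixed r used for testing are constructed for illustration only:

```python
import math
import secrets

def blinded_decrypt(c, d, e, N, r=None):
    """Decrypt c = x^e mod N without running the secret exponent d on attacker-chosen input.

    r: blinding factor, chosen at random (coprime to N) when not supplied.
    Passing r explicitly is only for deterministic testing.
    """
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2      # r in [2, N-1]
            if math.gcd(r, N) == 1:               # r must be invertible mod N
                break
    # 1. Blind: b = c * r^e mod N  (this is (x*r)^e mod N)
    b = (c * pow(r, e, N)) % N
    # 2. Decrypt the blinded value: a = b^d mod N = x*r mod N.
    #    d is only ever applied to b, which the attacker cannot predict
    #    because r is unknown to them, so timing/power of this step
    #    cannot be correlated with a known input.
    a = pow(b, d, N)
    # 3. Remove blinding: a * r^-1 mod N = x mod N
    return (a * pow(r, -1, N)) % N

# Constructed toy RSA key (p=61, q=53): N=3233, e=17, d=2753. Far too small for real use.
N, E, D = 3233, 17, 2753

def demo():
    x = 65                                    # constructed plaintext
    c = pow(x, E, N)                          # c = x^e mod N
    return c, blinded_decrypt(c, D, E, N), pow(c, D, N)

if __name__ == "__main__":
    c, via_blinding, direct = demo()
    print(f"c={c}, blinded decryption -> {via_blinding}, direct decryption -> {direct}")
```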
Other side channels?
What other examples of side channels exist? How can we fix them?
Other side channels?
EM-emission
Sound
Accelerometer data
Timing of key presses
Shared resources:
Cache timing
Bandwidth / latency
IPID field in IP packets
Cache side channels
Caches improve performance by storing recently-accessed data close to the CPU
Potentially leaks what was recently accessed!
1. Attacker fills cache: 0xA0 0xA4 0xA8 0xAC
2. Victim process reads from 0xC8: cache now holds 0xA0 0xA4 0xC8 0xAC (0xA8 is evicted)
3. Attacker reads: 0xA0 (52ns) 0xA4 (55ns) 0xA8 (397ns) 0xAC (49ns)
Attacker learns 0xA8 was not in cache! (recently evicted by another process)