Catch me if you can - WordPress.com · fabrication of a dedicated security IC is not an option...

Catch me if you can: Locating (and fixing) side channel leaks (for dummies). Elisabeth Oswald

Transcript of Catch me if you can - WordPress.com · fabrication of a dedicated security IC is not an option...

Page 1: Title

Catch me if you can: Locating (and fixing) side channel leaks (for dummies)

Elisabeth Oswald

Page 2: Outline

• Why: There are many more non-crypto experts than crypto experts!

• What: This talk is about tools and techniques for detecting (and fixing) information leaks that are designed for developers who are not cryptographers.

• How: With a lot of effort, by developing an appropriate model of the TOE (target of evaluation) that integrates in some 'design flow'.

Page 3: Context

• Developed around 1995, with publications emerging from 1996 onwards, side channel attacks have exploited:
  • Execution times
  • Power consumption
  • EM radiation
  • Cache behaviour
  • RF emanation
  • Sound
  • Packet length
  • ...

Page 4: Attacks that Exploit Leakage

• Many attacks recover information about 'chunks' of a secret key
• Stronger attacks tend to have better device leakage models
• Distinguisher needs to be chosen in conjunction with the device leakage model
• High quality traces naturally also improve attack outcomes
• Some attacks recover plaintext information

Diagram: the Data and a Key (Chunk) guess are fed into a Model of Device, which outputs the Predicted Behaviour; the Distinguisher compares that prediction with the Side channel measured for the same Data and returns a Score associated with key guess.
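The pipeline in the diagram, carried through for one 4-bit key chunk, as an added example (not code from the talk or from ELMO). The target operation S(x XOR k) with the 4-bit PRESENT S-box, the Hamming-weight-plus-Gaussian-noise device model, the noise level and the trace counts are all assumptions; the traces are constructed by simulation. The distinguisher is Pearson correlation, and `noise_free_scores` shows the 'ghost peaks' a wrong guess can reach even when the model is exact, which is why a weak model or noisy traces can let a wrong chunk win.

```python
"""Correlation power analysis (CPA) against one 4-bit key chunk.

Added example, not code from the talk or from ELMO. It instantiates the
slide's pipeline: Data and a Key (Chunk) guess go through a Model of Device
to give the Predicted Behaviour, and a Distinguisher (here Pearson
correlation) scores that prediction against the measured Side channel.
Assumptions: the target operation is S(x XOR k) with the 4-bit PRESENT
S-box, the device leaks the Hamming weight of the S-box output plus
Gaussian noise, and traces are constructed by simulation.
"""
import random

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(v):
    """Hamming weight: the leakage model assumed for the device."""
    return bin(v).count("1")


def simulate_traces(key_chunk, n, noise_sd, rng):
    """Constructed data: one leakage sample per run on a random input nibble."""
    data, traces = [], []
    for _ in range(n):
        x = rng.randrange(16)
        data.append(x)
        traces.append(hw(PRESENT_SBOX[x ^ key_chunk]) + rng.gauss(0, noise_sd))
    return data, traces


def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return 0.0 if den == 0 else num / den


def cpa_scores(data, traces, model=hw):
    """Distinguisher: for every key guess, |corr(predicted leakage, traces)|."""
    scores = []
    for guess in range(16):
        predicted = [model(PRESENT_SBOX[x ^ guess]) for x in data]
        scores.append(abs(pearson(predicted, traces)))
    return scores


def recover_chunk(data, traces, model=hw):
    scores = cpa_scores(data, traces, model)
    return max(range(16), key=scores.__getitem__)


def noise_free_scores(key_chunk):
    """Scores with every input seen once and no noise: shows the 'ghost peaks'
    a wrong guess reaches even with a perfect model (0.75 for this S-box)."""
    data = list(range(16))
    traces = [hw(PRESENT_SBOX[x ^ key_chunk]) for x in data]
    return cpa_scores(data, traces)


def demo(key_chunk=0xA, n=2000, noise_sd=1.0, seed=1):
    """Simulate an attack on a constructed device and return the recovered chunk."""
    data, traces = simulate_traces(key_chunk, n, noise_sd, random.Random(seed))
    return recover_chunk(data, traces)


if __name__ == "__main__":
    print("noise-free scores:", [round(s, 2) for s in noise_free_scores(0xA)])
    print("recovered chunk:", hex(demo()))
```

With this S-box the strongest ghost peak sits at 0.75 of the correct guess's score, so the margin the distinguisher has to work with is small; that margin is what a better device model (page 12) or cleaner traces buys.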

Page 5: Context, cont.

• Attacks only ever get better

1999: attacks on block ciphers (DES, AES), exploiting physical leaks, simple implementations, trivial to break

2012: attacks on protocols (TLS), exploiting protocol leaks, non-trivial attacks requiring profiling

Page 6: Context, cont.

• Past attacks on real world products
  • Pay TV as a 'market driver': protecting people from watching too much too bad telly is clearly very important!
• Standards/evaluation schemes exist to protect chip cards in the context of banking applications (CC protection profiles, EMVCo scheme)
• But also printer cartridges, and other 'gadgets' that have static secret keys embedded, are routinely protected

These applications are all somewhat 'closed': specialist developers with access to crypto/side channel expertise + labs are available. Code/implementations/evaluations remain confidential.

Page 7: Context, cont.

• But the world has changed:
  • Payments are getting integrated, e.g. in software apps running on mobile phones
  • We have more and more 'smart' devices around that interact with us, and sometimes connect us with other devices/apps/institutions/people
  • These systems are much more 'open' in the sense that there exist many (small) companies that produce software.

In this context, access to crypto/side channel specialists + lab can no longer be taken for granted.

Page 8: Context, cont.

• Research into attacks and mitigation strategies (provable or not) has more or less assumed a 'specialist developer' so far.
  • We develop 'Cryptography for Cryptographers only'
  • We need 'Cryptography for Everybody', and this includes ways to implement cryptography securely in the real world
• A large part of my research interest is to find ways to 'automate' implementing crypto so as to take away (some of) the burden from developers.

Page 9: Automation

Let's now focus on mitigation of physical leaks:
• What leaks?
• (Why does it leak?)
• How can it be fixed?

Questions:
• At which point in the design cycle to do this?
• What leaks do matter?
• How to include developers' decisions?

Page 10: Automation Approaches

'Closed world' approaches from the past include:
• Hardware level: assume we build a processor/crypto module, have full design details, aim for early mitigation
  • Pros: hope to remove leakage entirely, implies that the software developer does not need to care at all
  • Cons: unable to remove leakage entirely; impractical, as for most applications the fabrication of a dedicated security IC is not an option
• Software level: assume that crypto runs on a leaky processor, a simplistic leakage model (Hamming weight), and focus on a specific algorithm
  • Pros: does not rely on control/exact knowledge of the hardware design, potentially more applicable to a wide range of applications, promise to prove security
  • Cons: unable to capture any leak that does not fit the model

Page 11: Automation Approaches, cont.

Compiler based approaches:
• 2012: we developed a compiler extension, which required a domain specific language, that was capable of taking a 'raw' AES implementation and translating it into a first-order Boolean masked implementation in Thumb assembly for an ARM7TDMI.
• 2013: Bayrak, and Agosta, independently proposed different compiler extensions that 'identified' vulnerable instructions and applied some countermeasures
• 2013 onwards: Dupressoir published a series of papers in which formal verification was used to prove leakage properties of code

All approaches relied on very simplistic leakage models.

Page 12: Importance of leakage models

• Simplifications are good if they remove unnecessary complexity only
• We have seen many times (in the side channel community) that simplified assumptions render 'proofs' (arguments for security) useless
  • Even provably secure schemes such as ISW (Ishai, Sahai, Wagner, CRYPTO 2003) fail miserably in practice due to glitches
• TI (threshold implementation) schemes equally make strong independence assumptions on small components

Figure: Side channel attack outcomes using the HW assumption (top), and a statistically estimated leakage model (bottom).

Page 13: Importance of leakage models, cont.

• Leakage behaviour can be very complex:
  • It depends on the state that the processor is in prior to a (target) instruction as well as what the next instruction will be
  • It depends on the pipeline architecture, functional components, busses, etc.
• Thus modelling 'an' instruction requires a sequence of instructions.

Figure: power traces of an XOR operation, surrounded by LDR (left) and LSL (right).

Page 14: Automation challenges

• What leaks: without a sophisticated understanding of the target architecture's leakage, 'reasoning' about implementations is pointless
• Why does it leak: without a 'white box' this cannot really be answered, but a good leakage model can potentially describe how the leakage functionally looks
• How can you reliably detect leakage in a new piece of code without having to instrument everything all the time?
• How can you mitigate arbitrary leaks?

Page 15: Leakage detection

We now focus more on the 'finding' than the 'fixing'.
• Detecting information leaks is not a new topic: detecting 'points of interest' has been a topic for discussion since the advent of 'higher-order' (in this case meaning multivariate) DPA attacks
• Methods that are easy to use tend to be based on the t-test (leakage model assumes individual bits' leakage differ) and correlation analysis (requires a power model), which are moment based statistics that produce unreliable results when used in a multivariate setting.
• Statistically rigorous methods were developed by Chothia et al. based on Mutual Information (no power model required, cope better in a multivariate setting)

Page 16: Leakage modelling

• Modelling has been done under the disguise of template matching for a long time in the community
  • Templates consist of the mean (vector) and (co)variance (matrix) of a (multivariate) Gaussian that represent (a) leakage point(s)
  • Pro: captures potentially the full leakage. Cons: lots of traces, matrix not invertible
• This is equivalent to a multinomial representation in which one includes all interaction terms
  • Pro: can test which interaction terms are statistically significant, and thus remove all others; requires potentially fewer traces for a very good estimation of the relevant terms using regression

Page 17: Leakage modelling, cont.

• Beyond the choice of statistical technique, there is a big question about the 'level of abstraction', and how to integrate models into a design flow
  • Bayrak et al.'s approach requires instrumenting each new piece of code before it can be analysed
• (Maybe) a much better idea: choose assembly level code snippets to determine and model leakage
  • Length and composition of sequences, choice of leakage points within the corresponding traces, what potential effects to include, etc.

Page 18: ELMO

• Leakage modelling methodology
  • Initial scouting of individual instructions with the aim of clustering instructions; verification by cross-checking with known architectural information (grey box modelling)
  • Generation of controlled sequences of specifically designed instruction triplets (with the target instruction in the middle) to produce data for modelling
• Model:
  • We test significance for the terms with an F-test and look at R²
  • We also test for effects of board, register choices, and the potential of higher order terms (included then for some instructions)

Page 19: ELMO

• Leakage modelling methodology
• Model terms:
  • Ip (previous instruction), Is (subsequent instruction)
  • D (dummies for bits and transitions of operands)
  • D×Ip (HW and HD terms plus interactions with the previous instruction), D×Is
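The regression side of pages 16, 18 and 19, as an added example that is not ELMO's code and does not reproduce its real models: one target instruction inside a triplet, a 'device' that is a constructed simulator (unequal per-bit weights for the operand, per-bit transition weights against the previous instruction's operand, Gaussian noise; all of these weights, the noise level and the 4-bit width are assumptions), and two nested linear models fitted by ordinary least squares with bit dummies (D) and bit-transition dummies (the HD part of D×Ip). R² is reported for both fits and the partial F statistic for the transition terms is computed; the critical value to compare it against needs an F table or scipy, which this standard-library-only example leaves out.

```python
"""Fitting an instruction leakage model by regression (added example).

Not code from the talk or from ELMO; it mimics the methodology on these
slides for one target instruction inside a triplet. The 'device' is a
constructed simulator: its leakage is an unequal per-bit weighting of the
instruction's operand (the D terms), plus per-bit transition weights
against the previous instruction's operand (Hamming-distance terms from
the D x Ip interaction), plus Gaussian noise. The true weights, the noise
level and the 4-bit operand width are assumptions.
"""
import random

BITS = 4
TRUE_BIT_W = [1.0, 0.6, 1.4, 0.9]   # assumed per-bit weights (not a plain HW)
TRUE_HD_W = [0.5, 0.5, 0.2, 0.8]    # assumed per-bit transition weights
INTERCEPT = 2.0


def bits(v):
    return [(v >> i) & 1 for i in range(BITS)]


def simulate(n, noise_sd, rng):
    """Constructed data: (previous operand, operand, leakage sample) rows."""
    rows = []
    for _ in range(n):
        prev, cur = rng.randrange(1 << BITS), rng.randrange(1 << BITS)
        b, p = bits(cur), bits(prev)
        leak = (INTERCEPT
                + sum(w * x for w, x in zip(TRUE_BIT_W, b))
                + sum(w * (x ^ y) for w, x, y in zip(TRUE_HD_W, b, p))
                + rng.gauss(0, noise_sd))
        rows.append((prev, cur, leak))
    return rows


def design_row(prev, cur, with_transitions):
    """Dummies: intercept, bit_i(cur) and, optionally, bit_i(cur) XOR bit_i(prev)."""
    row = [1.0] + [float(x) for x in bits(cur)]
    if with_transitions:
        row += [float(x ^ y) for x, y in zip(bits(cur), bits(prev))]
    return row


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(a)
    m = [a[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def least_squares(X, y):
    """Ordinary least squares through the normal equations (X^T X) beta = X^T y."""
    k = len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * t for r, t in zip(X, y)) for i in range(k)]
    return solve(xtx, xty)


def fit(rows, with_transitions):
    """Fit one model; return its coefficients, residual sum of squares and R^2."""
    X = [design_row(p, c, with_transitions) for p, c, _ in rows]
    y = [leak for _, _, leak in rows]
    beta = least_squares(X, y)
    fitted = [sum(b * x for b, x in zip(beta, r)) for r in X]
    rss = sum((t - f) ** 2 for t, f in zip(y, fitted))
    mean = sum(y) / len(y)
    tss = sum((t - mean) ** 2 for t in y)
    return {"beta": beta, "rss": rss, "r2": 1.0 - rss / tss, "params": len(beta)}


def partial_f(small, full, n):
    """F statistic testing whether the extra terms of the nested full model matter."""
    df1 = full["params"] - small["params"]
    df2 = n - full["params"]
    return ((small["rss"] - full["rss"]) / df1) / (full["rss"] / df2)


def compare_models(n=2000, noise_sd=0.3, seed=3):
    """Fit bits-only and bits+transitions models on one simulated data set."""
    rows = simulate(n, noise_sd, random.Random(seed))
    bits_only = fit(rows, with_transitions=False)
    bits_hd = fit(rows, with_transitions=True)
    return bits_only, bits_hd, partial_f(bits_only, bits_hd, n)


if __name__ == "__main__":
    small, full, f_stat = compare_models()
    print("R^2 bits only       :", round(small["r2"], 3))
    print("R^2 bits+transitions:", round(full["r2"], 3))
    print("partial F for transition terms:", round(f_stat, 1))
    print("fitted transition weights:", [round(b, 2) for b in full["beta"][5:]])
```

The bits-only fit is what a Hamming-weight assumption amounts to (page 10): it cannot absorb the transition effect, so that part of the leakage lands in the residual and R² drops; the F statistic on the four transition dummies is what decides whether they stay in the model for this instruction. Dropping insignificant terms the same way is how the slide's 'remove all others' step works.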

Page 20: ELMO

These models were integrated in an open source instruction set emulator for the target architecture (a Cortex-M0):
• We piggyback on the 'Thumbulator' data flow graph to extract the input and output data for each instruction as it is executed on the target architecture
• We analyse triplets to 'plug in' the corresponding leakage model from our database of models
• This enables us to produce instruction (or cycle) accurate leakage traces for arbitrary code

Page 21: ELMO

• ELMO can thus produce nearly 'best case' leakage traces
  • They are noise free, but limited by our model choices
• ELMO has functionality to automate leakage detection
  • At present we only facilitate a t-test
• ELMO however enables developers to unambiguously attribute leaks to instructions
  • It instruments leakage detection according to best practice by interleaving 'acquisitions' to avoid any potential statistical bias
  • It can (in principle) select the appropriate number of 'acquisitions' to achieve a specific power of a test
  • It significantly speeds up second-order leakage detection because it can attribute masks to instructions, and thus 'knows' which pairs of points to select
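The detection flow this slide describes, as an added example that is not ELMO's code: noise-free, instruction-indexed traces from a constructed four-instruction program with an assumed leakage function (Hamming weight of each instruction's result), fixed-vs-random acquisitions interleaved with a fresh mask per run, a Welch t statistic per instruction index, and a second-order test on the one pair of points that mask attribution singles out (the instruction producing the mask and the one producing the masked value). The fixed input, the sample size and the 4.5 threshold are assumptions; the bug in instruction 2 is deliberate.

```python
"""First- and second-order t-test leakage detection on noise-free,
instruction-indexed traces (added example, not ELMO code).

The 'device' is a constructed four-instruction program emulated with an
assumed leakage function: the Hamming weight of the value each
instruction produces, with no noise, the way an emulator-derived trace
looks. Inputs arrive already masked as (x XOR m, m); instruction 2
wrongly combines the masked value with its own mask, so the secret x
reappears and then propagates. Fixed and random acquisitions are
interleaved, a fresh mask is drawn for every run, and every trace sample
is attributed to the instruction index that produced it.
"""
import math
import random

PROGRAM = ["ldr r0,[mask]", "ldr r1,[masked]", "eors r2,r1,r0", "lsls r3,r2,#1"]
FIXED_INPUT = 0x01   # assumed fixed-class input
THRESHOLD = 4.5      # assumed |t| threshold


def hw(v):
    return bin(v & 0xFF).count("1")


def emulate(x, m):
    """One leakage sample per instruction: Hamming weight of its result."""
    r0 = m
    r1 = x ^ m
    r2 = r1 ^ r0            # the bug: mask taken off, r2 == x
    r3 = (r2 << 1) & 0xFF   # derived from the unmasked value
    return [hw(r0), hw(r1), hw(r2), hw(r3)]


def acquire(n_per_class, rng):
    """Interleave fixed and random inputs so drift cannot bias one class."""
    fixed, rand = [], []
    for i in range(2 * n_per_class):
        m = rng.randrange(256)
        if i % 2 == 0:
            fixed.append(emulate(FIXED_INPUT, m))
        else:
            rand.append(emulate(rng.randrange(256), m))
    return fixed, rand


def welch_t(a, b):
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((v - ma) ** 2 for v in a) / (na - 1)
    vb = sum((v - mb) ** 2 for v in b) / (nb - 1)
    denom = math.sqrt(va / na + vb / nb)
    if denom == 0.0:                 # both classes constant: possible without noise
        return 0.0 if ma == mb else math.inf
    return (ma - mb) / denom


def first_order(fixed, rand):
    """|t| for each instruction index."""
    return [abs(welch_t([t[i] for t in fixed], [t[i] for t in rand]))
            for i in range(len(PROGRAM))]


def second_order(fixed, rand, i, j):
    """|t| on the centred product of samples i and j (the pair mask attribution picks)."""
    both = fixed + rand
    mi = sum(t[i] for t in both) / len(both)
    mj = sum(t[j] for t in both) / len(both)
    centred = lambda ts: [(t[i] - mi) * (t[j] - mj) for t in ts]
    return abs(welch_t(centred(fixed), centred(rand)))


def run_detection(n_per_class=1000, seed=11):
    """First-order |t| per instruction, and second-order |t| for the (mask, masked) pair."""
    fixed, rand = acquire(n_per_class, random.Random(seed))
    return first_order(fixed, rand), second_order(fixed, rand, 0, 1)


def leaking_instructions(n_per_class=1000, seed=11):
    ts, _ = run_detection(n_per_class, seed)
    return [PROGRAM[i] for i, t in enumerate(ts) if t > THRESHOLD]


if __name__ == "__main__":
    ts, t2 = run_detection()
    for name, t in zip(PROGRAM, ts):
        print(f"{name:16s} |t| = {t:7.1f}{'  LEAK' if t > THRESHOLD else ''}")
    print(f"second order on (0,1): |t| = {t2:.1f}")
```

Two things to notice when reading the output: the two load instructions pass the first-order test (mask and masked value are each uniformly distributed) yet their centred product fails it, which is the second-order leak a correct masking scheme necessarily has; and the unmasking `eors` is flagged together with the `lsls` that consumes its result, so the instruction that introduced the leak is the first flagged index, not the only one.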

Page 22: ELMO traces

Figure: ELMO traces (slide shows trace plots only).

Page 23: ELMO

• ELMO can also trace 'masks' through assembly code and can thus point out if some instructions are unmasked or if masks get taken off
• In principle (tested on the AES in mbed TLS) one can write C code, compile to ARM Thumb, and then analyse this via ELMO
• In principle the tool can be used to randomly insert instructions that foil HW leakage and lower other leakage (certain sequences can enhance or worsen leakage of a target) (tested on AES)
• In principle any of the published work would be much facilitated by ELMO
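The first bullet, mask tracing, as an added example that is not ELMO's implementation: a toy symbolic tracker over Thumb-style assembly in which each register holds the set of symbols whose XOR it currently contains. The secret and mask names, the memory map that says what each label loads, and the sample program (with its deliberate unmasking) are all constructed. The model is crude on purpose: eor is tracked exactly, mov and shifts are treated as mask-preserving, and every other opcode is treated as non-linear and reported whenever secret-dependent data reaches it, because whether a non-linear gadget is masked correctly is beyond a XOR-set abstraction.

```python
"""Tracing Boolean masks through Thumb-style assembly (added example).

Not ELMO's implementation: a toy symbolic tracker in the spirit of this
slide. Each register holds the set of symbols whose XOR it currently
contains (constants contribute nothing). Loads take their symbol sets
from an assumed memory map, mov copies, eor is symmetric difference,
shifts are treated as mask-preserving, and any other opcode is treated
as non-linear. An instruction is reported when its result depends on a
secret but on no mask, when a mask present in its inputs is missing from
its result, or when it combines secret-dependent data non-linearly.
"""

SECRETS = {"x", "k"}          # assumed secret symbols
MASKS = {"m", "m2"}           # assumed mask symbols
MEMORY = {                    # assumed label -> symbols loaded from it
    "mask": {"m"}, "mask2": {"m2"},
    "masked_x": {"x", "m"}, "masked_k": {"k", "m2"},
}
LINEAR = {"eor", "eors"}
COPY = {"mov", "movs"}
SHIFTS = {"lsl", "lsls", "lsr", "lsrs", "ror", "rors"}

SAMPLE_PROGRAM = [              # constructed program with a deliberate bug
    "ldr  r0, [mask]       ; r0 = m",
    "ldr  r1, [masked_x]   ; r1 = x ^ m",
    "ldr  r2, [masked_k]   ; r2 = k ^ m2",
    "ldr  r3, [mask2]      ; r3 = m2",
    "eors r1, r2           ; r1 = x ^ k ^ m ^ m2",
    "eors r1, r3           ; m2 taken off, still masked by m",
    "eors r1, r0           ; m taken off: x ^ k is now in the clear",
    "movs r4, r1           ; and gets copied around",
]


def parse(line):
    """'eors r1, r2 ; note' -> ('eors', ['r1', 'r2'])."""
    code = line.split(";")[0].strip()
    op, _, rest = code.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return op.lower(), ops


def symbols(s):
    return ",".join(sorted(s))


def trace_masks(program):
    """Return (line number, finding, detail) triples in program order."""
    regs = {f"r{i}": frozenset() for i in range(8)}
    findings = []
    for idx, line in enumerate(program, 1):
        op, ops = parse(line)
        if not op:
            continue
        rd = ops[0]
        if op == "ldr":
            srcs, result = [], frozenset(MEMORY[ops[1].strip("[]")])
        elif op in COPY or op in SHIFTS:
            srcs = [ops[1]] if ops[1] in regs else []    # an immediate carries no symbols
            result = regs[ops[1]] if srcs else frozenset()
        elif op in LINEAR:
            srcs = ops[1:] if len(ops) == 3 else [rd, ops[1]]   # 3- or 2-operand form
            result = regs[srcs[0]] ^ regs[srcs[1]]
        else:                                                  # and/orr/mul/...: non-linear
            srcs = [o for o in ops if o in regs]
            result = frozenset().union(*(regs[s] for s in srcs))
            if result & SECRETS:
                findings.append((idx, "nonlinear op on masked data", symbols(result)))
        masks_in = frozenset().union(*(regs[s] & MASKS for s in srcs))
        regs[rd] = result
        stripped = masks_in - result
        if stripped and result & SECRETS:
            findings.append((idx, "mask taken off", symbols(stripped)))
        if result & SECRETS and not result & MASKS:
            findings.append((idx, "UNMASKED secret", symbols(result)))
    return findings


if __name__ == "__main__":
    for idx, kind, detail in trace_masks(SAMPLE_PROGRAM):
        code = SAMPLE_PROGRAM[idx - 1].split(";")[0].strip()
        print(f"line {idx}: {kind} ({detail}): {code}")
```

Line 6 is reported as stripping `m2` but not as unmasked, because `m` is still present; line 7 is the real fault and line 8 shows why attribution matters: a copy of an unmasked value leaks again wherever it is used, so fixing only the first flagged instruction is enough, but only if the tracker tells you which one that is.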

Page 24: Next steps

• What's missing?
  • We did not profile address leakage
  • We did not exhaust all Thumb instructions
  • We made no effort to investigate if there is leakage from within the multiplier
  • We did not entertain how to even decide if longer sequences would be more adequate

Clearly this is not an industrial tool; it is no more than a promising first step.

Page 25: Next steps

• What else is missing?
  • ELMO is a 'standalone' tool and not part of a compiler toolchain; thus it assumes that a developer can identify potentially critical pieces of code and run them through ELMO
  • The ideal solution for the non-expert would be to be able to annotate higher level code (i.e. C for most embedded systems), and then for a tool to do the rest
• We have an ongoing collaboration with Embecosm, the one and only (UK) compiler company that has realised the disruptive power that a security aware compiler could have

Page 26: Embecosm

• They currently work on some ideas re automating techniques that ensure constant time as well as cache safe implementations of symmetric primitives on embedded devices, with the goal to upstream the results
  • In the future gcc-arm should include options that automatically improve the security of code
• We hope to learn from this process and thus scout out the appetite for more leakage-aware compilation options

Page 27: Wrap up

• Cryptography is not only for Cryptographers
• Making cryptography work in practice is a huge challenge
• Compilers are integral to software development and they should be leakage aware
• ELMO is open source and we are restarting work on it:
  github.com/bristol-sca/elmo
  "Towards Practical Tools for Side Channel Aware Software Engineering: 'Grey Box' Modelling for Instruction Leakages", USENIX Security 2017, McCann, Oswald, Whitnall