Hiding your White-Box Designs is Not Enough · 2019-09-03 · Hiding your White-Box Designs is Not...
COMPANY CONFIDENTIAL
Hiding your White-Box Designs is Not Enough
TROOPERS16
Philippe Teuwen
16/03/2016
Philippe Teuwen aka @doegox aka yobibe
– @
– ♥ free software, security, CTFs, photography
– web: http://wiki.yobi.be
Notice:
Research presented here was conducted when I was working for NXP Semiconductors
whoami
• Introduction to white-box cryptography
• Software execution traces
• Differential Computation Analysis
Outline
INTRODUCTION TO WHITE-BOX CRYPTOGRAPHY
Black box model
Grey box model
Artwork derived from CC BY-SA Mark Pellegrini work on Wikimedia Commons
White box model
Sole line of defense:
Implementation
Code obfuscation
Integrity checks
Anti-debug tricks
Usual countermeasures
Illustrations: by @xoreaxeaxeax about M/o/Vfuscator and blog.quarkslab.com about OLLVM
What if you need to do some crypto in such a hostile environment?
– DRM schemes ↔ criminals users
– Mobile payment, HCE ↔ malware
Cryptography under White-box model
Source: “l'industrie du film” Source: Business Insider
Obfuscation techniques alone are mostly insufficient
– Obfuscation is mainly about securing code, but here a standard crypto algorithm needs strong key protection
– E.g. entropy attack on RSA by Shamir and Van Someren (1999)
Cryptography under White-box model
Chow et al. (2002)
– “Ideal” WB AES implementation: One big lookup table: 4.94 x 10^27 TB
– Practical WB AES: Network of smaller tables: 752kB
  Encoding on intermediate values
White-box cryptography
Illustration from “A Tutorial on White-box AES” by James A. Muir
White-box cryptography
History:
– Academic attacks → new designs → ...
– Today, all academic schemes have been broken
Industry response:
– Keep white-box designs secret
– Bury white-box implementation under layers of code obfuscation, integrity checks, anti-debug tricks
– Some claim to be equivalent to a Secure Element
“Academic” attacks?
Require reversing of all the obfuscation layers
Require knowledge on the design
Then apply attack:
Excerpts:
● “Two Attacks on a White-Box AES”
● “Cryptanalysis of a Perturbated White-Box AES Implementation”
● “Attacking an obfuscated cipher by injecting faults”
“Academic” attacks?
= a lot of effort
then, anyway, for me:
Our goal
Recover white-box keys
● without much reverse-engineering effort
● without much intellectual effort ^^
SOFTWARE EXECUTION TRACES
Record all instructions and memory accesses
Examples:
– Intel PIN (x86, x86-64, Linux, Windows, Wine/Linux)
– Valgrind (idem+ARM, Android)
– Add hooks to VM (Java, Python,…)
– Add hooks to emulators
Tracing binaries
Trace convention: 's pTra waterfall
(Figure: trace plot. Axes: time, memory addresses. Regions: stack, data, code. Legend: instruction, mem read, mem write, mem r+w.)
Visual crypto identification: code
9x4
Visual crypto identification: code?
Visual crypto identification: code? data!
1+15
Visual crypto identification: code? data?
Visual crypto identification: data?
Visual crypto identification: stack!
1+15
Visual crypto identification: stack!
9x4x4
Visual crypto identification: stack!
9x4x4
10
Visual crypto identification: stack!
9x16
Where is my key?
DIFFERENTIAL COMPUTATION ANALYSIS
Remember?
All started with Differential Power Analysis
by P. Kocher et al. (1998)
– Probable correlations: power consumption vs. Hamming weight of internal values
– Record many traces while providing different inputs
(Figure: power trace. Axes: time, voltage.)
Differential Power Analysis
Some intermediate values in first (or last) round depend only on known data and a fraction of the round key
E.g. for AES:
Differential Power Analysis
1) Make a guess on that fraction of key
2) Evaluate targeted intermediate value for each plaintext: 0 or 1?
3) Sort traces accordingly in two buckets and average them
4) Compute differences between those averages
If the key guess is correct, it'll show up:
Very powerful grey box attack!
Requirements:
– Either known input or known output
– Ability to trace power consumption (or EM radiation)
– Some leakage
Differential Power Analysis
Port the white-box to a smartcard and measure power consumption
Software execution traces → “power traces”
Memory accesses / data / stack writes / …
E.g. build a trace of all 8-bit data reads:
Differential Computation Analysis
→ Build Hamming weight traces?
→ Serialize bytes in a succession of bits
Looks weird but works great!
As if:
Differential Computation Analysis
Image source: Brightsight
Next step
Feed traces in your favorite DPA tool
– Riscure Inspector SCA software
– ChipWhisperer opensource software
– Matlab…
– Daredevil !
What to trace?
– Stack writes
– Data reads
– Accessed addresses
plaintexts and/or ciphertexts
– May require binary instrumentation
Large white-box? Minimize amount of traced information
– Trace only first (or last) round
– Standard deviation analysis to compress the trace
Tips
Wyseur challenge
by Brecht Wyseur, 2007
DES implementation based on Chow “plus some personal improvements”
Downloading Linux binary…
1h and 65 traces later (of a full binary execution), key got broken!
Hack.lu 2009 challenge
Windows crackme by Jean-Baptiste Bédrune
AES implementation based on Chow
Laziness → Wine/Linux + xdotool (kbd+mouse emulation)
16 traces
(CTF challenge, no internal encodings)
SSTIC 2012 challenge
Python white-box by Axel Tillequin
DES implementation in a marshalled object
Python + PIN = Boom
→ Instrumenting “Bits” helper class
Again, 16 traces
Again, no internal encodings
Karroumi
Latest academic attempt to “fix” Chow (2011)
Dual Ciphers, i.e. isomorphic AES ciphers:
Our own binary challenge…
2000 traces, 500 traces after some tuning
Some proprietary white-boxes
DES & AES
Broken in 200 to 2500 traces
Known key analysis
1) Identify first leaking samples (the original source)
2) Find the corresponding instruction
3) Find the corresponding source code line
Back to White-Box design
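The known-key analysis above, run on simulated traces, as an added example that is not code from the talk or from the Side-Channel Marvels tools: 8-bit data reads are serialized to bits, a difference of means is computed for each S-box output bit under the known key, and the earliest leaking sample is mapped back to the read and instruction address that produced it. The trace layout, key byte, addresses and the unencoded S-box read are constructed assumptions.

```python
import random

def build_sbox():
    """Generate the AES S-box: inverse in GF(2^8), then the affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = build_sbox()

# Constructed test bench (all values are assumptions for the illustration).
KEY_BYTE = 0x2B       # known first-round key byte of the build under test
READS = 12            # 8-bit data reads recorded per execution
LEAK_READ = 7         # read that returns the unencoded SBOX[p ^ k]
BASE_ADDR = 0x401000  # instruction address of read 0; reads are 4 bytes apart

def serialize(reads):
    """Serialize bytes into a succession of bits, MSB first."""
    return [(b >> (7 - i)) & 1 for b in reads for i in range(8)]

def record_traces(n, seed=1):
    """Simulate n executions with random plaintext bytes."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n):
        p = rng.randrange(256)
        reads = [rng.randrange(256) for _ in range(READS)]  # unrelated data
        reads[LEAK_READ] = SBOX[p ^ KEY_BYTE]
        plaintexts.append(p)
        traces.append(serialize(reads))
    return plaintexts, traces

def difference_of_means(plaintexts, traces, key, bit):
    """Bucket traces on one predicted S-box output bit, average each bucket,
    and return the per-sample difference between the two averages."""
    width = len(traces[0])
    sums, counts = [[0] * width, [0] * width], [0, 0]
    for p, trace in zip(plaintexts, traces):
        sel = (SBOX[p ^ key] >> bit) & 1
        counts[sel] += 1
        for i, s in enumerate(trace):
            sums[sel][i] += s
    if 0 in counts:
        raise ValueError("one bucket is empty: record more traces")
    return [sums[1][i] / counts[1] - sums[0][i] / counts[0] for i in range(width)]

def first_leak(plaintexts, traces, key, threshold=0.9):
    """Known-key analysis: earliest sample that leaks an S-box output bit,
    returned as (sample index, read index, instruction address)."""
    hits = set()
    for bit in range(8):
        diff = difference_of_means(plaintexts, traces, key, bit)
        hits.update(i for i, d in enumerate(diff) if abs(d) >= threshold)
    if not hits:
        return None
    sample = min(hits)
    return sample, sample // 8, BASE_ADDR + 4 * (sample // 8)

if __name__ == "__main__":
    pts, trs = record_traces(400)
    sample, read, addr = first_leak(pts, trs, KEY_BYTE)
    print(f"first leaking sample {sample} -> read {read} at {addr:#x}")
```

On a real build the traces would come from a tracer rather than `record_traces`, and the returned address is where step 2 of the analysis starts.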
Applied on a standard AES implementation
Works also on obfuscated VMs: M/o/Vfuscator2
Auto-correlation reveals structure:
Huge traces, compressed by looking at standard deviation
4Mb -> 6.6kb
First round Sbox output
20 – 30 traces
http://wiki.yobi.be/wiki/MoVfuscator_Writeup
M/o/Vfuscator2 on AES
Yes!
Wide intermediate non-linear encodings (8x8) blind the SBox non-linearity
But very large tables!
→ Trend to reuse those tables → reuse encodings → other types of attack
cf. my write-ups of NoSuchCon 2013 and CHES 2015
http://wiki.yobi.be/wiki/CHES2015_Writeup
Can DCA fail?
Runtime randomness?
– Here, no trustworthy TRNG available
Runtime random delays?
– Trace instructions → realign
Building proper white-box technology is a delicate matter…
Forget about “perfect” security, but if cost of an attack is larger than the benefit for the attacker, you achieved your goal.
Oops, it seems our cheap attack raised the bar...
Other countermeasures?
Other grey box attacks within reach: Higher order DPA, CPA, DFA,…
“Now this is not the end.
It's not even the beginning of the end. But it is, perhaps, the end of the beginning.”
Also take care of code lifting, inverting f(), ...
Side-Channel Marvels
release!
https://github.com/SideChannelMarvels
Tracer
– TracerGrind
– TracerPIN
– TraceGraph
Deadpool
– White-boxes
– Attack automation
Daredevil
– Side-channel analysis (CPA)
Current team:
Charles Hubain (Quarkslab)
Joppe Bos (NXP)
Michael Eder (TUM, Fraunhofer AISEC)
Paul Bottinelli (EPFL)
Philippe Teuwen (Quarkslab)
Van Huynh Le (U.Twente, NXP)
Wil Michiels (NXP, TU/e)
Orka
– Docker images
Oh, BTW...
THANK YOU!
QUESTIONS?
https://eprint.iacr.org/2015/753
@doegox
Image source: “A Beautiful Mind”