Side Channels: Hardware or Software threat?

Transcription

1 Side Channels: Hardware or Software threat? Job de Haas Riscure

2 Who am I Job de Haas Principal Security Analyst at Riscure Testing security on: Set-top-boxes, mobile phones, smart cards, payment terminals, ADSL routers, VoIP modems, smart meters, airbag controllers, USB tokens, Before: Pentesting network security (since 1991) Riscure Services: Security Test Lab Product: Side Channel Testing Tools Full range testing: detailed hardware to white-box crypto and obfuscation

3 Overview Side Channel Attacks, what are they? State of attacks and hardware testing Developments in software testing

4 Side channel attacks Slice of Life: Pizza Orders Soar in D.C. January 16, 1991 Associated Press SPRINGFIELD, Va. a quick read on the state of world affairs, one need only look at pizza deliveries to the Pentagon, White House and CIA. "The news media doesn't always know when something big is going to happen because they're in bed, but our deliverers are out there at 2 in the morning," said Frank Meeks, owner of the 43 Domino's outlets in the Washington area. Since Jan. 7, late-night deliveries to the Pentagon have increased steadily, from three to 101 Tuesday night, he said. At the White House, 55 pizzas were delivered from 10 p.m. Tuesday to 2 a.m. today. Wikipedia: The initial conflict to expel Iraqi troops from Kuwait began with an aerial bombardment on 17 January 1991

5 What are side channels? (Physical) phenomena related to a process of interest Time Power consumption Light emission Temperature Sound Electro-Magnetic radiation

6 Principle of timing analysis Start Decision Process 1 t = 10ms t = 20ms Process 2 End

7 Power consumption PIN entry Signal leakage from busses, registers, ALUs, etc PIN verification attempts

8 But is it for real?

9 Every payment & HDTV decoder chip is tested Configure / Retrieve Commands / data Signal + Trigger

10 ChipWhisperer Open source project Kickstarter project (331 backers) restricted

11 What is under attack? Retrieve secrets Reverse engineer Key PIN Unlock code Program flow Crypto protocol Algorithm

12 What to test? Different industries use certification schemes mandating tests Testing for different channels: Timing variations Power consumption EM emanations Photon emissions But what about software products?

13 Overview Side Channel Attacks, what are they? History of attacks and hardware testing Developments in software testing

14 Software side channels Most dominant: Timing Sometimes: Error responses, counting events, etc. 3 example cases Remote web database attack Remote AES key attack RSA attack in the cloud

15 Case 1: Web Database Attacks Black Hat 2007: Timing Attacks for Recovering Private Entries From Database Engines, Core Security Explores a timing effect on database inserts Is able to determine existing keys in a database Tested under lab conditions

16 Database index B-tree

17 Timing effect inserting

18 Alternative web attacks 2013: Pixel Perfect Timing Attacks with HTML5, Paul Stone On leaking client side information such as cached content 2014: Time Trial Racing Towards Practical Remote Timing Attacks, Daniel A. Mayer, Joel Sandin A tool to investigate remote timing leakages 2015: Web Timing Attacks Made Practical, Timothy D. Morgan, Jason W. Morgan Improving statistical testing of timing differences

19 Time Trial results

20 Case 2: AES Cache Timing Attacks 2005: Cache-timing attacks on AES, Daniel J. Bernstein Timing execution of a known implementation with a known key Comparing to timing of the same with an unknown key The key can be broken

21 AES

22 AES SBOX

23 CPU & Cache Process 1 Process 2 AES key Process 3 Type 1 Type 2 Measure Timing reveals information on table index & key!

24 Case 3: Cloud attack 2015: Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud Mehmet Sinan Inci, Berk Gulmezoglu, Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar Determine co-location on a cloud server Prime and Probe attack use Last Level Cache (LLC) Recover a 2048 bit RSA key in the Amazon Cloud

25 Running in the cloud

26 RSA key break Sliding window Precomputed coefficients Value leaks information on key bits Cache timing reveals coefficients Which entry is cached 4000 encryptions with same data breaks key

27 Future of software attacks Software security is gaining over hardware security More tools to explore side channels will appear No awareness with developers at the moment 2015 BlackHat Europe Unboxing the White-Box, Practical attacks against Obfuscated Ciphers, Riscure

28 Conclusion Side channel attacks are often advanced attacks Known to be practical for valuable hardware assets But, many software solutions are vulnerable too Consider if your solutions might be sensitive to these attacks

29 Contact: Job de Haas Principal Security Analyst Riscure B.V. Frontier Building, Delftechpark XJ Delft The Netherlands Phone: Riscure North America 550 Kearny St. Suite 330 San Francisco, CA (650)