ECEN 4133
Side channel attacks and defenses
Side channel
• Measure something secret using other available indirect measurement
• Secrets:
• Passwords
• Private keys
• Confidentialinformation
• Available data: • Timing
• Power
• Heat
• Sound
• Pizza deliveries…???
• Panama invasion (1990)
• Operation Desert Storm (1991)
Side channel example: passwords
bool check_password(char *pw, char *correct) { if (strlen(pw)!=strlen(correct))
return false;
for (int i=0; i
}
Side channel example: passwords
bool check_password(char *pw, char *correct) { if (strlen(pw)!=strlen(correct))
return false;
for (int i=0; i
How many guesses to get correct N-character password?
}
Side channel example: passwords
• How should we fix this vulnerability?
Side channel solution: constant time
// Note: strlen(correct) must be equal to strlen(pw)
// This function still leaks the length of strlen(correct)! // (how could we fix?)
bool check_password(char *pw, char *correct) {
if (strlen(pw) != strlen(correct)) return false;
int diff = 0;
for (int i=0; i
if n%2==1: # n is odd y = x * y;
x = x * x;
n = (n – 1) / 2;
# n is even
x = x * x;
n = n / 2;
else: return x * y
Power
Side channel example: repeated squaring
Time (us)
Square
Square and multiply
• Solving the repeated squaring side channel?
Repeated squaring: Montgomery’s Ladder:
x1 = x
x2 = x*x
for i = k – 2 to 0:
if n_i == 0: x2 = x1 =
else:
x1 =
x2 =
# k bits in n, MSB (n_(k-1)) = 1
# bit is even x1*x2
x1*x1
# bit is odd
x1*x2 x2*x2
return x1
Alternative side channel defense: blinding
• Given c = x^e mod N
• Don’t want to compute c^d mod N (might leak d!)
• First blind: b = c*r^e mod N for random r (this is just (xr)^e mod N)
• Then decrypt: a = b^d mod N = (xr)^ed mod N = xr mod N
• Remove blinding: a*r^-1 mod N = xr*r^-1 mod N = x mod N
• Since attacker doesn’t know r, can’t learn d during “blinded” decryption
Other side channels?
• What other examples of side channels exist? • How can we fix them?
Other side channels?
• EM-emission
• Sound
• Accelerometer data
• Timing of key presses
• Shared resources:
• Cache timing
• Bandwidth / latency
• IPID field in IP packets
Cache side channels
• Caches improve performance by storing recently-accessed data close to the CPU
• Potentially leaks what was recently accessed!
1. Attacker fills cache:
2. Victim process reads from 0xC8:
3. Attacker reads: 0xA0 (52ns) 0xA4 (55ns) 0xA8 (397ns) 0xAC (49ns)
Attacker learns 0xA8 was not in cache! (recently evicted by another process)
0xA0
0xA4
0xA8
0xAC
0xA0
0xA4
0xC8
0xAC
0xA8 is evicted