CS计算机代考程序代写 cache ECEN 4133

ECEN 4133
Side channel attacks and defenses

Side channel
• Measure something secret using other available indirect measurement
• Secrets:
• Passwords
• Private keys
• Confidentialinformation
• Available data: • Timing
• Power
• Heat
• Sound
• Pizza deliveries…???
• Panama invasion (1990)
• Operation Desert Storm (1991)

Side channel example: passwords
bool check_password(char *pw, char *correct) { if (strlen(pw)!=strlen(correct))
return false;
for (int i=0; i 10us check_password(“aaaaaa”, “s3cr37”) => 15us check_password(“baaaaa”, “s3cr37”) => 15us check_password(“saaaaa”, “s3cr37”) => 20us
}

Side channel example: passwords
bool check_password(char *pw, char *correct) { if (strlen(pw)!=strlen(correct))
return false;
for (int i=0; i 20us check_password(“s3aaaa”, “s3cr37”) => 25us
How many guesses to get correct N-character password?
}

Side channel example: passwords
• How should we fix this vulnerability?

Side channel solution: constant time
// Note: strlen(correct) must be equal to strlen(pw)
// This function still leaks the length of strlen(correct)! // (how could we fix?)
bool check_password(char *pw, char *correct) {
if (strlen(pw) != strlen(correct)) return false;
int diff = 0;
for (int i=0; i 1:
if n%2==1: # n is odd y = x * y;
x = x * x;
n = (n – 1) / 2;
# n is even
x = x * x;
n = n / 2;
else: return x * y

Power
Side channel example: repeated squaring
Time (us)
Square
Square and multiply

• Solving the repeated squaring side channel?

Repeated squaring: Montgomery’s Ladder:
x1 = x
x2 = x*x
for i = k – 2 to 0:
if n_i == 0: x2 = x1 =
else:
x1 =
x2 =
# k bits in n, MSB (n_(k-1)) = 1
# bit is even x1*x2
x1*x1
# bit is odd
x1*x2 x2*x2
return x1

Alternative side channel defense: blinding
• Given c = x^e mod N
• Don’t want to compute c^d mod N (might leak d!)
• First blind: b = c*r^e mod N for random r (this is just (xr)^e mod N)
• Then decrypt: a = b^d mod N = (xr)^ed mod N = xr mod N
• Remove blinding: a*r^-1 mod N = xr*r^-1 mod N = x mod N
• Since attacker doesn’t know r, can’t learn d during “blinded” decryption

Other side channels?
• What other examples of side channels exist? • How can we fix them?

Other side channels?
• EM-emission
• Sound
• Accelerometer data
• Timing of key presses
• Shared resources:
• Cache timing
• Bandwidth / latency
• IPID field in IP packets

Cache side channels
• Caches improve performance by storing recently-accessed data close to the CPU
• Potentially leaks what was recently accessed!
1. Attacker fills cache:
2. Victim process reads from 0xC8:
3. Attacker reads: 0xA0 (52ns) 0xA4 (55ns) 0xA8 (397ns) 0xAC (49ns)
Attacker learns 0xA8 was not in cache! (recently evicted by another process)
0xA0
0xA4
0xA8
0xAC
0xA0
0xA4
0xC8
0xAC
0xA8 is evicted