This post will give you an introduction to Side-channel Attacks by looking at some common vulnerabilities and concrete attacks that try to exploit those.
\nBut first: What actually is a Side-channel attack in general?<\/p>\n
A Side-channel Attack is an attack on a system, most probably a \u201csecure\u201d system, that does extract secret data by using special properties of the implementation rather that direct access by brute-force or theoretical weaknesses.
\nYou often try to derive the information by looking at properties that are maybe only indirectly coupled to the data. Most of the time those properties are of a physical nature, like time, magentic fields or accoustic waves but sometimes more abstract events like interrupts or traps of a CPU or MMU can be used.<\/p>\n
<\/p>\n
This is the most often exploited Side-channel and there are many attacks that are trying to gain information by the execution time of a program.<\/p>\n
A classical example for this type of attack is the exploitation of the non-constant execution time of most strcmp<\/a>, strncmp<\/a> or memcmp<\/a> implementations. Did you notice that the method ends the loop as soon as the first character missmatch happens?<\/p>\n If you use one of those functions to check the equality of a secret data input, for example to check that the entered password matches the one from the database, an attacker could easily loop over any valid char and pass it to your function. If the chars do not match, the loop finishes in the first iteration. If the char matches however, the loop will have a second iteration, resulting in a slightly increased execution time.<\/p>\n Of course this is a slightly constructed case which would need clear text password saving and the above, totally unoptimized strcmp implementation. A more realistic implementation would, for example, compare a whole page at a time if possible. However, it still shows the basic principle of a timing attack.<\/p>\n The basic idea of this type of attack is to use an antenna to receive the electro magnetic radiations from another device. The emissions maybe aren\u2019t even generated by an explicit RF frontend in the attacked device but are rather the emissions from the fast rising and falling edges of modern high speed busses. Remember Fourier? Note that an ideal square wave has an infinite number of harmonics at every integer multiple of the main frequency. Thats a broad band of emissions we can pick up. Just look for a harmonic in a spot of the spectrum where the noise floor is low enough so you get a nice SNR.<\/p>\n A typical example for this attack is called \u201cVan Eck-Phreaking\u201d, named after Wim van Eck who first had the Idea for this vulnerability<\/a>. This attack does use the magnetic field that is emitted by the deflection coils of CRTs to reconstruct the image that is currently displayed by the monitor. Since the electro magnetic field can relatively easy pass through walls, you can easily pick up the radiation from another, close by room that is out of sight.<\/p>\n Since CRTs are not in broad use anymore on could think this attack is obsolete. However, already in 2006 a group of security researchers of the Computer Laboratory at Cambridge have demonstrated a variant of this attack<\/a> where they were able to pick up the emissions of a TFT monitor 25 meters away and reconstruct the signal.<\/p>\n Just like the EM emissions used for the electro magnetic attacks, all electric devices radiate information in another spectrum as well; in form of acoustic waves. However, while electro magnetic radiation can be avoided relatively easy using different metal shields, acoustic radiation is much harder to block.<\/p>\n You may ask yourself where all these acoustic waves come from. The answer is: lots of small speakers inside every electronic device. No, really. Every device you use throughout the day has lots of inductors and capacitors inside. They are used for example in switch-mode power supplies to convert the battery voltage of your mobile to a usable level for the CPU or to decouple switching noise from nearby data lines that would otherwise introduce ripple on those power lines. With other words, without them your phone would constantly crash or not work at all. Do you know these little tweeters that are used in singing birthday cards? They use a physical effect called piezoelectricity. This effect causes certain materials to change their size if a voltage is applied to them. The tweeters have a piezoelectric crystal right under the metal cap that will then vibrate if you connect it to a signal source. The same effect works by the way the other way around to convert a physical impact into electricity. This is used in your electric lighter to create the spark to ignite the gas.<\/p>\n Nice to know, but what has this to do with capacitors? The most widely used type of capacitor is a ceramic capacitor. Ceramic capacitors are basically two electrodes in a electrolyte. This electrolyte, most of the time, is Barium Titanate (BaTiO3) which happens to be highly piezoelectric<\/a>.<\/p>\n An inductor on the other hand, is nothing but a coil, and a coil will produce a magnetic field when current is flowing through it. So it is basically also an electro magnet. This magnetic field then again will have a physical effect on the coil itself, in other words it will shrink or grow. Now, if the current through the inductor changes, it will also change the magnetic field. If this change in current happens between, say 20Hz to 20kHz it will result in the inductor emitting a faint humming sound. If the change in current is now related to the current state of your security system, you can be in risk of having a vulnerability.<\/p>\n All of this may sound very abstract and theoretical, but there are many known attacks that use exactly this \u201cleakage\u201d. In my opinion the most impressive of these attacks is an attack on the GnuPG implementation to extract the private key using nothing but the radiated \u201csound\u201d of a laptop<\/a>. The attack was developed by Adi Shamir, Daniel Genkin and Eran Tromer in 2013. This kind of attack is very widely defined and basically always involves to modify the device in a way it was not intended to be modified and watch if the output somehow is affected by the change.<\/p>\n A really good example of a attack that uses differential-fault analysis was given by Dmitry Nedospasov (@nedos<\/a>) on The Amp Hour #303<\/a>. As a part of his PhD he extracted private keys out of smartcards by decapping the embedded ICs and using an focused ion beam<\/a> to modify the silicon. The problem was that there was no way of directly extracting the saved private key. However, it was possible to set specific bits of the key in an intermediate stage during the encryption. Now it was simply a matter of encrypting the same message to get a deterministic result, but setting one bit at a time of the private key in the intermediate stage.<\/p>\n If the encryption then yielded another message than the encryption cycles before, the bit in the key was a 0. If the cycle yielded the same message, the bit already was a 1. Repeat this process, one bit at a time and you get the whole key, although you never had direct access to the key.<\/p>\n Walther Kriha<\/a> told me another attack that uses this method. A password check in an old UNIX System would involve a strcmp between the entered and the correct password. The user of course had no access to the memory where the correct password was stored. However the strcmp method would use the exact string the user provided. In other words, the user had full control over the allocation of the string where the password was stored, and then strcmp worked on exactly that string. Now it was possible to allocate the string over a page boundary where the next page was not allocated. This would cause the MMU to trigger a SEGFAULT if and only if the strcmp tried to access the non allocated page. This then means all the letters in the string until the page boundary matched the correct password, because otherwise the strcmp would not have tried to access this page. This attack would work even if it is a constant-time implementation of strcmp as described in the first attack.<\/p>\n This type of attack works on data that is not securely deleted or somehow expected to “not be there anymore”\u00a9. The first thing that comes to mind when thinking of remanence is possibly the multi-wipe method of hard disks with random data to \u201csecurely\u201d wipe them. However, this technique is not that big of a risk with modern hard drives<\/a>.<\/p>\n However there are still some attacks that rely on data remanence. For example there is an attack called FROST<\/a> that allowed the extraction of the key used for the whole disk encryption feature in android phones. The attack involved freezing the phone under attack while the phone was restarted into a special recovery ROM. Normally the RAM that holds the keys is a volatile memory that looses its content during the power cycle, however due to the lowered temperature of the die, the data remains in the cells and can then be searched for the keys by the recovery ROM. The attacks that are featured in this article are only a small excerpt of all the possibilities your software or hardware may be vulnerable to.<\/p>\n There are certain standards for hardware like TEMPEST<\/a>, an NSA specification and NATO certification for devices that do not leak information in the form of EM-, RF- or audible emisions.<\/p>\n For software there are several coding guidlines, like the Coding Rules<\/a> from cryptocoding.net<\/a>.<\/p>\n Although it is a good idea to follow those rules when implementing a high security product, there is no way to ever make sure your product isn\u2019t vulnerable to any form of a Side-channel Attack. Also don\u2019t ever dare to implement a common cryptographic algorithm yourself, even if you may think you just have to follow those rules. Always prefer a well-aged implementation to your custom one. They probably learned it the hard way so you don\u2019t have to.<\/p>\n So the only real conclusion can be that instead of prematurely changing all of your code base to use secure implementations of strcmp, malloc and other functions in the stdlib and coating you product with a big layer of lead to avid any radiation, you should design the architecture of your product in a way that even if an attacker gets access to your system in a way he should not be able to access it, the damage stays as small as possible.<\/p>\n This post will give you an introduction to Side-channel Attacks by looking at some common vulnerabilities and concrete attacks that try to exploit those. But first: What actually is a Side-channel attack in general? A Side-channel Attack is an attack on a system, most probably a \u201csecure\u201d system, that does extract secret data by using […]<\/p>\n","protected":false},"author":48,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,26,651],"tags":[],"ppma_author":[697],"class_list":["post-718","post","type-post","status-publish","format-standard","hentry","category-allgemein","category-secure-systems","category-system-designs"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":1017,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/07\/25\/machine-learning-in-secure-systems\/","url_meta":{"origin":718,"position":0},"title":"Machine Learning in secure systems","author":"Claudius Messerschmidt","date":"25. July 2016","format":false,"excerpt":"Sadly today's security systems often be hacked and sensitive informations get stolen. To protect a company against cyber-attacks security experts define a \"rule set\" to detect and prevent any attack. This \u201canalyst-driven solutions\u201d are build up from human experts with their domain knowledge. This knowledge is based on experiences and\u2026","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1568,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/09\/08\/secure-systems-2016-an-overview-walter-kriha\/","url_meta":{"origin":718,"position":1},"title":"Secure Systems 2016 – An Overview, Walter Kriha","author":"Walter Kriha","date":"8. September 2016","format":false,"excerpt":"This is an attempt to provide an overview of the topics in \"Secure Systems\", a seminar held during the summer term 2016 at the Stuttgart Media University HdM. Presentations have been given and blog entries into our new MI blog were made. With the chosen topics we have been quite\u2026","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"securesystems","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/09\/securesystems-205x300.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":661,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/06\/22\/keyless-gone-vulnerabilities-in-keyless-car-systems\/","url_meta":{"origin":718,"position":2},"title":"Keyless Gone – Vulnerabilities in keyless car systems","author":"Antonia B\u00f6ttinger","date":"22. June 2016","format":false,"excerpt":"(written by Antonia B\u00f6ttinger and Andreas Gold) Introduction Modern cars embed complex technologies to improve the drivers comfort and safety. In 1999 the automobil industry introduced the smart key system that more and more cars use. Even if manufacturers make use of various designations like Keyless Go, KeyFree Power or\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/06\/keylessgo.jpg?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":736,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/07\/05\/how-is-xss-still-a-thing\/","url_meta":{"origin":718,"position":3},"title":"How is XSS still a thing?","author":"Mario Erazo","date":"5. July 2016","format":false,"excerpt":"Back in 2005, the words \u2018But most of all, samy is my hero\u2019 caused great agitation among MySpace engineers as Samy Kamkar injected a Cross Site Scripting (XSS) worm into the social network. The attack consisted in an infected user, publishing a post in their myspace page showing these words\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/52_s9fTmrNTxuCmSF-BL5Dl72eJkfbmt4t8yenImKBVvK0kTmF0xjctABnaLJIm9-1.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":10415,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/08\/19\/ai-cyberattacks-deepfakes\/","url_meta":{"origin":718,"position":4},"title":"The Dark Side of AI – Part 1: Cyberattacks and Deepfakes","author":"Micha Christ","date":"19. August 2020","format":false,"excerpt":"Introduction Who hasn't seen a cinema production in which an AI-based robot threatens individual people or the entire human race? It is in the stars when or if such a technology can really be developed. With this series of blog entries we want to point out that AI does not\u2026","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/screen-shot-2018-08-03-at-10-34-32-1.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/screen-shot-2018-08-03-at-10-34-32-1.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/screen-shot-2018-08-03-at-10-34-32-1.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":10442,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/08\/19\/adversarial-attacks\/","url_meta":{"origin":718,"position":5},"title":"The Dark Side of AI – Part 2: Adversarial Attacks","author":"Florian Wintel","date":"19. August 2020","format":false,"excerpt":"Find out how AI may become an attack vector! Could an attacker use your models against your? Also, what\u2019s the worst that could happen? Welcome to the domain of adversarial AI!","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/fgsm_panda_image_preds_1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/fgsm_panda_image_preds_1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/fgsm_panda_image_preds_1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/fgsm_panda_image_preds_1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/fgsm_panda_image_preds_1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/fgsm_panda_image_preds_1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"jetpack_sharing_enabled":true,"authors":[{"term_id":697,"user_id":48,"is_guest":0,"slug":"dg070","display_name":"Daniel Grie\u00dfhaber","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/5e8005f20a6dd28d83c35b3134a5d0c4ed6be8d386fef5e9ee77e780ca27f67d?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/comments?post=718"}],"version-history":[{"count":7,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/718\/revisions"}],"predecessor-version":[{"id":24673,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/718\/revisions\/24673"}],"wp:attachment":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/media?parent=718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/categories?post=718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/tags?post=718"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/ppma_author?post=718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nA typical implementation of strcmp could look like this:<\/p>\nint strcmp(const char* s1, const char* s2){\n while(*s1 && (*s1++ == *s2++));\n\n return *(const unsigned char*)s2-*(const unsigned char*)s2;\n}<\/pre>\n<\/a>Elecro-Magnetic Attacks<\/h2>\n
<\/a>Acoustic Crypto-analysis<\/h2>\n
\nSo, you need them, but why should they be speakers?<\/p>\n
\nThey were able to perform this attack using the microphone of a simple mobile phone if they could get within 30cm of the laptop, or from up to 4m away when using a (maybe more suspiciously looking) parabolic microphone.<\/p>\n<\/a>Differential-Fault Analysis<\/h2>\n
<\/a>Data remanence<\/h2>\n
\nThe attack however was only possible with the 4.0 Version of Android.<\/p>\n<\/a>Conclusion<\/h2>\n
Further Questions and Research Topics<\/h2>\n
\n