Introduction to Computer Systems 15-213/18-243, spring 2009

Introduction to Computer Systems 15-213/18-243, spring 2009

Computer Security 2014 Side channel attacks Background An algorithm or software can be designed to be provably secure. E.g. cryptosystems, small OS kernels, TPM modules, ... Involves proving that certain situations cannot arise Or that breaking them would be just as hard as doing something incredibly tedious Such as factoring large numbers

But what about the environment in which these algorithms or software 2 Side channel attacks Attacks that exploit the physical implementation of a system Correlation between physical measurements during computation (side channel) and the internal state of the computer 3 Side channel attacks

Timing attacks Measure time between computations Power monitoring attacks Measure varying power consumption during computation Electromagnetic attacks Measure radiation from devices (e.g. monitors) Acoustic attacks

Listen to sounds emitted during computation Differential fault analysis Deliberately provoke faults in computation to discover secrets Data remanence Resurrect data that was thought to have been deleted Such as the memset() of the password example from first class 4 Early attacks 1956: Operation ENGULF

British&US did not want to fund Egyptian President Nasser to build the Ashwan High Dam so he turned to the Soviets Nasser takes over the Suez Canal, formerly under British&French control, to collect tolls on ships MI5 places bugs in the Egyptian embassy to listen to 2-3 rotors of Hagelin cipher machines that were communicating sensitive information with French and Soviets Soviets helped sweep the embassy for bugs, but left the MI5 one! Relies on an attack of the physical implementation of the Hagelin cipher machine: a side channel attack What was the side channel? 5

Early attacks 1946-1952: The Thing Soviets gave US ambassador to the USSR 2 hand crafted seal for his office. Ingenious passive listening device inside based on a spring by Theremin Spies shot radiowaves at 330MHz at distance to activate microphone and listen in for 6 years Discovered by a stroke of luck by a technician 6

Early attacks 1947-ish: Laser microphone (Buran) Theremin also developed a technique for showning a low power infrared beam on glass windows to detect vibrations from sound at distance Used by precursor of KGB to spy on U.S., U.K. and French embassies in Moscow Works best with smooth surfaces, hence the use of rippled glass by security agencies... 7

Early attacks 1980: Soviets accused of planting bugs in IBM Selectric printers to listen to the sound of the type ball as it rotates and strikes the paper Allows the spies to listen to what was being printed 8 Early attacks 1985: Wim van Eck eavesdrops CRT/LCD emissions Oscillating electronic currents inside video

displays generate electromagnetic radiation in the radio frequency range that correlated with the image being shown on the screen. CRT: Cost ~$15. LCD (2004): Cost ~$2000 9 Early countermeasures TEMPEST: NSA specification for protection against side-channel attacks. Been partially declassified. U.S. initially playing catch-up to Soviet intelligence on exploiting emanations

Sets up zones depending on how physically close an attacker can get (0-100m) Add extra noise (shielding) when required: 10 More modern attacks Loughry & Umphress (2002): Information Leakage from Optical Emanations 1991: Briol shows that sounds from dot-matrix printers leak significant details on the contents being printed 2002: Loughry and Umphress show

that the LED lights on networking equipment are heavily correlated with the data they are transmitting Could effectively listen in on all network traffic Mostly theoretical 11 More modern attacks Zhuang et al: 2004: Asonov and Agrawal of IBM show that keyboard and keypads (such as on ATMs) emit different sounds for different keys

Practical experiments by Berkeley in 2005 for covert listening for passwords, PINs, etc. Needs a training phase (each key 100 times) 2005: Zhuang, Zhou and Tygar recover 96% of English text from keyboard sound recording No training required, if recording is at least 10 min. 12 Timing attacks 2004: Shamir and Tromer use timing attacks against CPUs

Different operations cause variable ultrasonic noise from the capacitors/inductors 2013: Shamir, Tromer and Genkin use techniques to listen to GnuPG via a cell phone Able to extract 4096-bit private key by listening to the computation 13 More recent attacks

2007: Bortz, Boneh and Nandy show observing timing data of TCP packets (even HTTPS) allows you to infer: number of Facebook friends (effectively), contents of shopping cart, and so forth Recent discussions about impact on TOR: check whether a connection exists between a user and a server Think oppressed journalist and Twitter via TOR Spoof TCP packets to halve the window size of a connection 14

More modern attacks 2011: Thermal imaging Mowery et al. show how ATM keypads can be broken by looking at residual heat from keypressed by a target user Works up to a minute after the user enters the password Reduces search space

from 10,000 to about 24 for 4-digit PIN 15 More modern attacks 2011: Traynor et al. from Gatech show how the accelerometer on a cell phone can decode vibrations emitted from a nearby keyboard Effectively a listening device for any app on the phone Sampling rate much smaller than with previous gizmos Perhaps 100Hz on iPhone 4, or 400x less then Asonov et al. Instead, modeled keypress events

Models proximity between keys, left/right, duration of keystroke, ... This timing attack was investigated in depth for SSH passwords in 2002 16 More modern attacks 2009: Vuagnoux and Pasini capture electromagnetic emanations directly from keyboards at 20m distance No need for other wires providing physical support for emanations

Demo: 17 Whats happening today 2014: Timing attack to identify Google users Want to know if a particular Gmail address being used? Link to a picture that only the

authenticated user could access Triggers onerror() in Javascript in 891ms if image was accessible, but 573ms if not. 18 Whats happening today 19 SAP flaw 20 SAP flaw

Roughly equal to the following C code: int passwordCheck(char *truepw, char *pw) { while (*truepw) { if (*truepw != *pw) { printf ("Password check failed\n"); return -1; } } return 0; } Whats the flaw? How would you exploit it? 21 SAP flaw

2014: SAP Router Password Timing Attack Router disallows connections based on a table, unless the correct password is specified. Just walk linearly through the passwords, asking: Hey, is the next character A? No? How about B? ... Illustrates a general problem for cryptosystems (and caches) 22

Countermeasures Side-channel attacks rely on merging information from the side channel to the original data Approach 1: Eliminate side channels Put government buildings in a Faraday cage (antiTEMPEST) Jam the channels / add random delays Let execution paths not depend on secret information (PC-secure) Myers et al. (2011) Predictively mitigate timing attacks Approach 2: Remove correlation between

side channel and original data Blinding in cryptography In RSA, multiply encrypted ciphertext with a random 23

Recently Viewed Presentations

  • The Poisson Distribution

    The Poisson Distribution

    The Poisson Distribution We can use the Poisson distribution to estimate the probability of arrivals at a car wash in one hour or the number of leaks in 100 miles of pipeline.
  • New Technologies Course - Boston University

    New Technologies Course - Boston University

    Modality Principle. People learn better when words are presented as narration rather than text. Limited amount of "working memory" means that in certain situations you should use printed text to support sensemaking, e.g. if words are: Technical.
  • Fiscal frameworks, Fiscal Compact and Independent Fiscal ...

    Fiscal frameworks, Fiscal Compact and Independent Fiscal ...

    Fiscal frameworks, Fiscal Compact and Independent Fiscal Institutions ... Two-Pack Fiscal Compact Fiscal Frameworks Directive 2011/85/EU. Part of the "Six-pack" (Nov 2011) Minimum requirements in 5 main areas: Accounting & Statistics.


    * NATURAL CLASSES OF SOUNDS: NASALS /m/ /n/ and /η/ are in a natural class called nasals. Natural classes are important so that linguists can make generalizations, like "In English, vowels become nasal in the environment of nasal consonants. *...
  • Deadlocks - UNC Charlotte FAQ - UNC Charlotte

    Deadlocks - UNC Charlotte FAQ - UNC Charlotte

    The Ostrich Algorithm. Hope one of the processes times out and lets the other continue. Deadlock Detection With Single Resource Type. Construct a resource graph looking for a cycle. Deadlock Detection With Unique Resources. Existing resource vector, available resource vector,...
  • Queries raised regarding use of SOLAR February 2019

    Queries raised regarding use of SOLAR February 2019

    Yes each Centre should have test student accounts (check with your SQA co-ordinator). A dummy test can be set up, tutor can then go in and access the test as a marker which then provides access to the marking schemes...
  • The Tragedy of Julius Caesar

    The Tragedy of Julius Caesar

    Poetics Continued "The plot, too, should be one, just as in other arts of imitation there is a unified imitation of one thing. Since it is an imitation of action, it should be about one whole action; the parts should...


    Technical Presentation. Access to the work area during the shutdown period (from July 21 to Sep. 2, 2018). WMATA's Department of Track and Structures (TRST) will be performing rail re-profiling of the IB and OB tracks at Rhode Island Avenue...