Transforming out Timing Leaks (Agat’s approach)

Terkel K. Tolstrup Email: tkt@imm.dtu.dk Informatics and Mathematical Modelling Technical University of Denmark.


Presentation Transcript


  1. Transforming out Timing Leaks (Agat’s approach)
     Terkel K. Tolstrup
     Email: tkt@imm.dtu.dk
     Informatics and Mathematical Modelling, Technical University of Denmark

  2. Security Leakage
     • Direct Leakage
     • Indirect Leakage
     • Termination Leakage
       • Special case of Timing Leakage
     • Timing Leakage
     Timing Leakage is normally considered a Covert Channel

  3. Termination Leaks – Intuitively
     • What kind of programs leak through termination channels?
     • while h do skip?
     • if h then skip else loop?

  4. Timing Leaks – Intuitively
     • What kind of programs leak through timing channels?
     • while h>0 do h:=h-1?
     • if h then h1:=h1+1; h1:=h1+1 … else skip?

  5. Covert Channels
     • Unintentional leak of information (Covert Channel)
     • Attacker learns secrets by observing normal behavior of systems, with respect to:
       • Timing
       • Power consumption
       • Noise, Faults/Errors, Electromagnetic…
     • Often used to break implementations of cryptosystems

  6. Timing Channels
     • Timing attacks: use observations of the timing behavior of a system to guess secrets
     • Several accounts of practical attacks:
       • [Kocher’96]: On Diffie-Hellman, RSA, DSS…
       • [Dhem et al’98]: Practical implementation on Smartcard
       • …

  7. Timing Channels – Goals
     • Ultimate goal: Find the secret key, so that all ciphertexts can be decrypted.
     • Distinguishability: Find probabilities that allow the attacker to distinguish between different plaintexts.
     • Made more powerful in combination with the exploitation of other side channels.

  8. Performing a timing attack
     • The attacker knows the first m bits of the secret key
     [Figure: message exchange labelled “Initiate contact”, “Public Key”, “Guess: m+1’th bit”, “Reply”. Caption: Time difference allows attack by varying guess]

  9. Example of a timing channel
     Exponentiation in RSA:
       Y = X
       for i=0 to l do
         Y = Y * Y
         if D(i) then
           Y = Y * X      (Multiply)
         endif
     Scalar multiplication in EC:
       Q = P
       for i=0 to l do
         Q = 2 * Q
         if D(i) then
           Q = Q + P      (Add)
         endif
     • The attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D

  10. Programming Language

  11. Getting rid of Termination Leaks – Identifying the cause

  12. Getting rid of Termination Leaks – Being conservative
      • Let’s modify the inference rule
      • How does this work?
      • while h do skip? (Not allowed)
      • while l do skip? (Allowed)
      • if h then while l do skip else skip? (Allowed)

  13. Getting rid of Termination Leaks – This time for real
      • Let’s modify the inference rule
      • How does this work?
      • while h do skip? (Not allowed)
      • while l do skip? (Allowed)
      • if h then while l do skip else skip? (Not allowed)

  14. Getting rid of Timing Leaks – Identifying the cause
      • Did we get rid of Timing Leaks while taking care of Termination Leaks?
      • Not caused by while loops anymore, because they are only allowed to handle non-secret information.
      • But what about
      • if h then h := h + 1; h := h + 1; … else skip?

  15. Getting rid of Timing Leaks – Being conservative

  16. Hold on! – We are being too conservative
      • This approach results in only having secret information on the right-hand side of assignments:
      • x := … h …
      • That probably won’t allow many useful/real programs.

  17. Getting rid of Timing Leaks – Identifying the cause (cont.)
      • The cause of the timing leaks in if statements is that the branches have different execution times
      • Assume we knew the worst-case execution time of any piece of program!
      • Then we could write programs like:
      • if h then C1 else C2 ; … “waste time until worst-case

  18. Getting rid of Timing Leaks – Agat’s approach
      • Transform programs such that they waste time until both branches are done
      • What is worst-case?
        • C1 ?
        • C2 ?
        • How about the running time of C1;C2?

  19. Getting rid of Timing Leaks – Agat’s approach
      • Transform programs such that they waste time until both branches are done
      • if h then C1 else C2
      • if h then C1;C2 else C1;C2
        [Slide annotations on the transformed program: S2, S1]
      • What is Agat’s problem?

  20. Getting rid of Timing Leaks – Making the slides
      • Assignments (to H):
      • Assignments (to L):

  21. Getting rid of Timing Leaks – Making the slides (cont.)
      • Composition (C;D):
      • Loop (while e do C):

  22. Getting rid of Timing Leaks – Making the slides (cont.)
      • Conditional (on H):
      • Conditional (on L):

  23. Example of a timing channel – Revisited
      Exponentiation in RSA:
        Y = X
        for i=0 to l do
          Y = Y * Y
          if D(i) then
            Y = Y * X      (Multiply)
          endif
      Scalar multiplication in EC:
        Q = P
        for i=0 to l do
          Q = 2 * Q
          if D(i) then
            Q = Q + P      (Add)
          endif
      • The attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D

  24. Example of a timing channel – Revisited
      Exponentiation in RSA:
        Y = X
        for i=0 to l do
          Y = Y * Y
          if D(i) then
            Y = Y * X      (Multiply)
          else
            skipAsn Y (Y * X)
          endif
      Scalar multiplication in EC:
        Q = P
        for i=0 to l do
          Q = 2 * Q
          if D(i) then
            Q = Q + P      (Add)
          else
            skipAsn Q (Q + P)
          endif
      • The attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D – Not anymore!

  25. Food for thought – Loosening the analysis (loops)
      • Can we apply Agat’s approach to while loops?
      • Let’s unroll the loops once and try:
      • while h do C
      • if h then C; while h do C else skip
      • What is our problem?

  26. The Information Flow Challenge
      • The Information Flow Challenge is a web-based game that lets the player try to outsmart an information flow analysis that becomes increasingly restrictive with each challenge the player finishes.
      • Play with what you have learned in this course!

  27. The Information Flow Challenge

  28. The Information Flow Challenge

  29. The Information Flow Challenge
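
Added example (not from the original slides): a toy model of the padding transformation of slides 19 and 24, applied to the RSA loop body of slide 9, with a tick counter standing in for execution time. The tuple encoding of commands, the cost model (one tick per assignment or branch test), the modulus `N` and the labels in `HIGH` are assumptions made here; expressions are Python functions of the state, and conditionals nested inside a high branch are not handled.

```python
# Commands: ("skip",) ("asn", x, e) ("skipAsn", x, e) ("seq", c1, c2) ("if", g, c1, c2)
HIGH = {"d", "y"}   # assumption: the key bit d and the accumulator y are secret

def low_slice(c):
    """Dummy copy of c: costs the same as c but leaves the state untouched."""
    if c[0] == "asn":
        if c[1] not in HIGH:   # a low write under a high guard leaks directly
            raise ValueError(f"low variable {c[1]!r} assigned under a high guard")
        return ("skipAsn", c[1], c[2])
    if c[0] == "seq":
        return ("seq", low_slice(c[1]), low_slice(c[2]))
    if c[0] in ("skip", "skipAsn"):
        return c
    raise ValueError("nested conditionals are outside this sketch")

def transform(c):
    """Pad each branch of a high conditional with the dummy copy of the other."""
    if c[0] == "seq":
        return ("seq", transform(c[1]), transform(c[2]))
    if c[0] == "if":
        g, c1, c2 = c[1], transform(c[2]), transform(c[3])
        if g in HIGH:
            c1, c2 = ("seq", c1, low_slice(c2)), ("seq", low_slice(c1), c2)
        return ("if", g, c1, c2)
    return c

def run(c, env):
    """Execute c on env; return ticks (1 per assignment or branch test)."""
    if c[0] in ("asn", "skipAsn"):
        value = c[2](env)          # skipAsn still evaluates the expression
        if c[0] == "asn":
            env[c[1]] = value
        return 1
    if c[0] == "seq":
        return run(c[1], env) + run(c[2], env)
    if c[0] == "if":
        return 1 + run(c[2] if env[c[1]] else c[3], env)
    return 0                       # skip

N = 1009   # constructed public modulus (the slide omits the reduction)
BODY = ("seq", ("asn", "y", lambda e: e["y"] * e["y"] % N),
        ("if", "d", ("asn", "y", lambda e: e["y"] * e["x"] % N), ("skip",)))

def modexp(body, x, key_bits):
    """Run the loop of slide 9 with the given body; return (result, ticks)."""
    env, ticks = {"x": x, "y": x}, 0
    for bit in key_bits:           # the loop bound l is public
        env["d"] = bit
        ticks += run(body, env)
    return env["y"], ticks
```

With four key bits, `modexp(BODY, 7, bits)` takes 12 ticks for all-one bits and 8 for all-zero bits, while `modexp(transform(BODY), 7, bits)` takes 12 ticks for both and returns the same result as the original body.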
