1 / 29

Acoustic Surveillance of Physically Unmodified PCs

Michael D. LeMay and Dr. Jack Tan Computer Science Department University of Wisconsin-Eau Claire. Funding: Center of Excellence for Faculty/Student Research Collaboration. Acoustic Surveillance of Physically Unmodified PCs. Outline. Introduction Side-channel attacks

didier
Download Presentation

Acoustic Surveillance of Physically Unmodified PCs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Michael D. LeMay and Dr. Jack Tan Computer Science Department University of Wisconsin-Eau Claire Funding: Center of Excellence for Faculty/Student Research Collaboration Acoustic Surveillance of Physically Unmodified PCs

  2. Outline • Introduction • Side-channel attacks • Past efforts in acoustic cryptanalysis • Methods • Equipment used • Instruction sequence analysis • GNU MP modular exponentiation analysis • Acoustic keylogging • Discussion and recommendations • Future directions

  3. Side-channel attacks CPU CPU

  4. Acoustic cryptanalysis • Adi Shamir and Eran Tromer • tp://www.wisdom.weizmann.ac.il/~tromer/acoustic/ • Explored the acoustic emanations caused by: • GnuPG (GNU Privacy Guard) signature generation • loops of HLT, MUL, FMUL, ADD, MOV and NOP instructions • Neglected to explore: • loops of SSE2 instructions • actual attack scenarios

  5. Experimental Apparatus

  6. Capacitors www.dashdist.com/1u2u/company/capacitor.html

  7. Instruction sequences // andpd asm("movupd vec_x, %%xmm0\n" "movupd vec_y, %%xmm1\n" "top_andpd:\n" "andpd %%xmm0, %%xmm1\n" "loop top_andpd\n" : : "c"(repCnt) );

  8. 300MHz (12.5% duty) Spectrogram

  9. 600MHz (25% duty)

  10. Capacitor plate oscillation + -

  11. 2400MHz (100% duty)

  12. Acoustic Keylogging

  13. Quaternary Encoding BSWAP (0) CMPXCHG8B (3) BOUND (2) BT (1)

  14. Hello World! =====BASE2===BASE4 H: 0100 1000: 1020 e: 0110 0101: 1211 l: 0110 1110: 1232 l: 0110 1110: 1232 o: 0110 1111: 1233 : 0010 0000: 0200 W: 0101 0111: 1113 o: 0110 1111: 1233 r: 0111 0010: 1302 l: 0110 1100: 1230 d: 0110 0100: 1210 !: 0010 0001: 0201

  15. Manchester Encoding 1 0 NRZ (Non-Return to Zero) Manchester 1 0 0 0 1 1 1 NRZ (Non-Return to Zero) Manchester

  16. Quaternary Improved Encoding ORIG[2] ORIG[16] NEW[4] 0000 0: 0101 0001 1: 0102 0010 2: 0103 0011 3: 0121 0100 4: 0123 0101 5: 0131 0110 6: 0132 0111 7: 0201 1000 8: 0202 1001 9: 0203 1010 A: 0212 1011 B: 0213 1100 C: 0231 1101 D: 0232 1110 E: 0301 1111 F: 0302 SYNC: 0312

  17. Acoustic Keylogger for Linux • LKL Linux KeyLogger • ttp://ourceforgenet/projects/kl

  18. h: 0132 0202

  19. e: 0132 0131

  20. X10 Spy Cameras

  21. Camera Head Close-up

  22. Wireless A/V Receiver

  23. h: 0132 0202

  24. e: 0132 0131

  25. Recommendations • Disable CPU frequency scaling on critical systems.

  26. Future Directions • Determine why there is spectral overlap between instruction sequences • Explore effects of multicore processors on acoustic emanations • Determine how easily applications within virtual machines can modulate emanations

More Related