transforming out timing leaks (agat’s approach) terkel k. tolstrup email: tkt@imm.dtu.dk...

Transforming out Timing Leaks(Agat’s approach)

Terkel K. Tolstrup

Email: tkt@imm.dtu.dkInformatics and Mathematical ModellingTechnical University of Denmark

Security Leakage

Direct Leakage Indirect Leakage Termination Leakage

Special case of Timing Leakage Timing Leakage

Timing Leakage is normally considered aCovert Channel

Termination Leaks – Intuitively

What kind of programs leak through termination channels?

while h do skip? if h then skip else loop?

Timing Leaks – Intuitively

What kind of programs leak through timing channels?

while h>0 do h:=h-1? if h then h1:=h1+1; h1:=h1+1 … else skip?

Covert Channels

Unintentional leak of information (Covert Channel)

Attacker learns secrets by observing normal behavior of systems, wrt. Timing Power consumption Noise, Faults/Errors, Electromagnetic…

Often used to break implementations of cryptosystems

Timing Channels

Timing attacks: use observations of the timing behavior of system to guess secrets

Several accounts of practical attacks: [Kocher’96]: On Diffie-Hellman, RSA,

DSS… [Dhem et al’98]: Practical implementation

on Smartcard …

Timing Channels - Goals

Ultimate goal: Find the secret key, so that all cipher texts can be decrypted.

Distinguishability: Find probabilities that allows the attacker to distinguish between different plaintexts.

Made more powerful in combination with the exploitation of other side channels.

Performing a timing attack

The attacker knows the first m bits of the secret key

Initiate contact

Public Key

Guess: m+1’th bit

Reply

Time difference allows attack by varying guess

Q = Pfor i=0 to l do Q = 2 * Q if D(i) then Q = Q + P endif

Example of a timing channel

Attacker observer timing differences caused by (Multiply) and (Add), and learn secrets about D

Y = Xfor i=0 to l do Y = Y * Y if D(i) then Y = Y * X endif

Scalar multiplication in ECExponentiation in RSA

(Multiply) (Add)

Programming Language

Getting rid of Termination Leaks – Identifying the cause

Getting rid of Termination Leaks – Being conservative

Let modify the inference rule

How does this work? while h do skip? while l do skip? if h then while l do skip else skip?

Not Allowed Allowed

Allowed

Getting rid of Termination Leaks– This time for real

Let modify the inference rule

How does this work? while h do skip? while l do skip? if h then while l do skip else skip?

Not allowed Allowed

Not allowed

Getting rid of Timing Leaks– Identifying the cause

Did we get rid of Timing Leaks while taking care of Termination Leaks?

Not caused by while loops anymore, because they are only allowed to handled non-secret information.

But what about if h then h := h + 1; h := h + 1;… else skip?

Getting rid of Timing Leaks – Being conservative

Hold on! – We are begin too conservative

This approach results in only having secret information on the right-hand side of assignments: x := … h …

That probably won’t allow many useful/real programs.

Getting rid of Timing Leaks– Identifying the cause (cont.)

The cause of the timing leaks in if statement are that the branches have different execution time

Assume we knew the worst-case execution time of any piece of program!

Then we could write program like: if h then C1 else C2 ; …

“waste time until worst-case

Getting rid of Timing Leaks– Agat’s approach

Transform programs such that they waste time until both branches are done

What is worst-case? C1 ? C2 ?

How about the running time of C1;C2?

Getting rid of Timing Leaks– Agat’s approach

Transform programs such that they waste time until both branches are done

if h then C1 else C2

if h then C1;C2 else C1 ;C2

What is Agat’s problem?S2 S1

Getting rid of Timing Leaks– Making the slides

Assignments (to H):

Assignments (to L):

Getting rid of Timing Leaks– Making the slides (cont.)

Composition (C;D):

Loop (while e do C):

Getting rid of Timing Leaks– Making the slides (cont.)

Conditional (on H):

Conditional (on L):

Q = Pfor i=0 to l do Q = 2 * Q if D(i) then Q = Q + P endif

Example of a timing channel– Revisited

Attacker observer timing differences caused by (Multiply) and (Add), and learn secrets about D

Y = Xfor i=0 to l do Y = Y * Y if D(i) then Y = Y * X endif

Scalar multiplication in ECExponentiation in RSA

(Multiply) (Add)

Q = Pfor i=0 to l do Q = 2 * Q if D(i) then Q = Q + P else skipAsn Q (Q + P) endif

Example of a timing channel– Revisited

Attacker observer timing differences caused by (Multiply) and (Add), and learn secrets about D ––– Not anymore!

Y = Xfor i=0 to l do Y = Y * Y if D(i) then Y = Y * X else skipAsn Y (Y * X) endif

Scalar multiplication in ECExponentiation in RSA

(Multiply) (Add)

Food for thoughtLoosening the analysis (loops)

Can we apply Agat’s approach on while loops?

Let’s unroll the loops once and try: while h do C

if h then C; while h do C else skip What is our problem?

The Information Flow Challenge

The Information Flow Challenge is a web-based game that let the player try to outsmart an information flow analysis that becomes increasingly restrictive for each challenge the player finishes.

Play with what you have learned in this course!

The Information Flow Challenge

The Information Flow Challenge

The Information Flow Challenge