Transforming out Timing Leaks (Agat’s approach) Terkel K. Tolstrup Email: tkt@imm.dtu.dk Informatics and Mathematical Modelling Technical University of Denmark

Post on 21-Dec-2015


Transforming out Timing Leaks (Agat’s approach)

Terkel K. Tolstrup

Email: tkt@imm.dtu.dk
Informatics and Mathematical Modelling
Technical University of Denmark


Security Leakage

  Direct Leakage
  Indirect Leakage
  Termination Leakage (special case of Timing Leakage)
  Timing Leakage

Timing Leakage is normally considered a Covert Channel


Termination Leaks – Intuitively

What kind of programs leak through termination channels?

  while h do skip?
  if h then skip else loop?


Timing Leaks – Intuitively

What kind of programs leak through timing channels?

  while h>0 do h:=h-1?
  if h then h1:=h1+1; h1:=h1+1 … else skip?


Covert Channels

Unintentional leak of information (Covert Channel)

Attacker learns secrets by observing normal behavior of systems, wrt.
  Timing
  Power consumption
  Noise, Faults/Errors, Electromagnetic…

Often used to break implementations of cryptosystems


Timing Channels

Timing attacks: use observations of the timing behavior of a system to guess secrets

Several accounts of practical attacks:
  [Kocher’96]: On Diffie-Hellman, RSA, DSS…
  [Dhem et al’98]: Practical implementation on Smartcard …


Timing Channels - Goals

Ultimate goal: Find the secret key, so that all cipher texts can be decrypted.

Distinguishability: Find probabilities that allow the attacker to distinguish between different plaintexts.

Made more powerful in combination with the exploitation of other side channels.


Performing a timing attack

The attacker knows the first m bits of the secret key

Initiate contact

Public Key

Guess: m+1’th bit

Reply

Time difference allows attack by varying guess


Example of a timing channel

Scalar multiplication in EC:

    Q = P
    for i=0 to l do
      Q = 2 * Q
      if D(i) then
        Q = Q + P        (Add)
      endif

Exponentiation in RSA:

    Y = X
    for i=0 to l do
      Y = Y * Y
      if D(i) then
        Y = Y * X        (Multiply)
      endif

Attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D


Programming Language


Getting rid of Termination Leaks – Identifying the cause


Getting rid of Termination Leaks – Being conservative

Let’s modify the inference rule

How does this work?
  while h do skip?                        Not allowed
  while l do skip?                        Allowed
  if h then while l do skip else skip?    Allowed


Getting rid of Termination Leaks – This time for real

Let’s modify the inference rule

How does this work?
  while h do skip?                        Not allowed
  while l do skip?                        Allowed
  if h then while l do skip else skip?    Not allowed


Getting rid of Timing Leaks – Identifying the cause

Did we get rid of Timing Leaks while taking care of Termination Leaks?

Not caused by while loops anymore, because they are only allowed to handle non-secret information.

But what about
  if h then h := h + 1; h := h + 1;… else skip?


Getting rid of Timing Leaks – Being conservative


Hold on! – We are being too conservative

This approach results in only having secret information on the right-hand side of assignments: x := … h …

That probably won’t allow many useful/real programs.


Getting rid of Timing Leaks – Identifying the cause (cont.)

The cause of the timing leaks in if statements is that the branches have different execution times

Assume we knew the worst-case execution time of any piece of program!

Then we could write programs like: if h then C1 else C2 ; …

“waste time until worst-case


Getting rid of Timing Leaks – Agat’s approach

Transform programs such that they waste time until both branches are done

What is worst-case? C1 ? C2 ?

How about the running time of C1;C2?


Getting rid of Timing Leaks – Agat’s approach

Transform programs such that they waste time until both branches are done

if h then C1 else C2

if h then C1;C2 else C1;C2

S2 S1

What is Agat’s problem?


Getting rid of Timing Leaks – Making the slides

Assignments (to H):

Assignments (to L):


Getting rid of Timing Leaks – Making the slides (cont.)

Composition (C;D):

Loop (while e do C):


Getting rid of Timing Leaks – Making the slides (cont.)

Conditional (on H):

Conditional (on L):


Example of a timing channel – Revisited

Scalar multiplication in EC:

    Q = P
    for i=0 to l do
      Q = 2 * Q
      if D(i) then
        Q = Q + P        (Add)
      endif

Exponentiation in RSA:

    Y = X
    for i=0 to l do
      Y = Y * Y
      if D(i) then
        Y = Y * X        (Multiply)
      endif

Attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D


Example of a timing channel – Revisited

Scalar multiplication in EC:

    Q = P
    for i=0 to l do
      Q = 2 * Q
      if D(i) then
        Q = Q + P              (Add)
      else
        skipAsn Q (Q + P)
      endif

Exponentiation in RSA:

    Y = X
    for i=0 to l do
      Y = Y * Y
      if D(i) then
        Y = Y * X              (Multiply)
      else
        skipAsn Y (Y * X)
      endif

Attacker observes timing differences caused by (Multiply) and (Add), and learns secrets about D. Not anymore!
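The padding on this slide, worked through as an added example (not code from the original slides): a toy interpreter that cross-copies dummy skipAsn commands into the branches of a conditional and counts time units for the RSA loop. The tuple encoding, the one-unit cost model and the names dummy, cross_copy, run, iteration and exponentiate are assumptions made for the illustration.

```python
# Toy while-language fragment (constructed for illustration); commands are tuples:
#   ("skip",)  ("asn", x, f)  ("skipAsn", x, f)  ("seq", c1, c2)  ("if", g, c1, c2)
# f and g are functions of the store. Assumed cost model: each assignment,
# skipAsn and guard test takes one time unit; skip takes none.

def dummy(c):
    """Copy of c with the same cost but no effect on the store."""
    if c[0] == "asn":
        return ("skipAsn", c[1], c[2])
    if c[0] == "seq":
        return ("seq", dummy(c[1]), dummy(c[2]))
    if c[0] == "if":
        return ("if", c[1], dummy(c[2]), dummy(c[3]))
    return c  # skip and skipAsn already leave the store alone

def cross_copy(c):
    """if g then C1 else C2  ->  if g then C1; dummy(C2) else dummy(C1); C2"""
    if c[0] == "seq":
        return ("seq", cross_copy(c[1]), cross_copy(c[2]))
    if c[0] == "if":
        c1, c2 = cross_copy(c[2]), cross_copy(c[3])
        return ("if", c[1], ("seq", c1, dummy(c2)), ("seq", dummy(c1), c2))
    return c

def run(c, env):
    """Execute c on env in place and return the time units it used."""
    if c[0] == "skip":
        return 0
    if c[0] == "asn":
        env[c[1]] = c[2](env)
        return 1
    if c[0] == "skipAsn":
        c[2](env)  # same work as the assignment, result discarded
        return 1
    if c[0] == "seq":
        return run(c[1], env) + run(c[2], env)
    return 1 + run(c[2] if c[1](env) else c[3], env)  # "if": guard, then branch

def iteration(i):
    """Loop body from the RSA slide: Y = Y * Y; if D(i) then Y = Y * X."""
    square = ("asn", "Y", lambda e: e["Y"] * e["Y"])
    multiply = ("asn", "Y", lambda e: e["Y"] * e["X"])
    return ("seq", square, ("if", lambda e: e["D"][i], multiply, ("skip",)))

def exponentiate(x, d_bits, transform=lambda c: c):
    """Run the slide's loop (Y = X initially); return (Y, total time units)."""
    env = {"X": x, "Y": x, "D": d_bits}
    ticks = sum(run(transform(iteration(i)), env) for i in range(len(d_bits)))
    return env["Y"], ticks
```

For the secret bit strings 000 and 111 the original loop takes 6 and 9 units, while the transformed loop takes 9 for both and computes the same Y. The guarantee is only as good as the assumption that skipAsn costs exactly what the real assignment costs.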


Food for thought: Loosening the analysis (loops)

Can we apply Agat’s approach on while loops?

Let’s unroll the loops once and try:

  while h do C

  if h then C; while h do C else skip

What is our problem?


The Information Flow Challenge

The Information Flow Challenge is a web-based game that lets the player try to outsmart an information flow analysis that becomes increasingly restrictive with each challenge the player finishes.

Play with what you have learned in this course!
