MicroWalk: A Framework for Finding Side Channels in Binaries

Microarchitectural side channels expose unprotected software to information leakage attacks where a software adversary is able to track runtime behavior of a benign process and steal secrets such as cryptographic keys. As suggested by incremental software patches for the RSA algorithm against variants of side-channel attacks within different versions of cryptographic libraries, protecting security-critical algorithms against side channels is an intricate task. Software protections avoid leakages by operating in constant time with a uniform resource usage pattern independent of the processed secret. In this respect, automated testing and verification of software binaries for leakage-free behavior is of importance, particularly when the source code is not available. In this work, we propose a novel technique based on Dynamic Binary Instrumentation and Mutual Information Analysis to efficiently locate and quantify memory based and control-flow based microarchitectural leakages. We develop a software framework named \tool~for side-channel analysis of binaries which can be extended to support new classes of leakage. For the first time, by utilizing \tool, we perform rigorous leakage analysis of two widely-used closed-source cryptographic libraries: \emph{Intel IPP} and \emph{Microsoft CNG}. We analyze $15$ different cryptographic implementations consisting of $112$ million instructions in about $105$ minutes of CPU time. By locating previously unknown leakages in hardened implementations, our results suggest that \tool~can efficiently find microarchitectural leakages in software binaries

The Power of Telemetry: Uncovering Software-Based Side-Channel Attacks on Apple M1/M2 Systems

Power analysis is a class of side-channel attacks, where power consumption data is used to infer sensitive information and extract secrets from a system. Traditionally, such attacks required physical access to the target, as well as specialized devices to measure the power consumption with enough precision. The PLATYPUS attack has shown that on-chip power meter capabilities exposed to a software interface might form a new class of power side-channel attacks. This paper presents a software-based power side-channel attack on Apple Silicon M1/M2 platforms, exploiting the System Management Controller (SMC) and its power-related keys, which provides access to the on-chip power meters through a software interface to user space software. We observed data-dependent power consumption reporting from such keys and analyzed the correlations between the power consumption and the processed data. Our work also demonstrated how an unprivileged user mode application successfully recovers bytes from an AES encryption key from a cryptographic service supported by a kernel mode driver in macOS. Furthermore, we discuss the impact of software-based power side-channels in the industry, possible countermeasures, and the overall implications of software interfaces for modern on-chip power management systems.Comment: 6 pages, 4 figures, 5 table

CacheZoom: How SGX Amplifies The Power of Cache Attacks

In modern computing environments, hardware resources are commonly shared, and parallel computation is widely used. Parallel tasks can cause privacy and security problems if proper isolation is not enforced. Intel proposed SGX to create a trusted execution environment within the processor. SGX relies on the hardware, and claims runtime protection even if the OS and other software components are malicious. However, SGX disregards side-channel attacks. We introduce a powerful cache side-channel attack that provides system adversaries a high resolution channel. Our attack tool named CacheZoom is able to virtually track all memory accesses of SGX enclaves with high spatial and temporal precision. As proof of concept, we demonstrate AES key recovery attacks on commonly used implementations including those that were believed to be resistant in previous scenarios. Our results show that SGX cannot protect critical data sensitive computations, and efficient AES key recovery is possible in a practical environment. In contrast to previous works which require hundreds of measurements, this is the first cache side-channel attack on a real system that can recover AES keys with a minimal number of measurements. We can successfully recover AES keys from T-Table based implementations with as few as ten measurements.Comment: Accepted at Conference on Cryptographic Hardware and Embedded Systems (CHES '17

Countermeasure implementation and effectiveness analysis for AES resistance against side channel attacks

Side Channel Analysis (SCA) is composed of a bunch of techniques employed to extract secret information from hardware operations through statistical analyses of execution data. For instance, the secret key of a crypto-algorithmic implementation could be targeted and its value could be retrieved. The data is obtained by measuring the power consumption or electromagnetic radiation of a device while performing an operation due to the linear relationship between the currents flowing through the circuitry during the execution of chip operations. Side channel is one of the most widely used attack methods in cryptanalysis. In order to avoid such attacks, the algorithmic implementations can be protected from side channel leakage with the use of different countermeasures. These countermeasures can be built on either software or hardware. The objective is to reduce, or even completely eliminate, the leakage of the device related to confidential data. Generally speaking, there are two main approaches to do so. The first aims to reduce the side channel observability, while the second intends to undermine the predictability of the data. This project focuses on designing and implementing different countermeasures that protect cryptographic implementations from side channel attacks, and test and analyze them afterwards. The countermeasures will be implemented in software and then tested though Correlation Power Analysis in a hardware device. The Advanced Encryption Standard (AES) algorithm will be used as a base structure, in order to improve its cryptographic security with the different countermeasures designed. However, the election of AES does not reduce the scope of this project since the implemented countermeasures could be applied to other cryptographic algorithms as well

Towards Secure Cryptographic Software Implementation Against Side-Channel Power Analysis Attacks

Side-channel attacks have been a real threat against many critical embedded systems that rely on cryptographic algorithms as their security engine. A commonly used algorithmic countermeasure, random masking, incurs large execution delay and resource overhead. The other countermeasure, operation shuffling or permutation, can mitigate side-channel leakage effectively with minimal overhead. In this paper, we target utilizing the independence among operations in cryptographic algorithms and randomizing their execution order. We design a tool to automatically detect such independence between statements at the source code level and devise an algorithm for automatic operation shuffling. We test our algorithm on the new SHA3 standard, Keccak. Results show that the tool has effectively implemented operation-shuffling to reduce the side-channel leakage significantly, and therefore can guide automatic secure cryptographic software implementations against differential power analysis attacks

EM Side Channel Analysis on Complex SoC architectures

The EM side channel analysis is a very effective technique to attack cryptographic systems due to its non invasive nature and capability to launch an attack even with limited resources. The EM leakage from devices can give information about computations on the processor, which can in turn reveal the internal state of the algorithm. For security sensitive algorithms, these EM radiations can be exploited by the adversary to extract secret key dependent operations hence EM side channel must be studied for evaluating the security of these algorithms. Modern embedded devices composed of System-on-Chip architectures are considered hard targets for EM side channel analysis mainly due to their complex architecture. This thesis explores the viability of EM side channel attacks on such targets. There is a comprehensive literature overview of EM side channel analysis followed by a practical side channel attack on a SoC device using well know cryptographic library OpenSSL. The attack successfully extracts the secret key dependent operation which can be used to retrieve the private key in security protocols such as TLS and SSH. The thesis concludes, with practical single trace attacks, that cryptographic implementations can still be broken using EM side channel analysis, and a complex nature of the device have no significant effect when combined with signal processing methods for extracting side channel information, hence the cryptographic software implementations must address these issues

Apple vs. EMA: Electromagnetic Side Channel Attacks on Apple CoreCrypto

Cryptographic instruction set extensions are commonly used for ciphers which would otherwise face unacceptable side channel risks. A prominent example of such an extension is the ARMv8 Cryptographic Extension, or ARM CE for short, which defines dedicated instructions to securely accelerate AES. However, while these extensions may be resistant to traditional digital side channel attacks, they may still vulnerable to physical side channel attacks. In this work, we demonstrate the first such attack on a standard ARM CE AES implementation. We specifically focus on the implementation used by Apple’s CoreCrypto library which we run on the Apple A10 Fusion SoC. To that end, we implement an optimized side channel acquisition infrastructure involving both custom iPhone software and accelerated analysis code. We find that an adversary which can observe 5-30 million known-ciphertext traces can reliably extract secret AES keys using electromagnetic (EM) radiation as a side channel. This corresponds to an encryption operation on less than half of a gigabyte of data, which could be acquired in less than 2 seconds on the iPhone 7 we examined. Our attack thus highlights the need for side channel defenses for real devices and production, industry-standard encryption software