Global Editions

How Secure is the Secured?

Preventing side-channel attacks altogether may not be possible, but improving confidentiality of existing cryptosystems can be achieved through intelligent and sophisticated software design.
By Khurram Bhatti

In 2016 alone, social networks like Facebook and Twitter produced approximately 4-petabytes and 8-terabytes of new data per day, respectively. IBM big data research shows that 2.5 quintillion bytes of data are created worldwide every day – so much so that 90% of  data today have been produced in last two years alone. The information buried in this deluge of data is valuable to society – be it commercial, economic, environmental, and governmental statistics, or concerning health and privacy of individuals. There is a growing body of evidence that shows that regardless of software protections being placed on computers, such as theoretically strong encryption mechanisms, there are indirect ways to extract information – the so called covert and side channels. These channels can give untrusted applications access to the trusted and sensitive data in order to retrieve private information.

A covert channel is formed when any two applications that are not supposed to communicate with each other do so. For instance, a weather monitoring application on a portable device can be used to create a covert channel through which images from an offline image editing application on the same device can be leaked to the Internet, thus, compromising privacy. In a side channel, a malicious application spies on benign processes, e.g., it may steal cryptographic keys or spy on keystrokes.

Read more: Securing Cyberspace for Pakistan

Side-Channel Attacks (SCAs) are a powerful method for breaking theoretically secure cryptographic implementations. Hardware-based SCAs extract secret information from the measurement of physical parameters during computation such as electromagnetic radiation, power consumption, or acoustic emanation from a computer. Software-based SCAs do not require additional equipment, as they are capable of extracting information solely based on the attacker software’s interaction with the target machine. Timing variations of cryptographic operations (encryption and decryption) and memory access patterns are interesting information for software-based SCAs. Figure-01 illustrates how an unintended side-channel attack might extract information during a regular cryptographic operation.

Figure-01: Unintended side-channel attack extracting information

In modern-day computing, where the use of cloud Infrastructure-as-a-Service (IaaS) is extensive and projected to be on the rise; these software-based sophisticated methods of information theft raise concerns about security in shared computing environments. Some recent and most advanced software-based side-channel attacks like Flush+Reload, CacheBleed, and Flush+Flush demonstrate that the secret keys of widely used high-security standards like RSA can be recovered with an average accuracy of up to 97% by merely observing a single signature or encryption/decryption round in a matter of seconds – reducing cryptographic security to nothing more than just a myth.

The success of such attacks mainly depends on two factors: the ability of attacker (malicious) application to detect and synchronize itself with the target (victim) application and the presence of resource sharing mechanisms. Against such software-based attacks, a common protection approach is to ensure that the memory accesses generated by cryptographic operations during their computation on hardware platforms are not dependent on the data being processed. That is, the sequence of cache memory accesses is independent of encryption/decryption key or user’s data. Such protection mechanisms are based on the hypothesis that if the sequence of cache memory lines being accessed depends on the secret data, the cryptographic process itself can leak information through the cache memories.

Researchers at the Embedded Computing Laboratory (ECLab) of Information Technology University (ITU), Lahore, in collaboration with Lab-STICC laboratory of University of South Brittany (UBS), France, are undertaking efforts that they believe will result in solutions – comprising analysis techniques and tools and countermeasure techniques – to help secure implementation of cryptographic standards from such attacks. In their latest findings, they have jointly proposed a countermeasure technique to prevent information theft by one of the most powerful software-based side-channel attacks called Flush+Reload. Their proposed solution is a quick-patch countermeasure that can be efficiently integrated in existing cryptographic standards to improve confidentiality. The developers of a popular free cryptographic software package, GnuPG, incorporated a similar patch into their latest version that adds random data in order to hide the exact nature of computations being performed on the computer.

Figure-02: Measured execution pattern of RSA cryptographic operations without any countermeasure

Figure-03: General sequence of Square, Multiply, and Subtract operations in RSA standard

Flush+Reload attack exposes vulnerabilities in Intel’s x86 architecture by exploiting its inclusive cache memory. The attack targets RSA cryptographic standard, which uses a specific pattern of Square, Multiply, and Subtract operations in order to perform computations related to encryption and decryption. Figure-02 shows the measured pattern while looking at the RSA’s operations through memory accesses and Figure-03 illustrates the sequence of these operations. The trick here for the attacker is that this sequence of Square, Multiply, and Subtract operations repeats itself when the cryptographic software operates to encrypt/decrypt data using secret keys. Measuring this pattern of operations and analyzing it using sophisticated software techniques can be enough to determine the secret keys used by RSA standard.

Read more: Cybersecurity: Work in Progress

The good news is that, while measuring such timing information can reveal secret keys, analyzing subtle changes in computer’s timing profile can also reveal if it is being attacked. These attacks generally observe timing variations in terms of difference between cache hit and miss times generated by the instructions of targeted operations. Based on these variations, the attacker captures the precise execution pattern of victim program. We propose a mechanism to confuse the attacker to a degree that the effort required to extract useful information becomes comparable to the brute force attack. We introduce the concept of so-called intelligent noise to the computation of cryptographic operations. The added noise compliments these operations in hiding the exact pattern of operational details from attacker as shown in Figure-04. The noise, in the form of independent thread, is responsible for generating additional memory accesses or additional memory evictions on selected instructions, i.e., square, multiply, and subtract. As a result, as shown in Figure-04, extracting exact execution pattern becomes impossible and thus, the attacker fails to retrieve secret keys.

Figure-04: Measured execution pattern of RSA cryptographic operations with countermeasure

Side-channel attacks target information extraction from physical implementation of a cryptosystem, rather than through brute force or theoretical weaknesses in algorithms. These results show that preventing side-channel attacks altogether might not be possible, but improving confidentiality of existing cryptosystems can be achieved through intelligent and sophisticated software design.

Dr. Khurram Bhatti is the Director of Embedded Computing Lab and Assistant Professor at ITU, Lahore, Pakistan. He can be reached at khurram.bhatti@itu.edu.pk.

Authors

Related posts

Top