Real World Crypto 2021 - Session 9: Hardware
Side-channel attacks first mooted in 1996 (Kocher)
Masking values ought to work in theory, but in reality CPUs pipeline instructions, so values from the crypto calculation can be displaced from registers by masked ones, and so get leaked.
Current practice: write s/w, run it on a device coupled up to equipment that e.g. measures voltages, run the s/w many times and observe the data leakage via the voltage measurements. Fix the s/w, then iterate. This takes a long time.
The authors have automated some of this using Elmo and Rosita.
Elmo has a power model to emulate the voltage consumption of a CPU; there is a differential voltage for each assembler instruction. Statistical techniques let researchers figure out which register usages result in a larger differential voltage, which is what causes information leakage.
Some tricks involve injecting a load of no-op (dummy) instructions (e.g. ‘mov r7, r7’) into compiled machine code to discourage the CPU from executing the surrounding instructions in the same pipeline.
Shows graphs of AES and ChaCha being analysed, and how Rosita’s injection of masking no-ops removes the big spikes from the differential voltage graphs.
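An added illustration of the dummy-insertion idea from the notes above. This is constructed example code, not ELMO’s or Rosita’s own logic: the real tools decide where to patch from ELMO’s power model and measured leakage, whereas the rule assumed here is purely syntactic (two back-to-back instructions that touch a common register get a `mov r7, r7` placed between them).

```python
import re

# Dummy instruction quoted in the talk: a mov of a register to itself.
DUMMY = "mov r7, r7"

REG_RE = re.compile(r"\br\d+\b|\bsp\b|\blr\b|\bpc\b")


def registers(insn):
    """Registers named in one ARM assembly instruction (comment stripped)."""
    code = insn.split("@")[0]            # '@' starts a GNU-as ARM comment
    parts = code.strip().split(None, 1)  # mnemonic, operands
    return set(REG_RE.findall(parts[1])) if len(parts) == 2 else set()


def is_instruction(line):
    s = line.strip()
    return bool(s) and not s.endswith(":") and not s.startswith(("@", "."))


def leaks(prev, cur):
    """Assumed simplified leakage rule: consecutive instructions sharing a
    register can place a sensitive value next to a mask in the pipeline."""
    return bool(registers(prev) & registers(cur))


def insert_dummies(listing):
    """Return a new listing with DUMMY placed between each leaking pair.
    Labels, directives and comment-only lines are passed through untouched."""
    out, prev = [], None
    for line in listing:
        if is_instruction(line):
            if prev is not None and leaks(prev, line):
                out.append("    " + DUMMY)
            prev = line
        out.append(line)
    return out


# Constructed sample: a tiny masked XOR routine, not code from the talk.
SAMPLE = [
    "masked_xor:",
    "    eor r0, r0, r1   @ share a0 ^ mask",
    "    eor r2, r2, r1   @ share a1 ^ same mask, back to back",
    "    ldr r3, [sp, #4]",
    "    eor r3, r3, r2",
    "    bx lr",
]

if __name__ == "__main__":
    print("\n".join(insert_dummies(SAMPLE)))
```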
RISC-V is a huge, 200-member consortium. You don’t need to be a member to use their IP to “build your own CPU”. Also anyone can create their own custom ISA extensions.
RISC-V has a scalar (non-vector) crypto extension. It’s now in opcode/consistency review and will be frozen in Q1 2021. Includes instructions useful for hashes / GCM such as bit rotations and carryless multiply, byte/bit reversal, and shuffling.
Further special-purpose instructions are included only for specific standards such as AES.
Supports very lightweight AES for microcontrollers, with instructions to help in both 32-bit and 64-bit settings (RV32 and RV64). Dedicated SHA-2 instructions. Instructions to build TRNGs with a specified entropy source interface. Constant-time multiplication; constant-time S-boxes.
S-boxes in hardware mean there are no timing side-channels due to S-box table look-ups.
Mandatory vulnerability catchy name: CacheOut
Back in 2018 … Meltdown and Foreshadow, based on leakage from CPU caches.
2019 … Micro-architectural Data Sampling (MDS) attacks the buffers in the CPU that surround the caches.
- similar implications to Meltdown
Intel fixed this by adding a new instruction to flush the buffers. This fixes a symptom but not the underlying cause! Data can still be leaked; the resulting attack is called CacheOut.
- this can leak AES, RSA keys
CacheOut demo: picture of the Mona Lisa loaded into a secure enclave, then leaked out again. CacheOut breaches SGX confidentiality, allowing an attacker to masquerade as a legitimate enclave when it isn’t one.
Awesome demo on Twitter: “Attestation as a Service” – shows a CacheOut-targeted SGX made willing to attest to anything tweeted at it!
Case study: Signal, which uses SGX. Signal asked users to set PINs to implement secure value recovery. They wanted to be able to back up contacts to the cloud. The data has to be encrypted such that Signal themselves can’t read it. This uses an SGX enclave in order to rate-limit any attempt to brute-force a 4-digit PIN.
An attacker with access to Signal’s servers can use the CacheOut attack. The threat model is such that this couldn’t be done by a home-user attacker; however a government agent who has subpoenaed Signal’s servers might be able to.
They use s/w called ‘Tesla Toolbox’ which isn’t meant to be publicly available but has been leaked on the internet. They can persuade a Tesla Model X to unlock.
(stopped taking notes, because this was too awesome not to focus on)