Flipped Classroom Lecture 14/9 [RG]: Side channels

Content

Problems related to side channels

    • Time-driven side channels
    • Cache-based access-driven side channels
    • Cache-based trace-driven side channels
    • Countermeasures
    • Famous side channels in AES
    • Spectre 

The live lecture will consist of two parts. In the first part, you will be divided into groups to discuss one problem and a few questions (from previous exams) related to side channels. At the end of the first part, someone can present a solution and we will discuss alternatives. In the second part, we will answer questions about side channels and more advanced topics, such as Spectre.

Please watch the videos and try to solve the previous-exam exercise before the live lecture.

Previous exam problem and questions

Let a system use a shared data cache (no instruction cache) of 256 bytes, 4 lines, 64 bytes per line. The cache is direct-mapped. The array M consists of 32 entries of 4 bytes. The first sixteen entries of the array are mapped to the first cache line, the second sixteen entries are mapped to the second cache line. The variables A, B, and C are secret numbers and are mapped to the third line. Finally, assume that 0 <= B < 32 and 0 <= C < 32. The victim program is the following:

A = M[(C+B)/4]

A += M[32-(C+B)/4]

Can an access-driven attack (i.e. by detecting which cache line has been evicted) extract information about the variables of this program? If yes, explain the attack and describe how you can fix the program or prevent the attack; if not, motivate why this program is secure.

Questions

  1. A side-channel attack consists of injecting faults into a system (i.e. using electromagnetic waves).
  2. Flushing caches is sufficient to prevent attacks that measure execution time of the victim.
  3. Constant-time execution prevents leakage via side channels by making the control flow and memory accesses independent of secret variables.
  4. In an access driven attack, the attacker determines the cache lines accessed by the victim.
  5. Both data-caches and instruction-caches can lead to side channels if the program does not use countermeasures.
  6. Side channels can be used to violate the confidentiality of the implementation of a cryptographic algorithm even if the algorithm is cryptographically secure.

 

Exercise

Exercise: Side channels [Branch side-channel]

Reading

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

https://en.wikipedia.org/wiki/Row_hammer

New version of the book
19.1 Side channels
19.2.1 History of emission attacks
19.4.1 Timing analysis
19.4.4 Rowhammer, CLKscrew and Plundervolt
19.4.5 Meltdown, Spectre and other enclave side channels
19: Further Reading

Slides

Download SideChannels.pdf

Additional resources

Advances on Access-Driven Cache Attacks on AES 2006

Practicality of accelerometer side channels on smartphones 2012

Side channels in video games: the myth of the treasure fox in Skyrim

Tandem Deep Learning Side-Channel Attack Against FPGA Implementation of AES 2020

Videos

Side channels: introduction

An example: check digit

A case study: RSA

Other types of side channels

Background: Caches

Time driven attacks

Trace driven attacks

Access driven attacks

Instruction cache based side channels 

A case study: AES

Countermeasures