Presentation is loading. Please wait.

Presentation is loading. Please wait.

Side-channels Tom Ristenpart CS 6431. Pick target(s) Choose launch parameters for malicious VMs Each VM checks for co-residence Frequently achieve advantageous.

Published bySuzan Maud Evans Modified over 9 years ago

Similar presentations

Presentation on theme: "Side-channels Tom Ristenpart CS 6431. Pick target(s) Choose launch parameters for malicious VMs Each VM checks for co-residence Frequently achieve advantageous."— Presentation transcript:

1 Side-channels Tom Ristenpart CS 6431

2 Pick target(s) Choose launch parameters for malicious VMs Each VM checks for co-residence Frequently achieve advantageous placement “Cloud cartography” Recall from last time: Hardware Hypervisor OS1 P1 P2 OS2 P1 P2 This shouldn’t matter if VMM provides good isolation!

3 Today RSA remote side-channel attack Flush+Reload side-channel attack

4 RSA reminder Z N = { i | gcd(i,N) = 1 } * Claim: Suppose e,d Z φ(N) satisfying ed mod φ(N) = 1 then for any x Z N we have that (x e ) d mod N = x * * (x e ) d mod N = x (ed mod φ(N)) mod N = x 1 mod N = x mod N First equality is by Euler’s Theorem φ(N) = |Z N |

5 RSA reminder Z N = { i | gcd(i,N) = 1 } * Claim: Suppose e,d Z φ(N) satisfying ed mod φ(N) = 1 then for any x Z N we have that (x e ) d mod N = x * * Z 15 = { 1,2,4,7,8,11,13,14 } * e = 3, d = 3 gives ed mod 8 = 1 Z φ(15) = { 1,3,5,7 } * x12478111314 x 3 mod 1518413211714 y 3 mod 1512478111314 φ(N) = |Z N |

6 Xf pk (X) easy given N,e hard given N,e easy given N,d The RSA trapdoor permutation pk = (N,e) sk = (N,d) with ed mod φ(N) = 1 f N,e (x) = x e mod Ng N,d (y) = y d mod N

7 pk = (N,e) sk = (N,d) with ed mod φ(N) = 1 f N,e (x) = x e mod Ng N,d (y) = y d mod N But how do we find suitable N,e,d ? If p,q distinct primes and N = pq then φ(N) = (p-1)(q-1) Why? φ(N) = |{1,…,N-1}| - |{ip : 1 ≤ i ≤ q-1}| - |{iq : 1 ≤ i ≤ p-1}| = N-1 - (q-1) - (p-1) = pq – p – q + 1 = (p-1)(q-1) The RSA trapdoor permutation

8 pk = (N,e) sk = (N,d) with ed mod φ(N) = 1 f N,e (x) = x e mod Ng N,d (y) = y d mod N But how do we find suitable N,e,d ? If p,q distinct primes and N = pq then φ(N) = (p-1)(q-1) Given φ(N), choose e Z φ(N) and calculate d = e -1 mod φ(N) The RSA trapdoor permutation *

9 We don’t know if inverse is true, whether inverting RSA implies ability to factor Learning p,q from N is the factoring problem

10 Textbook exponentiation Exp(h,x,N) X’ = h For i = 2 to x do X’ = X’*h Return X’ SqrAndMulExp(h,x,N) b k,…,b 0 = x f = 1 For i = k down to 0 do f = f 2 mod N If b i = 1 then f = f*h mod N Return f How do we compute h x for any h Z N ? Requires time O(|G|) in worst case. Requires time O(k) multiplies and squares in worst case. *

11 SqrAndMulExp(h,x,N) b k,…,b 0 = x f = 1 For i = k down to 0 do f = f 2 mod N If b i = 1 then f = f*h mod N Return f f 3 = 1  h f 2 = h 2 f 1 = (h 2 ) 2  h b 3 = 1 b 2 = 0 b 1 = 1 f 0 = (h 4  h) 2  h b 1 = 1 = h 8  h 2  h h 11 = h 8+2+1 = h 8  h 2  h

12 SqrAndMulExp(h,x,N) b k,…,b 0 = x f = 1 For i = k down to 0 do f = f 2 mod N If b i = 1 then f = f*h mod N Return f What side-channels might arise? Timing CPU state (caches, branch predictors,…) Power

13 “Remote” attack setting Hardware Hypervisor OS1 RSA- Decrypt OS2 (Attacker) OS2 (Attacker) Co-located placement on cloud instance RSA-Decrypt takes adversarially supplied ciphertext c Z N and computes c d mod N Attacker can time operation Where would this come up in practice? *

14 (Part of) TLS handshake for RSA transport Client Server PMS <- D(sk,C) ClientHello, MaxVer, Nc, Ciphers/CompMethods ServerHello, Ver, Ns, SessionID, Cipher/CompMethod CERT = (pk of bank, signature over it) Check CERT using CA public verification key Pick random Nc Pick random Ns Pick random PMS C <- E(pk,PMS) C

15 SqrAndMulExp(h,x,N) b k,…,b 0 = x f = 1 For i = k down to 0 do f = f 2 mod N If b i = 1 then f = f*h mod N Return f C1C1 t1t1 C2C2 t2t2 … Prior work before BB: Kocher 96 timing attack x = b k b k-1 … b k-i+1 u k-i u k-i-1 … u 0 Guess some bits at frontRemaining exponent bits are unknown Predict how long it should take to decrypt (random) value C If guess is right, predictions will correlate with observed timings If guess is wrong, no correlations As more b k … b k-i+1 known, predictions get stronger Kocher shows can do with q = O(k)

16 Kocher attack in practice? BB point out: – OpenSSL widely used implementation of TLS Kocher attack doesn’t work against it: – OpenSSL uses CRT, sliding windows, two different modular multiplication algorithms – CRT: Chinese Remainder Theorem – Sliding window: exponentation by handling exponent in chunks, not one bit at a time

17 Chinese Remainder Theorem For n = n 1 n 2 …n k with gcd(n i,n j ) = 1 System of congruences x = x 1 mod n 1 = … = x k mod n k has exactly one solution and we can find it efficiently For RSA with N = pq d1 = d mod (p-1) d2 = d mod (q-1) q -1 = q -1 mod p Compute m 1 = h d1 mod p m 2 = h d2 mod q Compute m = m 1 + (q -1 *(m1 – m2) mod p) * q

18 Towards a timing attack Decryption requires m 2 = h d2 mod q Square-and-multiply (lots of multiplies mod q) Sliding window (fewer multiplies mod q) Multiply x*y mod q uses Montgomery reduction Let R = 2 z for some z Compute (xR*yR)*R -1 = zR mod q – Fast to compute R -1 – At end of computation: zR > q then subtract q Schindler’s observation: Pr[subtract q] ≈ (h mod q ) / 2R

19

20 R -1 * h lo mod N t lo R -1 *h hi mod N t hi Guess first few bits of q = b k … b 1 Let h lo = b k b k-1 … b k-i+1 0 0 0 … 0 Let h hi = b k b k-1 … b k-i+1 1 0 0 … 0 If b k-i = 0 then: h lo < q < h hi If b k-i = 1 then: h lo < h hi < q q Decryption time h lo h hi if b k-1 = 0 h hi if b k-1 = 1 RSA- Decrypt

21 Many more details Secondary timing effect – Karatsuba versus standard multiplication – Opposite timing difference for h hi - h lo – Use absolute values: one effect always dominates Sliding window (few multiplications) – Amplify by querying a bunch of values: h hi, h hi + 1, h hi + 2, … – Called a neighborhood

22 Timing differences measurable

23 The attack worked… ~1.5 million queries for 1024 bit RSA 2 hours on that era’s computers Blinding countermeasure: y = r e * c mod N m = y d / r mod N SqrAndMulExp(h,x,N) b k,…,b 0 = x f = 1 For i = k down to 0 do f = f 2 mod N If b i = 1 then f = f*h mod N Return f Hardware Hypervisor OS1 RSA- Decrypt OS2 (Attacker) OS2 (Attacker)

24 Cache-based side channel attacks A long literature on cache side channel attacks – Percivel 2005: RSA side channels – Tromer et al. 2005: AES side channels Today: particularly simple one by Yarom and Faulkner useful in PaaS clouds

25 Attacker VM Victim VM Main memory L1 instr cache Prime+Probe protocol Attacker VM (each row represents cache set) … Scheduling order on CPU core Victim VM Attacker VM … Timings correlated to (distinct) cache usage patterns of S, M operations Can spy frequently (every ~16 μs) by exploiting scheduling Timings correlated to (distinct) cache usage patterns of S, M operations Can spy frequently (every ~16 μs) by exploiting scheduling Interrupt Slow Fast Runs (S) operation Runs (M) operation

26 Prime+Probe limitations Works only for L1 caches – Some recent work extending to LLC in certain settings – Multi-core settings difficult (Zhang et al. 2012) Lots of noise from various sources

27 Towards Flush+Reload Deduplication-based memory page sharing (Linux, KVM, VMWare) Duplicate memory pages detected, physical pages coalesced Virtual address spaces different, but mapped to same physical addresses Main memory Libgcrypt square( ) instructions Inclusive cache architecture

28 Towards Flush+Reload Deduplication-based memory page sharing (Linux, KVM, VMWare) Duplicate memory pages detected, physical pages coalesced Virtual address spaces different, but mapped to same physical addresses Main memory Libgcrypt square( ) instructions Inclusive cache architecture

29 Flush+Reload protocol Flush from LLC memory line of interest Wait Time reloading memory line Not-accessed by victim Accessed by victim

30 Attacking Square and Multiply SqrAndMulExp(h,x,N) b k,…,b 0 = x f = 1 For i = k down to 0 do f = f 2 mod N If b i = 1 then f = f*h mod N Return f

31 Flush+Reload type attacks damaging Immediately used in a large number of follow- up papers to break various things – Cryptographic targets – Non-cryptographic targets Requires memory deduplication – Turned off in Amazon EC2 But not in Linux by default – PaaS services vulnerable [Zhang et al. 2014]

32 General victim execution tracing 32 #include "stdio.h” int b; int inc(int number) { return number + 1; } int main() { int a = 9; if (a % 2 == 1) a = inc(a); b = a; return 0; }

33 Control-Flow Graph 33 #include "stdio.h” int b; int main() { int a = 9; if (a % 2 == 1) a = inc(a); int inc(int number) { return number + 1; } b = a; return 0; }

34 Control-Flow Graph 34 4004b6: mov $0x9,%edi 4004bb: callq 4004b4 4004b6: mov $0x9,%edi 4004bb: callq 4004b4 400324: lea 0x1(%rdi),%eax 400327: retq 400324: lea 0x1(%rdi),%eax 400327: retq 4004c0: mov %eax,0x200b60(%rip) 4004c6: mov $0x0,%eax 4004cb: retq 4004c0: mov %eax,0x200b60(%rip) 4004c6: mov $0x0,%eax 4004cb: retq chunk 1: [400480-4004bf] chunk 3: [4004c0-4004ff] chunk 2: [400300-40033f]

35 Control-Flow Graph 35 chunk1 [400480-4004bf] chunk1 [400480-4004bf] chunk2 [400300-40033f] chunk2 [400300-40033f] chunk 3 [4004c0-4004ff] chunk 3 [4004c0-4004ff]

36 An Attack NFA 36 {c1} {c2, c3} {c3} Flush-Reload {} (c1, t 1, t 2 ) (c2, t 3, t 4 ) chunk1 [400480-4004bf] chunk1 [400480-4004bf] chunk2 [400300-40033f] chunk2 [400300-40033f] chunk 3 [4004c0-4004ff] chunk 3 [4004c0-4004ff] start (c3, t 7, t 8 ) (c3, t 5, t 6 )

37 Three Example Attacks Inferring Sensitive User Data SAML-based Single Sign-on Attacks Password-Reset Attack 37

38 Three Example Attacks Inferring Sensitive User Data SAML-based Single Sign-on Attacks Password-Reset Attack 38

39 Password Reset 39 Password Reset Token Verification Pseudo- Random Number Generator User Token

40 Password Reset Attack 40 Password Reset Token Verification Pseudo- Random Number Generator User Token Pseudo- Random Number Generator Shared Library Shared Library gettimeofday() Attacker Attack NFA Library calls Token Prediction Shared OS Application

41 Call Graph of Password Resetting 41

42 Attacker’s Strategy 42 Attacker application Attacker application Victim application Attacker’s email account Password reset against his own account Password reset token (attack NFA) Offline: Bruteforce value of getpid() Password reset against victim account Online: token guessing (attack NFA) (HTTP keepAlive)

43 The Attack NFA 43

44 Evaluation Demonstrated successful attacks against Magento (controlled by ourselves) in a public PaaS cloud. After 2 20 offline computation, the attacker can narrow down the password reset token to 2 2 possible values---easy to brute-force online. 44

45 Side-channel countermeasures Constant time code – Input-independent memory accesses, timing Very difficult to truly get! – Input-dependent instruction timing on CPU Best bet: don’t share physical resources

Download ppt "Side-channels Tom Ristenpart CS 6431. Pick target(s) Choose launch parameters for malicious VMs Each VM checks for co-residence Frequently achieve advantageous."

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Cross-VM Side Channels and Their Use to Extract Private Keys

Cross-VM Side Channels and Their Use to Extract Private Keys
Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)

Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Yan Qiang, 2009-1-7.

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Yan Qiang,
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Data encryption with big prime numbers

Data encryption with big prime numbers
Public Clouds (EC2, Azure, Rackspace, …) VM Multi-tenancy Different customers’ virtual machines (VMs) share same server Provider: Why multi-tenancy? Improved.

Public Clouds (EC2, Azure, Rackspace, …) VM Multi-tenancy Different customers’ virtual machines (VMs) share same server Provider: Why multi-tenancy? Improved.
Computer Science CSC 405By Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 2. Basic Cryptography (Part II)

Computer Science CSC 405By Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 2. Basic Cryptography (Part II)
Side-Channel Attack on OpenSSL ECDSA Naomi BengerJoop van de Pol Nigel Smart Yuval Yarom 1.

Side-Channel Attack on OpenSSL ECDSA Naomi BengerJoop van de Pol Nigel Smart Yuval Yarom 1.
7. Asymmetric encryption-

7. Asymmetric encryption-
By Christopher Moran, Nicoara Talpes 1.  Solution is addressed to VMs that are web servers  Web servers should not have confidential information anyway.

By Christopher Moran, Nicoara Talpes 1.  Solution is addressed to VMs that are web servers  Web servers should not have confidential information anyway.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.

Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.

RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 20 Fall 2002.
Scheduler-based Defenses against Cross-VM Side- channels Venkat(anathan) Varadarajan, Thomas Ristenpart, and Michael Swift 1 D EPARTMENT OF C OMPUTER S.

Scheduler-based Defenses against Cross-VM Side- channels Venkat(anathan) Varadarajan, Thomas Ristenpart, and Michael Swift 1 D EPARTMENT OF C OMPUTER S.
Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Similar presentations

Ads by Google