Welcome to Software Observatory Etherpad!

This pad text is synchronized as you type, so that everyone viewing this page sees the same text.

To prevent this pad from appearing in the etherdump, paste (or leave) the following code:


Warning: DirtyDB is used. This is fine for testing but not recommended for production. -- To suppress these warning messages change suppressErrorsInPadText to true in your settings.json
# Side channel attacks

Thomas De Cnudde <thomas.decnudde@student.kuleuven.be>

**software is a list of sequential instructions!**  
done! that was a good block.

pin code checking software: check if the user entered the right pin code   
s oftware runs on " something "; i n this case " hardware "  
"it ultimately instructs hardware to operate"   

application software
operating system

"leakage from boundaries" is what is considered side channel attacks

dilation of the pupil will tell what you are calculating! very innocent   
extra information = side channel = revealed information   
unintentionally, unaware of it, not clear the mechanics behind   

p upil as 'side channel' from the brain   
pupils leak information   
follows laws we might never discover (mechanics of the human body)   

a software running o n a hardware   
it emanates radio-magnetic waves , act ing like an antenna (fracking)   

you can build an antenna and use it to capture the waves and reconstruct what the user is doing   
electromagnetic radiation gives information on your devices   
once you are aware of it, it is hard to control but can be mitigated: put it in a cage made of metal   
why look at this problem?   
bad people want to steal your money   
or they want to side channel your hardware to retrieve the way your algorithm works, break intellectual property   
what can they steal?   
they can steal values but also intellectual property   

" hardware lives in the real world and real world properties lead to side channels "   
"side channel attacks exist because we live in a real world"  
"real world properties lead to side changels" (= angels of change? ) :)  

p roperties:
* computation speed
* area
* power consumption
* reliability
s ome side channels

* t iming
* p ower consumption
* e lectromagnatic radiation
* l ight, sound, temperature (exotic)

algorithms as a target   
(patents, intellectual property)

we enter 4 random numbers

* algorithm checks it
* if it is wrong it stops
* if first digit is right, it proceeds to check the second digit etc.
* with timing analysis, we can see already if the first digit is wrong, if the program checks the first digit first

you can divide   
and conquer! :P
power analysis / electromagnetic analysis is simple : on e or two measurements

* duration - how long an operation takes before it goes silent (power gives information on timing)
* amplitude

ATCPOTW: All the computation power of the world   
just by measuring the power consumption you can retrieve information   
what to do against it?

* shielding
* confusing by noise

how do you derive the key from this power analysis?   
looking at the algorithm itself?

ex = in public key cryptography,   
rsa is computed by a squaring operation ( x ^2) or multiplication   
squaring is optimized, results as green in an analysis of po we r consumption   
multiplication instead is not, so results red (more consumption) in the graph   
green computation takes less ti m e and power than the red computation   
these are optimized for speed and your battery   
x^2 is green and x.y is red   
the algorithm dictates which function you use   
a key: 100101   
is basically such that   
all ones are green   
and all zeros are red   
(or the other way around)   
a co u nter-measure is to add red power consumption like patterns after the red power consumption units.

![]( http://etherbox.local/home/pi/images/thursday/138872.jpg )

![] http://etherbox.local/home/pi/images/thursday/138873.jpg )

template attacks (wah)   
you can create templates if you have control over a device   
where you can build curves that represent the different values that are being executed   
p r eferably have the same device as one you want to attack   
the best is from the same fabrication, but this is not necessary   
what is necessary is to have the same mechanisms for drawing on power   

Kym: what about retro-active m i m e sis   
in ww2, having access to the enigma, they could replicate the encryption type   
enigma on the mathematical side of crypto, here we are in the electric al side of crypto   
"enigma was an algorithm"   
enigma provided the algorithm   
without the algorithm you know nothing and cannot get the keys   

in ww 2, navajo language was used   
you cannot break the cipher without knowing that it is that language   
(it was more difficult for nazis to find native speakers of navajo)   
_ Philip Johnston, a civil engineer for the city of Los Angeles,[13] proposed the use of Navajo to the United States Marine Corps at the beginning of World War II. Johnston, a World War I veteran, was raised on the Navajo reservation as the son of a missionary to the Navajo. He was one of the few non-Navajo who spoke the language fluently. < https://en.wikipedia.org/wiki/Code_talker#Navajo_code_talkers >_  
f or the US army it was difficult, too. ;) .. Good appropriation of the language of an oppressed minority for military use.   

whe n you do certain manipulations on your machine    
i t uses energy in pulses   
you are listening to the pulses   
you recreate the content of another machine   

in WWII , they got one of the machines   
they then knew how the machine worked   
they didn't know the presets necessary to break enigma   
they used the weather reports: they always started with heil hitler   
that was the key

they first got the algorithm by getting the machine   
they still needed to retrieve the key that changed everyday   

the first recorded side channel attack was on a mechanical device by placing microphone in the office and recording the device's clicks in order to break the code

a lot of side-chan come from engineers trying to optimize things

side-channel come s from technology we use   
CMOS technology   
a lot of gates that can be either closed or open   
the transition from open to closed requires effort, consumes power and makes sound   
high pitch sounds => + electromagnetic field   
& heat from friction

a ttackers are " passive " in that they only observe -> no interaction   
actually you can observe if you are being observed, hence once again no detached observation   

passive and non invasive attacker   
m odels of attackers   
passive and non-invasive attackers   
cost of attack: 300 euros   

adversaries: only allowed to observe but not allowed to interact   (Read 444)   

( how do you design a system that notices when it is observed? <- VW case :) that's when you know _ how _ you will be observed. who is observing who in the VW case? )

** engineers are good guys! **  
how can you think about the ways bad people will use the technology

how do es this software circulate? there are software suites   
chip whisperer - also a friendly guy , canadian   
< https://wiki.newae.com/Main_Page >  
( no animal mascotte? but FLOSS ... :P )  
not sure if it is legal   
(they make their own stuff) brilliant guys   

f ault attacks are more powerful but more expensive   

## counter-measures and prevention

"if we keep computing we need c ounter-me a sures "   
OS - restrict certain things system can do   
s oftware layer - how will users use the system - how will the adversary misuse the system   
= changing the approach : from how will the user will use it to how will it be misused   

how to design to prevent side channel analysis?   
shift from observing a potential user to being observed by a potential adversary   

classic system designers   
how will the user use the system   
new designers   
how will the adversary misuse the system?   
problem: can you ever know all attacks?   
countermeasures are tailored to what we know   
preventing side-channel analysis (when is it analysis and when is it attack?)   

try to eliminate side channels   
noise generators   
balancing power consumption   
insert dummy operation => timing purposes (make software "time independent" which means making the run-time non correlative to the o   
in order to make all operations having same length (leaking useles infos)   

drains your battery   
h e ightens your ecological foot print

## methods for preventing side-channel analysis

* Make Software Time Independent : insert dummy operations (could these be deployed for aesthetic or other purposes instead of being purely dummy operations?)
* Randomizing Data - masking
* Randomizing Operation Order - shuffling, random delays (like when preventing theft : making measures to delay the intruder)
* Shielding - a Faraday cage
* Logic Styles

d ifferential power analysis   
question of how to isolate an algorithm when another process is occur r ing   
d ifferent attacker models

* one has device in advance and can manipulate it
* the other only can observe from a distance without prior knowledge
t ry to extract a model in order to make widely applicable counter measures
m asking   
b oolean masking < https://perso.uclouvain.be/fstandae/PUBLIS/49.pdf >  
r econstruction   
power analysis is probing   
if you have one probe, you can never fully retrieve the original value   
one observation reveals no information (probing model)  
w ith two observations you are able to remove one source of masking   
using 2 random values breaks masking (...)   
design new systems considering the new requirements:   
area, speed, power (old model)   
there is also an interest in considering security   
Intel SGX : < https://software.intel.com/en-us/blogs/2013/09/26/protecting-application-secrets-with-intel-sgx >
if you design software, you need to consider the hardware because hardware is the link between software and the real world   
push security down to low levels   
fault injections (laser)    
< http://cryptologie.net/home/all/3 >  

![]( http://cryptologie.net/upload/2016-08-18_11.41_.20_.jpg )

full architectural reports of chips!   
< https://www.texplained-store.com/en/5-architectural-reports >  
full scans of chips, so to know where to use the laser on, etc. (on SALE now!!)   
< https://www.texplained-store.com/en/3-images >  
let ' s buy some!   

is software and hardware the same thing?   
does the observation of software and hardware are distinct?    

VHDL: hardware description language   
xilinx design language - description file/configureation file in human readable form of native CIRCUIT description -> gets compiled - bitstream generator -> takes the machine version and configures trough 0s 1s the wires -> the gates   
so a data/descriptor file -> compiler -> circuit   

"Hardware for me is made of silicon, software a sequence of bits in a file . But naturally I am biased: I'm a hardware desginer so I like to consider it as unique and special".

"We are observing software through the hardware" ultimately starts and end with software

you have the algorithm and the device   
break the hardware by running some known software on it and the record a profile to build a model that then reveals the hardware (example of using software to break hardware)   
and in other contexts you can break the software using hardware   

"I totally forgot about punchcards "   
computers as people   
"my (m) other was a computer" [^mother]  
< https://library.memoryoftheworld.org/b/x1Ectf3ojxJTcaop8ivmZs1eeku8yYCz0bjnPgBItRmSlZuD >  
(sidenote: in dutch: 'rekenmeisje' of 'rekenaarster' = calculation girl / woman = fr: calculatrice )   
s earching for patterns? What is an electrical trace / recording of the operation of software on hardware?   

FPGA (field programmable gate array) = huge array of switches / user can program which gates are active > generate a hardware description using code (VHDL/ verilog)    
< https://en.wikipedia.org/wiki/Field-programmable_gate_array >  
programmable integrated circuit   
tons of gates   

reconfigurable computing is interesting for counter measures   
back to hardware programming   

parallelism and reducing (low level) variability   

"the mapping is not determ i nistic"   

last question: what are your tools?   

* m(e/a)thlab, toolbox
* matlab
* oscillo scopes (very cool ones)
* em probes (antennas) which let you localize measurements 

first ones to do side channel analysis were biologists, using old T ektronix oscilloscope with ph os ph orus screen, had to work at night to observe the peaks   

electr o magnetic probes to look for where the encryption is   
< http://www.tek.com/support/faqs/tektronix-near-field-probe-kit-tektronix-p-n-119-4146-00 >  
< http://gizmodo.com/why-mathematicians-are-hoarding-this-special-type-of-ja-1711008881 >  

Paul Kosher -> bio engineers doing side channel attacks  
F: 'software-curious' people  

[^mother]: F rom the introduction to My Mother was a computer : _In Neal Stephenson’s Cryptonomicon, the fictional mathematical genius Lawrence Pritchard Waterhouse is showing off his new mechanical invention to his supervisor, Lieutenant Colonel Earl Comstock. Comstock inquires: “If you had to give a name to the whole apparatus, what would you call it?” “Hmmm,” Waterhouse says. “Well, its basic job is to perform mathematical calculations—like a computer.” Comstock snorts, “A computer is a human being.”_  
The semantic shock the sentence is likely to give us today is rooted not only in the shift from human to machine labor, but also in the feeling that a kinship category essential to human society has been violated.