TRX Technical Labs CSAW ESC 2021 Qualification Report
Technical track
Abstract—Side-channel attacks are attacks that rely on information leaked from a system during its operation. The source of this information is often a physical effect dependent on the implementation of the system, such as power consumption, electromagnetic radiation, or high-resolution timing measurements. Another class of hardware attacks consists of inducing faults in the system – placing it outside of its normal operating range – to obtain additional information.

A wide range of hardware and software mitigations have been designed to protect against such attacks. However, cost constraints and the broader availability of measurement devices make it difficult to defend against them completely.

This work will first examine which attacks are practical in terms of reliability, cost, required access, and knowledge of the target system. Then, we will outline how we intend to apply these attacks on a ChipWhisperer board for the final round.

Index Terms—side-channel attacks; fault-injection attacks;

I. INTRODUCTION

A Side-Channel Attack (SCA) passively exploits measurable differences between program executions to recover data that are supposed to remain secret. Examples of such side effects are execution time [1] – like a cryptographic operation executing faster or slower according to the value of a private key – or power consumption [2] – like an operation drawing more power according to the value of a secret key.

A Fault Injection Attack (FIA) actively exploits the target by constantly perturbing it with ad-hoc generated signals (or waves). Such attacks can lead to the recovery of sensitive data or the modification of memory content.

The practicability of SCAs and FIAs has multiple evaluation criteria. Such attack techniques may rely on the precision of time measurements or on accurate synchronization with external sources, so the reliability of the attack is not always guaranteed. The implementation costs may also be an obstacle, since some attack scenarios may need sophisticated technological support with potentially high-cost investments. Another essential aspect to take care of is the required physical access to and knowledge of the target system. Some attacks may also need additional tools and abilities to access lower levels of the hardware target.

We will provide the reader with an overview of practical attack strategies and techniques able to bypass currently implemented mitigations against both SCAs and FIAs.

II. CLASSICAL ATTACKS

A. Side-channels

1) Timing Side-Channels: Timing side-channel attacks are based on the amount of time needed to perform some operations. They are especially dangerous when the computation being attacked involves data that is supposed to remain secret, such as a cryptographic (secret) key.

The core of the attack lies in the fact that different operations take different times to execute. If the attacker can precisely measure such timings, they may be able to work their way back to the input that is being evaluated. Perhaps the best-known example of a timing side-channel is the square-and-multiply algorithm, widely used in cryptography to evaluate (modular) exponentiations. Let us take into consideration the following implementation of the square-and-multiply algorithm in Python.

    1  def square_and_multiply(b, exp, mod):
    2      t = 1
    3      while exp > 0:
    4          if (exp & 0b1) != 0:      # multiply only when the current exponent bit is set
    5              t = (t * b) % mod
    6          b = (b ** 2) % mod         # square in every iteration
    7          exp >>= 1
    8      return t % mod

It is easy to see how different inputs can cause the algorithm to behave differently: if the exponent is of the form 2^k, the body of the if in line 4 will be executed only once, whereas if the exponent is of the form 2^k − 1, the same body will be executed in every iteration.

Suppose the attacker can measure the algorithm's evaluation time on different inputs with a fixed exponent. In that case,
they can recover the exponent in its entirety using statistical correlation-based methods. Recall that in many practical use cases, the exponent represents sensitive information, like a private key or a nonce that is supposed to remain secret.

While timing side-channel attacks are often performed on hardware devices, that is not always the case. When the attacker can measure timings with high precision – and is therefore less influenced by noise – web servers running cryptographic primitives (OpenSSL) are vulnerable as well, as shown by Brumley and Boneh in [3].

The most robust software-based countermeasure against this type of attack is constant-time programming. A routine is considered constant-time if its control flow and data accesses are not influenced in any way by the inputs that are supposed to remain secret.

While it may seem like a hard property to enforce, some tools are able to transform non-constant-time programs into constant-time ones at compile time [4], [5].

2) Power Side-Channels: Like timing side-channel attacks, power side-channel attacks allow an attacker to recover sensitive information by tracing the power consumption of a device.

The simplest form of power side-channel is usually referred to as simple power analysis (SPA). It involves the interpretation of the power traces measured while the device is performing some sensitive operation (e.g., encrypting some data).

Referring to the example of the square-and-multiply algorithm, the aforementioned naive implementation allows an attacker to recover the exponent by observing only one exponentiation. This is possible because the squaring operation requires a different amount of electrical power compared to the multiplication. The attacker can therefore recover the exponent one bit at a time by a simple analysis of the power trace.

A simple countermeasure would be to transform the squaring into a multiplication of b by itself or to rewrite the multiplication as the difference of two squares [6]. The problem with this simplistic approach lies in the fact that the exponentiation is still not constant time, so the Hamming weight of the exponent can still be leaked through timing analysis. A possible solution to this problem is to insert a "dummy" multiplication, making the routine constant time but also slower.

    def square_and_multiply(b, exp, mod):
        t = 1
        while exp > 0:
            if (exp & 0b1) != 0:
                t = (t * b) % mod
            else:
                _ = (t * t) % mod   # dummy multiplication: same work, result discarded
            b = (b ** 2) % mod
            exp >>= 1
        return t % mod

A more advanced type of power analysis, differential power analysis, consists of observing different traces of the encryption routine and trying to recover the key using statistical correlation methods. Such sophisticated techniques allow the attack of more complex algorithms such as AES.

A simple example of how such an attack could leak the first byte of an AES key is the following. First, observe the trace of the encryption of a message m using an unknown key k. Then, observe the traces generated by the encryption of m using 256 sequences of keys, each starting with a different byte and followed by 15 random bytes. The byte that produces traces that are, on average, closer to the original one is the most likely to be the first byte of the secret key. The same process can then be carried out to recover the remaining bytes.

B. Fault Injection

Fault injection attacks involve the stimulation of a device or system under test beyond its intended operating conditions. Assuming a hardware system as the target, examples of faults include changing the device's temperature beyond the recommended thresholds or changing the voltage of the power supply.

A recent survey [7] classifies fault injection attacks into two pairs of orthogonal macro-categories: transient vs permanent, and invasive vs non-invasive. An attack is categorized as transient if, as the name suggests, it does not permanently modify the device, whose functionalities can be restored with a software restart or a hardware reset. On the other hand, non-transient attacks permanently modify the state of the device, making its restoration impossible. Orthogonally, an invasive attack – as opposed to a non-invasive one – requires the modification of the device either during the preparation or during the execution of the attack. An example of invasive modification is the depackaging of the device to access its inner components.

We will now review the most common fault injection attacks targeting hardware devices, discussing their practicality in terms of reliability, cost, required access, and knowledge of the target system.

1) Voltage Modification Attacks: Voltage modification attacks involve the modification of the voltage of the target's power supply, possibly inducing bit flips in memory, a misinterpretation of the current instruction to be executed, or the skip of one or multiple instructions. The induced modification in the behavior of the target device can be exploited in various ways; for example, the NCC Group in [8] used a voltage modification attack to skip the signature verification check in the boot loader of a MediaTek MT8163V system-on-a-chip equipped with an ARM Cortex-A53 processor.

The strength of these attacks lies in the relatively cheap equipment needed, often field-programmable gate-array (FPGA) development boards to control the power input.

2) Clock Glitch Attacks: Clock glitch attacks involve the modification of the clock signal's logic level by inducing a short clock signal such that the device operates at frequencies out of specification. This leads to timing violations of registers and results in undefined behaviour. The effects of these attacks can affect both the control flow and data. The diversion of the control flow, e.g. early exit from loops and crashes, can be very effective when attacking bad implementations of password checkers. Data changes can lead to extremely powerful attacks, in particular against cryptographic algorithms. For example, Agoyan et al. in [9] used a Delayed Locked Loop (DLL) based FPGA platform to successfully attack an FPGA AES implementation by inducing a one-bit fault.

3) Heating Attacks: Heating attacks involve the usage of laser radiation as a heat source to induce memory errors that could potentially enable sensitive information to be deduced. The idea behind the attack is that by heating up the semiconductors used in the building of nonvolatile memories, e.g. EEPROM and flash, the memory content could be modified, leading to severe security issues such as leakage of secret cryptographic keys. For example, Skorobogatov et al. in [10] used an inexpensive laser-diode module mounted on a microscope to heat up memory cells inside a memory array and successfully alter memory content.

4) Ion Beam Fault Injections: Ion-based attacks involve the use of ion beams to irradiate transistors with the intention of introducing transient logic errors. These errors can be exploited, for example, to induce decryption faults. For example, Li et al. in [11] used an ion-based attack to introduce exploitable decryption errors in a cryptographic field-programmable gate-array (FPGA) circuit.

While effective due to the high spatial precision of ion beams, these types of attacks are very expensive and require specialized experts and expensive equipment. As an example, Li et al. in [11] estimate the cost of an ion-beam attack in the order of $100,000.

5) Laser Beam Fault Injections: Laser beam attacks use an intense source of light (either visible or not) to induce single event upsets (e.g., a bit flip) in the target device. As for the ion-beam attacks, these types of fault injections can also cause exploitable modifications of the state of the target device. For example, Vasselle et al. in [12] use a laser beam to bypass secure boot on an Android smartphone by modifying the TrustZone NS-bit [13].

6) Electromagnetic Pulse Attacks: Electromagnetic pulse attacks involve the usage of an active probe to apply an intense and transient magnetic field on a microprocessor. For example, Debhaoui et al. in [14] used electromagnetic pulses to inject transient faults into the calculations of a RISC micro-controller running the AES algorithm to recover the secret key using Differential Fault Analysis (DFA).

III. APPLYING THE ATTACKS ON A CHIPWHISPERER BOARD

The ChipWhisperer Nano [15] is an open-source toolchain for side-channel power analysis and glitching attacks; the objective of the project is to simplify the setup of the hardware for side-channel attacks.

To perform a side-channel attack, we need two things:
• A capture board: a board with special hardware that is used to capture very small signals with a precisely synchronized clock;
• A target board: a processor programmed to perform some kind of secure operation.

The ChipWhisperer Nano board includes both a target device, in the form of an STM32F030F4P6 microcontroller, and a capture system implemented using an ATSAM4S chip and a dedicated 8-bit ADC. In this section we will walk through an example attack that can be executed on the ChipWhisperer Nano board.

A. Power trace assisted brute force

Let us consider the simple password comparison that stops at the first wrong character in the input string.

    #include <stdbool.h>

    /* Returns at the first mismatching byte, so the number of loop iterations
       performed depends on how many leading characters of the input are correct. */
    bool check_password(char* input, char* password, int len) {
        for (int i = 0; i < len; i++) {
            if (input[i] != password[i])
                return false;
        }
        return true;
    }

Using the ChipWhisperer Python API [16] we set up the scope for power tracing, send a candidate for the password over serial to the target device and read back the power consumption of the device over time. By repeating the procedure for all possible bytes we can brute-force the password one character at a time, drastically reducing the search space and thus making the attack feasible.

    import chipwhisperer as cw

    scope = cw.scope(scope_type=cw.scopes.CWNano)
    target = cw.target(scope)
    scope.default_setup()

    candidates = [...]   # one candidate password per byte value to try

    for password in candidates:
        scope.arm()                           # wait for the trigger raised by the target
        target.write(password)                # send the candidate over serial
        scope.capture()                       # record the samples once the trigger fires
        power_trace = scope.get_last_trace()

        [...]

In this example we use the scope's default setup, which captures 5000 ADC samples on a 7.5 MHz clock, but the values can be altered as needed if a higher precision or a longer sampling time is required for the specific target under attack.

For each key position, we then decide which of the candidates is the most likely based on the resulting power traces. Since we expect all traces that have an invalid character to behave in the same way, we can calculate the correlation coefficient between all traces and the trace of a known invalid byte (for example, 0xff), and expect all but one to have very high correlation. If this is the case, the character corresponding to the least correlated trace is the next character of the recovered password. If not, we can deduce that no more characters are needed and the password is fully recovered by the attack.

The assumption that we can get a known invalid byte is not fundamental, and if the device under attack forbids it (for example, by checking that the password is printable before verifying it), the attack can still work. In this case, we can use any of the obtained traces as the reference, and then handle the two possible scenarios separately. If all remaining traces have a low correlation with the reference, the reference itself corresponds to the correct input byte. If instead we find all but one to be highly correlated, we can infer that the chosen trace is wrong and proceed as before.
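The decision rule just described, as an added example that is not part of the report: a small Python model in which synth_trace stands in for scope.get_last_trace(), with a constructed leakage model of the early-exit loop, a constructed secret and an assumed correlation threshold; a constant-time variant of the comparison is included to show what the same procedure learns once the loop no longer stops at the first wrong byte.

```python
# Added example, not code from the report: the per-position decision rule of
# Section III-A run over constructed traces. Leakage model, threshold and secret
# are made up for the demo; a real run would feed scope.get_last_trace() instead.
import random
from math import sqrt

CMP = [1.0, 2.0, 1.5, 0.5]   # modelled burst of one byte comparison
GRANT = [3.0] * 8            # modelled burst of the code run after a full match
IDLE, SAMPLES = 0.2, 40      # idle level and trace length (constructed)
HIGH_CORR = 0.9              # assumed threshold for "highly correlated"

def synth_trace(guess, secret, rng=None, constant_time=False):
    """Power trace of check_password(guess, secret): one CMP burst per byte
    compared, GRANT if everything matched, idle samples and noise otherwise."""
    rng = rng or random.Random(0)
    matched = 0
    while matched < min(len(secret), len(guess)) and guess[matched] == secret[matched]:
        matched += 1
    # the report's loop stops at the first wrong byte; a hardened loop compares all
    n_cmp = len(secret) if constant_time else min(matched + 1, len(secret))
    samples = CMP * n_cmp + (GRANT if matched == len(secret) else [])
    samples += [IDLE] * (SAMPLES - len(samples))
    return [s + rng.gauss(0, 0.05) for s in samples]

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length traces."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx, syy = sum((a - mx) ** 2 for a in x), sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy)

def next_byte(traces, reference_byte=None):
    """Decide the next byte from {candidate byte: trace}. With a known-invalid
    reference the single outlier is the answer and no outlier means the password
    is complete; with reference_byte=None an arbitrary candidate is the reference,
    so 'everything else is an outlier' means the reference itself was right."""
    ref = reference_byte if reference_byte is not None else next(iter(traces))
    corr = {b: pearson(traces[b], traces[ref]) for b in traces if b != ref}
    low = [b for b, c in corr.items() if c < HIGH_CORR]
    if len(low) == 1:
        return low[0]
    if reference_byte is None and len(low) == len(corr):
        return ref
    if not low:
        return None
    raise ValueError("traces fit neither scenario: %d outliers" % len(low))

def recover(secret, constant_time=False, reference_byte=0xff, seed=1):
    """Byte-by-byte procedure on synthetic traces; returns what could be learned."""
    rng, found = random.Random(seed), b""
    while len(found) <= len(secret):
        traces = {b: synth_trace(found + bytes([b]), secret, rng, constant_time)
                  for b in range(256)}
        nxt = next_byte(traces, reference_byte)
        if nxt is None:
            break
        found += bytes([nxt])
    return found
```

recover(b"s3cr") returns the whole constructed secret, while recover(b"s3cr", constant_time=True) returns b"" because every candidate trace correlates equally well with the reference and no byte can be singled out.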
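Returning to the three square-and-multiply variants of Section II-A (the naive listing, squaring rewritten as b*b, and the dummy-multiplication listing), an added example that is not part of the report: every multiplier call is logged, so the log plays the role of the instruction-pattern trace that Section III-B looks for and its length the role of a timing measurement. Base, modulus and exponents are constructed values.

```python
# Added example, not code from the report: an operation-level leakage model of
# the square-and-multiply variants of Section II-A. 'S' marks a dedicated
# squaring, 'M' any multiplication; the log is the SPA view, its length the timing view.

def modexp(b, exp, mod, variant="naive", ops=None):
    """Right-to-left square-and-multiply as in the report, logging multiplier
    calls into `ops`. Variants: 'naive' (first listing), 'mul_sq' (squaring
    rewritten as b*b), 'dummy' (second listing, discarded multiply on 0 bits)."""
    if ops is None:
        ops = []
    t = 1
    while exp > 0:
        if exp & 1:
            t = (t * b) % mod
            ops.append("M")
        elif variant == "dummy":
            _ = (t * t) % mod          # same work as the real multiply, result unused
            ops.append("M")
        if variant == "naive":
            b = (b ** 2) % mod         # a squaring unit looks different from a multiply
            ops.append("S")
        else:
            b = (b * b) % mod          # ordinary multiply: indistinguishable from t*b
            ops.append("M")
        exp >>= 1
    return t

def op_trace(exp, variant):
    """The 'S'/'M' sequence a single exponentiation would expose (SPA view)."""
    ops = []
    modexp(3, exp, 1000003, variant, ops)   # constructed base and modulus
    return "".join(ops)

def exponent_from_naive_trace(trace):
    """Reads the exponent back from a naive-variant trace: each 'S' closes one
    loop iteration, whose bit is 1 exactly when an 'M' preceded that 'S'."""
    bits, pending = [], 0
    for op in trace:
        if op == "M":
            pending = 1
        else:
            bits.append(pending)
            pending = 0
    return sum(bit << i for i, bit in enumerate(bits))

def count_depends_on_secret(variant, exponents):
    """Timing view: True when the operation count varies across exponents of the
    same bit length, i.e. when total time leaks the exponent's Hamming weight."""
    counts = {len(op_trace(e, variant)) for e in exponents}
    return len(counts) > 1

if __name__ == "__main__":
    same_length = [0b1000, 0b1011, 0b1111]                       # all 4-bit exponents
    print(op_trace(0b1011, "naive"))                             # MSMSSMS
    print(exponent_from_naive_trace(op_trace(0b1011, "naive")))  # 11
    for v in ("naive", "mul_sq", "dummy"):
        print(v, count_depends_on_secret(v, same_length))        # True, True, False
```

Only the dummy-multiplication variant gives the same count for every 4-bit exponent; the b*b rewrite hides the bit pattern but still leaks the Hamming weight through the count, exactly as the text states.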
B. Other attacks

The previous example shows the basic attack workflow, but in general we don't expect the code to fail immediately on a wrong character, especially if it was developed keeping timing side-channels in mind. We can however try and look at patterns in the power trace that correspond to different instructions, to extract information on what is being executed and deduce whether our input is correct or not.

IV. CONCLUSION

In this report, we presented an overview of existing attack techniques that use side-channel and fault-injection attacks, both at software level and hardware level. The presented attacks can be practically performed according to multiple evaluation criteria, both in terms of economic costs, like the need for specific hardware, and reliability.

REFERENCES

[1] P. C. Kocher, "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," in Annual International Cryptology Conference. Springer, 1996, pp. 104–113.
[2] M. Lipp, A. Kogler, D. Oswald, M. Schwarz, C. Easdon, C. Canella, and D. Gruss, "PLATYPUS: Software-based power side-channel attacks on x86," in 2021 IEEE Symposium on Security and Privacy (SP), 2021, pp. 355–371.
[3] D. Brumley and D. Boneh, "Remote timing attacks are practical," in 12th USENIX Security Symposium (USENIX Security 03). Washington, D.C.: USENIX Association, Aug. 2003. [Online]. Available: https://www.usenix.org/conference/12th-usenix-security-symposium/remote-timing-attacks-are-practical
[4] P. Borrello, D. C. D'Elia, L. Querzoni, and C. Giuffrida, "Constantine: Automatic side-channel resistance using efficient control and data flow linearization," in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '21. Association for Computing Machinery, 2021.
[5] L. Soares and F. M. Q. Pereira, "Memory-safe elimination of side channels," in Proceedings of the 2021 IEEE/ACM International Symposium on Code Generation and Optimization, ser. CGO 2021, 2021 (to appear).
[6] C. Negre and T. Plantard, "Efficient regular modular exponentiation using multiplicative half-size splitting," Journal of Cryptographic Engineering, vol. 7, no. 3, pp. 245–253, Sep 2017. [Online]. Available: https://doi.org/10.1007/s13389-016-0134-5
[7] C. Shepherd, K. Markantonakis, N. van Heijningen, D. Aboulkassimi, C. Gaine, T. Heckmann, and D. Naccache, "Physical fault injection and side-channel attacks on mobile devices: A comprehensive survey," CoRR, vol. abs/2105.04454, 2021. [Online]. Available: https://arxiv.org/abs/2105.04454
[8] NCC Group, "There's a hole in your SoC: Glitching the MediaTek BootROM," https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/, 2020.
[9] M. Agoyan, J.-M. Dutertre, D. Naccache, B. Robisson, and A. Tria, "When clocks fail: On critical paths and clock faults," vol. 6035, Apr. 2010, pp. 182–193.
[10] S. Skorobogatov, "Local heating attacks on flash memory devices," in 2009 IEEE International Workshop on Hardware-Oriented Security and Trust, 2009, pp. 1–6.
[11] H. Li, G. Du, C. Shao, L. Dai, G. Xu, and J. Guo, "Heavy-ion microbeam fault injection into SRAM-based FPGA implementations of cryptographic circuits," IEEE Transactions on Nuclear Science, vol. 62, no. 3, pp. 1341–1348, 2015.
[12] A. Vasselle, H. Thiebeauld, Q. Maouhoub, A. Morisset, and S. Ermeneux, "Laser-induced fault injection on smartphone bypassing the secure boot," in 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2017, pp. 41–48.
[13] ARM, "Arm TrustZone technology," https://developer.arm.com/ip-products/security-ip/trustzone, 2009.
[14] A. Debhaoui, J.-M. Dutertre, B. Robisson, P. Orsatelli, P. Maurine, and A. Tria, "Injection of transient faults using electromagnetic pulses: Practical results on a cryptographic system," Cryptology ePrint Archive, Report 2012/123, 2012. [Online]. Available: https://hal-emse.ccsd.cnrs.fr/emse-00742850
[15] "ChipWhisperer Nano." [Online]. Available: https://rtfm.newae.com/Capture/ChipWhisperer-Nano.html
[16] "ChipWhisperer Nano API documentation." [Online]. Available: https://chipwhisperer.readthedocs.io/en/latest/api.html#api-scope-cwnano