FASE: Finding Amplitude-modulated Side-channel Emanations

While all computation generates electromagnetic (EM) side-channel signals, some of the strongest and farthest-propagating signals are created when an existing strong periodic signal (e.g., a clock signal) becomes stronger or weaker (amplitude-modulated) depending on processor or memory activity. However, modern systems create emanations at thousands of different frequencies, so it is a difficult, error-prone, and time-consuming task to find those few emanations that are amplitude-modulated by processor/memory activity. This paper presents a methodology for rapidly finding such activity-modulated signals. The method creates recognizable spectral patterns using specially designed micro-benchmarks and then processes the recorded spectra to identify signals that exhibit amplitude-modulation behavior. We apply this method to several computer systems and find several such modulated signals. To illustrate how our methodology can benefit side-channel security research and practice, we also identify the physical mechanisms behind those signals, and find that the strongest signals are created by voltage regulators, memory refreshes, and DRAM clocks. Our results indicate that each signal may carry unique information about system activity, potentially enhancing an attacker's capability to extract sensitive information. We also confirm that our methodology correctly separates emanated signals that are affected by specific processor or memory activities from those that are not.
