Déjà Vu: Side-Channel Analysis of Mozilla's NSS

Recent work on Side-Channel Analysis (SCA) keeps targeting old, well-known vulnerabilities, some of them previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a major issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not made directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting the DSA, ECDSA, and RSA cryptosystems. We exploit these vulnerabilities and implement key recovery attacks using signals extracted through different techniques (timing, microarchitectural, and EM) together with improved lattice methods.
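The lattice key-recovery step the abstract refers to, as an added example that is neither NSS code nor the authors' tooling: a toy DSA-style signer, a simulated side channel that hands the attacker only signatures whose nonces have LEAKED_BITS leading zero bits (the kind of information a nonce-length timing leak gives), and a hidden-number-problem lattice reduced with a pure-Python LLL that recovers the private key from eight such signatures. Everything here is constructed: Q = 2^61 - 1 stands in for a real 256-bit group order, r is computed as 3^k mod Q rather than from the group operation (the attack only uses the triples (h, r, s)), and the names sign, leaky_signatures, lll, recover_key and demo are this example's own.

```python
"""Hidden-number-problem lattice attack on DSA-style signatures with partially known nonces.

Added example, not NSS code. Constructed parameters: Q = 2^61 - 1 stands in for the
group order, and the side channel is simulated by handing the attacker signatures whose
nonces have LEAKED_BITS leading zero bits.
"""
from fractions import Fraction
import random

Q = (1 << 61) - 1                 # toy group order (Mersenne prime); real (EC)DSA uses ~256 bits
NONCE_BITS = 61
LEAKED_BITS = 20                  # nonce bits the simulated timing channel reveals to be zero
UNKNOWN_BITS = NONCE_BITS - LEAKED_BITS


def sign(x, h, k):
    """DSA-style signature equation s = k^-1 * (h + x*r) mod Q.
    r = 3^k mod Q is a stand-in for the group-derived r; the attack only uses (h, r, s)."""
    r = pow(3, k, Q)
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s


def leaky_signatures(x, count, rng):
    """Simulated side channel: the attacker keeps only signatures whose nonce it has
    observed (e.g. via timing) to be shorter than UNKNOWN_BITS bits."""
    sigs = []
    for _ in range(count):
        k = rng.randrange(1, 1 << UNKNOWN_BITS)
        h = rng.randrange(1, Q)
        sigs.append((h,) + sign(x, h, k))
    return sigs


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over exact rationals: fine for dimension ~10, use fplll/BKZ for real attacks."""
    b = [[Fraction(v) for v in row] for row in basis]
    n = len(b)

    def gram_schmidt():
        bstar, norms, mu = [], [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = _dot(b[i], bstar[j]) / norms[j]
                v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
            bstar.append(v)
            norms.append(_dot(v, v))
        return norms, mu

    norms, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):              # size-reduce b_k against b_j (b*_k unchanged)
            c = round(mu[k][j])
            if c:
                b[k] = [vk - c * vj for vk, vj in zip(b[k], b[j])]
                for i in range(j):
                    mu[k][i] -= c * mu[j][i]
                mu[k][j] -= c
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:
            k += 1                                   # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            norms, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def recover_key(sigs, unknown_bits):
    """Each signature gives k_i = t_i*x + u_i (mod Q) with 0 <= k_i < 2^unknown_bits.
    Centre the unknowns and embed them in a lattice whose shortest vector reveals x."""
    m = len(sigs)
    bound = 1 << (unknown_bits - 1)                  # |k_i - bound| <= bound after centring
    t, u = [], []
    for h, r, s in sigs:
        s_inv = pow(s, -1, Q)
        t.append(s_inv * r % Q)
        u.append((s_inv * h - bound) % Q)
    basis = [[Q if j == i else 0 for j in range(m + 2)] for i in range(m)]
    basis.append(t + [Fraction(bound, Q), 0])        # x * this row ...
    basis.append(u + [0, bound])                      # ... + this row = (k_i - bound, x*bound/Q, bound)
    for row in lll(basis):
        if abs(row[-1]) != bound:
            continue
        if row[-1] < 0:
            row = [-v for v in row]
        x = int(row[m] * Q / bound) % Q
        # accept only if every implied nonce respects the leaked bound (needs no secret knowledge)
        if all((ti * x + ui + bound) % Q < (1 << unknown_bits) for ti, ui in zip(t, u)):
            return x
    return None


def demo(seed=2024, signatures=8):
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    found = recover_key(leaky_signatures(x, signatures, rng), UNKNOWN_BITS)
    return {"key": x, "recovered": found}


if __name__ == "__main__":
    result = demo()
    print("private key:", hex(result["key"]))
    print("recovered:  ", None if result["recovered"] is None else hex(result["recovered"]))
```

In a real attack the nonce-length filter comes from the measured signal (hundreds of signatures leaking only a few bits each) and the reduction is done with fplll/BKZ on a 256-bit Q; the scaling of the last two rows and the centring of the k_i are the parts that carry over unchanged, and the final bound check is what lets the attacker confirm a candidate key without the public key.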
