Cache-Timing Attacks Still Threaten IoT Devices

Deployed widely and holding sensitive data, IoT devices depend on reliable cryptographic libraries to protect user information. However, when implemented on real systems, cryptographic algorithms are vulnerable to side-channel attacks that exploit their execution behaviour, which can be revealed by measurements of physical quantities such as timing or power consumption. Countermeasures can be implemented to prevent those attacks, but they are generally designed at the level of a high-level description, and once implemented some residual leakage may persist. In this article we propose a methodology to assess the robustness of the MbedTLS library against timing and cache-timing attacks. This comprehensive study of side-channel security allows us to identify the most frequent weaknesses in software cryptographic code and how they might be fixed. The methodology checks the whole source code used by the final application, from the top-level routines down to the low-level primitives. We retrieve hundreds of lines of code that leak sensitive information.
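As an added illustration (not code from the paper or from MbedTLS), the two leakage patterns such a source-level review most often flags, each beside a hardened form: a table lookup whose address depends on a secret (cache-timing) and a comparison that exits early (timing). The S-box and tags are constructed sample data; whether the compiler preserves the branch-free shape is exactly what a binary-level check, as the article describes, must confirm.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed 16-entry table standing in for a cipher S-box (not MbedTLS's). */
static const uint8_t SBOX[16] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 };

/* Constructed sample authentication tags; they differ only in the last byte. */
static const uint8_t TAG_A[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t TAG_B[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05 };

/* Leaky: which cache line is touched depends on the secret index. */
uint8_t sbox_lookup_leaky(uint8_t secret_idx) {
    return SBOX[secret_idx & 0x0f];
}

/* Hardened: touch every entry and select with an arithmetic mask, so the address trace is the same for every index. */
uint8_t sbox_lookup_ct(uint8_t secret_idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < 16; i++) {
        uint8_t diff = (uint8_t)i ^ (uint8_t)(secret_idx & 0x0f);
        uint8_t mask = (uint8_t)(((uint32_t)diff - 1u) >> 24); /* 0xff iff diff == 0 */
        out |= SBOX[i] & mask;
    }
    return out;
}

/* Leaky: early exit makes the running time reveal the first mismatching byte. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Hardened: always reads all n bytes; the verdict is derived without a branch. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    return (int)((((uint32_t)acc) - 1u) >> 31);   /* 1 iff acc == 0 */
}

/* The hardened routines must return exactly the same values as the leaky ones. */
int self_check(void) {
    for (int i = 0; i < 256; i++)
        if (sbox_lookup_ct((uint8_t)i) != sbox_lookup_leaky((uint8_t)i)) return 0;
    return tag_equal_ct(TAG_A, TAG_A, 8) == 1 && tag_equal_ct(TAG_A, TAG_B, 8) == 0;
}
int main(void) { return self_check() ? 0 : 1; }
```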
