Formal approaches to countering side-channel attacks

Cryptographic algorithms are often modeled as idealized mappings from input to output. This is a problematic oversimplification: an adversary determined to break a cryptosystem will use all available information and will not restrict itself to the analysis of ciphertexts and public key material. So-called side-channel attacks demonstrate that characteristics such as the timing behavior of an algorithm's implementation can be exploited effectively for cryptanalysis. In this thesis, we provide mathematically rigorous methods for the detection, quantification, and elimination of side-channels. We focus on side-channels due to timing behavior and on side-channels that arise from thread interleavings in multithreaded programs.

We present a novel method for detecting timing leaks in synchronous systems. The method is based on a parameterized, timing-sensitive notion of security that allows for fine-grained modeling of information leakage. We present an efficient decision procedure for system security and show how it can be implemented in standard model-checking tools.

We also present a model of adaptive side-channel attacks, in which each measurement may be chosen based on the outcomes of the previous ones, and combine it with information-theoretic metrics to quantify the information revealed to an attacker. This allows us to express an attacker's remaining uncertainty about a secret as a function of the number of side-channel measurements made. We present algorithms and approximation techniques for computing this measure. Furthermore, we demonstrate how both of our methods can be used to analyze the resistance of hardware implementations of cryptographic functions to timing attacks.

We also present a method to detect and eliminate side-channels due to thread interleavings in multithreaded programs. Our approach uses unification on sub-programs to enforce that a program's alternative execution paths do not reveal information about the secrets involved in branching decisions. We demonstrate that integrating our approach into an existing transforming type system improves the precision of the analysis and the quality of the resulting programs.
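As an added illustration of the two timing-related methods in the abstract (the timing-sensitive noninterference check for synchronous systems and the information-theoretic quantification of adaptive attacks), the following Python is not code from the thesis, which targets hardware descriptions analysed with model checkers. It models a toy square-and-multiply exponentiator with a constructed data-dependent cost model, decides timing-sensitive noninterference by enumerating every public input against every key, and computes the minimal remaining Shannon entropy of the key after the best adaptive strategy of n chosen-input timing measurements. The modulus N = 11, the 4-bit key space, the cost model, the two observation functions and all function names are assumptions chosen to keep the search exhaustive; `exp_const` is the hardened form that the check accepts.

```python
"""Added example, not from the thesis: a toy timing model of modular
exponentiation, a timing-sensitive noninterference check, and the minimal
remaining key entropy after n adaptive chosen-input timing measurements."""
from functools import lru_cache
from math import log2

N = 11                        # constructed toy modulus
BITS = 4                      # constructed toy key length: secrets are 0..15
KEYS = tuple(range(1 << BITS))
INPUTS = tuple(range(N))      # public bases the attacker may choose


def modmul_leaky(a, b):
    """Constructed cost model: one cycle per multiplication plus one extra cycle
    when the product has to be reduced (a*b >= N), mimicking the data-dependent
    extra reduction that classic timing attacks on RSA exploit."""
    prod = a * b
    return prod % N, 1 + (1 if prod >= N else 0)


def modmul_const(a, b):
    """Hardened variant: the reduction cycle is always paid, so cost is data-independent."""
    return (a * b) % N, 2


def exp_leaky(base, key):
    """Left-to-right square-and-multiply. Returns (result, per-operation cycle trace)."""
    r, trace = 1, []
    for i in reversed(range(BITS)):
        r, c = modmul_leaky(r, r)
        trace.append(c)
        if (key >> i) & 1:
            r, c = modmul_leaky(r, base)
            trace.append(c)
    return r, trace


def exp_const(base, key):
    """Square-and-multiply-always with constant-cost multiplication; the multiply
    is computed on every bit and its result discarded when the bit is 0."""
    r, trace = 1, []
    for i in reversed(range(BITS)):
        r, c = modmul_const(r, r)
        trace.append(c)
        t, c = modmul_const(r, base)
        trace.append(c)
        if (key >> i) & 1:
            r = t
    return r, trace


# What the attacker sees is a parameter of the security notion: the total
# running time, or the cycle count of every individual operation.
def total_time(trace):
    return sum(trace)


def full_trace(trace):
    return tuple(trace)


def distinguishing_inputs(exp, observe):
    """Timing-sensitive noninterference, decided by enumeration: for every public
    input the observation must be the same for all keys. Returns the inputs that
    violate this; an empty list means the implementation is secure in this model."""
    return [m for m in INPUTS if len({observe(exp(m, k)[1]) for k in KEYS}) > 1]


def remaining_entropy(exp, observe, n):
    """Minimal expected Shannon entropy of a uniformly distributed key after the
    best adaptive strategy of n measurements: each input is chosen knowing all
    earlier observations, so the search recurses over the block of keys still
    consistent with them and minimises over the next input at every node."""
    @lru_cache(maxsize=None)
    def best(block, steps):
        # accumulates the sum over final blocks B of |B| * log2|B|; divided by |KEYS| below
        if steps == 0 or len(block) == 1:
            return len(block) * log2(len(block))
        scores = []
        for m in INPUTS:
            split = {}
            for k in block:
                split.setdefault(observe(exp(m, k)[1]), []).append(k)
            scores.append(sum(best(tuple(b), steps - 1) for b in split.values()))
        return min(scores)
    return best(KEYS, n) / len(KEYS)


if __name__ == "__main__":
    for name, exp in (("leaky", exp_leaky), ("constant-time", exp_const)):
        print(name, "inputs whose timing depends on the key:",
              distinguishing_inputs(exp, total_time))
        print(name, "H(key | n adaptive timings), n = 0..3:",
              [round(remaining_entropy(exp, total_time, n), 3) for n in range(4)])
```

Running the block prints, for each implementation, the public inputs on which timing depends on the key and the entropy curve for n = 0..3. For the leaky exponentiator the curve starts at 4 bits and drops after a single measurement (on base 1 the running time is simply BITS plus the key's Hamming weight); for the constant-time variant it stays at 4 bits for every n, which is exactly what the noninterference check already guarantees. Swapping `total_time` for `full_trace` shows how the choice of observation changes the verdict: a finer observation can only lower the remaining entropy.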
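The thread-interleaving method, as an added example that is not the thesis's own code: a tiny command language run under a deterministic round-robin scheduler, a program whose secret-dependent conditional has branches of unequal length so that a concurrent thread's race against the assignment that follows the conditional decides the final public value, and a transformation that pads each branch with a skip-only copy of the other so both paths take the same number of steps. The padding is Agat-style cross-copying, a simpler scheme than the unification on sub-programs the thesis uses. The command syntax, the scheduler, the policy that only `h` is secret, and the assumption that branches of a secret conditional do not assign public variables (what a flow-sensitive type system would enforce) are all constructed for this example.

```python
"""Added example, not from the thesis: internal timing channels in a tiny
multithreaded language and a padding transformation that closes them."""

HIGH = {"h"}   # constructed policy: variable h is secret, everything else is public

# Commands: ("skip",), ("assign", var, value_or_var), ("if", guard_var, then_cmds, else_cmds).
# Each command costs one scheduler step; a branch's body is executed after its "if".


def value(state, v):
    return state[v] if isinstance(v, str) else v


def run(threads, state):
    """Run all threads to completion under a deterministic round-robin scheduler,
    one atomic command per live thread per round. Returns the final state."""
    stacks = [list(t) for t in threads]
    state = dict(state)
    while any(stacks):
        for st in stacks:
            if not st:
                continue
            cmd = st.pop(0)
            if cmd[0] == "assign":
                state[cmd[1]] = value(state, cmd[2])
            elif cmd[0] == "if":
                st[0:0] = cmd[2] if state[cmd[1]] else cmd[3]
    return state


def low_view(state):
    return tuple(sorted((k, v) for k, v in state.items() if k not in HIGH))


def leaks_secret(threads, initial_low, secrets):
    """The program leaks if the publicly visible final state differs for some
    pair of secret values; with a fixed scheduler and no direct flows that
    difference can only come from the interleaving, i.e. an internal timing channel."""
    views = {low_view(run(threads, {**initial_low, "h": h})) for h in secrets}
    return len(views) > 1


def dummy(cmds):
    """Skip-only copy of cmds with the same step count: assignments become skips,
    conditionals keep their shape so the path length is preserved."""
    return [("if", c[1], dummy(c[2]), dummy(c[3])) if c[0] == "if" else ("skip",) for c in cmds]


def close_timing_channels(cmds):
    """Cross-copying: every conditional on a secret gets each branch extended with
    a dummy copy of the other, so both paths take the same number of steps.
    Assumes (as the usual type system enforces) that branches of a secret
    conditional do not assign public variables."""
    out = []
    for c in cmds:
        if c[0] != "if":
            out.append(c)
            continue
        _, guard, then_b, else_b = c
        then_b, else_b = close_timing_channels(then_b), close_timing_channels(else_b)
        if guard in HIGH:
            then_b, else_b = then_b + dummy(else_b), dummy(then_b) + else_b
        out.append(("if", guard, then_b, else_b))
    return out


# Constructed program: the secret picks a long or a short branch, and a second
# thread races the assignment to l that follows the conditional.
THREAD_A = [("if", "h", [("skip",), ("skip",), ("skip",)], [("skip",)]),
            ("assign", "l", 1)]
THREAD_B = [("skip",), ("skip",), ("assign", "l", 2)]
PROGRAM = [THREAD_A, THREAD_B]
HARDENED = [close_timing_channels(THREAD_A), THREAD_B]

if __name__ == "__main__":
    for h in (0, 1):
        print("h =", h, "original l =", run(PROGRAM, {"l": 0, "h": h})["l"],
              "hardened l =", run(HARDENED, {"l": 0, "h": h})["l"])
    print("original leaks:", leaks_secret(PROGRAM, {"l": 0}, (0, 1)))
    print("hardened leaks:", leaks_secret(HARDENED, {"l": 0}, (0, 1)))
```

In the original program thread A reaches `l := 1` before thread B's `l := 2` only when the secret selects the short branch, so the final value of `l` is 2 for h = 0 and 1 for h = 1 even though no command ever copies `h` into a public variable. After cross-copying both branches have four steps, the race resolves the same way for every secret, and the leak check passes. The price is the one the thesis's unification approach aims to reduce: every padded branch now executes the other branch's worth of dummy steps.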