Capacity of the EM Covert/Side-Channel Created by the Execution of Instructions in a Processor

The goal of this paper is to answer how much information is “transmitted” by the execution of particular sequence of instructions in a processor. Introducing such a measure would provide quantitative guidance for designing programs and computer hardware that minimizes inadvertent (side channel) information leakage, and would also help detect parts of a program or hardware design that have unusually high leakage (i.e., were designed to function as covert channel “transmitters”). To answer this question, we propose a new method to estimate the maximum information leakage through EM signals generated by the execution of instructions in a processor. We start by deriving a mathematical relationship between electromagnetic side-channel energy of individual instructions and the measured pairwise side-channel signal power. Then, we use this measure to calculate the transition probabilities needed for estimating capacity. Finally, we propose a new method to estimate side/covert channel capacity created by the execution of instructions in a processor and illustrate our results in several computer systems.

[1]  Albrecht Rüdiger,et al.  Spectrum and spectral density estimation by the Discrete Fourier transform (DFT), including a comprehensive list of window functions and some new at-top windows , 2002 .

[2]  Daniel Genkin,et al.  Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation , 2015, CHES.

[3]  Jonathan K. Millen,et al.  Covert Channel Capacity , 1987, 1987 IEEE Symposium on Security and Privacy.

[4]  Milos Prvulovic,et al.  Experimental Demonstration of Electromagnetic Information Leakage From Modern Processor-Memory Systems , 2014, IEEE Transactions on Electromagnetic Compatibility.

[5]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[6]  Ross J. Anderson,et al.  On the limits of steganography , 1998, IEEE J. Sel. Areas Commun..

[7]  Daniel Genkin,et al.  Get your hands off my laptop: physical side-channel key-extraction attacks on PCs , 2015, Journal of Cryptographic Engineering.

[8]  Robert H. Sloan,et al.  Power Analysis Attacks of Modular Exponentiation in Smartcards , 1999, CHES.

[9]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[10]  Shlomo Shamai,et al.  Variable-Rate Channel Capacity , 2010, IEEE Transactions on Information Theory.

[11]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[12]  Milos Prvulovic,et al.  A Practical Methodology for Measuring the Side-Channel Signal Available to the Attacker for Instruction-Level Events , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[13]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[14]  Y. Tsunoo,et al.  Cryptanalysis of Block Ciphers Implemented on Computers with Cache , 2002 .

[15]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[16]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[17]  Vahid Tarokh,et al.  Bounds on the Capacity of Discrete Memoryless Channels Corrupted by Synchronization and Substitution Errors , 2012, IEEE Transactions on Information Theory.

[18]  Paolo Ienne,et al.  A first step towards automatic application of power analysis countermeasures , 2011, 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC).

[19]  William H. Press,et al.  Numerical recipes in C , 2002 .

[20]  Milos Prvulovic,et al.  Comparison of electromagnetic side-channel energy available to the attacker from different computer systems , 2015, 2015 IEEE International Symposium on Electromagnetic Compatibility (EMC).

[21]  J. R. Rao,et al.  The EM Side–Channel(s):Attacks and Assessment Methodologies , 2003 .

[22]  Kannan Ramchandran,et al.  Achievable rates for channels with deletions and insertions , 2011, ISIT.

[23]  Markus G. Kuhn,et al.  Compromising Emanations , 2002, Encyclopedia of Cryptography and Security.

[24]  Koen De Bosschere,et al.  Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[25]  Ruby B. Lee,et al.  New cache designs for thwarting software cache-based side channel attacks , 2007, ISCA '07.

[26]  Steven W. Smith,et al.  The Scientist and Engineer's Guide to Digital Signal Processing , 1997 .

[27]  Claude E. Shannon,et al.  The mathematical theory of communication , 1950 .

[28]  Eleni Drinea,et al.  Directly lower bounding the information capacity for channels with I.I.D.deletions and duplications , 2010, IEEE Trans. Inf. Theory.

[29]  David Naccache,et al.  Temperature Attacks , 2009, IEEE Security & Privacy.

[30]  Robert Locke Callan,et al.  Analyzing Software using Unintentional Electromagnetic Emanations from Computing Devices , 2016 .

[31]  David J. C. MacKay,et al.  Reliable communication over channels with insertions, deletions, and substitutions , 2001, IEEE Trans. Inf. Theory.

[32]  Ruby B. Lee,et al.  Capacity estimation of non-synchronous covert channels , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[33]  Michael Hutter,et al.  The Temperature Side Channel and Heating Fault Attacks , 2013, CARDIS.

[34]  Pankaj Rohatgi,et al.  Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[35]  Dakshi Agrawal,et al.  The EM Side-Channel(s) , 2002, CHES.

[36]  Jun Hu,et al.  Achievable information rates for channels with insertions, deletions, and intersymbol interference with i.i.d. inputs , 2010, IEEE Transactions on Communications.

[37]  Jonathan K. Millen 20 years of covert channel modeling and analysis , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[38]  Louis Goubin,et al.  DES and Differential Power Analysis (The "Duplication" Method) , 1999, CHES.

[39]  Alan V. Oppenheim,et al.  Discrete-time Signal Processing. Vol.2 , 2001 .

[40]  George Cybenko,et al.  Engineering Statistical Behaviors for Attacking and Defending Covert Channels , 2013, IEEE Journal of Selected Topics in Signal Processing.

[41]  Mordechai Guri,et al.  GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies , 2015, USENIX Security Symposium.