Automated Detection of Side Channels in Cryptographic Protocols: DROWN the ROBOTs!

Currently, most practical attacks on cryptographic protocols like TLS are based on side channels, such as padding oracles. Some well-known recent examples are DROWN, ROBOT and Raccoon (USENIX Security 2016, 2018, 2021). Such attacks are usually found by careful and time-consuming manual analysis by specialists. In this paper, we consider the question of how such attacks can be systematically detected and prevented before (large-scale) deployment. We propose a new, fully automated approach, which uses supervised learning to identify arbitrary patterns in network protocol traffic. In contrast to classical scanners, which search for known side channels, detecting general patterns can reveal new side channels, even unexpected ones, such as those from the ROBOT attack. To analyze this approach, we develop a tool to detect Bleichenbacher-like padding oracles in TLS server implementations, based on an ensemble of machine learning algorithms. We verify that the approach indeed detects known vulnerabilities successfully and reliably. The tool also provides detailed information about detected patterns to developers, to assist in removing a potential padding oracle. Due to the automation, the approach scales much better than manual analysis and could even be integrated into the CI/CD pipeline of a development environment, for example.
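The core idea of the abstract, treating padding-oracle detection as a supervised-learning problem, can be shown with a small distinguisher test. The following is an added example written for this page, not the paper's tool: the paper uses an ensemble of machine-learning algorithms, while here a single small decision tree stands in for it, and the "traffic" is a constructed table of what a client could observe (TLS alert description, how the TCP connection ended, a coarse timing bucket) for each PKCS#1 v1.5 malformation class sent. Stratified cross-validation measures how well the responses predict the class; a binomial test against chance decides whether a padding oracle is present, and the learned tree is rendered so a developer can see which observable leaks. The feature names, the hardened and leaky server behaviours and the sample sizes are all assumptions.

```python
"""Distinguisher test for Bleichenbacher-style padding oracles.
Added example in the spirit of the abstract (supervised learning over a
server's observable responses); not the paper's tool. All records are
constructed, and one small decision tree replaces the paper's ensemble."""
import math
from collections import Counter, defaultdict

# PKCS#1 v1.5 malformation classes a scanner would send in ClientKeyExchange.
# No oracle exists only if observable behaviour is independent of this label.
CLASSES = ("correct", "wrong_version", "bad_padding")

def constructed_traffic(leaky, per_class=40):
    """(label, features) pairs mimicking what a client observes (constructed)."""
    rows = []
    for i in range(per_class):
        timing = i % 3  # label-independent jitter, identical for every class
        for label in CLASSES:
            if leaky:  # alert and close behaviour depend on the padding class
                feats = {"alert": 20 if label == "correct" else 40,
                         "close": "rst" if label == "bad_padding" else "fin",
                         "timing_bucket": timing}
            else:      # hardened: identical reaction whatever the padding
                feats = {"alert": 40, "close": "fin", "timing_bucket": timing}
            rows.append((label, feats))
    return rows

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def build_tree(rows, depth=0, max_depth=3):
    """Greedy ID3-style tree over categorical features. A leaf is a label;
    an inner node is (feature, {value: subtree}, fallback_label)."""
    labels = [lab for lab, _ in rows]
    majority = min(Counter(labels).items(), key=lambda kv: (-kv[1], kv[0]))[0]
    if len(set(labels)) == 1 or depth == max_depth:
        return majority
    best, best_gain = None, 0.0
    for feat in sorted(rows[0][1]):
        groups = defaultdict(list)
        for lab, f in rows:
            groups[f[feat]].append(lab)
        gain = entropy(labels) - sum(len(g) / len(rows) * entropy(g)
                                     for g in groups.values())
        if gain > best_gain + 1e-12:
            best, best_gain = feat, gain
    if best is None:  # nothing observable depends on the label here
        return majority
    branches = {}
    for val in sorted({f[best] for _, f in rows}, key=str):
        sub = [(lab, f) for lab, f in rows if f[best] == val]
        branches[val] = build_tree(sub, depth + 1, max_depth)
    return (best, branches, majority)

def predict(tree, feats):
    while isinstance(tree, tuple):
        feat, branches, fallback = tree
        tree = branches.get(feats[feat], fallback)
    return tree

def describe(tree, indent=""):
    """Render the learned pattern so a developer sees which observable leaks."""
    if not isinstance(tree, tuple):
        return f"{indent}-> {tree}\n"
    feat, branches, _ = tree
    return "".join(f"{indent}if {feat} == {val!r}:\n" + describe(sub, indent + "  ")
                   for val, sub in branches.items())

def cross_validated_accuracy(rows, k=5):
    """Stratified k-fold: each class is spread evenly over the folds, so a
    classifier that ignores the features scores exactly chance."""
    fold_of, seen = {}, defaultdict(int)
    for j, (lab, _) in enumerate(rows):
        fold_of[j] = seen[lab] % k
        seen[lab] += 1
    correct = 0
    for fold in range(k):
        train = [r for j, r in enumerate(rows) if fold_of[j] != fold]
        test = [r for j, r in enumerate(rows) if fold_of[j] == fold]
        tree = build_tree(train)
        correct += sum(predict(tree, f) == lab for lab, f in test)
    return correct, len(rows)

def binomial_pvalue(correct, n, p0):
    """P[X >= correct], X ~ Binomial(n, p0): how likely this accuracy is if the
    responses carry no information about the padding class."""
    return sum(math.comb(n, x) * p0 ** x * (1 - p0) ** (n - x)
               for x in range(correct, n + 1))

def oracle_report(rows, alpha=0.01):
    correct, n = cross_validated_accuracy(rows)
    p = binomial_pvalue(correct, n, 1 / len(CLASSES))
    found = p < alpha
    return {"accuracy": correct / n, "p_value": p, "oracle_detected": found,
            "pattern": describe(build_tree(rows)) if found else ""}

if __name__ == "__main__":
    for name, leaky in (("hardened server", False), ("leaky server", True)):
        rep = oracle_report(constructed_traffic(leaky))
        print(f"{name}: cv accuracy={rep['accuracy']:.2f} "
              f"p={rep['p_value']:.1e} oracle={rep['oracle_detected']}")
        print(rep["pattern"], end="")
```

On the constructed hardened server every response is identical, so the tree can only guess the majority class, cross-validated accuracy sits at chance (1/3) and no oracle is reported; on the leaky server the alert code and the TCP close behaviour together identify the padding class perfectly, and the printed pattern names exactly those two observables. Replacing the constructed rows with records captured from a server under test (and the single tree with the ensemble the paper describes) is the step that turns this into a scanner, and the binomial check is what keeps a slightly-above-chance fluke on noisy timing data from being reported as a vulnerability.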
