New Side Channels Targeted at Passwords

Side channels are typically viewed as attacks that leak cryptographic keys during cryptographic algorithm processing, by observation of system side effects. In this paper, we present new side channels that leak password information during X Windows keyboard processing of password input. Keylogging is one approach for stealing passwords, but current keylogging techniques require special hardware or privileged processes. However, we have found that the unprivileged operation of modifying the user key mappings for X Windows clients enables a side channel sufficient for unprivileged processes to steal that user's passwords, even enabling the attacker to gain root access via sudo. We successfully tested one version on Linux 2.6; we were able to obtain a high degree of control over the scheduler, and thus we can obtain accurate timing information. A second version (logon detection) works without depending on accurate clocks or cache effects. Thus, in addition to demonstrating new side channels, we show that (a) side channels cannot be eliminated by removing accurate clocks or hardware cache mechanisms (b) side channels are of continued concern for computer security as well as cryptographic processing.

[1]  Daniel G. Bobrow,et al.  TENEX, a paged time sharing system for the PDP - 10 , 1972, CACM.

[2]  Gaurav Shah,et al.  Keyboards and Covert Channels , 2006, USENIX Security Symposium.

[3]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[4]  Adrian Nye Xlib programming manual (3rd ed.) , 1993 .

[5]  Jonathan T. Trostle Modelling a Fuzzy Time System , 1993, J. Comput. Secur..

[6]  Wei-Ming Hu,et al.  Lattice scheduling and covert channels , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[8]  Ruby B. Lee,et al.  Covert and Side Channels Due to Processor Architecture , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[9]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[10]  Wei-Ming Hu,et al.  Reducing timing channels with fuzzy time , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[11]  Jonathan T. Trostle,et al.  Timing attacks against trusted path , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[12]  Schindler Werner OPTIMIZED TIMING ATTACKS AGAINST PUBLIC KEY CRYPTOSYSTEMS , 2002 .

[13]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[14]  Butler W. Lampson,et al.  Hints for Computer System Design , 1983, IEEE Software.

[15]  Dan Page,et al.  Partitioned Cache Architecture as a Side-Channel Defence Mechanism , 2005, IACR Cryptology ePrint Archive.

[16]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .