Attacks on Implementations of Secure Systems

This is the handbook for the course "Attacks on Secure Implementations", taught in 2020 at Ben-Gurion University by Dr. Yossi Oren.

You can download the PDF of the entire handbook here, or view it online here.

The source code for the handbook, experimental labs and other fun material can be found in the GitHub repository:

[https://github.com/Yossioren/AttacksonImplementationsCourseBook]

Online course page: [https://moodle2.bgu.ac.il/moodle/enrol/index.php?id=30088]

More information: [https://iss.oy.ne.ro/Attacks]

Course materials

Lecture 1 - Introduction

Textbook Link

Basic reading is the first chapter of the Coursebook. For further reading, see the paper about TEMPEST, Thomas Popp's paper "An Introduction to Implementation Attacks and Countermeasures", and the "Overview about Attacks on Smart Cards".

Lecture 2 - Temporal Side Channels I

Textbook Link

Basic reading is the second chapter of the Coursebook. For additional background reading on timing attacks, see "A Practical Implementation of the Timing Attack". To read more about Montgomery's modular multiplication, see "Modular Multiplication Without Trial Division". There's also an "Overview about Attacks on Smart Cards". To delve deeper into the math behind RSA, you can read Kaliski's "The Mathematics of the RSA Public-Key Cryptosystem".

Lecture 3 - Temporal Side Channels II

Textbook Link

Basic reading is the 3rd chapter of our Coursebook. It starts with a recap and then introduces efficient implementations of modular exponentiation as described in Chapter 14 of The Handbook of Applied Cryptography. To read about a cheaper way to do modular multiplication, you can learn about the Chinese Remainder Theorem. You can also read the 1998 paper "A Practical Implementation of the Timing Attack", which proposes improvements to Kocher's idea that when the running time of a cryptographic algorithm is non-constant, timing measurements can leak information about the secret key. The chapter then discusses the Vaizata method, and it is recommended that you brush up on t-tests, developed by Guinness head brewer William Sealy Gosset.

Lecture 4 - Power-EM Side Channels I

Textbook Link

Basic reading is chapter 4 of the Coursebook, which starts with an introduction to electric circuits and their components, Ohm's Law, logic gates, and calculating the power consumption of a CMOS device using the Hamming Distance Model.

Lecture 5 - Power-EM Side Channels II

Textbook Link

The basic reading is Chapter 5 of the Coursebook up to around 5.12 "AES Internals". It starts with Kocher's 1995 smart card power analysis attack that made it to the front page of The New York Times. It then further explores power analysis side-channel attacks, simple power analysis, low and high data complexity attacks (sub-classes of power analysis attacks), the types of devices commonly targeted by such attacks (microcontrollers and ASICs), and an AES power analysis attack.

Lecture 6 - Power-EM Side Channels III

  • Simple power analysis on AES - Plan A - Delving into the first of two ways of performing a power analysis of AES: first capturing a power trace, then recovering the state bytes from that trace, and then using the state bytes to recover the key (20 minutes);
  • Simple power analysis on AES - Plan B - Delving into the second of two ways of performing a power analysis of AES: first capturing a power trace, then recovering the Hamming Weights from that trace, and then using the Hamming Weights to recover the key (23 minutes);

The basic reading is Chapter 5 of the coursebook, from 5.10 "The Advanced Encryption Standard", which explores the steps of AES and their leaky nature that can be used in a power analysis attack to recover the key.

Guest Lecture [Part 1] - Stjepan Picek - CSI NN: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel

Guest Lecture [Part 2] - Stjepan Picek - Machine Learning and Implementation Attacks

Lecture 7 - High Data Complexity Attacks Power-EM I

Textbook Link

Basic reading is Chapters 7 and 8 of the Coursebook. Whereas chapter 5 mainly focused on low data complexity attacks (with few traces), chapter 7 focuses on high data complexity attacks, aka DPA and CPA (many, many traces). It revisits the Vaizata method and how it can be used for high data complexity attacks, similarly to timing attacks (this time the assumption is that the power consumption depends on the key). In 7.2 we demonstrate an attack on AES using example data from the Power Analysis Attacks book and visualize the process.

Lecture 8 - Micro-Architectural Side Channels

Textbook Link

Basic reading is chapter 6 of the coursebook, which deals with CPU caches and cache attack techniques. For further reading on cache attacks, see Colin Percival's "Cache Missing For Fun And Profit". The chapter also introduces 2 main cache attack techniques: Flush+Reload and Prime+Probe. For further reading about how the hash function can be reverse engineered, see "Reverse engineering Intel last-level cache complex addressing using performance counters". Finally, there is a step-by-step demonstration of a Flush+Reload cache attack (as presented in Gruss, Spreitzer and Mangard's "Automating attacks on inclusive last-level caches" and in Yarom and Falkner's "A high resolution, low noise, L3 cache side-channel attack") that retrieves the user's keystroke timestamps in a gedit program. The GitHub repository can be found here.

Lecture 9 - Fault Attacks I

Textbook Link

  • Definition of Fault Attacks - Defining Fault Attacks, which are active attacks for extracting information from devices by breaking them (12 minutes);
  • Fault Attack Taxonomy - Further discussion of Fault Attacks, fault methods, and targets (25 minutes);
  • FA Example - Unlooper (1997) - Discussing unloopers, which were smartcards intended to cause the card to skip one or more instructions by applying a "glitch" in some form to the power or clock signal (8 minutes);

This lecture is based on chapter 9 of the coursebook, "Fault Attacks". A fault attack is an active attack that allows the attacker to extract information from a device by breaking it. The chapter goes on to discuss different kinds of fault methods (power supply attacks, timing attacks, temperature attacks, and more), and gives examples of classic fault attacks targeting the control flow: Canon camera blinking, and Unloopers. We then examine a fault attack on RSA-CRT as presented by Boneh and Lipton in "On the importance of eliminating errors in cryptographic computations".

Lecture 10 - Fault Attacks II

This lecture is based on chapter 9 of the coursebook, "Fault Attacks". Papers covered include Kim et al.'s "Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors", Razavi et al.'s "Flip Feng Shui: Hammering a Needle in the Software Stack", Tang et al.'s "CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management", Schmidt and Hutter's "Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results", Boneh, DeMillo and Lipton's "On the Importance of Eliminating Errors in Cryptographic Computations", Murdock et al.'s "Plundervolt: Software-based Fault Injection Attacks against Intel SGX", and Biham and Shamir's "Differential fault analysis of secret key cryptosystems".

How To Compile The Handbook

Windows

Toolchain Installation

  1. Install MiKTeX from: https://miktex.org/download (with default settings). NOTE: although TeX Live is supposedly a decent alternative to MiKTeX on Windows, attempts to use it for compiling the book failed miserably.
  2. Install Perl from: http://strawberryperl.com/
  3. [Optional but Recommended] Install VSCode and the LaTeX Workshop extension to be able to compile from VSCode.
  4. [Optional but Recommended] Install the LaTeX language support VSCode extension to ease editing in VSCode.

Full book Compilation

  • From VSCode: open UniversityCourseBookAOI.tex, click on the "TEX" icon in the left sidebar, run the "Build LaTeX project" command.
  • Without VSCode: run latexmk from the root directory of the book repository.

Other operating systems: just run latexmk