(Software) Side Channel Attacks

Fall 2021

David Kohlbrenner
dkohlbre@cs.washington.edu

Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...
Admin

- **Lab3 due** (in a week) Wednesday
- **Friday** – Guest lecture on law + security
- **Final project due 12/13**
  - No late days
  - Make sure you:
    - Include references
    - Include at least one legal/ethics discussion slide
    - Create original content
    - Go beyond class materials (if it’s a topic we also covered)
Side-channels: conceptually

• A program’s implementation (that is, the final compiled version) is different from the conceptual description

• Side-effects of the difference between the implementation and conception can reveal unexpected information
  • Thus: Side-channels
Detour: Covert-channels

• We’ll see many unusual ways to have information flow from thing A to thing B

• If this is an *intentional* usage of side effects, it is a covert channel

• *Unintentional* means it is a side-channel

• The same *mechanism* can be used as a covert-channel, or abused as a side-channel
Side Channel Attacks

• Most commonly discussed in the context of cryptosystems
• But also prevalent in many contexts
  • E.g., we discussed the TENEX password implementation
  • E.g., we discussed browser fingerprinting
Why should we care about side-channels?

• Compromises happen via ‘simple’ methods
  • Phishing
  • Straight-forward attacks

• Embedded systems do see side-channel attacks

• “High Security” systems do see side-channel attacks
Timing Side-Channels

• Duration of a program (or operation) reveals information

• TENEX case
  • We... lied, sorry
  • Its... more complicated
TENEX attack (for real)

• TENEX had an early *memory paging system*

• The original attack used page faults, not timing
  • Timing would’ve also worked 😊
Timing side-channels: round 2

- Cryptographic implementations fall down
  - #1 target for timing attacks
  - Extremely common to find vulnerabilities

- Why?
  - Pollev.com/dkohlbre
Attacking cryptographic with side-channels

• ANY leakage is bad
  • E.g. 1 bit of key leaking is ‘catastrophic’

• Cryptographic implementations are complex
  • Many layers of protocols
Example Timing Attacks

• **RSA:** Leverage key-dependent timings of modular exponentiations

• **Block Ciphers:** Leverage key-dependent cache hits/misses
How odd can this get?
The SVG-filter **pixel-stealing** timing attack

- **Attacker:**
  - Hosts webpage
- **Victim:**
  - Visits attacker
  - Logged into target
- **Target:**
  - Website hosting private visual information
The SVG-filter **pixel-stealing** timing attack

- **Attacker:**
  - Hosts webpage
- **Victim:**
  - Visits attacker
  - Logged into target
- **Target:**
  - Website hosting private visual information

- **Diagram:**
  - **attacker.com**
  - **targeted.com**
  - iframe
  - David K
  - @dkohlbre
  - Following
  - Followers
The SVG-filter *pixel-stealing* timing attack

- **Attacker:**
  - Hosts webpage
- **Victim:**
  - Visits attacker
  - Logged into target
- **Target:**
  - Website hosting private visual information
The SVG-filter pixel-stealing timing attack

- **Attacker:**
  - Hosts webpage
- **Victim:**
  - Visits attacker
  - Logged into target
- **Target:**
  - Website hosting private visual information
SVG-filter Pixel-stealing attack overview

1. iframe of target page
2. Target pixel in red
3. Pixel multiplication <div>
4. SVG Filter
5. Filtered rendering
6. Target pixel white
   Target pixel black
SVG-filter Pixel-stealing attack overview

(1) iframe of target page

(2) Target pixel in red

(3) Pixel multiplication <div>

(4) SVG Filter

(5) Filtered rendering

(6) Target pixel black

Target pixel white
SVG-filter Pixel-stealing attack overview

1. iframe of target page
2. Target pixel in red
3. Pixel multiplication <div>
4. SVG Filter
5. Filtered rendering
6. Target pixel white
   Target pixel black
SVG-filter Pixel-stealing attack overview

1. iframe of target page
2. Target pixel in red
3. Pixel multiplication <div>
4. SVG Filter
5. Filtered rendering

(1) Target pixel white
(2) Target pixel black
SVG-filter Pixel-stealing attack overview

(1) iframe of target page

(2) Target pixel in red

(3) Pixel multiplication <div>

(4) SVG Filter

(5) Filtered rendering

Target pixel white

Target pixel black
SVG-filter Pixel-stealing attack overview

1. iframe of target page
2. Target pixel in red
3. Pixel multiplication `<div>`
4. SVG Filter
5. Filtered rendering
6. Target pixel white
   Target pixel black
SVG-filter Pixel-stealing attack overview

(1) iframe of target page
(2) Target pixel in red
(3) Pixel multiplication <div>
(4) SVG Filter
(5) Filtered rendering
(6) Target pixel white
(6) Target pixel black

Browser Window
How?
if (x == rect.x || xExt[0] <= startX || xExt[1] <= startX || xExt[2] <= startX || xExt[3] <= startX) {
    [...]
} else { // We only need to look at the newest column
    for (PRUInt32 y1 = startY; y1 <= endY; y1++) {
        [...]
    }
}
if (x == rect.x || xExt[0] <= startX || xExt[1] <= startX || xExt[2] <= startX || xExt[3] <= startX) {
    [...]
} else { // We only need to look at the newest column
    for (PRUInt32 y1 = startY; y1 <= endY; y1++) {
        [...]
    }
}
if (x == rect.x || xExt[0] <= startX || xExt[1] <= startX || xExt[2] <= startX || xExt[3] <= startX) {
 [...]
} else { // We only need to look at the newest column
 for (PRUInt32 y1 = startY; y1 <= endY; y1++) {
 [...]
}
// Constant-time max and min functions for unsigned arguments
static inline unsigned umax(unsigned a, unsigned b)
{
    return a - ((a - b) & -(a < b));
}

static inline unsigned umin(unsigned a, unsigned b)
{
    return a - ((a - b) & -(a > b));
}
Implemented with Floating-point math
Variable time instructions?
## Intel i5-4460 double-precision floating-point multiply

<table>
<thead>
<tr>
<th></th>
<th>0.0</th>
<th>1.0</th>
<th>1e10</th>
<th>1e+200</th>
<th>1e-300</th>
<th>1e-42</th>
<th>256</th>
<th>257</th>
<th>1e-320</th>
</tr>
</thead>
<tbody>
<tr>
<td>0.0</td>
<td>6.59</td>
<td>6.56</td>
<td>6.59</td>
<td>6.58</td>
<td>6.58</td>
<td>6.57</td>
<td>6.58</td>
<td>6.59</td>
<td>6.57</td>
</tr>
<tr>
<td>1.0</td>
<td>6.57</td>
<td>6.59</td>
<td>6.55</td>
<td>6.57</td>
<td>6.57</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>130.89</td>
</tr>
<tr>
<td>1e10</td>
<td>6.55</td>
<td>6.55</td>
<td>6.56</td>
<td>6.58</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>6.57</td>
<td>130.95</td>
</tr>
<tr>
<td>256</td>
<td>6.58</td>
<td>6.53</td>
<td>6.56</td>
<td>6.54</td>
<td>6.56</td>
<td>6.56</td>
<td>6.58</td>
<td>6.57</td>
<td>130.94</td>
</tr>
<tr>
<td>1e-320</td>
<td>6.59</td>
<td>130.90</td>
<td>130.92</td>
<td>130.94</td>
<td>6.59</td>
<td>6.58</td>
<td>130.95</td>
<td>130.91</td>
<td>6.56</td>
</tr>
</tbody>
</table>
Intel i5-4460 double-precision floating-point multiply

<table>
<thead>
<tr>
<th></th>
<th>0.0</th>
<th>1.0</th>
<th>1e10</th>
<th>1e+200</th>
<th>1e-300</th>
<th>1e-42</th>
<th>256</th>
<th>257</th>
<th>1e-320</th>
</tr>
</thead>
<tbody>
<tr>
<td>0.0</td>
<td>6.59</td>
<td>6.56</td>
<td>6.59</td>
<td>6.58</td>
<td>6.58</td>
<td>6.57</td>
<td>6.58</td>
<td>6.59</td>
<td>6.57</td>
</tr>
<tr>
<td>1.0</td>
<td>6.57</td>
<td>6.59</td>
<td>6.55</td>
<td>6.57</td>
<td>6.57</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>130.89</td>
</tr>
<tr>
<td>1e10</td>
<td>6.55</td>
<td>6.55</td>
<td>6.56</td>
<td>6.58</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>6.57</td>
<td>130.95</td>
</tr>
<tr>
<td>256</td>
<td>6.58</td>
<td>6.53</td>
<td>6.56</td>
<td>6.54</td>
<td>6.56</td>
<td>6.56</td>
<td>6.58</td>
<td>6.57</td>
<td>130.94</td>
</tr>
<tr>
<td>1e-320</td>
<td>6.59</td>
<td>130.90</td>
<td>130.92</td>
<td>130.94</td>
<td>6.59</td>
<td>6.58</td>
<td>130.95</td>
<td>130.91</td>
<td>6.56</td>
</tr>
</tbody>
</table>

12/1/2021
CSE 484 / CSE M 584 - Autumn 2021
<table>
<thead>
<tr>
<th></th>
<th>0.0</th>
<th>1.0</th>
<th>1e10</th>
<th>1e+200</th>
<th>1e-300</th>
<th>1e-42</th>
<th>256</th>
<th>257</th>
<th>1e-320</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Cycle count</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td><strong>secret</strong></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>0.0</td>
<td>6.59</td>
<td>6.56</td>
<td>6.59</td>
<td>6.58</td>
<td>6.58</td>
<td>6.57</td>
<td>6.58</td>
<td>6.59</td>
<td>6.57</td>
</tr>
<tr>
<td>1.0</td>
<td>6.57</td>
<td>6.59</td>
<td>6.55</td>
<td>6.57</td>
<td>6.57</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>130.89</td>
</tr>
<tr>
<td>1e10</td>
<td>6.55</td>
<td>6.55</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>6.57</td>
<td>130.95</td>
</tr>
<tr>
<td>256</td>
<td>6.58</td>
<td>6.53</td>
<td>6.56</td>
<td>6.54</td>
<td>6.56</td>
<td>6.56</td>
<td>6.58</td>
<td>6.57</td>
<td>130.94</td>
</tr>
<tr>
<td>1e-320</td>
<td>6.59</td>
<td>130.90</td>
<td>130.92</td>
<td>130.94</td>
<td>6.59</td>
<td>6.58</td>
<td>130.95</td>
<td>130.91</td>
<td>6.56</td>
</tr>
</tbody>
</table>
### Intel i5-4460 double-precision floating-point multiply

<table>
<thead>
<tr>
<th></th>
<th>0.0</th>
<th>1.0</th>
<th>1e10</th>
<th>1e+200</th>
<th>1e-300</th>
<th>1e-42</th>
<th>256</th>
<th>257</th>
<th>1e-320</th>
</tr>
</thead>
<tbody>
<tr>
<td>0.0</td>
<td>6.59</td>
<td>6.56</td>
<td>6.59</td>
<td>6.58</td>
<td>6.58</td>
<td>6.57</td>
<td>6.58</td>
<td>6.59</td>
<td>6.57</td>
</tr>
<tr>
<td>1.0</td>
<td>6.57</td>
<td>6.59</td>
<td>6.55</td>
<td>6.57</td>
<td>6.57</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>130.89</td>
</tr>
<tr>
<td>1e10</td>
<td>6.55</td>
<td>6.55</td>
<td>6.56</td>
<td>6.58</td>
<td>6.56</td>
<td>6.56</td>
<td>6.56</td>
<td>6.57</td>
<td>130.95</td>
</tr>
<tr>
<td>256</td>
<td>6.58</td>
<td>6.53</td>
<td>6.56</td>
<td>6.54</td>
<td>6.56</td>
<td>6.56</td>
<td>6.58</td>
<td>6.57</td>
<td>130.94</td>
</tr>
<tr>
<td>1e-320</td>
<td>6.59</td>
<td>130.90</td>
<td>130.92</td>
<td>130.94</td>
<td>6.59</td>
<td>6.58</td>
<td>130.95</td>
<td>130.91</td>
<td>6.56</td>
</tr>
</tbody>
</table>
Attack in Action

TOP SECRET/SI//ORCON//NOFORN
Analysis follows

Attacker’s Web Server
Pixel stealing takeaways

- Combines web security, hardware knowledge, and software design
- Side-channels are real, and viable 😊
Power-side channels

- The amount of *power* used by a computer is related to what it is doing
- How can you use this?
- Canvas
Cache side-channels

• **Idea**: The cache’s current state implies something about prior memory accesses

• **Insight**: Prior memory accesses can tell you a lot about a program!
Cache Basics

- **Cache lines**: fixed-size units of data
- **Cache set**: holds multiple cache lines
- **Set index**: assigns cache line to cache set
- **Eviction**: removing cache lines to make room
- **L1, L2, L3**: different levels of cache
- **Inclusive**: lines in L1/L2 must also be in L3

Many thanks to Craig Disselkoen for the animations.
Cache Attacks: Structure

Pre-Attack

Active Attack

Analysis

Many thanks to Craig Disselkoen for the animations.
Timing threshold
Eviction set

Prime targeted set
Wait
[Timed] Prime targeted set
Victim accesses targeted set

Victim access if time > threshold

Analysis

Pre-attack

Active Attack

Pre-existing data
Attacker’s data
Victim’s data

Cache set 0
Cache set 1
Cache set 2

PRIME+PROBE
FLUSH+RELOAD

(requires shared memory)

Many thanks to Craig Disselkoen for the animations.
T-Table AES

- Tested against OpenSSL’s T-Table implementation of AES
- Traditional target for cache attacks
- No longer used in practice, but useful for comparison
- Chosen plaintext, key recovery
T-Table AES

PRIME+PROBE

PRIME+ABORT