Upload
vuongmien
View
217
Download
3
Embed Size (px)
Citation preview
• @0xABD [email protected]
• Background: fintech, payment security
• Security analyst @ Riscure, evaluating payment tech
• Who is Riscure? • Security lab in the Netherlands & USA • 80 hackers working on:
• Security test tools • Security test services
• We host the #RHme & #RHme2 hardware CTFs! • rhme.riscure.com • 500 players from 49 countries this year
About me
Cryptography Crash Course
Attacks on (Software) Crypto
Side Channel Attacks
Fault Injection Attacks
DEMO
Conclusions
Agenda
• Some history: how did people use and break cryptography? • Black room == Mallory peeks in the room == broken
• “Cabinet noir”
• Black box == Mallory peeks in the box == broken • Commercial encryption machines
• Kerckhoffs's principle == Mallory has the key == broken
• …
• The present day: • All of the above
• Internal state == Key
• ???
Cryptography Crash Course
• Black box == Attacker cannot look inside
• Grey box == Attacker can see something* inside and/or influence it
• White box == Attacker has full control
Cryptography Crash Course
• What is cryptography, when implemented in hardware and software?
• Start with a Black box • Inputs
• Data
• Key
• Output
Cryptography Crash Course
Input
Key
Output
• Crypto is executed by a machine
• Sometimes, a “weird machine” (Sergey Bratus et al., 2011) • http://langsec.org/papers/Bratus.pdf
Cryptography Crash Course
Un
inte
nd
ed
fu
nct
ion
alit
y
Normal, intended
functionality
Un
inte
nd
ed
stat
es Normal,
intended states
• What is cryptography, when implemented in hardware and software?
• Symmetric crypto • Done in (simple) steps – rounds
• Key schedule • Use a new key every round
• Linear operations (aka affine transformations) • Matrix operations
• Register arithmetic: SHIFT XOR ADD OR AND NOT …
• Non-linear operations • Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …)
Cryptography Crash Course
• What is cryptography, when implemented in hardware and software?
• Asymmetric crypto • Arithmetic on looooong numbers (> 4x wider than our CPU regs)
• Modular arithmetic
• Various optimizations to make it fit into register width
• Various hacks to make it faster
Cryptography Crash Course
Breaking Modern Cryptography
The hipster way:
• Classic Cryptanalysis
• Linear Cryptanalysis
• Differential Cryptanalysis
• Formal verification of protocols
• …
• “3-AES will probably never be cryptanalyzed”
Breaking Modern Cryptography
• Symmetric crypto: • Current view on computational
complexity (Joan Daemen, 2016): • 80 bits: lightweight
• 96 bits: solid
• 128 bits: secure for the foreseeable future
• 256 bits: for the clueless
Breaking Modern Cryptography
The brutal way:
1. Make assumptions on the internal state of the cipher
2. Guess the state / edit the state
3. Guessed/new state depends on key (and data)
4. Measure & Calculate the key • Adjust your assumptions
Grey box model – the attacker can see through the box and touch it
Breaking Modern Cryptography
The brutal way:
• Side Channel Analysis (SCA) • Timing analysis • Power analysis
• Simple power analysis (SPA) • Differential power analysis (DPA) • Correlation power analysis (CPA)
• …
• Fault Injection (FI) • Differential fault analysis • …
Side-channel Basics
????
8???
82??
827?
PIN
8275
Example: PIN Verification and power measurements (traces)
• Observe the whole cryptosystem • Find what is leaking (and, preferably, where)
• Time
• Power consumption
• Electromagnetic field
• Light / Sound / Temperature / …
• …
• Make an assumption on the dependencies between secret state and observable state • Leakage model
• Process the observation data & Get the key
Side-channel Basics
• Why it leaks? A hardware circuit is more complex than its schematics
• Each switch (=bit) draws power when flipped (clocked)
• A power consumption of a register is a function of its data (state) • Same for EM / temperature / other energy emissions
Side-channel Basics
• Every wire is an antenna
• Every loop is a coil
• Works both ways (see later)
• Noise is (usually) random/uniform, correctly modeled leakage is not • Acquire more measurements (traces)
• Noise cancels itself, but data dependencies are amplified • If leakage model is correct, otherwise == becomes noise too
Side-channel Basics
• For pure software, every shared hardware resource leaks • CPU caches
• CPU branch predictor
• Any resource of the memory controller
• …
• https://scholar.google.com/scholar?q=cross+vm+side+channel+attack
• Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Last-level cache attacks on mobile devices. arXiv preprint arXiv:1511.04897. • https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How-
Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf
• https://github.com/IAIK/armageddon
Side-channel Basics
• How to perform actual SCA attacks?
1. Acquisition of many traces – extracting leakage out of the box
2. Signal processing – leaving the good things
3. Statistical analysis of the trace set
Side-channel Basics
Side-channel Basics
(1) arm
(6) response
(3) trigger
(4) measurement
(5) acquisition
(2) command
Embedded System Current Probe
(7) attack
• Acquisition of many traces
• Proper equipment
• Proper setup
• Or, “Garbage in – Garbage Out”
Side-channel Basics
• Statistical analysis of the trace set
• First-order analysis – single point on a trace vs. model • Differential
• Correlation
• Higher-order analysis – multiple points on a trace vs. model • Works against protected implementations
• Other attacks
Side-channel Basics
• Statistical analysis of the trace set – How?
• FOSS tools: https://github.com/SideChannelMarvels
• Entry-level hardware: ChipWhisperer
• Commercial tools: Riscure Inspector
Side-channel Basics
• Further reading
• ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via power consumption” • http://2014.zeronights.org/assets/files/slides/korkikyan.pdf
Side-channel Basics
• Hardware is FRAGILE
• Introduce glitches in power supply
• Introduce glitches in CLK
• Directly supply energy to parts of the chip • Laser
• EM field
• Invasive techniques • Edit & Probe the silicon
Fault injection Basics
• Cryptography is FRAGILE
• Errors propagate
• State depends on the key (and data)
• (Error+State) propagates too
• Output is now more a function of a key than before • Sometimes, a single-bit flip = key extracted
• Most of the time = solve a system of (linear) equations
Fault injection Basics
• Why symmetric crypto fails under FI?
• Magic does not happen at once • Symmetric crypto is done in rounds
• Data (fault) propagation per round is limited
• Faults in state remove data dependencies
• Key is linearly combined with the faulty state
Fault injection Basics
• Why asymmetric crypto fails under FI?
• All assumptions fail • Prime numbers become composite with a single bit flip
• Points on a strong ECC curve become points on weaker curves
• …
Fault injection Basics
• Side Channel and Fault Injection the gray box scenario • A hardware black box does not protect the state (the key)
• Even gray boxes no longer sufficient to secure the current ecosystem • Hardware is not free and cannot be delivered over the wire
• Can we make cryptography secure on an untrusted hardware? • Mobile (Payments/Banking/HCE)
• Content Protection (DRM)
• …
• How to hide the key in plain sight of the attacker?
White-box Cryptography Basics
• Assumptions: • Even the hardware is now untrusted
• The attacker can read the code AND the key
• Can it still be secure?
• Let’s mix the key in the algorithm. Code == Key • Tables
• Dark magic
• Tables & dark magic
• And obfuscate the code, make the white-box self-aware • To avoid key extraction and arbitrary code reuse (lifting)
White-box Cryptography Basics
• White-boxed algorithms • DES
• AES
• RSA
• ECC
• SHA256, SHA256-HMAC
• …
• Fight magic with magic?
Breaking White-box Cryptography
• Fight magic with magic…
• Or apply brutal hardware attacks • Naïve white-box implementations do
not solve the gray-box problems
• If crypto happens, the state is there
• If crypto happens, the fragile parts are there, too
Breaking White-box Cryptography
• Eloi Sanfelix, Cristofaro Mune, Job de Haas, “Unboxing the White-Box” BH EU 2015 • https://www.blackhat.com/docs/eu-
15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf
• Joppe W Bos, Charles Hubain, Wil Michiels, Philippe Teuwen “Differential Computation Analysis: Hiding your White-Box Designs is Not Enough” • https://eprint.iacr.org/2015/753
Breaking White-box Cryptography
• Side-channel attacks on WBC
• Run on “hardware” • attack as if it was a pure hardware cipher
• – What is leaking? – Everything! • Memory
• Values in registers
• “Trace” is now data dump over time
Breaking White-box Cryptography
• Why (some) WBC fails under side channel? • Linearity = leakage
• Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box Cryptography in the Gray Box.“ • http://eprint.iacr.org/2016/203.pdf
Breaking White-box Cryptography
• Fault injection attacks on WBC
• Run on “hardware” • attack as if it was a pure hardware cipher
• – What can we glitch? – Anything! • Memory
• Values in registers
Breaking White-box Cryptography
• Need to tap into the code flow and data. How?
• Manual code manipulation at run time (hook/inject/debug)
• Decompile & recompile with probes
• Dynamic Binary Instrumentation
• Emulation (with probes)
• Absolute worst case: run on real hardware and bring the big guns
Software Crypto Instrumentation
• Manual code manipulation at run time (hook/inject/debug)
• + Easy to start from a software RE/expl. background
• – Lower speed (esp. when debugging, need to tap into everything)
• – Need to bypass anti-debug countermeasures
• – Scripting debuggers is ugly
Software Crypto Instrumentation
• Decompile & recompile with probes
• + Easy to start from a software RE/expl. background
• + Speed
• – lots of manual corrections
• – some RE & understanding of the target needed
Software Crypto Instrumentation
• Dynamic Binary Instrumentation
• Intel PIN
• Valgrind
• DynamoRIO
• (Frida) http://www.frida.re/
• https://github.com/SideChannelMarvels already has one
Software Crypto Instrumentation
• Dynamic Binary Instrumentation
• + Flexibility
• + Stealth
• – architecture-specific issues
Software Crypto Instrumentation
• Emulation (with probes)
• Platform-level emulation = The mighty QEMU • Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/
• Standalone
• IDA plugin
• Awesome
• PANDA (a full platform) https://github.com/moyix/panda • Record traces and replay
• Plugin framework
• Awesome (but slow)
Software Crypto Instrumentation
• Emulation (with probes)
• + Flexibility
• + Stealth
• + Speed
• – Platform-level emulation is slow
Software Crypto Instrumentation
• What to do? Side-channel: • Log all memory accesses
• Address
• Value & Size
• Log all registers
• What to do? Fault injection: • Flip bits in memory values and memory addresses
• Flip bits in registers
• KEEP TRACK OF THE PROGRAM COUNTER == TIME
Software Crypto Instrumentation
• Narrow down the addresses and PC range
• Compare execution traces, identifying data and key dependencies
• Side-channel – easy optimizations • Memory writes are more useful than reads
• Most registers are redundant (sometimes LSB is enough)
• Data can be compressed/discarded on the fly
• Fault injection – easy optimizations • Keep track of what you glitch
Software Crypto Instrumentation
• White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto
• Fault injection attack in 9th round
• Using https://github.com/SideChannelMarvels/JeanGrey to extract the key
DEMO 1
• Huge traces for SCA • ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes
per instruction = a lot of data
Compress and discard more aggressively
Software Crypto Instrumentation Challenges
• Misalignment • Leakage location depends on input
Do aggressive signal processing
Smart emulation (CFG?)
Software Crypto Instrumentation Challenges
• Glitching runs wild • Unwanted glitching of return addresses
• Unwanted glitching of instruction loading addresses
Simple heuristics when glitching, better focus
Software Crypto Instrumentation Challenges
• Why?
• Directly applicable on regular software crypto
• Defeat obfuscation without deobfuscating • What is executable will be executed and WILL leak / WILL be glitchable
• Minimum reverse engineering • Ideally, locate the target function in time domain only
• Can be tailored into a point-and-click solution if needed
Bonus: Attacking Regular Software Crypto
• But… hardware acceleration? AES-NI, etc.? • Only for symmetric crypto.
• Maybe forbidden by obfuscator/protector
• Often not applicable due to platform diversity • E.g. standard crypto extensions for ARM are not there yet, etc.
• Or, emulate & get the key from emulator’s implementation
• Or, emulate & apply DCA on the whole emulator
• Worst case, debug & get the key from registers, as usual
Bonus: Attacking Regular Software Crypto
• OLLVM-Obfuscated standard AES encryption
• Side-channel leakage is memory accesses
• Using Riscure Inspector to extract the key
DEMO 2
• Any state can be leaked via SCA
• Any data dependency • PIN/Key/Password lengths
• Hamming weights/distances of values
• Code structure / CFG leaks too • Basic blocks in CFG may be recognizable
SCA & FI: Beyond Attacking Crypto
• Any state can be affected via FI
• Most critical – bypass security mechanisms • MAC/Signature/PIN/Password checks
• Secure Boot
• …
Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016
https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf
SCA & FI: Beyond Attacking Crypto
• Countermeasures exist
• SCA countermeasures
• FI countermeasures
SCA & FI: Beyond Attacking Crypto
• SCA countermeasures • Most are patented, bad news for silicon and crypto vendors
• Reduce leakages (double rail logic, shields, …)
• Introduce noise and jitter
• Shuffle the state in time domain
• Masking
• Encodings between rounds
SCA & FI: Beyond Attacking Crypto
• FI countermeasures • Most are patented, bad news for silicon and crypto vendors
• Best idea: verify everything
• Transform the algorithms • To allow verification on side effects of the calculations
• To propagate errors DRAMATICALLY, diffusing the key dependencies
• Hardware: • Awareness – sensors: glitch, light, EM, …
SCA & FI: Beyond Attacking Crypto
• State-of-the-art white-box crypto, as seen in highly competitive markets like content protection, is tough: • All of the above
• SCA countermeasures • FI countermeasures
• State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI • Attacking == Defusing an explosive black box with a hammer
• If possible, uses encodings • Internal encoding:
• 𝐿𝑈𝑇 = 𝑔 ∘ 𝐿𝑈𝑇 ∘ 𝑓−1
• External encoding: • 𝐴𝐸𝑆𝑘
′ = 𝐺 ∘ 𝐴𝐸𝑆𝑘 ∘ 𝐹−1
• 𝐴𝐸𝑆𝑘′ (𝑚) is unusable by anyone, except the vendor who can decode
SCA & FI: Beyond Attacking Crypto
• More countermeasures for white-box crypto: • Remember, state = key. Diffuse the state so it is too large to easily extract or
compress • Bogdanov, A., & Isobe, T.. (2015). White-Box Cryptography Revisited: Space-Hard
Ciphers. ACM Conference on Computer and Communications Security. 10.1145/2810103.2813699
SCA & FI: Beyond Attacking Crypto
• It is still possible to break crypto without being a cryptographer • Academy is busy constructing funny whiteboxes
• Thinking out of the box helps • Best hacks happen on an edge
• Proper tools • Continuously evaluate your product before it hits the market
• The fight goes on…
Conclusions
• http://langsec.org/papers/Bratus.pdf
• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf
• https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf
• https://eprint.iacr.org/2015/753
• http://eprint.iacr.org/2016/203.pdf
• https://github.com/SideChannelMarvels
• http://www.frida.re
• http://www.unicorn-engine.org
• https://github.com/moyix/panda
• https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf
References
Challenge your security
Riscure North America
550 Kearny St.
Suite 330
San Francisco, CA 94108
+1 (650) 646 9979
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
We are hiring! www.riscure.com/careers