SCITL: Side Channel Impedance Through Linearization. Sahil Madeka, Nitish Paradkar, Nicholas Rifel, Zelalem Aweke, Fangzhou Xing

Transcription

1 1 SCITL: Side Channel Impedance Through Linearization Sahil Madeka, Nitish Paradkar, Nicholas Rifel, Zelalem Aweke, Fangzhou Xing

2 2 Outline Introduction If Conversion Pass Evaluation Q&A

3 3 Timing Attacks Attacks that attempt to compromise cryptosystem by analyzing the time taken to execute the algorithms for various inputs Demonstrated by [Bernstein, 2005] on AES (complete recovery of key by observing timing of known plaintexts) [Kocher, 1996] demonstrated this on RSA and Diffie-Hellman Goal: Recompile the code to be safe from such timing attacks

4 4 RSA Decryption RSA decryption algorithm (square and multiply algorithm) x = C mod(x, n) for j = 1 to n if x >= n x = x 2 mod n x = x % n if d j == 1 end if x = (xc) mod n return x end if next j return x

5 5 Performing a Timing Attack Take messages Y and Z such that Y 3 < n and Z 2 < n < Z 3 Attack individual d i x = C mod(x, n) for j = 1 to n if x >= n x = x 2 mod n x = x % n if d j == 1 end if x = (xc) mod n return x end if next j return x

6 6 The Fix Always perform both modular multiplications regardless of whether d j is 1 or not x = C mod(x, n) for j = 1 to n x 1 = x % n x 1 = x 2 mod n x = (x >= n)?x 1 :x x 2 = (x 1 C) mod n return x x = (d j ==1)?x 2 :x 1 next j return x

7 7 Linearizing the CFG Unconverted CFG If converted CFG x = x 2 mod n d j == 1 T F x 1 = x 2 mod n x = (xc) mod n x 2 = (x 1 C) mod n x = (d j ==1)? x 2 :x 1 for.cond... for.cond.

8 8 If Conversion Works for both diamond and triangle structures Works for nest if-else if constructs Works when either side of the construct has loops

9 9 If Conversion Limitations Does not work on blocks that call functions with side effects Comparisons with pointers as operands can cause issues Does not work with when either side of the structure has a side exit or side entrance Function exit or break on one side does not work Can t have a goto to a side without going through the condition first If memory allocated on both sides, one side will always leak memory

10 10 Implementation Three main steps to perform the conversion Make all memory-writing instructions conditional Linearize the CFG (if-conversion) Rewriting/Replacing PHI nodes

11 11 First Step - Convert Memory Writes Walk all unvisited basic blocks on either side If instruction is a store: Insert a load from the same address Insert a Select based on Head branch cond. Select loaded value or original store value Change the store value to the Select s value If instruction is a memcpy or memmove intrinsic: Insert a Select between src and dest Change intrinsic s dest to the Select s value If memcpy, change to memmove

12 12

13 13 Second step - Linearize CFG Make branch from Head BB unconditional Execute both true and false side BB s in a row Update other branches Update any loop PHI nodes necessary Update Dominator Tree Information

14 14

15 15 Third step - Fix Up PHI Nodes For all PHI Nodes in the Tail BB: If there are 2 operands from the original shape: Replace both operands with a single Select Else if there is only 1 operand from the shape: Correct its incoming BB if necessary If PHI Node is now unnecessary / empty: Delete it and replaces all uses with the Select Preserves correctness after linearization

16

17 17 Evaluation Benchmarks Commonly used encryption/decryption algorithms RSA ElGamal Other more general algorithms Test Platform Ubuntu GB RAM Quad-core 2.3GHz

18 18 Time Variation - RSA 1024 Bit Key Keys varied from all zeros to all ones

19 19 Time Variation - RSA 1024 Bit Key Random keys generated with /dev/urandom Relative Standard Deviation of 5.4% Vs. 3.2%

20 20 Execution Overhead-RSA 1024 Bit Key Operations Overhead ADD/SUB 6.50x AND 6.56x CALL 4.05x CMOV x CMP 5.23x MUL 6.74x JMPs 5.67x MOV 5.87x mem-read 6.02x mem-write 5.80x Total 6.082x Average slowdown of 5.95x

21 21 Time Variation - Elgamal 32 bits 10,000 keys 10% less relative standard deviation 17% execution time overhead

22 22 Conclusion Timing channels can be eliminated by linearizing the control flow graph Overhead can be reduced by converting only specific functions. If-conversion does not reduce variances of most general algorithms because running time for algorithms that do not depend on secret data.

23 Q&A 23

24 24

25 CFG Linearization with Loops 25