
Side-Channel Aware Engineering

Periodic Reporting for period 2 - SCARE (Side-Channel Aware Engineering)

Reporting period: 2020-06-01 to 2021-11-30

Side-Channel Analysis (SCA) is an offensive security technique that targets secrets in implementations of security-critical devices. SCA leverages leakage through side channels to recover system or algorithm state that should critically remain secret. Examples of existing side channels include power consumption, electromagnetic radiation, timing, and acoustic emanations. At a high level, "SCARE: Side-Channel Aware Engineering" will discover new side channels, utilize them to develop attacks on real-world devices and protocols, and mitigate the attacks with a regression testing approach.

The first objective of SCARE concerns next generation side-channels. The goal is to discover new sources of leakage, leading to novel covert channel classes that will build a foundation for new types of SCA.

The second objective of SCARE concerns side-channel security assurance. The goal is to encompass side-channel security as part of the development lifecycle.

SCARE focuses on devices and systems that are deployed in the real world to maximize societal impact. This approach ensures that the scientific results of SCARE have a distinct, immediate application, inspired by the implementation characteristics that are the foundation of SCA.

The methodology used to achieve the SCARE objectives contains three Work Packages (WP).

WP1 seeks to deepen the understanding of leakage, exploring known channels but more importantly developing new channels. These new channels will form the basis for next generation side-channel attacks, laying out the groundwork for new classes of attacks for many years to come.

The main result from WP1 so far is the novel PortSmash microarchitecture technique. Applicable to Simultaneous Multithreading (SMT) architectures, PortSmash uses the sharing of the SMT execution engine as a side-channel leakage source. It targets the ports that feed stacks of execution units, turning port contention into a high-resolution timing side channel; because it does not depend on the memory subsystem, it is inherently stealthy.

WP2 seeks to understand the exploitability of the channels from WP1. The focus is on end-to-end side-channel attacks, from triggering the leakage all the way through to complete key recovery.

The main result from WP2 so far is the analysis of Mozilla's NSS open source software library. It is a security-critical library that powers other popular application software, such as the Firefox web browser. We used a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Furthermore, we contributed fixes for the discovered issues.

WP3 turns to countermeasures. It seeks to develop and evaluate countermeasures to the leakage sources in WP1 and attacks realized in WP2. The aim is a holistic approach, rather than limiting to dedicated mitigations.

The main result from WP3 so far is Triggerflow, a tool for tracking execution paths that, assisted by source annotations, dynamically analyzes the binary through the debugger. The main application of the tool is regression testing for software as part of Continuous Integration (CI), to ensure expected control flow at runtime. We used Triggerflow to establish automated testing through CI for the open source OpenSSL software project.
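As an added illustration of the regression-testing idea behind Triggerflow (this is example code written for this summary, not Triggerflow's own implementation or annotation syntax), the following Python models the core check: source lines carrying a hypothetical marker are points of interest, the tool emits debugger breakpoints for them, and a run is judged from which breakpoints fired. The C snippet, marker names and debugger log are all constructed.

```python
import re

# Hypothetical source annotations modelled on the idea of points of interest;
# the real tool's marker syntax is not reproduced here.
POI_MARK = "// POI"            # code path that must NOT run for this input
EXPECTED_MARK = "// EXPECTED"  # code path that MUST run for this input

# Constructed C snippet: a fast, non-constant-time branch we want to catch.
CONSTRUCTED_SOURCE = """\
int mod_exp(bn_t *r, const bn_t *a, const bn_t *p, int flags) {
    if (!(flags & BN_CONSTTIME))
        return mod_exp_fast(r, a, p);       // POI
    return mod_exp_consttime(r, a, p);      // EXPECTED
}
"""

def scan_annotations(source, path):
    """Map each marker kind to the file:line locations carrying it."""
    marks = {"poi": [], "expected": []}
    for lineno, text in enumerate(source.splitlines(), start=1):
        if POI_MARK in text:
            marks["poi"].append(f"{path}:{lineno}")
        elif EXPECTED_MARK in text:
            marks["expected"].append(f"{path}:{lineno}")
    return marks

def breakpoint_script(marks):
    """Emit gdb commands that break at every annotated location."""
    locs = marks["poi"] + marks["expected"]
    return "\n".join(f"break {loc}" for loc in locs) + "\nrun\n"

_HIT = re.compile(r"^Breakpoint \d+, .* at (\S+:\d+)$", re.M)

def parse_debugger_log(log):
    """Collect file:line of every breakpoint that fired (gdb-style lines)."""
    return _HIT.findall(log)

def verdict(marks, hits):
    """Pass only if no POI fired and every EXPECTED location fired."""
    hit = set(hits)
    unexpected = [loc for loc in marks["poi"] if loc in hit]
    missing = [loc for loc in marks["expected"] if loc not in hit]
    return (not unexpected and not missing), unexpected, missing

# Constructed debugger output: a regression where the fast path was taken,
# and a healthy run where only the constant-time path was reached.
CONSTRUCTED_LOG_BAD = "Breakpoint 1, mod_exp (r=..., a=..., p=..., flags=0) at bn.c:3\n"
CONSTRUCTED_LOG_GOOD = "Breakpoint 2, mod_exp (r=..., a=..., p=..., flags=1) at bn.c:4\n"

if __name__ == "__main__":
    marks = scan_annotations(CONSTRUCTED_SOURCE, "bn.c")
    print(breakpoint_script(marks))
    print(verdict(marks, parse_debugger_log(CONSTRUCTED_LOG_BAD)))
```

In a CI job the verdict would fail the build, which is how an accidental return to a non-constant-time path gets caught before release.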

The SCARE methodology will continue through the second half of the project. We will continue to look for new leakage sources in security-critical implementations of both software and hardware, develop methods to exploit the leakage at the system or protocol level, and extend our testing frameworks to automatically detect and prevent the leakage as part of the product life cycle.

Societal impact is a key outcome for SCARE. Identifiers for Common Vulnerabilities and Exposures (CVE) span several vendors of real-world security-critical products directly impacted by SCARE results. So far, these include OpenSSL (CVE-2018-0737, CVE-2018-5407, CVE-2019-1547), ARM's Mbed TLS (CVE-2019-18222, CVE-2020-10932), wolfSSL (CVE-2020-11735), and Mozilla's NSS (CVE-2020-12399, CVE-2020-12401, CVE-2020-12402, CVE-2020-6829).

Applying the PortSmash microarchitecture attack technique
Applying the Triggerflow framework for automated testing