How Secure Is Green IT? The Case of Software-Based Energy Side Channels

  • Heiko Mantel
  • Johannes Schickel
  • Alexandra Weber
  • Friedrich Weber
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11098)

Abstract

Software-based energy measurement features in contemporary CPUs allow one to track and limit energy consumption, e.g., for realizing green IT. The security implications of software-based energy measurement, however, are not well understood. In this article, we study such security implications of green IT. More concretely, we show that side-channel attacks can be mounted using software-based energy measurement, using a popular RSA implementation as the example. Using distinguishing experiments, we identify a side-channel vulnerability that enables attackers to distinguish RSA keys by measuring energy consumption. We demonstrate that a surprisingly low number of sample measurements suffices to succeed in an attack with high probability. In contrast to traditional power side-channel attacks, no physical access to the hardware is needed. This makes the vulnerabilities particularly serious.

Acknowledgements

We thank the anonymous reviewers for their helpful comments. We thank Yuri Gil Dantas, Ximeng Li, and Artem Starostin for helpful suggestions at different stages of our research project. This work has been funded by the DFG as part of the project Secure Refinement of Cryptographic Algorithms (E3) within the CRC 1119 CROSSING.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Department of Computer Science, TU Darmstadt, Darmstadt, Germany