Location, Location, Location: Revisiting Modeling and Exploitation for Location-Based Side Channel Leakages

Abstract

Near-field microprobes have the capability to isolate small regions of a chip surface and enable precise measurements with high spatial resolution. Being able to distinguish the activity of small regions has given rise to the location-based side-channel attacks, which exploit the spatial dependencies of cryptographic algorithms in order to recover the secret key. Given the fairly uncharted nature of such leakages, this work revisits the location side-channel to broaden our modeling and exploitation capabilities. Our contribution is threefold. First, we provide a simple spatial model that partially captures the effect of location-based leakages. We use the newly established model to simulate the leakage of different scenarios/countermeasures and follow an information-theoretic approach to evaluate the security level achieved in every case. Second, we perform the first successful location-based attack on the SRAM of a modern ARM Cortex-M4 chip, using standard techniques such as difference of means and multivariate template attacks. Third, we put forward neural networks as classifiers that exploit the location side-channel and showcase their effectiveness on ARM Cortex-M4, especially in the context of single-shot attacks and small memory regions. Template attacks and neural network classifiers are able to reach high spacial accuracy, distinguishing between 2 SRAM regions of 128 bytes each with 100% success rate and distinguishing even between 256 SRAM byte-regions with 32% success rate. Such improved exploitation capabilities revitalize the interest for location vulnerabilities on various implementations, ranging from RSA/ECC with large memory footprint, to lookup-table-based AES with smaller memory usage.

Keywords

Appendices

7 Appendix A

Algorithmic Noise in Tightly-Packed Surfaces. Since countermeasure designers opt often for algorithmic noise countermeasures, we investigate the statistical variance of \(N^{algo}\) for a tightly packed circuit that contains a large number of randomly switching components which try to hide the targeted component. We assume every noise-generating component to have area \(b_i \approx d\), where d is the area of the targeted component Since we assume large \(n_a\), both the noise-generating components as well as the targeted component are small w.r.t. the probe size, i.e. \(d \ll o\). In a tightly packed circuit, the probe area o contains roughly \(\frac{o}{d}\) randomly switching components, i.e. \(n_a \approx \frac{o}{d}\). In this particular scenario, the following formula approximates \(N^{algo}\).

$$\begin{aligned}&\quad \ \ N^{algo} = \sum _{i=1}^{n_a} N^{algo}_i = d \cdot \sum _{i=1}^{n_a} B_i = d \cdot A, \\&\quad B_i \sim Bern(0.5) \text { , } A \sim Binomial(n_a,0.5)\\&\text {Thus, } N^{algo} \xrightarrow [\text {Theorem}]{\text {Central Limit}} Norm(\frac{d \cdot n_a}{2}, \frac{d \cdot n_a}{4} ) \end{aligned}$$

Using the approximation of the Central Limit Theorem, we see that \(Var[N^{algo}]=\frac{d \cdot n_a}{4} = \frac{o}{4}\). Thus, for the tightly-packed, small-component scenario we have established a direct link between the probe area o and the level of algorithmic noise, demonstrating how increasing the probe area induces extra noise.

8 Appendix B

Predicted versus actual values, visualizing the validation set success rate.

Predicted:	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Actual:
0	35	0	1	0	0	0	1	0	0	0	0	0	0	0	0	0
1	1	30	1	0	0	0	0	0	0	0	0	0	0	0	0	0
2	1	0	27	0	0	0	0	0	0	0	0	0	0	0	0	0
3	0	0	0	40	1	1	0	0	0	0	0	0	0	0	0	0
4	2	0	0	1	31	0	0	1	0	0	0	0	1	0	0	0
5	0	1	0	1	0	28	1	0	0	0	0	0	0	0	0	0
6	0	1	0	0	0	0	37	0	0	0	0	0	0	1	0	0
7	0	0	0	1	2	1	0	26	0	0	0	0	0	0	1	0
8	0	0	0	1	0	0	0	0	26	0	0	0	0	0	0	0
9	0	0	1	0	0	1	1	0	1	30	0	0	0	0	0	0
10	0	0	0	0	0	2	0	0	1	1	37	0	1	0	0	2
11	0	1	0	1	1	0	0	1	0	1	0	34	0	1	0	0
12	0	1	0	0	0	0	0	2	1	0	0	0	34	0	0	0
13	0	0	0	0	0	0	1	1	0	0	3	0	0	32	2	0
14	0	0	0	0	0	0	0	0	0	0	0	0	0	0	27	0
15	0	0	0	0	1	0	0	0	0	0	0	1	0	1	0	31