Runtime Code Polymorphism as a Protection Against Side Channel Attacks



1 Univ. Grenoble Alpes, 38000 Grenoble, France
2 CEA, IST, MINATEC Campus, 38054 Grenoble, France
3 CEA-Tech DPACA, Gardanne, France
4 École Nationale Supérieure des Mines de Saint-Étienne, Saint-Étienne, France
5 Inria de Rennes, Rennes, France

Abstract. We present a generic framework for runtime code polymorphism, applicable to a broad range of computing platforms including embedded systems with low computing resources (e.g. microcontrollers with a few kilobytes of memory). Code polymorphism is defined as the ability to change the observable behaviour of a software component without changing its functional properties. In this paper we present the implementation of code polymorphism with runtime code generation, which offers many code transformation possibilities: we describe the use of random register allocation, random instruction selection, instruction shuffling and insertion of noise instructions. We evaluate the effectiveness of our framework against correlation power analysis: compared to an unprotected implementation of AES, where the secret key could be recovered in fewer than 50 traces on average, our protected implementation increases the number of traces necessary to achieve the same attack by more than 20000×. With regard to the state of the art, our implementation shows a moderate impact in terms of performance overhead.

1 Introduction

Side channel attacks are an effective means to recover a secret by observing physical phenomena related to the secured activity. From knowledge of the program under attack (e.g. the AES cipher), the attacker tries to establish a correlation between the observation traces and hypotheses about the intermediate values used during the secret computation (e.g. the output of the first SBOX computation). The hypothesis that provides the best correlation value is then used to recover the secret (e.g. the value of the AES key). Usually, a few points in the observation traces exhibit good correlation values with the hypothesis; these correspond to the leakage point, i.e. the time when the secret is observable during the computation.

© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing Switzerland 2016. All Rights Reserved. S. Foresti and J. Lopez (Eds.): WISTP 2016, LNCS 9895, pp. 136–152, 2016. DOI: 10.1007/978-3-319-45931-8_9
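The leakage point described above, and the effect of moving it in time, can be measured on simulated traces. This is an added example, not code from the paper: the traces are constructed, and the Hamming-weight leakage model, the noise level and the `jitter` parameter (standing in for shuffled or inserted instructions) are assumptions of the example.

```python
import math
import random

def hamming_weight(x):
    return bin(x).count("1")

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def simulate(n_traces, n_samples, leak_at, jitter, rng, noise_sd=1.0):
    """Constructed traces: Gaussian noise plus HW(value) at one sample.

    jitter = 0 models fixed code (leak always at `leak_at`); jitter = k models
    polymorphic code where the leak lands on a uniformly random sample in
    [leak_at, leak_at + k].
    """
    values, traces = [], []
    for _ in range(n_traces):
        v = rng.randrange(256)  # known intermediate byte, e.g. an S-box output
        t = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        t[leak_at + rng.randint(0, jitter)] += hamming_weight(v)
        values.append(v)
        traces.append(t)
    return values, traces

def peak_correlation(values, traces):
    """Return (sample index, |rho|) of the strongest correlation with HW(value)."""
    model = [hamming_weight(v) for v in values]
    best = (0, 0.0)
    for i in range(len(traces[0])):
        rho = abs(pearson(model, [t[i] for t in traces]))
        if rho > best[1]:
            best = (i, rho)
    return best

def compare(seed=1):
    rng = random.Random(seed)
    fixed = peak_correlation(*simulate(2000, 20, 5, 0, rng))
    moved = peak_correlation(*simulate(2000, 20, 5, 9, rng))
    return fixed, moved

if __name__ == "__main__":
    fixed, moved = compare()
    print("fixed code:       sample %d, |rho| = %.3f" % fixed)
    print("polymorphic code: sample %d, |rho| = %.3f" % moved)
```

With the leak fixed in time the correlation peaks sharply at one sample; spreading it over ten possible positions leaves only a weak peak, which is why many more traces are needed before the leak stands out from noise.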


Two main protection schemes are effective against side channel attacks: hiding and masking. The key idea of masking is to split the sensitive values of the secured computation into several shares, in order to break the correlation between the observations and the hypothetical intermediate values. To recover the secret key from a masked implementation, and provided that the shares are computed at different times, an attacker needs correlation analysis of higher orders, i.e. analysis involving several observation points simultaneously. However, higher order attacks present a compu