
Cache-Timing Attacks Still Threaten IoT Devices

  • Conference paper
  • Codes, Cryptology and Information Security (C2SI 2019)

Abstract

IoT devices are deployed widely and embed sensitive data, so their security depends on the reliability of the cryptographic libraries that protect user information. However, when implemented on real systems, cryptographic algorithms are vulnerable to side-channel attacks based on their execution behavior, which can be revealed by measurements of physical quantities such as timing or power consumption. Countermeasures can be implemented to prevent those attacks, but they are generally designed at the level of a high-level description, and once implemented some residual leakage may persist. In this article we propose a methodology to assess the robustness of the MbedTLS library against timing and cache-timing attacks. This comprehensive study of side-channel security allows us to identify the most frequent weaknesses in software cryptographic code and how they might be fixed. The methodology checks the whole source code used by the final application, from the top-level routines down to the low-level primitives. We retrieve hundreds of lines of code that leak sensitive information.
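As an added illustration (not code from the paper or from Mbed TLS), the two leakage classes a source-level timing audit of the kind described above flags most often, each beside a constant-time rewrite: a secret-indexed table lookup, whose memory address reveals the index through the cache, and a comparison that exits at the first mismatching byte. The S-box contents are constructed sample data, not any real cipher's table.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed 256-entry table: sbox[i] = (i * 167 + 13) mod 256. */
static uint8_t sbox[256];
static void init_sbox(void) {
    for (int i = 0; i < 256; i++) sbox[i] = (uint8_t)(i * 167 + 13);
}

/* LEAKY: the address loaded depends on the secret index, so the cache line
 * touched (secret >> 6 on 64-byte lines) is observable by a co-resident
 * process; this is the pattern behind cache-timing attacks on table-based AES. */
uint8_t sbox_lookup_leaky(uint8_t secret) {
    return sbox[secret];
}

/* CONSTANT-TIME: touch every entry and keep the wanted one with a mask, so
 * the sequence of memory accesses is identical for every secret value. */
uint8_t sbox_lookup_ct(uint8_t secret) {
    uint8_t r = 0;
    for (unsigned i = 0; i < 256; i++) {
        /* eq is 0xff when i == secret and 0x00 otherwise, computed without a
         * branch: (i ^ secret) - 1 underflows only when the values are equal. */
        uint8_t eq = (uint8_t)(((i ^ secret) - 1u) >> 8);
        r |= sbox[i] & eq;
    }
    return r;
}

/* LEAKY: returns at the first mismatch, so the run time reveals how many
 * leading bytes of a candidate MAC or password hash were correct. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) if (a[i] != b[i]) return 0;
    return 1;
}

/* CONSTANT-TIME: always walks all n bytes and folds every difference into
 * one accumulator; only the final test depends on the data. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Functional check: the hardened lookup must agree with the leaky one on
 * every possible index, otherwise the "fix" silently breaks the cipher. */
int lookups_agree(void) {
    init_sbox();
    for (unsigned s = 0; s < 256; s++)
        if (sbox_lookup_ct((uint8_t)s) != sbox_lookup_leaky((uint8_t)s)) return 0;
    return 1;
}
```

The rewrites remove the data-dependent address and the data-dependent early exit at the C level; an audit like the one in the paper still has to confirm that the compiler did not reintroduce a branch or a conditional load.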



Acknowledgments

The authors are grateful to Matthieu Lec’hvien for having initiated this work (under the guidance of Alexander Schaub). This work has benefited from funding via TeamPlay (https://teamplay-h2020.eu/), a project from the European Union’s Horizon 2020 research and innovation programme, under grant agreement No. 779882. Besides, this work has been partly financed by NSFC grant No. 61632020 and by French PIA (Projet d’Investissement d’Avenir) grant P141580, of acronym RISQ (Regroupement de l’Industrie pour la Sécurité post-Quantique).

Author information

Correspondence to Sylvain Guilley.


A Appendix

Here we give all the inter-procedural graphs that show the dependency and the leakage location for each algorithm (Figs. 13, 14, 15, 16, 17, and 18).

Fig. 13. Full RSA graph with leakage dependency for the mbedtls_rsa_private function

Fig. 14. Part of ECDSA graph with leakage dependency for the mbedtls_ecdsa_sign function

Fig. 15. Full AES graph with leakage dependency: mbedtls_aes_self_test

Fig. 16. Full DES graph with leakage dependency: mbedtls_des_self_test function

Fig. 17. Full Blowfish graph with leakage dependency: blowfish_enc function

Fig. 18. Full Camellia graph with leakage dependency: mbedtls_camellia_self_test function


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Takarabt, S. et al. (2019). Cache-Timing Attacks Still Threaten IoT Devices. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E. (eds) Codes, Cryptology and Information Security. C2SI 2019. Lecture Notes in Computer Science(), vol 11445. Springer, Cham. https://doi.org/10.1007/978-3-030-16458-4_2

  • DOI: https://doi.org/10.1007/978-3-030-16458-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16457-7

  • Online ISBN: 978-3-030-16458-4

  • eBook Packages: Computer Science (R0)