Acoustic Surveillance of Physically Unmodified PCs
Michael D. LeMay and Dr. Jack Tan
Computer Science Department
University of Wisconsin-Eau Claire
Funding: Center of Excellence for Faculty/Student Research Collaboration
Outline
• Introduction
  – Side-channel attacks
  – Past efforts in acoustic cryptanalysis
• Methods
  – Equipment used
  – Instruction sequence analysis
  – GNU MP modular exponentiation analysis
  – Acoustic keylogging
• Discussion and recommendations
• Future directions
Side-channel attacks
Acoustic cryptanalysis
• Adi Shamir and Eran Tromer
  ● http://www.wisdom.weizmann.ac.il/~tromer/acoustic/
  ● Explored the acoustic emanations caused by:
    ● GnuPG (GNU Privacy Guard) signature generation
    ● loops of HLT, MUL, FMUL, ADD, MOV and NOP instructions
  ● Neglected to explore:
    ● loops of SSE2 instructions
    ● actual attack scenarios
Experimental Apparatus
Capacitors
www.dashdist.com/1u2u/company/capacitor.html
Instruction sequences
// andpd
asm volatile(
    "movupd vec_x, %%xmm0\n"   // load both operand vectors
    "movupd vec_y, %%xmm1\n"
    "top_andpd:\n"
    "andpd %%xmm0, %%xmm1\n"   // instruction under test
    "loop top_andpd\n"         // decrement ECX, repeat until zero
    : "+c"(repCnt)             // LOOP modifies ECX, so it is read-write
    :
    : "xmm0", "xmm1", "memory"
);
Spectrogram
300MHz (12.5% duty)
600MHz (25% duty)
Capacitor plate oscillation
2400MHz (100% duty)
Acoustic Keylogging
Quaternary Encoding
BSWAP (0)
CMPXCHG8B (3)
BOUND (2)
BT (1)
Hello World!
         BASE2      BASE4
H:       0100 1000: 1020
e:       0110 0101: 1211
l:       0110 1110: 1232
l:       0110 1110: 1232
o:       0110 1111: 1233
(space): 0010 0000: 0200
W:       0101 0111: 1113
o:       0110 1111: 1233
r:       0111 0010: 1302
l:       0110 1100: 1230
d:       0110 0100: 1210
!:       0010 0001: 0201
Manchester Encoding
[Figure: NRZ (Non-Return to Zero) and Manchester waveforms; bit labels 1 0 and 1 0 0 0 1 1 1]
Quaternary Improved Encoding
ORIG[2] ORIG[16] NEW[4]
0000 0: 0101
0001 1: 0102
0010 2: 0103
0011 3: 0121
0100 4: 0123
0101 5: 0131
0110 6: 0132
0111 7: 0201
1000 8: 0202
1001 9: 0203
1010 A: 0212
1011 B: 0213
1100 C: 0231
1101 D: 0232
1110 E: 0301
1111 F: 0302
SYNC: 0312
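An added example, not from the original slides: every codeword in the table above starts with 0, ends in a nonzero digit and never repeats a digit, so a concatenated stream never holds the same digit twice in a row and symbol boundaries can be recovered without a clock, the property the Manchester slide shows for binary. The sketch below encodes and decodes with that table; the function names, the SYNC-first framing and the oversampled sample stream are assumptions.

```python
from itertools import groupby

# Codebook copied from the slide's table: index = nibble value.
CODES = ("0101 0102 0103 0121 0123 0131 0132 0201 "
         "0202 0203 0212 0213 0231 0232 0301 0302").split()
SYNC = "0312"
NIBBLE = {code: value for value, code in enumerate(CODES)}


def has_no_repeats(symbols):
    """True if no base-4 digit occurs twice in a row."""
    return all(a != b for a, b in zip(symbols, symbols[1:]))


def encode(data):
    """SYNC, then two codewords per byte, high nibble first.

    Starting each frame with SYNC is an assumption of this sketch.
    """
    return SYNC + "".join(CODES[b >> 4] + CODES[b & 0xF] for b in data)


def collapse_runs(samples):
    """Reduce an oversampled signal to one digit per run of equal samples.

    Valid because the code never repeats a digit: each change in the
    sampled value is a symbol boundary, however long a symbol was held.
    """
    return "".join(digit for digit, _ in groupby(samples))


def decode(samples):
    """Recover the bytes that follow the first SYNC in a sample stream."""
    symbols = collapse_runs(samples)
    start = symbols.find(SYNC)
    if start < 0:
        raise ValueError("no SYNC word in stream")
    body = symbols[start + len(SYNC):]
    body = body[:len(body) - len(body) % 8]  # ignore a trailing partial byte
    try:
        nibbles = [NIBBLE[body[i:i + 4]] for i in range(0, len(body), 4)]
    except KeyError as bad:
        raise ValueError(f"invalid codeword {bad}") from None
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


if __name__ == "__main__":
    # Constructed input: hold each symbol for 1 to 3 samples.
    held = "".join(d * (1 + i % 3) for i, d in enumerate(encode(b"he")))
    print(held, "->", decode(held))
```

The plain base-4 form of "e" on the Hello World slide, 1211, contains a repeated digit, which is the case this codebook avoids.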
Acoustic Keylogger for Linux
• LKL Linux KeyLogger
• http://sourceforge.net/projects/lkl
h: 0132 0202
e: 0132 0131
X10 Spy Cameras
Camera Head Close-up
Wireless A/V Receiver
h: 0132 0202
e: 0132 0131
Recommendations
• Disable CPU frequency scaling on critical systems.
Future Directions
• Determine why there is spectral overlap between instruction sequences
• Explore effects of multicore processors on acoustic emanations
• Determine how easily applications within virtual machines can modulate emanations