Acoustic Surveillance of Physically Unmodified PCs

Michael D. LeMay and Dr. Jack Tan

Computer Science DepartmentUniversity of Wisconsin-Eau Claire

Funding: Center of Excellence for Faculty/Student Research Collaboration

Outline

• Introduction– Side-channel attacks– Past efforts in acoustic cryptanalysis

• Methods– Equipment used– Instruction sequence analysis– GNU MP modular exponentiation analysis– Acoustic keylogging

• Discussion and recommendations• Future directions

Side-channel attacks

CPUCPUCPUCPU

Acoustic cryptanalysis

• Adi Shamir and Eran Tromer● tp://www.wisdom.weizmann.ac.il/~tromer/acoustic/● Explored the acoustic emanations caused by:

● GnuPG (GNU Privacy Guard) signature generation● loops of HLT, MUL, FMUL, ADD, MOV and NOP

instructions● Neglected to explore:

● loops of SSE2 instructions● actual attack scenarios

Experimental Apparatus

Capacitors

www.dashdist.com/1u2u/company/capacitor.html

Instruction sequences

// andpd asm("movupd vec_x, %%xmm0\n" "movupd vec_y, %%xmm1\n" "top_andpd:\n" "andpd %%xmm0, %%xmm1\n" "loop top_andpd\n" : : "c"(repCnt) );

// andpd asm("movupd vec_x, %%xmm0\n" "movupd vec_y, %%xmm1\n" "top_andpd:\n" "andpd %%xmm0, %%xmm1\n" "loop top_andpd\n" : : "c"(repCnt) );

Spectrogram300MHz (12.5% duty)300MHz (12.5% duty)

600MHz (25% duty)600MHz (25% duty)

Capacitor plate oscillation

+-

2400MHz (100% duty)2400MHz (100% duty)

Acoustic Keylogging

Quaternary Encoding

BSWAP (0)

CMPXCHG8B (3)

BOUND (2)

BT (1)

Hello World!

=====BASE2===BASE4H: 0100 1000: 1020e: 0110 0101: 1211l: 0110 1110: 1232l: 0110 1110: 1232o: 0110 1111: 1233 : 0010 0000: 0200W: 0101 0111: 1113o: 0110 1111: 1233r: 0111 0010: 1302l: 0110 1100: 1230d: 0110 0100: 1210!: 0010 0001: 0201

NRZ (Non-Return to Zero)

Manchester

Manchester Encoding

10

NRZ (Non-Return to Zero)

Manchester

1 0 0 0 1 1 1

Quaternary Improved EncodingORIG[2] ORIG[16] NEW[4]

0000 0: 0101

0001 1: 0102

0010 2: 0103

0011 3: 0121

0100 4: 0123

0101 5: 0131

0110 6: 0132

0111 7: 0201

1000 8: 0202

1001 9: 0203

1010 A: 0212

1011 B: 0213

1100 C: 0231

1101 D: 0232

1110 E: 0301

1111 F: 0302

SYNC: 0312

Acoustic Keylogger for Linux

• LKL Linux KeyLogger• ttp://ourceforgenet/projects/kl

h: 0132 0202

e: 0132 0131

X10 Spy Cameras

Camera Head Close-up

Wireless A/V Receiver

h: 0132 0202

e: 0132 0131

Recommendations

• Disable CPU frequency scaling on critical systems.

Future Directions

• Determine why there is spectral overlap between instruction sequences

• Explore effects of multicore processors on acoustic emanations

• Determine how easily applications within virtual machines can modulate emanations