Computer Security: Computer Science with Attackers
Computer Security: Computer Science with Attackers. Usable Privacy and Security, Fall 2009. As told by David Brumley.
![Page 1: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/1.jpg)
1
Computer Security: Computer Science with Attackers
Usable Privacy and Security, Fall 2009
As told by David Brumley
![Page 2: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/2.jpg)
2
Find X
[Figure labeled 3, 4 and X]
X is 5
There it is
![Page 3: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/3.jpg)
3
My Security Axioms
I. Attackers Get Lucky, Defenders Do Not
II. Attackers are Creative
![Page 4: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/4.jpg)
4
Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security
![Page 5: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/5.jpg)
5
Ken Thompson
• Born Feb 4, 1943
• Notable Work:
  – B Programming Language
  – UNIX
  – Plan 9
  – Popularized regular expressions
• 1983: Turing Award (joint with Ritchie) for UNIX and work in OS
• 1999: US National Medal of Technology
• 1999: First IEEE Tsutomu Kanai Award
![Page 6: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/6.jpg)
6
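A Self-Reproducing Program

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";main(){printf(f,34,f,34,10);}

The program is a single line in pre-ANSI style (implicit int, no #include), so it has to be built as an older C dialect such as C89, and it reproduces itself only with exactly this spacing.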
![Page 7: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/7.jpg)
7
When Executed

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";
    main(){printf(f,34,f,34,10);}

The call expands to:

    printf("char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c", 34, f, 34, 10);

Output so far:

    char*f=
![Page 8: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/8.jpg)
8
When Executed

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";
    main(){printf(f,34,f,34,10);}

The call expands to:

    printf("char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c", 34, f, 34, 10); // ASCII 34 is a quote (")

Output so far:

    char*f="
![Page 9: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/9.jpg)
9
When Executed

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";
    main(){printf(f,34,f,34,10);}

The call expands to:

    printf("char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c", 34, f, 34, 10);

Output so far:

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c
![Page 10: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/10.jpg)
10
When Executed

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";
    main(){printf(f,34,f,34,10);}

The call expands to:

    printf("char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c", 34, f, 34, 10); // 34 is a quote

Output so far:

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c"
![Page 11: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/11.jpg)
11
When Executed

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";
    main(){printf(f,34,f,34,10);}

The call expands to:

    printf("char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c", 34, f, 34, 10); // 34 is a quote

Output so far:

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";main(){printf(f,34,f,34,10);}
![Page 12: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/12.jpg)
12
When Executed

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";
    main(){printf(f,34,f,34,10);}

The call expands to:

    printf("char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c", 34, f, 34, 10); // 10 is newline

Complete output (followed by a newline):

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";main(){printf(f,34,f,34,10);}
![Page 13: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/13.jpg)
13
Note
• This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm.

    char*f="char*f=%c%s%c;main(){printf(f,34,f,34,10);}%c";main(){printf(f,34,f,34,10);}
![Page 14: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/14.jpg)
14
The C Compiler
• The C compiler (cc) is written in C
• Special characters, such as newlines, quotes, etc., are escaped with backslashes. This is called a “character escape sequence”

    c = next();
    if(c != '\\') // Note, since compiler itself is written in C, must escape backslash
        return c;
    c = next();
    if(c == '\\')
        return '\\'; // Returns the backslash character, written '\\' in source
    if(c == 'n')
        return '\n';
    // etc.
![Page 15: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/15.jpg)
15
Adding a New Escape Sequence
• The C compiler (cc) is written in C
• How do we add a new escape sequence?
  – Not yet valid C until added to compiler
  – But compiling modified compiler will not work because not valid C

    c = next();
    if(c != '\\') // Note, since compiler itself is written in C, must escape backslash
        return c;
    c = next();
    …
    if(c == 'v')
        return '\v'; // INVALID!
    // etc.
![Page 16: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/16.jpg)
16
What you do
• Solution: Encode in current valid C
• '\v' is ASCII 11

    c = next();
    if(c != '\\') // Note, since compiler itself is written in C, must escape backslash
        return c;
    c = next();
    …
    if(c == 'v')
        return 11; // Works
    // etc.
![Page 17: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/17.jpg)
17
Checkpoint
• Can make a program that prints itself out
• Can change the semantics of a compiler
![Page 18: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/18.jpg)
18
How a compiler works
Source Code (Source Language) → Compiler → Executable Code (Target Language)

    get(s);
    compile(s);
![Page 19: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/19.jpg)
19
Trojaning Login
'login' → Compiler → Trojaned 'login'

    get(s);
    compile(s);
    if(s == 'login')
        compile(backdoor);
![Page 20: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/20.jpg)
20
Trojaning Compiler
'cc' → Compiler → Trojaned 'cc'

    get(s);
    compile(s);
    if(s == 'login')
        compile(backdoor);
    if(s == 'cc')
        compile(cc-backdoor);
![Page 21: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/21.jpg)
21
Using Trojaned Compiler
Source ('cc' source, 'login' source) → Trojaned 'cc' Compiler → trojaned exec 'cc', trojaned exec 'login'

    get(s);
    compile(s);
    if(s == 'login')
        compile(backdoor);
    if(s == 'cc')
        compile(cc-backdoor);
![Page 22: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/22.jpg)
22
Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security
![Page 23: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/23.jpg)
“Regularly Install Patches” − Computer Security Wisdom
B: Buggy Program
P: Patched New Program
Patches Help Security
![Page 24: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/24.jpg)
“Patches Can Help Attackers” − Evil David
![Page 25: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/25.jpg)
Evil David’s Timeline (Delayed Patch Attack)
• T1: Gets Patch
• T1 to T2: Use Patch to Reverse Engineer Bug
• T2: Attack Unpatched Users
![Page 26: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/26.jpg)
Patch Delay
Asia gets P
N. America gets patched version P
[Gkantsidis et al 06]
![Page 27: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/27.jpg)
Evil David’s Timeline
• T1: Gets Patch
• T1 to T2: Reverse Engineer Bug (Minutes)
• T2: Attack Unpatched Users
“I can reverse engineer the patched bug and create an exploit in minutes”
![Page 28: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/28.jpg)
Intuition
[Figure: program inputs divided into Bad and Good; labels: Particular Input, Trigger Bug]
![Page 29: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/29.jpg)
Intuition
[Figure: B (Buggy Program); program inputs divided into Bad and Good; label: Exploit]
![Page 30: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/30.jpg)
Intuition
[Figure: B (Buggy Program) and P (Patched Program); program inputs divided into Bad and Good]
Patch leaks:
1) Where
2) How to exploit
![Page 31: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/31.jpg)
Automatic Patch-Based Exploit Generation
Step 1: Get B and P
Step 2: Diff B & P
Step 3: Automatically Calculate Exploit
[Figure: program inputs divided into Bad and Good]
![Page 32: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/32.jpg)
Automatic Patch-Based Exploit Generation
Step 1: Get B and P
Step 2: Diff B & P
Step 3: Automatically Calculate Exploit
Profit!
[Figure: program inputs divided into Bad and Good]
![Page 33: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/33.jpg)
IE6 Bug Example
• All integers unsigned 32-bits
• All arithmetic mod $2^{32}$
• B is binary code

B:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    ptr := realloc(ptr, s)
![Page 34: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/34.jpg)
IE6 Bug Example

B:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    ptr := realloc(ptr, s)

With input = $2^{32} - 2$:
• $(2^{32} - 2)$ % 2 == 0
• s := 0, since $(2^{32} - 2 + 2) \bmod 2^{32} = 0$
• ptr := realloc(ptr, 0)
Using ptr is a problem
![Page 35: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/35.jpg)
IE6 Bug Example
Wanted: s > input
Integer Overflow when: ¬(s > input)

B:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    ptr := realloc(ptr, s)
![Page 36: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/36.jpg)
Patch

B:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    ptr := realloc(ptr, s)

P:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    if s > input
        ptr := realloc(ptr, s)      (T)
    else
        Error                       (F)
![Page 37: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/37.jpg)
Patch

P:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    if s > input
        ptr := realloc(ptr, s)      (T)
    else
        Error                       (F)

B:

    read input
    if input % 2 == 0
        s := input + 2      (T)
    else
        s := input + 3      (F)
    ptr := realloc(ptr, s)

Exploits for B are inputs that fail new safety condition check in P:
(s > input) = false
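
The B and P flowcharts above written out in C, as an added example that is not part of the original slides. It scans a range of inputs and counts those that B passes to the allocator but the patched check in P rejects; the function names and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Size computation shared by B and P: unsigned 32-bit arithmetic mod 2^32.
 * Even input takes the "+2" branch, odd input the "+3" branch. */
static uint32_t alloc_size(uint32_t input)
{
    return (uint32_t)((input % 2 == 0) ? input + 2u : input + 3u);
}

/* Program B: the size goes to realloc unchecked, even when it wrapped. */
static bool size_b(uint32_t input, uint32_t *s)
{
    *s = alloc_size(input);
    return true;
}

/* Program P: the patch adds the safety condition s > input. */
static bool size_p(uint32_t input, uint32_t *s)
{
    *s = alloc_size(input);
    return *s > input;
}

/* Number of inputs in [lo, hi] that B accepts but P rejects. */
static unsigned count_rejected(uint32_t lo, uint32_t hi)
{
    unsigned n = 0;
    uint32_t s;
    /* 64-bit index so that hi = 2^32 - 1 still terminates the loop. */
    for (uint64_t i = lo; i <= hi; i++)
        if (size_b((uint32_t)i, &s) && !size_p((uint32_t)i, &s))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: two ordinary values and the top of the range. */
    const uint32_t samples[] = { 0u, 7u, 0xFFFFFFFCu, 0xFFFFFFFDu,
                                 0xFFFFFFFEu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t sb, sp;
        size_b(samples[i], &sb);
        bool ok = size_p(samples[i], &sp);
        printf("input=%10lu  B: realloc(ptr, %lu)  P: %s\n",
               (unsigned long)samples[i], (unsigned long)sb,
               ok ? "realloc" : "Error");
    }
    printf("rejected by P in the top 16 values: %u\n",
           count_rejected(0xFFFFFFF0u, 0xFFFFFFFFu));
    return 0;
}
```

Only inputs within three of $2^{32}$ wrap, which is why the single comparison added in P is enough to separate them from every other input.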
![Page 38: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/38.jpg)
Result Overview

| Program | Exploit result | Time |
|---|---|---|
| ASPNet_Filter | Information Disclosure | 29 sec |
| GDI | Hijack Control | 135 sec |
| PNG | Hijack Control | 131 sec |
| IE COMCTL32 (B) | Hijack Control | 456 sec |
| IGMP | Denial of Service | 186 sec |

• No public exploit for 3 out of 5
• Exploit unique for other 2
![Page 39: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/39.jpg)
Does Automatic Patch-Based Exploit Generation Always Work?
NO!
However, in security attackers get lucky, defenders do not
Current Delayed Patch Distribution Insecure
![Page 40: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/40.jpg)
40
Intermission
![Page 41: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/41.jpg)
41
Agenda
• Examples of Axioms (aka, how to think like an attacker)
  – Example I: Ken Thompson
  – Example II: APEG
  – Example III: RSA
• How to argue security
![Page 42: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/42.jpg)
42
RSA Cryptosystem
• Invented in 1978 by Rivest, Shamir, and Adleman
• RSA is widely used
  – Apache+mod_SSL (https)
  – stunnel (Secure TCP/IP servers)
  – sNFS (Secure NFS)
  – bind (name service)
  – ssh (secure shell)
• We believe RSA is secure
![Page 43: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/43.jpg)
RSA Algorithm
• RSA Initialization:
  – pick prime p (secret)
  – pick prime q (secret)
  – Let N = pq (N is public)
  – pick e (public)
  – Find d s.t. d*e = 1 mod (p-1)(q-1) (private)
• RSA encryption of m: calculate $m^e \bmod N = c$
• RSA decryption of c: calculate $c^d \bmod N = m$

Example:
• p = 61, q = 53
• N = 3233
• e = 17
• d = 2753
• Suppose m = 123
• $c = 123^{17} \bmod 3233 = 855$
• $m = 855^{2753} \bmod 3233 = 123$
![Page 44: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/44.jpg)
44
Why is RSA Secure
• Step 1: define “security”
• Step 2: Show that RSA meets definition
![Page 45: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/45.jpg)
45
Step 1: Define Security

Public Parameters
  – N = pq (N is public)
  – e (public)

Private Parameters
  – p (secret)
  – q (secret)
  – d (derived from e, p, and q, private)

RSA Problem: Given N, e, $m^e \bmod N$, compute m

RSA is secure if the RSA problem cannot be solved efficiently
![Page 46: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/46.jpg)
46
Step 2: Show RSA Meets Definition

Public Parameters
  – N = pq (N is public)
  – e (public)

Private Parameters
  – p (secret)
  – q (secret)
  – d (derived from e, p, and q, private)

RSA Problem: Given N, e, $m^e \bmod N$, compute m

Fact: we do not know RSA is secure
![Page 47: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/47.jpg)
47
2 Ways to Break RSA
RSA Problem: Given N, e, $m^e \bmod N$, compute m
[Diagram: Public (N, e) → Factoring Algorithm → Private (p, q, d)]
Fact: if we can factor, we can break RSA
Given $m^e$, we can decrypt just like those who know d
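
The worked numbers from the RSA Algorithm slide and the "if we can factor" fact, carried through in C as an added example that is not part of the original slides. Trial division stands in for the factoring algorithm and is feasible only because N = 3233 is tiny; the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod n; no overflow as long as n < 2^32. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (a % n) * (b % n) % n;
}

/* base^exp mod n by repeated squaring. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t r = 1 % n;
    base %= n;
    while (exp) {
        if (exp & 1)
            r = mulmod(r, base, n);
        base = mulmod(base, base, n);
        exp >>= 1;
    }
    return r;
}

/* d with d*e = 1 mod phi (extended Euclidean algorithm); 0 if none exists. */
static uint64_t modinv(uint64_t e, uint64_t phi)
{
    int64_t t = 0, new_t = 1;
    int64_t r = (int64_t)phi, new_r = (int64_t)(e % phi);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1)
        return 0;                      /* e and phi are not coprime */
    return (uint64_t)(t < 0 ? t + (int64_t)phi : t);
}

/* Smallest prime factor by trial division (toy-sized N only). */
static uint64_t smallest_factor(uint64_t n)
{
    for (uint64_t f = 2; f * f <= n; f++)
        if (n % f == 0)
            return f;
    return n;
}

/* Public (N, e) -> factor N -> private d, as in the diagram on the slide. */
static uint64_t recover_d(uint64_t N, uint64_t e)
{
    uint64_t p = smallest_factor(N), q = N / p;
    if (p == N)
        return 0;                      /* N is prime, not an RSA modulus */
    return modinv(e, (p - 1) * (q - 1));
}

int main(void)
{
    const uint64_t N = 3233, e = 17, m = 123;   /* values from the slide */
    uint64_t c = modpow(m, e, N);               /* encryption uses public values */
    uint64_t d = recover_d(N, e);               /* derived from N and e alone */
    printf("c = %llu\n", (unsigned long long)c);
    printf("recovered d = %llu\n", (unsigned long long)d);
    printf("decrypted m = %llu\n", (unsigned long long)modpow(c, d, N));
    return 0;
}
```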
![Page 48: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/48.jpg)
48
2 Ways to Break RSA
RSA Problem: Given N, e, $m^e \bmod N$, compute m
[Diagram: Public ($m^e \bmod N$) → Roots → m]
Fact: if we can take roots modulo N, we can break RSA
![Page 49: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/49.jpg)
49
Arguing Security
• Define what is public and private
• Define protocol
  – What bad guy gets to see
  – What bad guy cannot see
• Show that in any run of the protocol the bad guy
  – cannot see what he is not supposed to
  – cannot efficiently compute what he is not supposed to
![Page 50: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/50.jpg)
50
I. Attackers Get Lucky, Defenders Do Not
![Page 51: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/51.jpg)
51
NP Complete (i.e., it could be difficult) is Insufficient
[Figure: Problem Domain with a region of Hard Instances]
Probability of picking a hard instance is low
![Page 52: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/52.jpg)
52
We believe RSA is hard on average
[Figure: Problem Domain; labels: Random ciphertext c; assume ciphertexts are easy to decrypt]
![Page 53: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/53.jpg)
53
We believe RSA is hard on average
[Figure: Problem Domain; labels: Random ciphertext c; assume ciphertexts are easy to decrypt]
Can move instance (homomorphism)
![Page 54: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/54.jpg)
54
II. Attackers are Creative
![Page 55: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/55.jpg)
Breaking RSA in Practice
• RSA decryption: $g^d \bmod N = m$
  – d is private decryption exponent, N is public modulus
• Chinese remaindering (CRT) uses factors directly. N = pq, and d1 and d2 are pre-computed from d:
  1. $m_1 = g^{d_1} \bmod q$
  2. $m_2 = g^{d_2} \bmod p$
  3. combine m1 and m2 to yield m (mod N)
• Goal: learn factors of N.
![Page 56: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/56.jpg)
56
Suppose I implement RSA as:

    if (d == 1) { sleep(1); decrypt(c); }
    if (d == 2) { sleep(2); decrypt(c); }
    if (d == 3) { sleep(3); decrypt(c); }

Time to decrypt leaks key
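
A less contrived form of the same leak, as an added example that is not part of the original slides: textbook square-and-multiply does extra work for every 1 bit of d, while a Montgomery ladder does the same work for every bit. The count of modular multiplications stands in for decryption time, which is an assumption of this sketch, as are the function names; the sample exponents other than the slide's d = 2753 are constructed.

```c
#include <stdint.h>
#include <stdio.h>

static unsigned long ops;   /* modular multiplications performed: stand-in for time */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    ops++;
    return (a % n) * (b % n) % n;     /* safe for n < 2^32 */
}

/* Leaky: multiplies by c only when the key bit is 1,
 * so the work is bits + (number of 1 bits in d). */
static uint64_t modexp_leaky(uint64_t c, uint64_t d, uint64_t n, int bits)
{
    uint64_t r = 1;
    for (int i = bits - 1; i >= 0; i--) {
        r = mulmod(r, r, n);
        if ((d >> i) & 1)
            r = mulmod(r, c, n);
    }
    return r;
}

/* Montgomery ladder: one multiply and one square per bit, whatever the bit is.
 * Operands are selected with a mask instead of a branch on the key bit. */
static uint64_t modexp_ladder(uint64_t c, uint64_t d, uint64_t n, int bits)
{
    uint64_t r0 = 1, r1 = c % n;      /* invariant: r1 = r0 * c mod n */
    for (int i = bits - 1; i >= 0; i--) {
        uint64_t mask = (uint64_t)0 - ((d >> i) & 1);   /* all ones if bit is 1 */
        uint64_t prod = mulmod(r0, r1, n);
        uint64_t sel  = (r0 & ~mask) | (r1 & mask);
        uint64_t sq   = mulmod(sel, sel, n);
        r0 = (sq & ~mask) | (prod & mask);
        r1 = (prod & ~mask) | (sq & mask);
    }
    return r0;
}

static unsigned long cost_leaky(uint64_t c, uint64_t d, uint64_t n, int bits)
{
    ops = 0;
    modexp_leaky(c, d, n, bits);
    return ops;
}

static unsigned long cost_ladder(uint64_t c, uint64_t d, uint64_t n, int bits)
{
    ops = 0;
    modexp_ladder(c, d, n, bits);
    return ops;
}

int main(void)
{
    /* N, c and d = 2753 come from the slide's worked RSA example;
     * 2048 and 4095 are constructed 12-bit exponents for comparison. */
    const uint64_t N = 3233, c = 855;
    const uint64_t keys[] = { 2753, 2048, 4095 };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("d=%4llu  leaky ops=%lu  ladder ops=%lu\n",
               (unsigned long long)keys[i],
               cost_leaky(c, keys[i], N, 12),
               cost_ladder(c, keys[i], N, 12));
    return 0;
}
```

Equal operation counts remove only this one dependency; the later slides show that the cost of each multiplication and reduction can still depend on the data.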
![Page 57: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/57.jpg)
RSA Decryption Time Variance
• Causes for decryption time variation:
  – Which multiplication algorithm is used.
    • OpenSSL uses both basic mult. and Karatsuba mult.
  – Number of steps during a modular reduction
    • modular reduction goal: given u, compute u mod q
    • Occasional extra steps in OpenSSL’s reduction alg.
• There are MANY:
  – multiplications by input c
  – modular reductions by factor q (and p)
![Page 58: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/58.jpg)
Reduction Timing Dependency
• Modular reduction: given u, compute u mod q.
  – OpenSSL uses Montgomery reductions [M’85].
• Time variance in Montgomery reduction:
  – One extra step at end of reduction algorithm with probability
    $\Pr[\text{extra step}] \approx \dfrac{c \bmod q}{2q}$ [S’00]
![Page 59: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/59.jpg)
$\Pr[\text{extra step}] \approx \dfrac{c \bmod q}{2q}$
[Plot: Decryption Time versus Value c, with q, 2q and p marked on the c axis]
![Page 60: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/60.jpg)
Multiplication Timing Dependency
• Two algorithms in OpenSSL:
  – Karatsuba (fast): Multiplying two numbers of equal length
  – Normal (slow): Multiplying two numbers of different length
• To calc $x \cdot c \bmod q$ OpenSSL does:
  – When x is the same length as (c mod q), use Karatsuba mult.
  – Otherwise, use Normal mult.
![Page 61: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/61.jpg)
Multiplication Summary
[Plot: Decryption Time versus c, with q marked and the regions c < q and c > q; labels: Normal Multiplication, Karatsuba Multiplication]
![Page 62: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/62.jpg)
Data Dependency Summary
• Decryption value c < q
  – Montgomery effect: longer decryption time
  – Multiplication effect: shorter decryption time
• Decryption value c > q
  – Montgomery effect: shorter decryption time
  – Multiplication effect: longer decryption time
Opposite effects! But one will always dominate
![Page 63: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/63.jpg)
Timing Attack
High Level Attack:
1) Suppose g = q for the top i-1 bits, and 0 elsewhere.
2) $g_{hi}$ = g, but with the ith bit 1. Then $g < g_{hi}$.
   Goal: decide if $g < q < g_{hi}$ or $g < g_{hi} < q$
3) Sample decryption time for g and $g_{hi}$:
   t1 = DecryptTime(g)
   t2 = DecryptTime($g_{hi}$)
4) If |t1 - t2| is large, bit i is 0 ($g < q < g_{hi}$): g and $g_{hi}$ straddle q
   else bit i is 1 ($g < g_{hi} < q$): g and $g_{hi}$ don’t straddle q
large vs. small creates 0-1 gap
![Page 64: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/64.jpg)
Timing Attack Details
• We know what is “large” and “small” from attack on previous bits.
• Decrypting just c does not work because of sliding windows
  – Decrypt a neighborhood of values near g
  – Will increase diff. between large and small values: larger 0-1 gap
• Only need to recover 1/2 bits of q [C’97]
• Attack requires only 2 hours, about 1.4 million queries
![Page 65: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/65.jpg)
The Zero-One Gap
[Plot; label: Zero-one gap]
![Page 66: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/66.jpg)
How does this work with SSL?
How do we get the server to decrypt our c?
![Page 67: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/67.jpg)
Normal SSL Decryption
Regular Client ↔ SSL Server
1. ClientHello
2. ServerHello (send public key)
3. ClientKeyExchange ($r^e \bmod N$)
Result: Encrypted with computed shared master secret
![Page 68: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/68.jpg)
Attack SSL Decryption
Attack Client ↔ SSL Server
1. ClientHello
2. ServerHello (send public key)
3. Record time t1; send guess g or $g_{hi}$
4. Alert
5. Record time t2; compute t2 – t1
![Page 69: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/69.jpg)
Attack requires accurate clock
• Attack measures 0.05% time difference between g and $g_{hi}$
  – Only 0.001 seconds on a P4
• We use the CPU cycle counter as fine-resolution clock
  – “rdtsc” instruction on Intel
  – “%tick” register on UltraSparc
![Page 70: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/70.jpg)
Attack extracts RSA private key in OpenSSL
[Plot labels: Montgomery reductions dominate; Multiplication routine dominates; zero-one gap]
![Page 71: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/71.jpg)
Attack extracts RSA private key
[Plot labels: Montgomery reductions dominate; Multiplication routine dominates; zero-one gap]
![Page 72: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/72.jpg)
72
Timing channels fell outside RSA security game
RSA Problem: Given N, e, $m^e \bmod N$, compute m
![Page 73: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/73.jpg)
73
My Security Axioms
I. Attackers Get Lucky, Defenders Do Not
II. Attackers are Creative
![Page 74: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/74.jpg)
74
Good Guy vs. Bad Guy
[Figure: Good Guy VS Bad Guy]
![Page 75: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/75.jpg)
75
Good Guy vs. Many Bad Guys
Good Guy
VS
Bad Guys
![Page 76: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/76.jpg)
76
What if they are powerful?
Good Guy
VS
![Page 77: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/77.jpg)
77
My Work
I. Securing the entire software lifecycle
![Page 78: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/78.jpg)
[Figure: software lifecycle. Developer: Designing, Writing, Debugging, Releasing, Updating. User: Verifying, Installing, Running. Exploiting.]
![Page 79: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/79.jpg)
79
My Work
I. Securing the entire software lifecycle
II. Allowing everyone to reason about the security of the code they execute
![Page 80: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/80.jpg)
BAP: Binary Code Analysis Platform
• Binary code is everywhere
• Security of the code you run (not just the code compiled)
![Page 81: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/81.jpg)
[Figure labels: Formal Methods, Compilers, Programming Languages, Usability, Algorithm Design]
![Page 82: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/82.jpg)
82
My Security Axioms
I. Attackers Get Lucky, Defenders Do Not
II. Attackers are Creative
![Page 83: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/83.jpg)
83
Thoughts?
![Page 84: Computer Security: Computer Science with Attackers](https://reader036.vdocuments.net/reader036/viewer/2022062410/568163a2550346895dd4a52e/html5/thumbnails/84.jpg)
84
That is all I have for today.