\begin{frame} \mktitle{Learning outcomes} \begin{columns} \begin{column}{0.75\textwidth} \begin{itemize} \item Understand the threat of side-channels \item Get an intuition of timing attacks \end{itemize} \end{column} \begin{column}{0.25\textwidth} \centering \includegraphics[width=.8\textwidth]{img/meltdown} \end{column} \end{columns} \vfill \alert{No in-depth programming and cryptographic details} \end{frame} \begin{frame} \mktitle{Setting and security} \begin{tikzpicture} \node[draw=none](server){ \includegraphics[width=60pt]{img/server} }; \node[draw=none,left=100pt of server](client){ \includegraphics[width=40pt]{img/client} }; \path[draw, latex-latex] (client) -- (server); \end{tikzpicture} \end{frame} \begin{frame} \mktitle{Security on paper} \includegraphics[height=.67\textheight]{img/security-door-zoomin} \end{frame} \begin{frame} \mktitle{Reality --- not a black box} \includegraphics[height=.67\textheight]{img/security-door-zoomout} \end{frame} \begin{frame} \mktitle{Side channels --- Pandora's box} \begin{columns} \begin{column}{.5\textwidth} \hfill \includegraphics[height=.67\textheight]{img/pandora} \end{column} \begin{column}{.5\textwidth} \begin{itemize} \item Power consumption \item EM radiation \item Heat \item Sound \item Cache \item Faults \item Timing \item Size \item ... % REMINDER@Pandora: ... -> e.g., disk access patterns \end{itemize} \end{column} \end{columns} % REMINDER@Pandora: sky is the limit, there are lots of things to measure \end{frame} \begin{frame} \mktitle{Printer sounds --- document content leaked} \includegraphics[height=.67\textheight]{img/printersound} \vfill\scriptsize{ Backes \emph{et~al.}: Acoustic Side-Channel Attacks on Printers, In: USENIX Security (2010) } \end{frame} \begin{frame} \mktitle{Laptop sounds --- secret key leaked} \includegraphics[width=.67\textwidth]{img/ultrasound} \vfill\scriptsize{ Genkin \emph{et~al.}: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, In: Crypto (2014) } \end{frame} \begin{frame} \mktitle{Energy consumption --- secret key leaked} \includegraphics[width=.67\textwidth]{img/smartcard} \vfill\scriptsize{ Messerges \emph{et~al.}: Power Analysis Attacks of Modular Exponentiation in Smartcards, In: CHES (1999) } \end{frame} \begin{frame} \mktitle{Packet size --- encrypted content leaked} \includegraphics[height=.67\textheight]{img/voip} \vfill\scriptsize{ White \emph{et~al.}: Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks, In: IEEE SP (2011) } \end{frame} \begin{frame} \mktitle{Response timing --- message forgery} \begin{tikzpicture} \node[draw=none](server){ \includegraphics[width=60pt]{img/server} }; \node[draw=none,left=100pt of server](client){ \includegraphics[width=40pt]{img/attacker} }; \path[draw, -latex] (client.34) |- node[draw=none,above,pos=.75]{\texttt{msg, tag}} (server.155); \path[draw, -latex] (server.199) |- node[draw=none,above,pos=.75]{\texttt{yes/no}} (client.335); \end{tikzpicture} \vfill\scriptsize{ Crosby \emph{et al.}: Opportunities and Limits of Remote Timing Attacks, In: TISSEC (2009) }\\ \scriptsize{ Hale: A lesson in timing attacks, URL: \url{https://codahale.com/a-lesson-in-timing-attacks/} (2009) } \end{frame} \begin{frame} \mktitle{Scope} \begin{tikzpicture} \node[draw,rectangle, minimum width=.6\textwidth, minimum height=.4\textheight, fill=gray!33, ](sc){}; \node[draw=none,below=0pt of sc.150]{side-channels}; \node[draw,circle, minimum width=.15\textwidth, fill=rgdGreen, text=white, ](t){\textbf{timing}}; \end{tikzpicture} \end{frame} \begin{frame} \mktitle{Effort to crack this password?} \begin{tikzpicture}[ rgddBox/.style = { draw = black, minimum width = 20pt, minimum height = 20pt, fill = gray!33, font = \bfseries, } ] \def\rgddBoxData{{z},{f},{T},{B},{s},{v},{g},{O},{e},{t}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox](p\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of p\pgfmathresult](p\i){\x}; \fi \node[draw=none,text=darkRed,above=0pt of p\i]{\i}; } %\pause \foreach[count=\i] \x in \rgddBoxData{ \node[draw=none,text=darkGreen,below=0pt of p\i]{52}; } \end{tikzpicture} \pause \vfill 144555105949057024 \pause \vfill $52^{10}$ combinations and 100M queries/s $\rightarrow$ 46 years %REMINDER@Password: exponential increase for each character \pause \\\includegraphics[height=.2\textheight]{img/grandpa} \end{frame} \begin{frame} \mktitle{Experiment --- are these strings equal?} \pause \texttt{0000000000000000} \floatright{\texttt{9389349108837912}}\\ \pause \texttt{0000439513027213} \floatright{\texttt{0000431513027213}}\\ \pause \texttt{7485820126271479} \floatright{\texttt{7485820126371479}}\\ \end{frame} \begin{frame} \mktitle{Comparing strings like a programmer} \begin{tikzpicture}[ rgddBox/.style = { draw = black, minimum width = 20pt, minimum height = 20pt, fill = gray!33, font = \bfseries, }, rgddPopup/.style = { draw=rgdGreen, thick, rectangle, fill=rgdYellow, minimum width = \textwidth, minimum height = 40pt, }, ] \def\rgddBoxData{{7},{4},{8},{5}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox](p\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of p\pgfmathresult](p\i){\x}; \fi } \def\rgddBoxData{{7},{4},{0},{2}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox,right=60pt of p4](q\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of q\pgfmathresult](q\i){\x}; \fi } \foreach \i in {1,...,3}{ \only<\i>{\node[draw=none,below=6pt of p\i]{\lding};} \only<\i>{\node[draw=none,below=6pt of q\i]{\lding};} } \only<4>{ \node[rgddPopup] at ($ (p4) !.5! (q4) $) {\Huge no need to continue}; } \end{tikzpicture} \end{frame} %\begin{frame} % \mktitle{Programming 101 --- string comparison} % \lstinputlisting[style=CStyle,firstline=3,lastline=14]{img/strcmp.py} %\end{frame} \begin{frame} \mktitle{Timing --- an inutitive note} \includegraphics[width=\textwidth]{img/timeit} \end{frame} \begin{frame} \mktitle{Effort to crack this password?} \begin{tikzpicture}[ rgddBox/.style = { draw = black, minimum width = 20pt, minimum height = 20pt, fill = gray!33, font = \bfseries, } ] \def\rgddBoxData{{z},{f},{T},{B},{s},{v},{g},{O},{e},{t}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox](p\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of p\pgfmathresult](p\i){\x}; \fi \node[draw=none,text=darkRed,above=0pt of p\i]{\i}; } \foreach[count=\i] \x in \rgddBoxData{ \node[draw=none,text=darkGreen,below=0pt of p\i]{52}; } \end{tikzpicture} \vfill \pause \begin{tikzpicture}[ rgddBox/.style = { draw = black, minimum width = 20pt, minimum height = 20pt, fill = gray!33, font = \bfseries, } ] \def\rgddBoxData{{a},{a},{a},{a},{a},{a},{a},{a},{a},{a}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox](q\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of q\pgfmathresult](q\i){\x}; \fi } \def\rgddBoxData{{z},{f},{T},{B},{s},{v},{g},{O},{e},{t}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i<5\pause\fi \ifnum\i=1\relax \node[rgddBox, text=darkOrange](q\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox, text=darkOrange, right=6pt of q\pgfmathresult](q\i){\x}; \fi } \end{tikzpicture} %$52*10$ tries $\rightarrow$ ``negl'' time %REMINDER@Password: linear increase for each character \end{frame} \begin{frame} \mktitle{Demo --- Experimental setup} \begin{tikzpicture} \node[draw=none](server){ \includegraphics[width=60pt]{img/server} }; \node[draw=none,left=100pt of server](client){ \includegraphics[width=40pt]{img/attacker} }; \path[draw, -latex] (client.34) |- node[draw=none,above,pos=.75]{\texttt{msg, tag}} (server.155); \path[draw, -latex] (server.199) |- node[draw=none,above,pos=.75]{\texttt{yes/no}} (client.335); \path[draw,-latex] (server) edge[loop right] node[draw=none,pos=.7,below]{ \begin{tabular}{c} byte-by-byte cmp\\ with $\approx$ms sleep \end{tabular} } (); \end{tikzpicture} \vfill\url{https://github.com/rgdd/timing-server} \end{frame} \begin{frame} \mktitle{Can you recommend another demo? Asking for a friend} \includegraphics[height=.67\textheight]{img/demo} \url{https://www.youtube.com/watch?v=2-zQp26nbY8} \end{frame} \begin{frame} \mktitle{Countermeasure -- constant time compare} \begin{tikzpicture}[ rgddBox/.style = { draw = black, minimum width = 20pt, minimum height = 20pt, fill = gray!33, font = \bfseries, }, rgddPopup/.style = { draw=rgdGreen, thick, rectangle, fill=rgdYellow, minimum width = \textwidth, minimum height = 40pt, }, ] \def\rgddBoxData{{7},{4},{8},{5}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox](p\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of p\pgfmathresult](p\i){\x}; \fi } \def\rgddBoxData{{7},{4},{0},{2}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox,right=60pt of p4](q\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of q\pgfmathresult](q\i){\x}; \fi } \foreach \i in {1,...,4}{ \only<\i>{\node[draw=none,below=6pt of p\i]{\lding};} \only<\i>{\node[draw=none,below=6pt of q\i]{\lding};} } \end{tikzpicture} \end{frame} %\begin{frame} % \mktitle{Countermeasure --- constant time compare} % \lstinputlisting[style=CStyle,firstline=3,lastline=14]{img/countermeasure.py} %\end{frame} \begin{frame} \mktitle{Lessons learned} \centering \textbf{Adversarial input?} Think twice before using standard equality operators \vfill \textbf{Cryptography in code?} Stick to cryptographic libraries, hope for the best \end{frame} \begin{frame} \mktitle{Meltdown} \includegraphics[height=.67\textheight]{img/meltdown} \vfill\scriptsize{ Lipp \emph{et~al.}: Meltdown, In: CoRR abs/1801.01207 (2018) } \end{frame} \begin{frame} \mktitle{Preliminaries --- per-process virtual memory layout} \includegraphics[width=.67\textwidth]{img/memlayout} \vfill \begin{tikzpicture} \Tree [ .{page table} [ .{\textcolor{darkBlue}{address translation}} ] [ .{\textcolor{darkGreen}{privelege checks}} ] ] \end{tikzpicture} \end{frame} \begin{frame} \mktitle{Preliminaries --- caching and out-of-order execution} \begin{tikzpicture}[ rgddBox/.style = { draw = black, minimum width = 20pt, minimum height = 20pt, fill = gray!33, font = \bfseries, } ] \def\rgddBoxData{{},{},{},{},{},{},{},{},{}} \foreach[count=\i] \x in \rgddBoxData{ \ifnum\i=1\relax \node[rgddBox](p\i){\x}; \else \pgfmathparse{int(\i-1)} \node[rgddBox,right=6pt of p\pgfmathresult](p\i){\x}; \fi \node[draw=none,text=darkRed,above=0pt of p\i]{\i}; } % First access \node[draw=none,below=of p3,font=\rmfamily](call1){% \texttt{access}($\mathsf{MEM}[5]$) }; \path[draw, -latex] (call1) -- node[draw=none,sloped,above,font=\scriptsize]{slow} (p5.248); % Second access \node[draw=none,below=of p7,font=\rmfamily](call2){% \texttt{access}($\mathsf{MEM}[5]$) }; \path[draw, -latex] (call2) -- node[draw=none,sloped,above,font=\scriptsize]{fast} (p5.292); \end{tikzpicture} \pause \begin{columns} \begin{column}{.29\textwidth} \lstinputlisting[style=CStyle]{img/isn} \end{column} \begin{column}{.49\textwidth} \includegraphics[width=\textwidth]{img/meltdown-out-of-order} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Ooops --- leaked privileged memory?} \begin{columns} \begin{column}{.45\textwidth} \lstinputlisting[style=CStyle]{img/meltdown-isn} \end{column} \end{columns} \pause \vfill \includegraphics[width=.67\textwidth]{img/meltdown-pageload} \end{frame} \begin{frame} \mktitle{Proof of concept} \hfill \includegraphics[height=.5\textheight]{img/meltdown-dump} \hfill \includegraphics[height=.5\textheight]{img/meltdown-ff} \hfill \end{frame} \begin{frame} \vfill\centering\Large\textbf{ That's it --- questions? }\vfill \end{frame}