Thursday, July 9, 2015

52 Things: Number 39: What is the difference between a side-channel attack and a fault attack?

This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. We continue with our side-channel track and discuss the differences between a side-channel attack and a fault attack.

Side-channel attacks (SCA) are a class of attacks in which an adversary attempts to deduce information about a target's computation by observing side-channel leakage (e.g. timing, power consumption, electromagnetic emanations, acoustic noise, etc.).

Fault attacks (FA) are a class of attacks in which an adversary attempts to exploit the result of a faulty computation. The fault may be the result of a program/design bug (e.g. Intel's famous FDIV bug), or a fault induced directly by the adversary (e.g. power glitch, clock glitch, temperature variation, ion-beam injection, etc.). 'The Sorcerer’s Apprentice Guide to Fault Attacks' gives a good overview of a few of the more hands-on techniques for fault injection.

To sum up, the primary difference between the two is that SCAs exploit computation leakage and FAs exploit the result of erroneous computation. It's not a very insightful (or interesting) answer so perhaps a better question is to 'Discuss some similar approaches to side-channel and fault attacks'.

I'll discuss examples for three sub-classes for both SCAs and FAs: non-invasive, semi-invasive and invasive. Just as a side note, there may be some disagreement on the exact classification of non-invasive, semi-invasive and invasive attacks. These are my opinions and if you disagree, I invite you to take it up with my publisher.

Non-Invasive:

An attack is classed as non-invasive if the adversary has no physical contact with the target. I give solitary examples below but there are more out there.

SCA: Timing attacks are arguably both the most applicable and the least invasive SCA vector. This can be partly attributed to the fact that timing attacks can be carried out remotely, but also to the ease with which timing leaks are introduced. Consider a large library such as OpenSSL that supports numerous platforms and a whole suite of crypto applications. Ensuring that all sensitive computation is programmed to be constant time for each individual platform quickly becomes cumbersome. Add to this that you will be fighting the compiler's efforts to optimise your code, and it becomes an uphill battle.
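As an added illustration (not code from the original post or from OpenSSL), the sketch below puts an early-exit byte comparison next to a constant-time one. The secret, the guesses and all function names are constructed for this example, and a loop-iteration counter stands in for elapsed time so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 8-byte secret (think: a MAC tag) and two wrong guesses. */
static const uint8_t SECRET[8]  = {0x3a,0x91,0xc4,0x07,0x5e,0xb2,0x68,0xfd};
static const uint8_t GUESS_0[8] = {0x00,0x91,0xc4,0x07,0x5e,0xb2,0x68,0xfd}; /* byte 0 wrong */
static const uint8_t GUESS_4[8] = {0x3a,0x91,0xc4,0x07,0x00,0xb2,0x68,0xfd}; /* byte 4 wrong */

/* Leaky: returns at the first mismatch, so the amount of work depends on
 * how long a prefix of the guess is correct. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant time: always visits all n bytes and folds differences into an
 * accumulator. volatile discourages the compiler from short-circuiting. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Work done when comparing a guess against SECRET with each routine. */
size_t leaky_steps(const uint8_t *g) { size_t s; leaky_equal(SECRET, g, 8, &s); return s; }
size_t ct_steps(const uint8_t *g)    { size_t s; ct_equal(SECRET, g, 8, &s);    return s; }
int    ct_matches(const uint8_t *g)  { size_t s; return ct_equal(SECRET, g, 8, &s); }

int main(void)
{
    printf("leaky: %zu vs %zu steps\n", leaky_steps(GUESS_0), leaky_steps(GUESS_4));
    printf("ct:    %zu vs %zu steps\n", ct_steps(GUESS_0), ct_steps(GUESS_4));
    return 0;
}
```

On real hardware, confirm the constant-time property on the compiled binary for each target platform, since the optimiser may transform source that looks constant time.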

FA: Non-invasive fault attacks are somewhat less common as they require the faulty behaviour to be triggered based on the input. One could possibly build an attack using the aforementioned Intel FDIV bug which will return an incorrect division result for one in every 9 billion random inputs. I can't seem to find any reference to a concrete attack so we'll take it on faith that it may be possible.

Semi-Invasive:

An attack is classed as semi-invasive if the adversary has limited physical contact with the target. I give solitary examples below but there are more out there.

SCA: In a power analysis attack the adversary monitors the power consumption of the target device during the computation of a secret datum. The theory behind the attack is that the dynamic power consumption will be (in some way) related to the data being processed. If the adversary can approximate this relationship then they may also be able to make deductions about the data being processed. This is arguably semi-invasive as the adversary would require a power tap to the target device, which is not always available, and so the adversary would need to modify the target.
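To make the "relationship" concrete from a leakage-assessment point of view, the added example below (not from the original post) simulates power samples and measures how strongly they correlate with a Hamming-weight model. The Hamming-weight model, the baseline of 10, the noise range and the function names are all assumptions chosen for illustration; the traces are constructed, not measured.

```c
#include <stdint.h>
#include <stdio.h>

/* Hamming weight of a byte: a common first-order power model (assumed here). */
static int hw(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }

/* Small LCG so the constructed measurement noise is reproducible. */
static uint32_t lcg;
static int noise(void)
{
    lcg = lcg * 1664525u + 1013904223u;
    return (int)((lcg >> 24) % 3u) - 1;          /* -1, 0 or +1 */
}

/* Simulate n power samples while the device handles the bytes 0,1,2,...
 * and return the squared Pearson correlation between the Hamming-weight
 * model and the samples.
 *   leaks = 1: power depends on the data being processed
 *   leaks = 0: power is data-independent (baseline plus noise only) */
double leakage_r2(int leaks, int n)
{
    double sx = 0, sy = 0, sxx = 0, syy = 0, sxy = 0;
    lcg = 12345u;                                /* fixed seed */
    for (int i = 0; i < n; i++) {
        uint8_t d = (uint8_t)i;
        double x = hw(d);
        double y = 10.0 + (leaks ? hw(d) : 0) + noise();
        sx += x; sy += y; sxx += x * x; syy += y * y; sxy += x * y;
    }
    double cov = n * sxy - sx * sy;
    return (cov * cov) / ((n * sxx - sx * sx) * (n * syy - sy * sy));
}

int main(void)
{
    printf("data-dependent power:   r^2 = %.3f\n", leakage_r2(1, 4096));
    printf("data-independent power: r^2 = %.3f\n", leakage_r2(0, 4096));
    return 0;
}
```

A high r^2 for the data-dependent case and a value near zero for the data-independent case is the difference an evaluator looks for when checking whether a device's consumption tracks the values it processes.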

FA: Clock and power glitch attacks aim to induce faulty behaviour in a target device by altering the target environment. Consider the clock input to a chip: this clock governs the speed at which the target device operates. The maximum clock rate of a device is bounded by the 'critical path' of the target, which is the longest amount of time required for a combinatorial circuit to reach a stable state. Violation of this bound will trigger race conditions in the device and hence result in undefined behaviour. This makes glitch attacks somewhat unpredictable and sometimes hard to reproduce but incredibly effective!

Invasive:

An attack is classed as invasive if the adversary has unlimited resources and access to the target.

SCA: Probing SCAs use a direct tap on the data bus of a target device allowing an adversary to (almost directly) read off any information that goes across the bus. The target must be fully decapsulated and carefully examined to precisely target the secret data.

FA: Probing FAs allow an adversary to completely change the behaviour of the target device. Once again, the target must be fully decapsulated and mapped out to accurately influence the behaviour, but once this is done, the adversary has the ability to re-wire the target and consequently alter its operation.

Both SCA and FA have been demonstrated on real-world devices to devastating effect. There are, of course, several countermeasures devised to mitigate these attacks but these will come up later in our '52 things' series.
