Introduction[What is a side-channel attack]
The emergence of a side-channel attack is closely related to the existence of physically observable phenomena caused by the execution of computational tasks in microelectronic devices and common systems. For example, microprocessors consume time and energy to perform their assigned tasks. Devices keep their secrets, and if criminals understand the unintended signals, they could get some interesting secrets and use them to perform a side-channel attack. The same thing happens, for example, when a timing attack is performed on a web system to enumerate possible valid users.These kinds of attacks use patterns of information. For example, the screen will display electrical emissions from a computer monitor or hard drive that could be used to analyze this type of information, or a scenario where computer components draw different amounts of energy while performing certain processes.
Using this kind of attack could be very dangerous because a different landscape is used to explore vulnerabilities compared to conventional approaches. As shown in Figure 1 below, signals from popular devices such as smartphones, embedded devices and IoT environments have been used to find vulnerabilities, extract sensitive information or behavior by analyzing signal frequency over a period of time (inputs and outputs).
The big picture of side-channel attacks
“When we design an algorithm, we usually think about inputs and outputs. We don’t think about anything else that happens when the program is running,” says Daniel Genkin, a computer scientist at the University of Michigan.Computers work based on physics and there are many physics side effects that can be analyzed including time, power and sound. These are three important ingredients that scammers could explore in the wild. For example, a timing attack is a side-channel attack in which an attacker attempts to compromise a cryptosystem by analyzing the time it takes to execute cryptographic algorithms.
Another well-known web surface scenario is a time-based blind SQL attack. Here WAIT FOR DELAY functions can be used to pause execution for a specified time, or WAIT FOR TIME can be used to pause query execution and resume it when the system time is equal to the parameter. Using this method, the attacker enumerates each letter of the desired part of the data using the following logic:
If the first letter of the name of the first database is “A”, wait 10 seconds.
If the first letter of the name of the first database is “B”, wait 10 seconds.
[etc.]
These attacks use one of these effects to gain more information about the secrets of the algorithm being used.
From an attacker’s perspective, virtually any accidental information leak can be harvested to learn something they don’t have.
Figure 2 below shows how a side-channel attack can be used to obtain the secret of the normal application workflow and use side information such as audio, frequency, power consumption, etc. to obtain the final output (e.g. ciphertext).
Computing systems are now more sophisticated, with components pushed to their physical limits, going in all directions and using all possible information to achieve the best results. In this sense, side-channel attacks are becoming more and more difficult to detect and prevent.
As an example, several bugs have been discovered in recent years on the most popular physical equipment, with names like Meltdown, Spectre, Fallout, RIDL, and Zombieload, all of which use side-channel attacks as part of their stealth techniques. .
Let’s look at each of them in detail.
- Meltdown: This is a hardware vulnerability that affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. In detail, it allows a rogue process to get all the memory even if it doesn’t have permission to do so.
- Spectre: This is a vulnerability that affects modern microprocessors that implement branch prediction. On most processors, speculative execution resulting from incorrect branch prediction can leave observable side effects that can expose private data.
- Fallout: The Fallout attack makes it possible to obtain data that the operating system has recently written and to find out the memory position of the operating system strengthening other attacks.
- RIDL: A RIDL attack can be used to leak information across different security domains from different buffers such as line fill buffers and load ports inside Intel processors.
- ZombieLoad: The ZombieLoad attack regurgitates private browsing history and other sensitive data. It allows information leakage from other applications, the operating system, virtual machines in the cloud, and trusted execution environments.
Final thoughts
Side-channel attacks have been a hot topic in the past few years and have become a more sophisticated horizon used to explore a set of vulnerabilities on a physical device or use signals to reveal the secrets of a workflow, communication channel, or crypto tunnel.Meltdown and Specter are real proof of this dangerous attack, exploring vulnerabilities that affect microprocessors and using a time-based side-channel attack. Each uses different techniques to access and decode secret information in a processor’s cache—a part of memory that’s designed to keep certain data handy for better efficiency. In this context, an attacker can analyze the timing of processor responses to see what the cache is leaking and thus the secret information.
Preventing these kinds of scenarios is a difficult task, but there are a set of best practices that can be followed, as outlined by OWASP. For example, fixing worst-case execution time response time could be a good solution to prevent time-side channels, but with a serious performance impact.
On the other hand, attacks on web applications can also be a big problem. Determine the existence of a username from response time or error messages that could be used to exfiltrate information from the target system.
Side channels appear in a variety of ways. Detection and prevention is a serious challenge and can often have a negative impact on system performance.
Sources
This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita
The list of threats to your computer’s security grows daily: Keyloggers, trojans, ransomware...and now the rogue falafel sandwich.