
CS2 '14: latest publications

Adaptive entity-identifier generation for IMD emergency access
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556324
R. M. Seepers, C. Strydis, I. Sourdis, C. I. Zeeuw
Recent work on wireless Implantable Medical Devices (IMDs) has revealed the need for secure communication in order to prevent data theft and implant abuse by malicious attackers. However, security should not be provided at the cost of patient safety, and an IMD should thus remain accessible during an emergency regardless of device security. In this paper, we present a novel method of providing IMD emergency access, based on generating Entity Identifiers (EIs) using the Inter-Pulse Intervals (IPIs) of heartbeats. We evaluate the current state of the art in EI generation in terms of security and accessibility for healthy subjects with a wide range of heart rates. Subsequently, we present an adaptive EI-generation algorithm which takes the heart rate into account, maintaining an acceptable emergency-mode activation time (between 5 and 55.4 s) while improving security by up to 3.4x for high heart rates. Finally, we show that activating emergency mode may consume as little as 0.24 μJ from the IMD battery.
Citations: 11
Detecting positive voltage attacks on CMOS circuits
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556320
Kamil Gomina, P. Gendrier, P. Candelier, J. Rigaud, A. Tria
This work investigates voltage attacks above the nominal voltage on CMOS digital circuits designed on advanced technology nodes. The behavior of both combinatorial and sequential logic is analyzed in the presence of static and dynamic overvoltage attacks. It points out that only modifications of propagation delays occur in the presence of such attacks. Timing detection circuits are then introduced to detect hold violations. These circuits offer good performance with low area overhead, but their implementation requires extra timing constraints on the design to be protected. In addition, multiple power-domain circuits must be considered to thwart overpowering attacks.
Citations: 6
Group-signature schemes on constrained devices: the gap between theory and practice
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556321
Raphael Spreitzer, Jörn-Marc Schmidt
Group-signature schemes allow members within a predefined group to prove specific properties without revealing more information than necessary. Potential areas of application include electronic IDs (eIDs) and smartcards, i.e., resource-constrained environments. Though literature provides many theoretical proposals for group-signature schemes, practical evaluations regarding the applicability of such mechanisms in resource-constrained environments are missing. In this work, we investigate four different group-signature schemes in terms of mathematical operations, signature length, and the proposed revocation mechanisms. We also use the RELIC toolkit to implement the two most promising of the investigated group-signature schemes---one of which is going to be standardized in ISO/IEC 20008---for the AVR microcontroller. This allows us to give practical insights into the applicability of pairings on the AVR microcontroller in general and the applicability of group-signature schemes in particular on the very same. Contrary to the general recommendation of precomputing and storing pairing evaluations if possible, we observed that the evaluation of pairings might be faster than computations on cached pairings.
Citations: 6
Memory-efficient on-card byte code verification for Java cards
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556323
Reinhard Berlach, Michael Lackner, C. Steger, Johannes Loinig, E. Haselsteiner
Java-enabled smart cards are widely used to store confidential information in a trusted and secure way in an untrusted and insecure environment, for example the credit card in your briefcase. In this environment the owner of the card can install and run any applet on his card, such as the loyalty application of your favorite store. However, every applet that runs on a trusted card has to be verified. On-card bytecode verification is a crucial step towards creating a trusted environment on smart cards. The innovative verification method presented in this work comes without any additional off-card component and uses nearly the same amount of memory as the execution of the applet does. The use of a Control Flow Graph and Basic Blocks, together with a temporary transformation of the methods, reduces the complexity of this new verifier. We show a detailed analysis of the implemented algorithm and preliminary tests of a prototype on a Java Card.
Citations: 6
High-order timing attacks
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556316
J. Danger, Nicolas Debande, S. Guilley, Youssef Souissi
The timing attack (TA) is a side-channel analysis (SCA) variant that exploits information leakage through the computation duration. Previously, leakages in timing have been exploited by comparison analysis, most often thanks to "correlation-collision" or pre-characterization on a clone device. Time bias can also be used to break a secret cryptosystem by linear correlations in a non-profiled setting. There is a direct parallel between the Correlation Power Attack (CPA) and TA: the distinguisher is the same, but the exploited data is either vertical or horizontal. The countermeasures against such attacks consist in making the algorithm run in either random or constant time. In this paper, we show that the former is prone to high-order attacks that analyse the higher moments of the computation time during code execution. We present successful second-order timing attacks (2O-TA) based on a correlation and compare them to the second-order power attack. All experiments have been conducted on an 8-bit processor running AES-128.
Citations: 10
Remote cache-timing attacks against AES
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556322
V. Saraswat, Daniel Feldman, Denis Foo Kune, Satyajit Das
We present a cache-timing attack on the Advanced Encryption Standard (AES) [14] with the potential to be applied remotely and develop an evaluation framework for comparing the relative performance of the attacks under various simulated network conditions. We examine Bernstein's original AES cache-timing attack [3], and its variants [6, 12, 10]. We conduct an analysis of network noise and develop a hypothesis fishing concept in order to reduce the number of samples required to recover a key in our implementation of the attacks of [3]. Our rough estimate for the number of samples required is about 2 × 10^9, which is comparable to the estimate 4 × 10^9 of our month-long experiment using Bernstein's technique [3].
Citations: 9
Countering type confusion and buffer overflow attacks on Java smart cards by data type sensitive obfuscation
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556317
Michael Lackner, Reinhard Berlach, R. Weiss, C. Steger
Java-enabled smart cards protect security-related code and data by a sandbox concept. Unfortunately, this sandbox can be bypassed by fault attacks. Therefore, there is a substantial need for transparent, effective, and low-overhead countermeasures. This work demonstrates a new countermeasure against type confusion and buffer overflow attacks. It is based on obfuscating the security-critical calculation parts of a virtual machine with secret keys. The countermeasure was integrated into a Java Card virtual machine running on a smart card prototype, and new hardware features were added to this prototype to accelerate the obfuscating operation. The execution-time overhead of the new countermeasure is demonstrated by run-time measurements on the prototype.
Citations: 6
Towards attacks on restricted memory areas through co-processors in embedded multi-OS environments via malicious firmware injection
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556318
Pierre Schnarz, J. Wietzke, I. Stengel
Multi-operating systems have been introduced to manage the manifold requirements of embedded systems. Especially in safety-critical environments like the automotive domain, the system's security must be guaranteed. Despite state-of-the-art virtualization mechanisms, the idea of asymmetric multi-processing can be used to split a system's hardware resources, which makes the virtualization of hardware obsolete. However, this special technique for implementing a multi-operating system might add special demands on security objectives like isolation. In this paper an attack vector is shown which utilizes a co-processor to break through the isolation of an operating-system domain. Using a multi-operating-system environment, we inject a malicious firmware into the co-processor in order to circumvent isolation mechanisms on behalf of an attacking operating system. Our attack vector demonstrates weaknesses in CPU-centric isolation mechanisms, which are presented further in the remainder of the document.
Citations: 4
On using genetic algorithms for intrinsic side-channel resistance: the case of AES S-box
Pub Date : 2014-01-20 DOI: 10.1145/2556315.2556319
S. Picek, Baris Ege, L. Batina, D. Jakobović, L. Chmielewski, M. Golub
Finding balanced S-boxes with high nonlinearity and low transparency order is a difficult problem. The transparency order property is important since it specifies the resilience of an S-box against differential power analysis. Better values for transparency order, and hence improved side-channel security, often imply less in terms of nonlinearity. Therefore, it is impossible to find an S-box with all optimal values. Currently, there are no algebraic procedures that can give the preferred and complete set of properties for an S-box. In this paper, we employ evolutionary algorithms to find S-boxes with desired cryptographic properties. Specifically, we conduct experiments for the 8×8 S-box case as used in the AES standard. The results of our experiments prove the feasibility of finding S-boxes with the desired properties in the case of AES. In addition, we show preliminary results of side-channel experiments on different versions of "improved" S-boxes.
Citations: 40
Copyright © 2023 Book学术 All rights reserved.