Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code

Breier, Jakub; Hou, Xiaolu; Liu, Yang

doi:10.46586/tches.v2018.i2.96-122

Cited by 24 publications

(15 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In case of software level techniques, there are two works focusing on analyzing assembly implementations. The work in [BHL18] aims at unrolled microcontroller implementations and shows that some vulnerabilities are not visible from the cipher level perspective. For example, when permutation layer is combined with the substitution layer in block ciphers into a form of look-up tables, it introduces new vulnerabilities that cannot be estimated from the algorithmic representation.…”

Section: Implementation Level Approachesmentioning

confidence: 99%

Classical and Physical Security of Symmetric Key Cryptographic Algorithms

Baksi

2022

Computer Architecture and Design Methodologies

View full text Add to dashboard Cite

Chapter 3 ("Fault Attacks In Symmetric Key Cryptosystems") is currently under submission as a survey/systemization of of knowledge paper to a peer-reviewed journal.Chapter 4 is not under submission. The contributions of the co-authors are as follows:• The write-up for the first part (Chapters 4.1, 4.2) was done by me. For the second part (Chapter 4.3), I did part of the write-up and analysis.• P. Ravi prepared the electromagnetic leakage and part of the write-up.• R. R. Shrivastwa prepared the power leakage.3 Chapter 5 is accepted as "New Insights On Differential And Linear Bounds Using Mixed Integer Linear Programming"; by A. Baksi; in International Conference on Information Technology and Communications Security (SecITC), 2020 (with major modification). This is a single-author paper by me. As such, I am responsible for everything -ideation, experimental results, write-up and proofreading and so on.

show abstract

Section: Implementation Level Approachesmentioning

confidence: 99%

Classical and Physical Security of Symmetric Key Cryptographic Algorithms

Baksi

2022

Computer Architecture and Design Methodologies

View full text Add to dashboard Cite

show abstract

“…On the other hand, there are various approaches that try to find an actual mathematical attack based on some description of a cipher, e.g., using algebraic fault attacks [31] or classical DFA [5] (cf. [32] for an overview).…”

Section: B Fault Simulation and Assessmentmentioning

confidence: 99%

“…Even further, those are only applicable to the cryptographic operation itself and not to other security-critical parts of the code. For example [5] searches for vulnerable spots for DFA based on a data flow graph extracted from Assembly. A similar approach is presented in [33], but instead, the extracted set of equations is fed to an SMT solver to find a distinguisher.…”

Section: B Fault Simulation and Assessmentmentioning

confidence: 99%

“…Yet, especially for off-the-shelf microcontrollers such as IoT devices, a detailed low-level description is rarely available. On the other end of the spectrum, there is recent work that evaluates abstract descriptions of algorithms or implementations with respect to some specific mathematical fault exploitation [5], [6]. However, it is difficult to transfer this outcome to other types of attacks or even non-cryptographic but still security-critical parts of the implementation.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

ARMORY: Fully Automated and Exhaustive Fault Simulation on ARM-M Binaries

Hoffmann

Schellenberg

Paar

2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Embedded systems are ubiquitous. However, physical access of users and likewise attackers makes them often threatened by fault attacks: a single fault during the computation of a cryptographic primitive can lead to a total loss of system security. This can have serious consequences, e.g., in safetycritical systems, including bodily harm and catastrophic technical failures. However, countermeasures often focus on isolated fault models and high layers of abstraction. This leads to a dangerous sense of security, because exploitable faults that are only visible at machine code level might not be covered by countermeasures. In this work we present ARMORY, a fully automated open source framework for exhaustive fault simulation on binaries of the ubiquitous ARM-M class. It allows engineers and analysts to efficiently scan a binary for potential weaknesses against arbitrary combinations of multi-variate fault injections under a large variety of fault models. Using ARMORY, we demonstrate the power of fully automated fault analysis and the dangerous implications of applying countermeasures without knowledge of physical addresses and offsets. We exemplarily analyze two case studies, which are highly relevant for practice: a DFA on AES (cryptographic) and a secure bootloader (non-cryptographic). Our results show that indeed numerous exploitable faults found by ARMORY which occur in the actual implementations are easily missed in manual inspection. Crucially, most faults are only visible when taking machine code information, i.e., addresses and offsets, into account. Surprisingly, we show that a countermeasure that protects against one type of fault can actually largely increase the vulnerability to other fault models. Our work demonstrates the need for countermeasures that, at least in their evaluation, are not restricted to isolated fault models and consider low-level information during the design process.

show abstract

“…In this section, we discuss masking schemes, verification approaches, mitigation techniques and measurement of information leakage related to power side-channel attacks. Work on other side-channel attacks that rely on execution-time [3], [68], [69], [70], [71], [72], [73], [74], [75], [76], faults [52], [77], [78], [79], and cache [80], [81], [82], [83], [84], [85], [86], [87], [88], [89] do exist, but is orthogonal to ours, hence will not be discussed in this section.…”

Section: Related Workmentioning

confidence: 99%

Formal Verification of Masking Countermeasures for Arithmetic Programs

Gao

Xie

Sun

et al. 2020

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Cryptographic algorithms are widely used to protect data privacy in many aspects of daily lives from smart card to cyber-physical systems. Unfortunately, programs implementing cryptographic algorithms may be vulnerable to practical power side-channel attacks, which may infer private data via statistical analysis of the correlation between power consumptions of an electronic device and private data. To thwart these attacks, several masking schemes have been proposed, giving rise to effective countermeasures for reducing the statistical correlation between private data and power consumptions. However, programs that rely on secure masking schemes are not secure a priori. Indeed, designing effective masking programs is a labor intensive and error-prone task. Although some techniques have been proposed for formally verifying masking countermeasures and for quantifying masking strength, they are currently limited to Boolean programs and suffer from low accuracy. In this work, we propose an approach for formally verifying masking countermeasures of arithmetic programs. Our approach is more accurate for arithmetic programs and more scalable for Boolean programs comparing to the existing approaches. It is essentially a synergistic integration of type inference and model-counting based methods, armed with domain specific heuristics. The type inference system allows a fast deduction of leakage-freeness of most intermediate computations, the model-counting based methods accounts for completeness, namely, to eliminate spurious flaws, and the heuristics facilitate both type inference and model-counting based reasoning, which improve scalability and efficiency in practice. In case that the program does contain leakage, we provide a method to quantify its masking strength. A distuiguished feature of our type sytem lies in its support of compositonal reasoning when verifying programs with procedure calls, so the need of inlining procedures can be significantly reduced. We have implemented our methods in a verification tool QMVERIF which has been extensively evaluated on cryptographic benchmarks including full AES, DES and MAC-Keccak. The experimental results demonstrate the effectiveness and efficiency of our approach, especially for compositional reasoning. In particular, our tool is able to automatically prove leakage-freeness of arithmetic programs for which only manual proofs exist so far; it is also significantly faster than the state-of-the-art tools: EasyCrypt on common arithmetic programs, QMSINFER, SC Sniffer and maskVerif on Boolean programs.

show abstract

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code

Cited by 24 publications

References 21 publications

Classical and Physical Security of Symmetric Key Cryptographic Algorithms

Classical and Physical Security of Symmetric Key Cryptographic Algorithms

ARMORY: Fully Automated and Exhaustive Fault Simulation on ARM-M Binaries

Formal Verification of Masking Countermeasures for Arithmetic Programs

Contact Info

Product

Resources

About