• Home
  • About
    • Seokmin.Lee photo

      Seokmin.Lee

      Hello, I am a master's student in the Department of Convergence Security (Samsung Advanced Security) at Korea University.After graduation, I am expected as a security developer or researcher member of Samsung SDS.

    • Learn More
    • LinkedIn
    • Github
  • Posts
    • All Tags

[paper] Rosita towards Automatic Elimination of Power Analysis Leakage in Chiper

06 May 2021

Rosita

  1. Uses an emulator to detect leakage due to unintended interatctions between values
  2. Rewrites the code to eliminate the leakage.
  • A code rewrite engine that uses a leakage emulator which we amend to correctly emulate the micro-architecture of a target system.

    ๋Œ€์ƒ ์‹œ์Šคํ…œ์˜ ๋งˆ์ดํฌ๋กœ ์•„ํ‚คํ…์ฒ˜๋ฅผ ์˜ฌ๋ฐ”๋ฅด๊ฒŒ ์—๋ฎฌ๋ ˆ์ดํ„ฐ๋กœ ์ˆ˜์ •ํ•˜๊ธฐ ์œ„ํ•ด ๋ฆฌํฌ ์—๋ฎฌ๋ ˆ์ดํ„ฐ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ์ฝ”๋“œ ์žฌ์ž‘์„ฑ ์—”์ง„์ด๋‹ค.

  • AES, ChaCha, Xoodoo๋“ฑ์„ ์ ์€ ํŒจ๋„ํ‹ฐ๋กœ protected maskํ•˜์˜€๋‹ค.

    Uniformed distributed โ€“> only proven secure attack

  • many chiperโ€™s implementations employ masking techniques that combine intermediate values with randomly selected masks.
  • โ€“> the mask being uniformed distributed
  • To fix this leaks repeatedly "Tweak the code until it stops leaking

    ๋ฐ˜๋ณต์ ์œผ๋กœ ๋ˆ„์ถœ์ด ๋ฉˆ์ถœ ๋•Œ๊นŒ์ง€ ์ฝ”๋“œ๋ฅผ ์ˆ˜์ •ํ•œ๋‹ค.

  • We have set out to explore if leakage emulators can be used for automatic elimination of side channel leakage from software implemenations

    ์†Œํ”„ํŠธ์›จ์–ด ๊ตฌํ˜„์—์„œ ์‚ฌ์ด๋“œ ์ฑ„๋„ ๋ˆ„์ถœ์„ ์ž๋™์œผ๋กœ ์ œ๊ฑฐํ•˜๊ธฐ ์œ„ํ•ด ๋ˆ„์ถœ ์—๋ฎฌ๋ ˆ์ดํ„ฐ๋ฅผ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š”์ง€ ์กฐ์‚ฌํ•˜๊ธฐ ์œ„ํ•ด ์ฐฉ์ˆ˜ํ–ˆ์Šต๋‹ˆ๋‹ค.

  • Code rewrite program: โ€œROSITAโ€ + Extended leakage emulator: โ€œELMOโ€

    • ROSITA
      1. rule-driven code rewrite engine.
      2. uses output from ELMO*
      3. to select rewrite rules and apply them at leaky points
        • incorporates rules to mitigate leakage arising from operand interactions, register reuse, rotation operation, and memory operations.

        • ํ”ผ์—ฐ์‚ฐ์ž ์ƒํ˜ธ ์ž‘์šฉ, ๋ ˆ์ง€์Šคํ„ฐ ์žฌ์‚ฌ์šฉ, ํšŒ์ „ ์—ฐ์‚ฐ ๋ฐ ๋ฉ”๋ชจ๋ฆฌ ์ž‘์—…์—์„œ ๋ฐœ์ƒํ•˜๋Š” ๋ˆ„์ถœ์„ ์™„ํ™”ํ•˜๊ธฐ ์œ„ํ•œ ๊ทœ์น™์„ ํ†ตํ•ฉํ•ฉ๋‹ˆ๋‹ค

    • ELMO has undergone a major upgrade to ELMO* for two reasons:
      1. Only detect leakage between consecutive instructions โ€“> Detact leakage between instructions that are further apart.
      2. Only instructions โ€“> Identify the accurate leagkage model
      3. Modify the workflow in ELMO to perform repeatly
        • It had to be able to tell ROSITA the cause of the leakage

        • ROSITA์—๊ฒŒ leakage์˜ ์›์ธ์„ ์•Œ๋ ค์ค„ ์ˆ˜ ์žˆ๋Š” ๊ธฐ๋Šฅ

        • We have added support by including the values that instructions store in various micro-architectural storage elements, which hold state that can leak information.

        • ์ถ”๊ฐ€์ ์ธ micro-architectural storage elemnets์—์„œ leakage์— ๋Œ€ํ•œ ๊ฐ’์„ ํฌํ•จํ•จ์œผ๋กœ์จ ์ง€์›์„ ์ถ”๊ฐ€ํ•จ

Contribution

  1. Propose a framework for generating first-order leakage resilient implementations of masked cipher.
  2. Design and implement systematic approaches for identifying leakage through microarchitectural storage elements. (ELMO ->ELMO*)
  3. Develop ROSITA that rewrites leaking instructions and eliminate leakage.
  4. USE ROSTIA โ€“> Result: AES,ChaCha,Xoodoo

Result

image

image

Workflow

image


๐ŸŒŸpaper-reviewsecurity-defense Share Tweet +1