[REVS] Acoustic Cryptanalysis: On Nosy People and Noisy Machines
From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/04
To: list@securiteam.com Date: 11 May 2004 15:58:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Acoustic Cryptanalysis: On Nosy People and Noisy Machines
------------------------------------------------------------------------
SUMMARY
Adi Shamir and Eran Tromer published a research paper and Proof of Concept
discussing an idea for a cryptanalysis technique that uses the noise
emitted by a computer's CPU.
DETAILS
Introduction and FAQ
A powerful method for extracting information from supposedly secure
systems is side-channel attacks: cryptanalytic techniques that rely on
information unintentionally leaked by computing devices. Most side-channel
attack research has focused on electromagnetic emanations (TEMPEST), power
consumption and, recently, diffuse visible light from CRT displays. The
oldest eavesdropping channel, namely acoustic emanations, has received
little attention. Our preliminary analysis of acoustic emanations from
personal computers shows them to be a surprisingly rich source of
information on CPU activity.
Q: What information is leaked?
This depends on the specific computer hardware. We have tested several
desktop and laptop computers, and in all cases it was possible to
distinguish an idle CPU (i.e., 80x86 "HLT" state) from a busy CPU. For
some computers, it was also possible to distinguish various patterns of
CPU operations and memory access. This can be observed for artificial
cases (e.g., loops of various CPU instructions), and also for real-life
cases (e.g., RSA decryption). The time resolution is usually on the order
of milliseconds.
Q: How can a low-frequency (KHz) acoustic source yield information on a
much faster (GHz) CPU?
In two ways. First, when the CPU is carrying out a long operation, it may
create a characteristic acoustic spectral signature: for example, below we
show how RSA signature/decryption sounds different for different secret
keys. Second, we get temporal information about the length of each
operation, and this can be used to mount timing attacks, especially when
the attacker can affect the input to the operation (i.e., in a
chosen-ciphertext attack scenario).
Q: Won't the attack be foiled by loud fan noise, or by multitasking, or by
several computers in the same room?
Probably not. The interesting acoustic signals are mostly above 10KHz,
whereas typical computer fan noise and normal room noise are concentrated
at lower frequencies and can thus be filtered out by suitable equipment.
In task-switching systems, different tasks can be distinguished by their
different acoustic spectral signatures. When several computers are
present, they can be told apart by their different acoustic signatures,
since these vary with the hardware, the component temperatures, and other
environmental conditions.
Q: What about other acoustic attacks?
Eavesdropping on keyboard keystrokes has been often discussed; keys can be
distinguished by timing, or (as recently proposed by Asonov and Agrawal)
by their different sounds. While this attack is applicable to data that
is entered manually (e.g., passwords), it is not applicable to larger
secret data such as RSA keys. Another acoustic source is hard disk head
seeks; this source does not appear very useful in the presence of caching,
delayed writes and multitasking. Preceding modern computers, one may
recall MI5's operation "ENGULF", where a phone tap was used to eavesdrop
on the operation of an Egyptian embassy's Enigma cipher machine, thereby
recovering its secret key.
Q: Why bother with acoustic attacks, when TEMPEST and power-analysis
attacks are available?
Side-channel attacks based on electromagnetic emanations are indeed very
powerful and widely discussed. For precisely this reason, secure
facilities take measures to protect against these, such as Faraday cages
and isolated power supplies. However, these measures may be transparent to
acoustic radiations -- consider a Faraday cage constructed of metallic
mesh. Also, digital audio recording equipment is ubiquitous, and this
creates new attack scenarios: for example, a compromised laptop carried
into a secure computer room may record valuable acoustic information
without its owner's knowledge. Another scenario is a program recording the
computer on which it runs in order to learn information on other running
programs, thereby breaching sandbox security boundaries or compromising
NGSCB-like systems.
Q: What's so special about the "HLT" instruction, and why is it useful to
detect it?
The CPU instruction that is easiest to detect acoustically, though by no
means the only one detectable, is the 80x86 "HLT" instruction. This
instruction puts the CPU into a special low-power sleep state that lasts
until the next hardware interrupt. On modern CPUs this temporarily shuts
down many of the on-chip circuits, which dramatically lowers power
consumption and alters acoustic emissions for a relatively long time.
Experimentally, the difference between active computation (which normally
never involves HLT instructions) and an idle CPU (where the kernel
executes HLT instructions in its idle loop) is usually very prominent. If
the only program running is a cryptographic application, then this already
suffices to detect when the program awakens to handle input and when it
finishes its cryptographic tasks, and this information can be used to
mount timing attacks as discussed above. Of course, additional subtler
acoustic cues will yield further information.
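An added illustration, not taken from Shamir and Tromer's paper or proof of concept, of two points made above: a narrow band above 10 kHz is unaffected by much louder low-frequency fan noise, and the busy/idle distinction alone yields the duration of an operation. The signal is constructed, and the 48 kHz sample rate, 15 kHz "busy" tone, 120 Hz hum, amplitudes and threshold are all assumptions chosen for the demonstration; the same measurement can be pointed at a recording of your own hardware to check for this kind of leakage.

```python
import math
import random

FS = 48_000      # sample rate in Hz (assumed)
WIN = 480        # analysis window: 480 samples = 10 ms
F_CPU = 15_000   # constructed "busy CPU" tone, above 10 kHz (assumed)
F_FAN = 120      # constructed fan hum, low frequency (assumed)

def synth(busy_ms, total_ms=200, seed=1):
    """Constructed signal: loud fan hum plus noise, faint 15 kHz tone while busy."""
    rng = random.Random(seed)
    start, end = (ms * FS // 1000 for ms in busy_ms)
    out = []
    for n in range(FS * total_ms // 1000):
        s = math.sin(2 * math.pi * F_FAN * n / FS) + rng.gauss(0, 0.02)
        if start <= n < end:   # tone is 20x weaker than the hum
            s += 0.05 * math.sin(2 * math.pi * F_CPU * n / FS)
        out.append(s)
    return out

def goertzel_power(block, freq):
    """Normalised power of a single frequency bin (Goertzel algorithm)."""
    k = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - k * s1 * s2) / len(block) ** 2

def busy_windows(signal, threshold=1e-4):
    """One flag per 10 ms window: True if the 15 kHz bin exceeds the threshold."""
    return [goertzel_power(signal[i:i + WIN], F_CPU) > threshold
            for i in range(0, len(signal) - WIN + 1, WIN)]

def busy_interval_ms(flags):
    """(start_ms, end_ms) spanned by the busy windows, or None if all idle.
    Resolution is one window, i.e. 10 ms here."""
    idx = [i for i, f in enumerate(flags) if f]
    if not idx:
        return None
    w = WIN * 1000 // FS
    return idx[0] * w, (idx[-1] + 1) * w

if __name__ == "__main__":
    sig = synth((60, 130))
    print("busy interval (ms):", busy_interval_ms(busy_windows(sig)))
    print("all-idle recording:", busy_interval_ms(busy_windows(synth((0, 0)))))
```

The hum never has to be removed explicitly: looking only at the high-frequency bin is what the FAQ means by filtering it out, which is also why low-frequency masking noise does not help a defender.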
ADDITIONAL INFORMATION
The full presentation can be found at:
<http://www.wisdom.weizmann.ac.il/~tromer/acoustic/>