These attacks take advantage of patterns in information that leaks through physical channels. For example, the electrical emissions from a computer screen or hard drive can be analyzed to infer the type of information displayed on the screen, and computer components draw different amounts of power when performing specific operations.
This type of attack can be very dangerous, because it explores vulnerabilities through a different landscape than conventional approaches.
As shown in Figure 1 below, the signals emitted by popular devices such as smartphones and embedded IoT devices have been used to find vulnerabilities and to extract sensitive information or behaviors by analyzing the signal frequency over a period of time (from inputs and outputs).
Figure 1: Receiving side-channel signals from popular devices (source)
Another popular example of a side-channel attack that illustrates the scenario from Figure 1 is using the sounds a keypad makes to identify what is entered on it.
The image of side-channel attacks
"Usually when we design an algorithm we think about inputs and outputs. We don't think about anything else that happens when the program runs," said Daniel Genkin, a computer scientist at the University of Michigan.
Computers obey the laws of physics, and there are many physical side effects that can be analyzed, including time, power and sound. These are three important components that attackers can explore. For example, a timing attack is a side-channel attack in which an attacker attempts to compromise a cryptosystem by analyzing the time required to execute cryptographic algorithms.
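The timing attack described above comes down to one thing: the program's running time depends on the secret. The following added example (not code from the original article; the function names `naive_compare`, `constant_time_compare` and `prefix_leak_profile` are hypothetical, while `hmac.compare_digest` is the real standard-library primitive) models that dependency by counting how many bytes a comparison examines before it returns, which is what an observer sees as elapsed time.

```python
"""Timing side channel in a naive secret comparison versus a constant-time one.

Added example, not from the original article. `naive_compare`,
`constant_time_compare` and `prefix_leak_profile` are hypothetical names;
`hmac.compare_digest` is the real standard-library function a defender
should use for comparing secrets.
"""
import hmac


def naive_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison with early exit on the first mismatch.

    Returns (match, bytes_examined). The second value models the work done,
    which an attacker observes as elapsed time: it grows with the length of
    the correctly guessed prefix, leaking the secret one byte at a time.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Comparison whose work does not depend on where the first mismatch is.

    Every byte pair is XORed and OR-accumulated, so bytes_examined is always
    len(secret) for equal-length inputs and the result is read only at the end.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def prefix_leak_profile(secret: bytes, compare) -> list[int]:
    """Work done by `compare` for guesses sharing 0..len(secret) correct leading bytes.

    Guess k keeps the first k bytes of the secret and fills the rest with bytes
    that differ from the secret at every remaining position.
    """
    profile = []
    for k in range(len(secret) + 1):
        wrong_tail = bytes((b + 1) & 0xFF for b in secret[k:])
        _, examined = compare(secret, secret[:k] + wrong_tail)
        profile.append(examined)
    return profile


if __name__ == "__main__":
    token = b"s3cr3t"  # constructed sample secret
    print("naive   :", prefix_leak_profile(token, naive_compare))
    print("constant:", prefix_leak_profile(token, constant_time_compare))
    # The standard library already provides the constant-time primitive:
    print("stdlib  :", hmac.compare_digest(token, b"s3cr3t"))
```

The naive profile climbs by one for every correctly guessed byte, so an attacker who can measure the comparison can recover the secret in linear rather than exponential work; the constant-time profile is flat, which is the property `hmac.compare_digest` provides and the reason it, not `==` on untrusted input, belongs in authentication code.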
Another well-known scenario is the time-based blind SQL injection attack. Here, the WAITFOR DELAY function can be used to suspend execution for a specified period of time, or WAITFOR TIME can be used to suspend query execution and resume when the system time equals the parameter. Using this method, an attacker enumerates each letter of the target data one at a time, with logic such as the following:
- If the first letter of the first database name is "A", wait 10 seconds.
- If the first letter of the first database name is "B", wait 10 seconds.
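Because the attack above leaves no error in the application and nothing in the response body, the observable trace is the delay itself plus the delay keyword in the request. The following added detection script (not code from the original article) runs over a constructed access log whose format, including the `rt=` response-time field, is an assumption to adapt to your own server; it flags requests carrying database delay primitives and, separately, requests that are far slower than the baseline, so that the noisiness of the timing-only signal is visible.

```python
"""Detecting time-based blind SQL injection probes in web server logs.

Added example, not from the original article. The log format (an access log
with an added `rt=` response-time field in seconds) and the sample lines are
constructed; the regexes are the assumption to adapt to a real log source.
"""
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=42 HTTP/1.1" 200 512 rt=0.08
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item?id=43 HTTP/1.1" 200 498 rt=0.07
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=42%27%3BWAITFOR+DELAY+%270%3A0%3A10%27-- HTTP/1.1" 200 512 rt=10.09
198.51.100.9 - - [10/Oct/2023:13:55:52 +0000] "GET /item?id=42+AND+SLEEP(10) HTTP/1.1" 200 512 rt=10.11
203.0.113.7 - - [10/Oct/2023:13:55:53 +0000] "GET /report?range=all HTTP/1.1" 200 90112 rt=2.90
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+) rt=(?P<rt>[\d.]+)$"
)

# Delay primitives of common database engines (SQL Server, MySQL, PostgreSQL),
# matched case-insensitively against the URL-decoded request line.
DELAY_RE = re.compile(
    r"\b(WAITFOR\s+(DELAY|TIME)|SLEEP\s*\(|BENCHMARK\s*\(|PG_SLEEP\s*\()", re.I
)


def parse_log(text: str) -> list[dict]:
    """Parse lines matching LINE_RE; decode the path so encoded payloads are visible."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["rt"] = float(row["rt"])
            row["decoded"] = unquote_plus(row["path"])
            rows.append(row)
    return rows


def flag_time_based_sqli(text: str, slow_factor: float = 20.0) -> list[tuple]:
    """Return (ip, decoded_request, reason) for suspicious requests.

    reason is "delay-keyword" when a delay primitive appears in the request
    (high confidence) or "slow-response" when the response time exceeds
    slow_factor times the median of keyword-free requests (needs review:
    legitimate heavy endpoints also trip this signal).
    """
    rows = parse_log(text)
    keyword_hits = {id(r) for r in rows if DELAY_RE.search(r["decoded"])}
    baseline = median(r["rt"] for r in rows if id(r) not in keyword_hits) if rows else 0.0
    flagged = []
    for r in rows:
        if id(r) in keyword_hits:
            flagged.append((r["ip"], r["decoded"], "delay-keyword"))
        elif baseline and r["rt"] > slow_factor * baseline:
            flagged.append((r["ip"], r["decoded"], "slow-response"))
    return flagged


if __name__ == "__main__":
    for ip, req, reason in flag_time_based_sqli(SAMPLE_LOG):
        print(f"{reason:14} {ip:15} {req}")
```

In the sample, the two probes are caught by keyword and the legitimate `/report` request is caught by timing alone; in practice the keyword rule is the one to alert on, and the timing rule is better used to correlate repeated slow responses from one source against one parameter, since a single slow request proves nothing.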
In short, these attacks exploit one of these physical effects to learn more about the secrets handled by the algorithm in use.
From the intruder's point of view, virtually any incidental information leak can be collected to learn something they should not have learned.
Figure 2 below shows how a side-channel attack can be used by an attacker to obtain the secrets of a normal application workflow, exploiting side information such as sound, frequency, power consumption and so on to recover the final output (e.g., plaintext from a ciphertext).
Figure 2: Normal workflow in relation to a side-channel attack scenario
Computer systems are now much more sophisticated, so these attacks are becoming increasingly difficult to detect and prevent.
For example, several bugs have been discovered in recent years in popular hardware, with vulnerabilities you already know by name: Meltdown, Spectre, Fallout, RIDL and ZombieLoad. All of them rely on side-channel attacks.
Let's look at each of them in detail.
Meltdown: This is a hardware vulnerability that affects Intel x86 microprocessors, IBM POWER processors and some ARM microprocessors. In detail, it allows a malicious process to access all of memory, even when it is not authorized to do so.
Spectre: This is a vulnerability that affects modern microprocessors.
Fallout: The Fallout attack allows an attacker to recover data recently written by the operating system.
RIDL: The RIDL attack can be used to leak information across various security domains from different buffers, such as the line fill buffer and load ports, within Intel processors.
ZombieLoad: The ZombieLoad attack revives private browsing history and other sensitive data. It allows information to be leaked from other applications, operating systems, virtual machines in the cloud and trusted execution environments.
Side-channel attacks have been a hot topic in recent years and have opened more advanced avenues of exploration for vulnerability researchers. Meltdown and Spectre are the real proof of how dangerous this class of attack is.
Preventing such scenarios is a difficult task, but there are proven best practices that can be used, such as those published by OWASP (PDF). For example, fixing response times to the worst-case execution time could be a good solution to prevent timing side-channel attacks, but with a serious impact on performance.
On the other hand, side-channel attacks on web applications are also a very big problem. You can, for example, find out whether a username exists from response times or error messages.
Side channels appear in many different forms. Detecting and preventing them is a serious challenge and can often have a negative impact on system performance.
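The two web mitigations mentioned above, a uniform error message and a fixed response time floor, can be combined in a login handler. The following added example (not code from the original article or the OWASP document; the user store, the `login` and `probe` names and the 50 ms floor are assumptions) does the same password-hashing work whether or not the user exists, returns one error message for both failure cases, and pads every response up to the floor.

```python
"""Uniform login responses against username-enumeration side channels.

Added example, not from the original article. The in-memory user store,
the function names and the 50 ms floor are hypothetical; password hashing
uses the standard library's hashlib.pbkdf2_hmac.
"""
import hashlib
import hmac
import os
import time

_ITERATIONS = 50_000
_DUMMY_SALT = os.urandom(16)
# Precomputed hash used for unknown users, so the "no such user" path performs
# the same PBKDF2 work as the "wrong password" path.
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy-password", _DUMMY_SALT, _ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)}


# Constructed sample user store (not real credentials).
USERS = {"alice": make_user("correct horse battery")}


def verify_password(user: str, password: str) -> bool:
    """Check a password with the same work and the same comparison on every path."""
    record = USERS.get(user)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    matched = hmac.compare_digest(candidate, expected)  # constant-time compare
    return matched and record is not None


def login(user: str, password: str, floor_seconds: float = 0.05) -> dict:
    """Authenticate and pad the response up to a fixed minimum duration.

    The error message is identical for unknown users and wrong passwords, and
    the padding hides the remaining small timing differences below the floor.
    """
    start = time.perf_counter()
    ok = verify_password(user, password)
    remaining = floor_seconds - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    if ok:
        return {"status": 200, "message": "ok"}
    return {"status": 401, "message": "invalid username or password"}


def probe(user: str, password: str) -> tuple[dict, float]:
    """Return (response, elapsed seconds) as an external observer would see them."""
    start = time.perf_counter()
    response = login(user, password)
    return response, time.perf_counter() - start


if __name__ == "__main__":
    for u, p in [("alice", "wrong"), ("nobody", "wrong"), ("alice", "correct horse battery")]:
        resp, elapsed = probe(u, p)
        print(f"{u:8} {resp['status']} {resp['message']:30} {elapsed * 1000:.1f} ms")
```

The floor must be chosen above the worst-case work of the slowest path; if the hashing ever exceeds it, the padding stops hiding anything, which is the performance trade-off the article describes. Note that this removes the timing and message channels only: rate limiting and account lockout policy still decide how much an attacker learns from repeated attempts.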
- This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita, Wired
- Paul Kocher, Joshua Jaffe, and Benjamin Jun, Differential Power Analysis, Cryptography Research, Inc.
- The Sounds a Key Make Can Produce 3D-Printed Replica, Threatpost
- Uninstalling detectors in a way to create super-malware implanted in SGX enclaves, Computer Security
- Side Channel Vulnerabilities on the Web - Detection and Prevention, OWASP