|
|
|
|
| |
| Adi Shamir and Eran Tromer published a research paper and Proof of Concept discussing an idea for a cryptanalysis technique that uses the noise emitted by a computer's CPU. |
| |
Credit:
The full presentation can be found at: http://www.wisdom.weizmann.ac.il/~tromer/acoustic/
|
| |
Introduction and FAQ
A powerful method for extracting information from supposedly secure systems is side-channel attacks: cryptanalytic techniques that rely on information unintentionally leaked by computing devices. Most side-channel attack research has focused on electromagnetic emanations (TEMPEST), power consumption and, recently, diffuse visible light from CRT displays. The oldest eavesdropping channel, namely acoustic emanations, has received little attention. Our preliminary analysis of acoustic emanations from personal computers shows them to be a surprisingly rich source of information on CPU activity.
Q: What information is leaked?
This depends on the specific computer hardware. We have tested several desktop and laptop computers, and in all cases it was possible to distinguish an idle CPU (i.e., 80x86 "HLT" state) from a busy CPU. For some computers, it was also possible to distinguish various patterns of CPU operations and memory access. This can be observed for artificial cases (e.g., loops of various CPU instructions), and also for real-life cases (e.g., RSA decryption). The time resolution is usually on the order of milliseconds.
Q: How can a low-frequency (KHz) acoustic source yield information on a much faster (GHz) CPU?
In two ways. First, when the CPU is carrying out a long operation, it may create a characteristic acoustic spectral signature: for example, below we show how RSA signature/decryption sounds different for different secret keys. Second, we get temporal information about the length of each operation, and this can be used to mount timing attacks, especially when the attacker can affect the input to the operation (i.e., in chosen-ciphertext attack scenario).
Q: Won't the attack be foiled by loud fan noise, or by multitasking, or by several computers in the same room?
Probably not. The interesting acoustic signals are mostly above 10KHz, whereas typical computer fan noise and normal room noise are concentrated at lower frequencies and can thus be filtered out by suitable equipment. In a task-switching systems, different tasks can be distinguished by their different acoustic spectral signatures. When several computers are present, they can be told apart by their different acoustic signatures, since these vary with the hardware, the component temperatures, and other environmental conditions.
Q: What about other acoustic attacks?
Eavesdropping on keyboard keystrokes has been often discussed; keys can be distinguished by timing, or (as recently proposed by Asonov and Agrawal) by their different sounds. While this attack is applicable to data that is entered manually (e.g., passwords), it is not applicable to larger secret data such as RSA keys. Another acoustic source is hard disk head seeks; this source does not appear very useful in the presence of caching, delayed writes and multitasking. Preceding modern computers, one may recall MI5's operation "ENGULF", where a phone tap was used to eavesdrop on the operation of an Egyptian embassy's Enigma cipher machine, thereby recovering its secret key.
Q: Why bother with acoustic attacks, when TEMPEST and power-analysis attacks are available?
Side-channel attacks based on electromagnetic emanations are indeed very powerful and widely discussed. For precisely this reason, secure facilities take measures to protect against these, such as Faraday cages and isolated power supplies. However, these measures may be transparent to acoustic radiations -- consider a Faraday cage constructed of metallic mesh. Also, digital audio recording equipment is ubiquitous, and this creates new attack scenarios: for example, a compromised laptop carried into a secure computer room may record valuable acoustic information without its owner's knowledge. Another scenario is a program recording the computer on which it runs in order to learn information on other running programs, thereby breaching sandbox security boundaries or compromising NGSCB-like systems.
Q: What's so special about the "HLT" instruction, and why is it useful to detect it?
The CPU instruction that is easiest to detect acoustically, though by now means the only one detectable, is the 80x86 "HLT instruction. This instruction puts the CPU into a special low-power sleep state that lasts until the next hardware interrupt. On modern CPUs this temporarily shuts down many of the on-chip circuits, which dramatically lowers power consumption and alters acoustic emissions for relatively long time. Experimentally, the difference between active computation (which normally never involves HLT instructions) and an idle CPU (where the kernel executes HLT instructions in its idle loop) is usually very prominent. If the only program running is a cryptographic application, then this already suffices to detect when the program awakens to handle input and when it finishes its cryptographic tasks, and this information can be used to mount timing attacks as discussed above. Of course, additional subtler acoustic cues will yield further information.
|
|
|
|
|
