What is a side-channel attack?
Introduction
The origin of the side-channel attack is closely related to the existence of physically observable phenomena caused by the execution of computing tasks in microelectronic devices and common systems. For example, microprocessors consume time and power to perform their assigned tasks. Devices keep their secrets, and if criminals understand the unintended signals, some interesting secrets could be extracted and used to perform a side-channel attack. The same happens, for instance, when a timing attack on a web system is executed to enumerate possible valid users.
These kinds of attacks take advantage of patterns of information. For example, the electric emissions from a computer's monitor or hard drive that could be used to analyze that type of information are displayed on the screen, or the scenario where computer components draw different amounts of power when carrying out certain processes.
FREE role-guided training plans
The usage of this kind of attack could be very dangerous because a different landscape is used to explore vulnerabilities in relation to conventional approaches. As shown in Figure 1 below, signals from popular devices such as smartphones, embedded devices and IoT landscape have been used to find vulnerabilities, extract sensitive information or behaviors by analyzing the signal frequency in a specific period of time (inputs and outputs).
Figure 1: Obtaining side signals from popular devices (source)
Another popular side-channel attack example depicting the scenario from Figure 1 is the use of the sounds of a key to create a key replica via 3D printers.
The big picture of side-channel attacks
"Usually when we design an algorithm we think about inputs and outputs. We don’t think about anything else that happens when the program runs," says Daniel Genkin, a computer scientist at the University of Michigan.
Computers run on physics, and there are many lateral physical effects that can be analyzed, including the time, power, and sound. These are three important ingredients that could be explored in the wild by crooks. For instance, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms.
Another familiar scenario from the web surface is the blind SQL time-based attack. Here, the functions WAIT FOR DELAY can be used to suspend the execution for the specified amount of time or WAIT FOR TIME can be used to suspend the execution of the query and continue it when system time is equal to the parameter. By using this method, an attacker enumerates each letter of the desired piece of data using the following logic:
- If the first letter of the first database’s name is an “A”, wait for 10 seconds.
- If the first letter of the first database’s name is a “B”, wait for 10 seconds.
- [etc.]
In detail, these attacks exploit one of those effects to get more information about the secrets of the used algorithm.
From the attacker viewpoint, practically any accidental information leakage can be harvested to learn something they're not supposed to.
Figure 2 below presents how a side-channel attack could be used to get the secrets of a normal application workflow and take advantage of side information such as sound, frequency, power consumption and so on to get the final output (e.g., the plaintext from a ciphertext).
Figure 2: Normal workflow versus a side-channel attack scenario.
Computing systems are more sophisticated now, with components pushed to their physical limits and going in all directions and using all the possible information to fit the best results. In this sense, side-channel attacks are becoming more plentiful and hard to detect and prevent.
As an example, several bugs were detected in the last years on the most popular physical equipment, with names like Meltdown, Spectre, Fallout, RIDL and Zombieload, all of them taking advantage of side-channel attacks as part of their secret-stealing techniques.
Let’s look at each of those in detail.
Meltdown: This is a hardware vulnerability that affects Intel x86 microprocessors, IBM POWER processors and some ARM-based microprocessors. In detail, it allows a rogue process to get all the memory, even when it is not authorized to do so.
Spectre: This is a vulnerability that affects modern microprocessors that implement branch prediction. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data.
Fallout: The Fallout attack allows to get data that the operating system recently wrote and to figure out the memory position of the operating system strengthening other attacks.
RIDL: The RIDL attack can be used to leak information across various security domains from different buffers, such as line-fill buffers and load ports, inside Intel processors.
ZombieLoad: The ZombieLoad attack resurrects private browsing history and other sensitive data. It allows to leak information from other applications, the operating system, virtual machines in the cloud and trusted execution environments.
FREE role-guided training plans
Final thoughts
Side-channel attacks have been a hot topic in the last few years and becoming a more sophisticated horizon used to explore a group of vulnerabilities on physical equipment or using signals to reveal the secrets of a workflow, communication channel or cipher tunnel.
Meltdown and Spectre are the real proof of this dangerous attack, exploring vulnerabilities that affect microprocessors and taking advantage of a time-based side-channel attack. Each uses different techniques to access the secret information and decode it in a processor’s cache — a part of memory designed to keep certain data close at hand for better efficiency. Within this context, an attacker can analyze the timing of the processor’s responses and learn what the cache is leaking, and thus, the secret information.
Preventing these kinds of scenarios is a hard task, but there is a group of best practices that can be followed as stated by OWASP. For instance, the fix of response times to the worst-case execution time could be a good workaround to prevent time-side channels but with a serious performance impact.
On the other hand, side-channel attacks on web applications can also constitute a big problem. Learn the existence of user name from response times or error messages that could be used to exfiltrate information from a target system.
Side channels appear in various ways. Detection and prevention is a serious challenge and often may have a negative impact on the system’s performance.
Sources
This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita, Wired
Paul Kocher, Joshua Jaffe, and Benjamin Jun, "Differential Power Analysis", Cryptography Research, Inc.
The Sounds a Key Make Can Produce 3D-Printed Replica, Threatpost
Investigadores descobriram uma maneira de criar um super-malware implantado em enclaves da SGX, Segurança Informática
Side Channel Vulnerabilities on the Web - Detection and Prevention, OWASP
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- What is a side-channel attack?
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
