DOI: 10.1145/3395351.3399362

Practical operation extraction from electromagnetic leakage for side-channel analysis and reverse engineering

Published: 21 July 2020

ABSTRACT

Determining which operations a black-box device is executing is an important challenge in reverse engineering. Furthermore, a successful side-channel analysis (SCA) of those operations requires knowing their precise timing. In this paper, we tackle both challenges in the context of an electromagnetic (EM) analysis of a NodeMCU Amica IoT device. More specifically, we propose a convolutional neural network (CNN) architecture designed to classify operations performed by the NodeMCU out of a set of 8 possible operations, namely OpenSSL AES, native AES, TinyAES, OpenSSL DES, SHA1-PRF, HMAC-SHA1, SHA1, and SHA1Transform. In addition, we use the same architecture to predict the start and end times of the operation, thereby removing the need for firmware modifications or manual triggers in SCA. Our approach is evaluated using a 66 GB dataset containing 69,632 complex traces of EM leakage, captured with a USRP B210 software defined radio. The best variant of our methodology achieves a classification accuracy of 96.47%, and is able to predict the start and end times of the operation within 34 μs of the ground truth on average. We compare our methodology to classical template matching, and provide our open-source implementation and datasets to the community so that the achieved results can be reproduced.


Published in

WiSec '20: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks
July 2020, 366 pages
ISBN: 9781450380065
DOI: 10.1145/3395351

          Copyright © 2020 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance Rates: overall acceptance rate 98 of 338 submissions (29%)
