Trace-based schedulability analysis to enhance passive side-channel attack resilience of embedded software

https://doi.org/10.1016/j.ipl.2014.09.030

Highlights

  • Formalization of the reschedulability-based countermeasure against side channel attacks through the Foata Normal Form.

  • Definition of a flexible scheduling algorithm able to achieve higher instruction mobility.

  • Definition of an efficiently computable lower bound for the number of schedules obtainable and a flexible rescheduling strategy.

  • Practical implementation of the technique and validation on all the ISO standard block ciphers.

Abstract

Side channel attacks (SCAs) are a practical threat to the security of cryptographic implementations. A well known countermeasure against them is to alter the temporal location of instructions among different executions of the code. In this work we provide an algorithm to generate valid schedules of block cipher implementations. The proposed algorithm relies on a trace-theory based analysis and efficiently generates any valid schedule of the implementation under examination, selecting the ones with the highest diversity among them. The algorithm was implemented as a pass in the backend of the LLVM compiler suite, and the results of the automated instruction scheduling are provided to validate its effectiveness as an SCA countermeasure on the whole ISO standard block cipher suite.

Introduction

The role of cryptography has grown to a fundamental one in ensuring the security of modern embedded systems. One of the crucial aspects of cryptographic primitives, besides their mathematical security, is to be able to resist the so-called Side-Channel Attacks (SCAs). SCAs exploit the fact that several characteristics of an embedded device, such as execution time or instantaneous power consumption, depend on the processed data values [1]. The classic workflow for SCAs aims at recovering the value of the secret key, e.g., of a block cipher, one portion at a time. This is possible since the cryptographic algorithm combines the intermediate data values with a limited number of secret key bits at a time. For instance, employing the power consumption as a side-channel, the first step to perform an SCA is to measure it for the targeted device during a large number of computations with different input messages. Subsequently, an intermediate operation of the algorithm employing a small portion of the secret key is selected, and its results are computed for all the possible values of the key portion and input messages. From these hypotheses on the result values of the targeted operation, a series of predictions of the power consumption are made (one for each value of the secret-key portion). Finally, the predicted consumption values are compared with the actual measurements through statistical means to find out which prediction fits best. Such a prediction is the one relying on the correct hypothesis of the value of the secret-key portion.

In this paper, we tackle the security of software implementations of cryptographic primitives, devoting our attention to their protection. We exploit the data dependencies of a cipher implementation to derive different, semantically equivalent, schedules for it. This makes it possible to employ different valid schedules for the cipher at runtime, effectively increasing the difficulty of modeling the execution flow of the cipher. Since the time-alignment of the measurements is a fundamental requirement for a correct SCA [1], [2], [3], changing the execution order of the instructions of a cipher reduces the power of the statistical test used to infer the key. We propose the first security evaluation of block cipher algorithms in terms of their schedulability properties, analyzing their data dependency graph structures by means of a new and automatic rescheduling technique aimed at maximizing schedule diversity. This provides an effective improvement with respect to the state of the art, which only contemplates some examples of manual, ad-hoc rescheduling of the AES cipher [3], and the insertion of random-length delays through dummy instructions [2]. Our automated analysis provides the ground to deploy multiple copies of the block cipher executable code, each one with a different schedule, and randomly pick one of them at each required execution of the cryptographic primitive. We provide a practical validation of our approach by analyzing its effects on the whole set of ISO standard block ciphers.

Section snippets

Instruction schedulability analysis

In this section we provide the fundamentals of trace theory, the mathematical framework we employ to obtain a schedulability analysis with an acceptable computational effort.

K-Node Foata scheduling

The schedules obtained by issuing the nodes of the same Foata factor in a random order, while retaining the inter-factor constraints, are only a subset of all the legal schedules. In particular, such a strategy offers only limited mobility for the instructions, as their order can only change within the same Foata factor. To allow the generation of schedules with higher diversity we introduce the Flexible Scheduling Algorithm (FSA), a generalization of the Foata normal form-based scheduling. The core idea
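The following is an added example (not the paper's LLVM pass) that makes the point above concrete on a small constructed data-dependency graph: it computes the Foata factors of a straight-line fragment, derives the efficiently computable lower bound on the number of schedules (the product of the factorials of the factor sizes), draws one random intra-factor schedule, and compares the bound with the exact number of legal schedules to show how much mobility the Foata-only strategy leaves unused. Instruction names and dependencies are hypothetical.

```python
import math
import random
from functools import lru_cache

# Constructed sample: each instruction maps to the producers it must follow
# (read-after-write edges). Two key-addition/S-box chains feed a combining
# step; the names are hypothetical, not taken from the paper.
DEPS = {
    "ld_k0": set(), "ld_k1": set(), "ld_s0": set(), "ld_s1": set(),
    "xor0": {"ld_s0", "ld_k0"}, "xor1": {"ld_s1", "ld_k1"},
    "sbox0": {"xor0"}, "sbox1": {"xor1"},
    "mix": {"sbox0", "sbox1"},
}

def foata_factors(deps):
    """Foata normal form: peel off the minimal elements layer by layer, so
    factor i holds the instructions whose predecessors all lie in factors < i."""
    remaining, factors = set(deps), []
    while remaining:
        layer = sorted(n for n in remaining if deps[n].isdisjoint(remaining))
        factors.append(layer)
        remaining -= set(layer)
    return factors

def foata_lower_bound(factors):
    """Permuting inside a factor never violates a dependency, so the product
    of factor-size factorials bounds the number of legal schedules from below."""
    return math.prod(math.factorial(len(f)) for f in factors)

def count_all_schedules(deps):
    """Exact number of legal schedules (topological orders), for comparison."""
    names = frozenset(deps)
    @lru_cache(maxsize=None)
    def rec(done):
        if done == names:
            return 1
        return sum(rec(done | {n}) for n in names - done if deps[n] <= done)
    return rec(frozenset())

def random_foata_schedule(factors, seed=0):
    """One random intra-factor permutation per factor, factors kept in order."""
    rng, sched = random.Random(seed), []
    for f in factors:
        sched.extend(rng.sample(f, len(f)))
    return sched

def is_legal(sched, deps):
    pos = {n: i for i, n in enumerate(sched)}
    return all(pos[p] < pos[n] for n in sched for p in deps[n])
```

On this graph the Foata bound is 96 while 280 legal schedules exist, which is the gap the FSA is designed to exploit.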

Use scenarios and effectiveness evaluation

When employing an instruction rescheduling strategy to prevent side-channel attacks through instruction misalignment in time, the rescheduling action can be implemented either at run-time (in a dynamic compiler) or by picking a different version of the same rescheduled binary for each run of the cipher. In the former case, efficiency is paramount, thus generating the schedules through a single computation of the Foata factors is preferable. Moreover, the use of dynamic scheduling implies

Conclusions

We proposed an effective algorithm yielding high-diversity schedules, and automated their generation by implementing the strategy as a pass in the LLVM compiler suite. The generated schedules are an efficient SCA countermeasure, incurring a smaller overhead than the current alternatives based on the insertion of random delays.

References (11)

  • P.C. Kocher et al., Differential power analysis.

  • J.-S. Coron et al., An efficient method for random delay generation in embedded software.

  • S. Mangard et al., Power Analysis Attacks – Revealing the Secrets of Smart Cards (2007).

  • V. Diekert et al., The Book of Traces (1995).

  • V. Diekert et al., Partial commutation and traces.
