Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting
A common assumption in side-channel analysis is that the attacker knows the cryptographic algorithm implementation of the victim. However, many labsetting studies implicitly extend this assumption to the knowledge of the source code, by inserting triggers to measure, locate or align the Cryptograph...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Ruhr-Universität Bochum
2024-12-01
|
| Series: | Transactions on Cryptographic Hardware and Embedded Systems |
| Subjects: | |
| Online Access: | https://tosc.iacr.org/index.php/TCHES/article/view/11925 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1850171103912132608 |
|---|---|
| author | Shipei Qu Yuxuan Wang Jintong Yu Chi Zhang Dawu Gu |
| author_facet | Shipei Qu Yuxuan Wang Jintong Yu Chi Zhang Dawu Gu |
| author_sort | Shipei Qu |
| collection | DOAJ |
| description |
A common assumption in side-channel analysis is that the attacker knows the cryptographic algorithm implementation of the victim. However, many labsetting studies implicitly extend this assumption to the knowledge of the source code, by inserting triggers to measure, locate or align the Cryptographic Operations (CO) in the trace. For real-world attacks, the source code is typically unavailable, which poses a challenge for locating the COs thus reducing the effectiveness of many methods. In contrast, obtaining the (partial) binary firmware is more prevalent in practical attacks on embedded devices. While binary code theoretically encapsulates necessary information for side-channel attacks on software-implemented cryptographic algorithms, there is no systematic study on leveraging this information to facilitate side-channel analysis. This paper introduces a novel and general framework that utilizes binary information for the automated locating of COs on side-channel traces. We first present a mechanism that maps the execution flow of binary instructions onto the corresponding side-channel trace through a tailored static binary instrumentation process, thereby transforming the challenge of locating COs into one of tracing cryptographic code execution within the binary. For the latter, we propose a method to retrieve binary instruction addresses that are equivalent to the segmenting boundaries of the COs within side-channel traces. By identifying the mapping points of these instructions on the trace, we can obtain accurate segmentation labeling for the sidechannel data. Further, by employing the well-labeled side-channel segments obtained on a profiling device, we can readily identify the locations of COs within traces collected from un-controllable target devices. We evaluate our approach on various devices and cryptographic software, including a real-world secure boot program. The results demonstrate the effectiveness of our method, which can automatically locate typical COs, such as AES or ECDSA, in raw traces using only the binary firmware and a profiling device. Comparison experiments indicate that our method outperforms existing techniques in handling noisy or jittery traces and scales better to complex COs. Performance evaluation confirms that the runtime and storage overheads of the proposed approach are practical for real-world deployment.
|
| format | Article |
| id | doaj-art-c8f04ce7f81746d7a49e74dd211db1a5 |
| institution | OA Journals |
| issn | 2569-2925 |
| language | English |
| publishDate | 2024-12-01 |
| publisher | Ruhr-Universität Bochum |
| record_format | Article |
| series | Transactions on Cryptographic Hardware and Embedded Systems |
| spelling | doaj-art-c8f04ce7f81746d7a49e74dd211db1a52025-08-20T02:20:21ZengRuhr-Universität BochumTransactions on Cryptographic Hardware and Embedded Systems2569-29252024-12-012025110.46586/tches.v2025.i1.128-159Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary InstrumentingShipei Qu0Yuxuan Wang1Jintong Yu2Chi Zhang3Dawu Gu4School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, ChinaSchool of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, ChinaSchool of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, ChinaSchool of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, ChinaSchool of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China A common assumption in side-channel analysis is that the attacker knows the cryptographic algorithm implementation of the victim. However, many labsetting studies implicitly extend this assumption to the knowledge of the source code, by inserting triggers to measure, locate or align the Cryptographic Operations (CO) in the trace. For real-world attacks, the source code is typically unavailable, which poses a challenge for locating the COs thus reducing the effectiveness of many methods. In contrast, obtaining the (partial) binary firmware is more prevalent in practical attacks on embedded devices. While binary code theoretically encapsulates necessary information for side-channel attacks on software-implemented cryptographic algorithms, there is no systematic study on leveraging this information to facilitate side-channel analysis. This paper introduces a novel and general framework that utilizes binary information for the automated locating of COs on side-channel traces. We first present a mechanism that maps the execution flow of binary instructions onto the corresponding side-channel trace through a tailored static binary instrumentation process, thereby transforming the challenge of locating COs into one of tracing cryptographic code execution within the binary. For the latter, we propose a method to retrieve binary instruction addresses that are equivalent to the segmenting boundaries of the COs within side-channel traces. By identifying the mapping points of these instructions on the trace, we can obtain accurate segmentation labeling for the sidechannel data. Further, by employing the well-labeled side-channel segments obtained on a profiling device, we can readily identify the locations of COs within traces collected from un-controllable target devices. We evaluate our approach on various devices and cryptographic software, including a real-world secure boot program. The results demonstrate the effectiveness of our method, which can automatically locate typical COs, such as AES or ECDSA, in raw traces using only the binary firmware and a profiling device. Comparison experiments indicate that our method outperforms existing techniques in handling noisy or jittery traces and scales better to complex COs. Performance evaluation confirms that the runtime and storage overheads of the proposed approach are practical for real-world deployment. https://tosc.iacr.org/index.php/TCHES/article/view/11925Side-channel analysisSoftware/Hardware co-analysisBinary instrumentationLocating of cryptographic operations |
| spellingShingle | Shipei Qu Yuxuan Wang Jintong Yu Chi Zhang Dawu Gu Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting Transactions on Cryptographic Hardware and Embedded Systems Side-channel analysis Software/Hardware co-analysis Binary instrumentation Locating of cryptographic operations |
| title | Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting |
| title_full | Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting |
| title_fullStr | Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting |
| title_full_unstemmed | Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting |
| title_short | Trace Copilot: Automatically Locating Cryptographic Operations in Side-Channel Traces by Firmware Binary Instrumenting |
| title_sort | trace copilot automatically locating cryptographic operations in side channel traces by firmware binary instrumenting |
| topic | Side-channel analysis Software/Hardware co-analysis Binary instrumentation Locating of cryptographic operations |
| url | https://tosc.iacr.org/index.php/TCHES/article/view/11925 |
| work_keys_str_mv | AT shipeiqu tracecopilotautomaticallylocatingcryptographicoperationsinsidechanneltracesbyfirmwarebinaryinstrumenting AT yuxuanwang tracecopilotautomaticallylocatingcryptographicoperationsinsidechanneltracesbyfirmwarebinaryinstrumenting AT jintongyu tracecopilotautomaticallylocatingcryptographicoperationsinsidechanneltracesbyfirmwarebinaryinstrumenting AT chizhang tracecopilotautomaticallylocatingcryptographicoperationsinsidechanneltracesbyfirmwarebinaryinstrumenting AT dawugu tracecopilotautomaticallylocatingcryptographicoperationsinsidechanneltracesbyfirmwarebinaryinstrumenting |