To know where the sides are, you need to know where the front (and back) is. Since the American cryptologist Paul C. Kocher invented the term side-channel attack in 1996 to describe attacks on cryptosystems that were new at the time using their physical implementation, it has become a household name. New side channels have been added almost every month over the past three years. For example, the open edges (!) Of AMD Ryzen and Epyc in August. In the meantime, we are using cache, timing, power consumption, radiation, imaging, eavesdropping, error induction and cold spray tricks to get past the “real” security.
He has a weak point for risks and writing about cyber: In his main job security researcher at HiSolutions AG, David Fuhr rages and rages on in this column about current incidents and general truths of information security. In addition to new articles, articles already printed in iX appear here – always with a tongue-in-cheek update on the current security situation.
The basic principle is always the same: Effects at a lower level of abstraction (e.g. implementation, hardware, physics) are used to apply restrictions of the higher level of abstraction that we usually focus on (e.g. protocol, algorithm, software) that are used as security guarantees bypass.
This triumphant advance of the side channels, which have overtaken the classic “full on 12” attacks in many areas (from the side, of course), can be explained on the one hand by the soaring, statistics and (big) data in the last 20 years have started. We can not only measure better and better, but also extract more and more knowledge from the smallest deviations.
More and new perspectives
In my opinion, however, there is a second group of factors that contribute to the success of the side-channel attacks: the increasing differentiation between IT, the IT industry and the hacker scene. Psychologists have a different view of possible attack vectors than makers, physicists or data scientists. Because in addition to technical side channels, for example with the variant-rich Specter problem (cache and speculation attacks), there are also completely different, alternative ways of obtaining information or manipulating it. We often don’t see these as the primary avenues of attack.
Three examples. Even if these are not all classically classified as side channels, the typical elements can be identified very nicely:
- Internal perpetrators at telecommunications providers. Obvious security level: access protection, role concept, technical security measures etc. pp. Side channel: Bribery of employees. Works great for SIM card unlocking; easily transferable to other manipulations or data theft and basically to all supply chain topics.
- DSGVO / GDPR. Obvious security / data protection level: The General Data Protection Regulation helps. Side channel: A talk at Black Hat 2019 (Whitepaper; Video) showed that you can easily obtain the most private data from others by querying your “own” information.
- Social engineering and rubber tube cryptanalysis (threat of torture, see here). Obvious security level: crypto / measure X helps. Side canal: the meat is weak.
The mess always arises from the fact that security is not holistic – from all sides! – was considered. Because the problem with side channels is not that “dirty” levels of abstraction such as inconsistent implementations (ugh), wobbly hardware properties (uh) or even weepy wetware (ihhh) destroy our beautiful, pure ideas / algorithms. It is much more in the eye of the beholder – in the literal sense of the word: dismissing something conceptually as a “side”, symbolically as a topic as it were, is hubris in the worse case, and in the better case an intermediate step to deeper knowledge. Because side channels are dangerous precisely when the implementers and defenders are not even aware of them.
The language of evil
The English phrase “We are on the same page” means something like “We speak one language”. In order to arm ourselves successfully against side-channel attacks, however, it is not enough if the builders and defenders – the Blue Team for short – get on well with each other. Rather, we also have to understand and learn to speak the sides and languages of chance, chaos and “evil” in order to be able to include them in our models. So it’s about further developing our ability to think and interpret so that we understand the implications of our actions (and programming) in as many different worlds as possible – before others do.
This column was published in iX 09/2019 and has been updated for the online edition.