Date post: | 16-Jan-2016 |
Acoustic Surveillance of Physically Unmodified PCs
Michael D. LeMay and Dr. Jack Tan
Computer Science Department
University of Wisconsin-Eau Claire
Funding: Center of Excellence for Faculty/Student Research Collaboration
Outline
• Introduction
  – Side-channel attacks
  – Past efforts in acoustic cryptanalysis
• Methods
  – Equipment used
  – Instruction sequence analysis
  – GNU MP modular exponentiation analysis
  – Acoustic keylogging
• Discussion and recommendations
• Future directions
Side-channel attacks
[Figure: diagram with repeated CPU labels]
Acoustic cryptanalysis
• Adi Shamir and Eran Tromer
  ● tp://www.wisdom.weizmann.ac.il/~tromer/acoustic/
  ● Explored the acoustic emanations caused by:
    ● GnuPG (GNU Privacy Guard) signature generation
    ● loops of HLT, MUL, FMUL, ADD, MOV and NOP instructions
  ● Neglected to explore:
    ● loops of SSE2 instructions
    ● actual attack scenarios
Experimental Apparatus
Capacitors
www.dashdist.com/1u2u/company/capacitor.html
Instruction sequences
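// andpd: load two packed-double operands, then repeat ANDPD repCnt times
// (the LOOP instruction counts down in the register bound by "c")
asm("movupd vec_x, %%xmm0\n"
    "movupd vec_y, %%xmm1\n"
    "top_andpd:\n"
    "andpd %%xmm0, %%xmm1\n"
    "loop top_andpd\n"
    :
    : "c"(repCnt) );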
Spectrogram
[Figure labels: 300MHz (12.5% duty); 600MHz (25% duty)]
Capacitor plate oscillation
[Figure labels: +, -; 2400MHz (100% duty)]
Acoustic Keylogging
Quaternary Encoding
BSWAP (0)
CMPXCHG8B (3)
BOUND (2)
BT (1)
Hello World!
   BASE2      BASE4
H: 0100 1000: 1020
e: 0110 0101: 1211
l: 0110 1110: 1232
l: 0110 1110: 1232
o: 0110 1111: 1233
(space): 0010 0000: 0200
W: 0101 0111: 1113
o: 0110 1111: 1233
r: 0111 0010: 1302
l: 0110 1100: 1230
d: 0110 0100: 1210
!: 0010 0001: 0201
Manchester Encoding
[Figure: NRZ (Non-Return to Zero) and Manchester waveforms; bit labels 1 0 0 0 1 1 1]
Quaternary Improved Encoding
ORIG[2] ORIG[16] NEW[4]
0000 0: 0101
0001 1: 0102
0010 2: 0103
0011 3: 0121
0100 4: 0123
0101 5: 0131
0110 6: 0132
0111 7: 0201
1000 8: 0202
1001 9: 0203
1010 A: 0212
1011 B: 0213
1100 C: 0231
1101 D: 0232
1110 E: 0301
1111 F: 0302
SYNC: 0312
Acoustic Keylogger for Linux
• LKL Linux KeyLogger
• ttp://ourceforgenet/projects/kl
h: 0132 0202
e: 0132 0131
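Added example (not from the original slides or from LKL): a Python check of the improved quaternary table, showing that every symbol boundary in an encoded stream is a change of symbol, which plain base 4 does not guarantee, and decoding the h and e codewords shown above. The function names and the framing with a single leading SYNC word are assumptions.

```python
# Added example. NEW4 and SYNC are copied from the slide's table;
# the framing (one SYNC word, then data) is an assumption.
NEW4 = ["0101", "0102", "0103", "0121", "0123", "0131", "0132", "0201",
        "0202", "0203", "0212", "0213", "0231", "0232", "0301", "0302"]
SYNC = "0312"
DECODE = {code: nibble for nibble, code in enumerate(NEW4)}


def encode(data: bytes) -> str:
    """SYNC, then two 4-symbol codewords per byte, high nibble first."""
    return SYNC + "".join(NEW4[b >> 4] + NEW4[b & 0xF] for b in data)


def has_repeat(symbols: str) -> bool:
    """True if any symbol is immediately followed by the same symbol."""
    return any(a == b for a, b in zip(symbols, symbols[1:]))


def decode(symbols: str) -> bytes:
    """Skip to SYNC, then map codeword pairs back to bytes."""
    start = symbols.find(SYNC)
    if start < 0:
        raise ValueError("no SYNC word in symbol stream")
    body = symbols[start + len(SYNC):]
    if len(body) % 8:
        raise ValueError("stream ends in the middle of a byte")
    out = bytearray()
    for i in range(0, len(body), 8):
        hi, lo = body[i:i + 4], body[i + 4:i + 8]
        if hi not in DECODE or lo not in DECODE:
            raise ValueError(f"invalid codeword at symbol {i}")
        out.append(DECODE[hi] << 4 | DECODE[lo])
    return bytes(out)


if __name__ == "__main__":
    stream = encode(b"he")            # constructed sample input
    print(stream)                     # SYNC + h + e codewords
    print(has_repeat(stream))         # improved table: no repeats
    print(has_repeat("1233"))         # plain base 4 for 'o' repeats
    print(decode("21" + stream))      # leading noise before SYNC
```

Because every codeword starts with 0 and ends with a non-zero symbol, SYNC cannot appear at any offset inside encoded data, so a listener can resynchronise on it.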
X10 Spy Cameras
Camera Head Close-up
Wireless A/V Receiver
h: 0132 0202
e: 0132 0131
Recommendations
• Disable CPU frequency scaling on critical systems.
Future Directions
• Determine why there is spectral overlap between instruction sequences
• Explore effects of multicore processors on acoustic emanations
• Determine how easily applications within virtual machines can modulate emanations