From 9ab4bcbde12607944ce1020a57564f3cd11fe2fe Mon Sep 17 00:00:00 2001 From: jasonjabbour Date: Sun, 17 Nov 2024 19:27:06 -0500 Subject: [PATCH] clearer explanation of power consumption attack and figures --- .../privacy_security/privacy_security.qmd | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/contents/core/privacy_security/privacy_security.qmd b/contents/core/privacy_security/privacy_security.qmd index a9f8b373..6830f3d8 100644 --- a/contents/core/privacy_security/privacy_security.qmd +++ b/contents/core/privacy_security/privacy_security.qmd @@ -285,15 +285,15 @@ Embedded machine learning hardware plays a critical role in powering modern AI a ### Hardware Bugs -Hardware is not immune to the pervasive issue of design flaws or bugs. Attackers can exploit these vulnerabilities to access, manipulate, or extract sensitive data, breaching the confidentiality and integrity that users and services depend on. An example of such vulnerabilities came to light with the discovery of Meltdown and Spectre---two hardware vulnerabilities that exploit critical vulnerabilities in modern processors. These bugs allow attackers to bypass the hardware barrier that separates applications, allowing a malicious program to read the memory of other programs and the operating system. +Hardware is not immune to the pervasive issue of design flaws or bugs. Attackers can exploit these vulnerabilities to access, manipulate, or extract sensitive data, breaching the confidentiality and integrity that users and services depend on. An example of such vulnerabilities came to light with the discovery of [Meltdown and Spectre](https://meltdownattack.com/)---two hardware vulnerabilities that exploit critical vulnerabilities in modern processors. These bugs allow attackers to bypass the hardware barrier that separates applications, allowing a malicious program to read the memory of other programs and the operating system. Meltdown [@Lipp2018meltdown] and Spectre [@Kocher2018spectre] work by taking advantage of optimizations in modern CPUs that allow them to speculatively execute instructions out of order before validity checks have been completed. This reveals data that should be inaccessible, which the attack captures through side channels like caches. The technical complexity demonstrates the difficulty of eliminating vulnerabilities even with extensive validation. -If an ML system is processing sensitive data, such as personal user information or proprietary business analytics, Meltdown and Spectre represent a real and present danger to data security. Consider the case of an ML accelerator card designed to speed up machine learning processes, such as the ones we discussed in the [A.I. Hardware](../hw_acceleration/hw_acceleration.qmd) chapter. These accelerators work with the CPU to handle complex calculations, often related to data analytics, image recognition, and natural language processing. If such an accelerator card has a vulnerability akin to Meltdown or Spectre, it could leak the data it processes. An attacker could exploit this flaw not just to siphon off data but also to gain insights into the ML model's workings, including potentially reverse-engineering the model itself (thus, going back to the issue of [model theft](@sec-model_theft). +If an ML system is processing sensitive data, such as personal user information or proprietary business analytics, Meltdown and Spectre represent a real and present danger to data security. Consider the case of an ML accelerator card designed to speed up machine learning processes, such as the ones we discussed in the [AI Hardware](../hw_acceleration/hw_acceleration.qmd) chapter. These accelerators work with the CPU to handle complex calculations, often related to data analytics, image recognition, and natural language processing. If such an accelerator card has a vulnerability akin to Meltdown or Spectre, it could leak the data it processes. An attacker could exploit this flaw not just to siphon off data but also to gain insights into the ML model's workings, including potentially reverse-engineering the model itself (thus, going back to the issue of [model theft](@sec-model_theft). A real-world scenario where this could be devastating would be in the healthcare industry. ML systems routinely process highly sensitive patient data to help diagnose, plan treatment, and forecast outcomes. A bug in the system's hardware could lead to the unauthorized disclosure of personal health information, violating patient privacy and contravening strict regulatory standards like the [Health Insurance Portability and Accountability Act (HIPAA)](https://www.cdc.gov/phlp/publications/topic/hipaa.html) -The [Meltdown and Spectre](https://meltdownattack.com/) vulnerabilities are stark reminders that hardware security is not just about preventing unauthorized physical access but also about ensuring that the hardware's architecture does not become a conduit for data exposure. Similar hardware design flaws regularly emerge in CPUs, accelerators, memory, buses, and other components. This necessitates ongoing retroactive mitigations and performance trade-offs in deployed systems. Proactive solutions like confidential computing architectures could mitigate entire classes of vulnerabilities through fundamentally more secure hardware design. Thwarting hardware bugs requires rigor at every design stage, validation, and deployment. +The Meltdown and Spectre vulnerabilities are stark reminders that hardware security is not just about preventing unauthorized physical access but also about ensuring that the hardware's architecture does not become a conduit for data exposure. Similar hardware design flaws regularly emerge in CPUs, accelerators, memory, buses, and other components. This necessitates ongoing retroactive mitigations and performance trade-offs in deployed systems. Proactive solutions like confidential computing architectures could mitigate entire classes of vulnerabilities through fundamentally more secure hardware design. Thwarting hardware bugs requires rigor at every design stage, validation, and deployment. ### Physical Attacks @@ -345,27 +345,25 @@ Side-channel attacks constitute a class of security breaches that exploit inform The fundamental premise of a side-channel attack is that a device's operation can inadvertently reveal information. Such leaks can come from various sources, including the electrical power a device consumes [@kocher1999differential], the electromagnetic fields it emits [@gandolfi2001electromagnetic], the time it takes to process certain operations, or even the sounds it produces. Each channel can indirectly glimpse the system's internal processes, revealing information that can compromise security. -For instance, consider a machine learning system performing encrypted transactions. Encryption algorithms are supposed to secure data but require computational work to encrypt and decrypt information. An attacker can analyze the power consumption patterns of the device performing encryption to figure out the cryptographic key. With sophisticated statistical methods, small variations in power usage during the encryption process can be correlated with the data being processed, eventually revealing the key. Some differential analysis attack techniques are Differential Power Analysis (DPA) [@Kocher2011Intro], Differential Electromagnetic Analysis (DEMA), and Correlation Power Analysis (CPA). +Consider a machine learning system performing encrypted transactions. Encryption algorithms are designed to secure data but require computational work to encrypt and decrypt information. One widely used encryption standard is the Advanced Encryption Standard (AES), which encrypts data to prevent unauthorized access. However, attackers can analyze the power consumption patterns of a device performing encryption to deduce sensitive information, such as the cryptographic key. With sophisticated statistical methods, small variations in power usage during the encryption process can be correlated with the data being processed, eventually revealing the key. Some differential analysis attack techniques are Differential Power Analysis (DPA) [@Kocher2011Intro], Differential Electromagnetic Analysis (DEMA), and Correlation Power Analysis (CPA). -For example, consider an attacker trying to break the AES encryption algorithm using a differential analysis attack. The attacker would first need to collect many power or electromagnetic traces (a trace is a record of consumptions or emissions) of the device while performing AES encryption. +An attacker attempting to break AES encryption could collect power or electromagnetic traces (records of power consumption or emissions) from the device while it performs encryption. By analyzing these traces with statistical techniques, the attacker could identify correlations between the traces and the plaintext (original, unencrypted text) or ciphertext (encrypted text). These correlations could then be used to infer individual bits of the AES key and, eventually, reconstruct the entire key. Differential analysis attacks are particularly dangerous because they are low-cost, effective, and non-intrusive, allowing attackers to bypass algorithmic and hardware-level security measures. Compromises through these attacks are also challenging to detect, as they do not physically alter the device or break the encryption algorithm itself. -Once the attacker has collected sufficient traces, they would use a statistical technique to identify correlations between the traces and the different values of the plaintext (original, unencrypted text) and ciphertext (encrypted text). These correlations would then be used to infer the value of a bit in the AES key and, eventually, the entire key. Differential analysis attacks are dangerous because they are low-cost, effective, and non-intrusive, allowing attackers to bypass algorithmic and hardware-level security measures. Compromises by these attacks are also hard to detect because they do not physically modify the device or break the encryption algorithm. +Below, a simplified visualization illustrates how analyzing the encryption device's power consumption patterns can help extract information about the algorithm's operations and, in turn, the secret data. The example shows a device that takes a 5-byte password as input. The password entered in this scenario is `0x61, 0x52, 0x77, 0x6A, 0x73`, which represents the correct password. The power consumption patterns during authentication provide insights into how the algorithm functions. -Below, a simplified visualization illustrates how analyzing the encryption device's power consumption patterns can help extract information about the algorithm's operations and, in turn, the secret data. Consider a device that takes a 5-byte password as input. The different voltage patterns measured while the encryption device performs operations on the input to authenticate the password will be analyzed and compared. +In @fig-encryption, the red waveform represents the serial data lines as the bootloader receives the password data in chunks (i.e. `0x61, 0x52, 0x77, 0x6A, 0x73`). Each labeled segment (e.g., "Data: 61") corresponds to one byte of the password being processed by the encryption algorithm. The blue graph shows the power consumption of the encryption device as it processes each byte. When the correct password is entered, the device processes all 5 bytes successfully, and the blue voltage graph displays consistent patterns throughout. This chart gives you a baseline to understand how the device's power consumption looks when a correct password is entered. In the next figures, you'll see how the power profile changes with incorrect passwords, helping you spot the differences in the device's behavior when authentication fails. -First, the power analysis of the device's operations after entering a correct password is shown in the first picture in @fig-encryption. The dense blue graph outputs the encryption device's voltage measurement. What is significant here is the comparison between the different analysis charts rather than the specific details of what is happening in each scenario. +![Power consumption profile of the device during normal operations with a valid 5-byte password (0x61, 0x52, 0x77, 0x6A, 0x73). The red line represents the serial data being received by the bootloader, which in this figure is receiving the correct bytes. Notice how the blue line, representing power usage during authentication, corresponds to receiving and verifying the bytes. In the next figures, this blue power consumption profile will change. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_correct_password.png){#fig-encryption} -![Power analysis of an encryption device with a correct password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_correct_password.png){#fig-encryption} +When an incorrect password is entered, the power analysis chart is shown in @fig-encryption2. The first three bytes of the password are correct (i.e. `0x61, 0x52, 0x77`). As a result, the voltage patterns are very similar or identical between the two charts, up to and including the fourth byte. After processing the fourth byte (`0x42`), the device detects a mismatch with the correct password and stops processing further. This results in a noticeable change in the power pattern, shown by the sudden jump in the blue line as the voltage increases. -When an incorrect password is entered, the power analysis chart is shown in @fig-encryption2. The first three bytes of the password are correct. As a result, the voltage patterns are very similar or identical between the two charts, up to and including the fourth byte. After the device processes the fourth byte, a mismatch between the secret key and the attempted input is determined. A change in the pattern at the transition point between the fourth and fifth bytes is noticed: the voltage increases (the current decreases) because the device has stopped processing the rest of the input. +![Power consumption profile of the device when an incorrect 5-byte password (0x61, 0x52, 0x77, 0x42, 0x42) is entered. The red line represents the serial data received by the bootloader, showing the input bytes being processed. The first three bytes (0x61, 0x52, 0x77) are correct and match the expected password, as indicated by the consistent blue power consumption line. However, upon processing the fourth byte (0x42), a mismatch is detected. The bootloader stops further processing, resulting in a noticeable jump in the blue power consumption line, as the device halts authentication and enters an error state. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_(partially)_wrong_password.png){#fig-encryption2} -![Power analysis of an encryption device with a (partially) wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_(partially)_wrong_password.png){#fig-encryption2} +@fig-encryption3 shows another example but where the password is entirely incorrect (0x30, 0x30, 0x30, 0x30, 0x30), unlike the previous example with the first three bytes correct. Here, the device identifies the mismatch immediately after processing the first byte and halts further processing. This is reflected in the power consumption profile, where the blue line exhibits a sharp jump following the first byte, indicating the device's early termination of authentication. -@fig-encryption3 describes another chart of a completely wrong password. After the device finishes processing the first byte, it determines that it is incorrect and stops further processing - the voltage goes up and the current down. +![Power consumption profile of the device when an entirely incorrect password (0x30, 0x30, 0x30, 0x30, 0x30) is entered. The blue line shows a sharp jump after processing the first byte, indicating that the device has halted the authentication process. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_wrong_password.png){#fig-encryption3} -![Power analysis of an encryption device with a wrong password. Source: [Colin O'Flynn.](https://www.youtube.com/watch?v=2iDLfuEBcs8)](images/png/Power_analysis_of_an_encryption_device_with_a_wrong_password.png){#fig-encryption3} - -The example above demonstrates how information about the encryption process and the secret key can be inferred by analyzing different inputs and attempting to 'eavesdrop' on the device's operations on each input byte. For a more detailed explanation, watch @vid-powerattack below. +The example above demonstrates how information about the encryption process and the secret key can be inferred by analyzing different inputs and brute-force testing variations of each password byte, effectively 'eavesdropping' on the device's operations. For a more detailed explanation, watch @vid-powerattack below. :::{#vid-powerattack .callout-important}