Whip the Whisperer: Simulating Side Channel Leakage

The presentation discusses the importance of addressing side-channel attacks in hardware design and the need for countermeasures testing in simulation.

• Security is a fourth dimension in power performance area and comes at a cost.
• Trade-offs between security and cost must be made by designers.
• Simulations are limited by CPU cores and design size.
• Manual review of designs is insufficient and statistics simulations are necessary.
• Countermeasure testing in simulation is important to address side-channel attacks.
• Masking is a common countermeasure that can be implemented in AES design.
• Optimization by synthesis tools can throw off countermeasures.
• Insight into design can help identify and fix leakage points.

The presenter discusses a case study where they implemented their own AES design and added off-the-shelf literature masking to it. When they turned off the countermeasures, they found leakage points as predicted. However, when they turned the countermeasures on, there were still leakage points. Upon further investigation, they found that the synthesis tool for software people had optimized the design and flipped two X4 operations around, throwing off the countermeasures. Once they identified the issue, they were able to tell the synthesis tool not to optimize certain things and maintain the operation, resulting in no more leakage points.

Cryptographic side channels are well-understood from a mathematical perspective, and many countermeasures exist that reduce leakage. Yet, there are many implementations in the field that leak. This is caused by a combination of lack of security experts, the fact that upon implementation countermeasures can become leaky, and the absence of good pre-silicon side channel analysis tools. In this presentation, we show how common hardware design tools can be used to perform pre-silicon power simulations, and how that can be used to detect leaky implementations. We show a case study of how countermeasure implementations that look fine in source are actually leaky, and how simulation can help pinpoint individual leaky elements, both in software and hardware. There are surprising results where non-related software instructions leak, caused by microarchitectural interactions in the CPU pipeline. Armed with all this knowledge, those issues can be fixed. This talk is interesting for hardware and software designers to see how tools can be used to pinpoint leakage down to the gate or code level, and for researchers in finding new side channels due to processor design.