Déjà Vu: Side-Channel Analysis of Mozilla's NSS

Sohaib Ul Hassan; Iaroslav Gridin; Ignacio M. Delgado-Lozano; Cesar Pereida García; Jesús Javier Chi-Domínguez; Alejandro Cabrera Aldaya; Billy Bob Brumley

doi:10.1145/3372297.3421761

Déjà Vu: Side-Channel Analysis of Mozilla's NSS

Sohaib Ul Hassan, Iaroslav Gridin, Ignacio M. Delgado-Lozano, Cesar Pereida García, Jesús Javier Chi-Domínguez, Alejandro Cabrera Aldaya, Billy Bob Brumley

Tietotekniikka

Tutkimustuotos: Konferenssiartikkeli › Tieteellinen › vertaisarvioitu

10 Sitaatiot (Scopus)

95 Lataukset (Pure)

Abstrakti

Recent work on Side Channel Analysis (SCA) targets old, well-known vulnerabilities, even previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a big issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not done directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting DSA, ECDSA, and RSA cryptosystems. We exploit said vulnerabilities and implement key recovery attacks using signals - -extracted through different techniques such as timing, microarchitecture, and EM - -and improved lattice methods.

Alkuperäiskieli	Englanti
Otsikko	CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
Kustantaja	ACM
Sivut	1887-1902
Sivumäärä	16
ISBN (elektroninen)	9781450370899
DOI - pysyväislinkit	https://doi.org/10.1145/3372297.3421761
Tila	Julkaistu - 30 lokak. 2020
OKM-julkaisutyyppi	A4 Artikkeli konferenssijulkaisussa
Tapahtuma	ACM SIGSAC Conference on Computer and Communications Security - Kesto: 9 marrask. 2020 → 13 marrask. 2020

Julkaisusarja

Nimi	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (painettu)	1543-7221

Conference

Conference	ACM SIGSAC Conference on Computer and Communications Security
Ajanjakso	9/11/20 → 13/11/20

Julkaisufoorumi-taso

Jufo-taso 2

!!ASJC Scopus subject areas

Software
Computer Networks and Communications

Pääsy asiakirjaan

10.1145/3372297.3421761Lisenssi: CC BY-NC-SA

3372297.3421761Final published version, 1,52 MBLisenssi: CC BY-NC-SA

http://urn.fi/URN:NBN:fi:tuni-202101151364Lisenssi: CC BY-NC-SA

CVE-2020-12399: research data and tooling
Sohaib ul Hassan, N. (Creator), Gridin, I. (Creator), Delgado Lozano, I. (Creator), Pereida Garcia, C. (Creator), Chi Dominguez, J. (Creator), Cabrera Aldaya, A. (Creator) & Brumley, B. (Creator), Zenodo, 13 elok. 2020
DOI - pysyväislinkki: 10.5281/zenodo.3982271
Tietoaineisto: Dataset

Siteeraa tätä

Hassan, S. U., Gridin, I., Delgado-Lozano, I. M., García, C. P., Chi-Domínguez, J. J., Aldaya, A. C., & Brumley, B. B. (2020). Déjà Vu: Side-Channel Analysis of Mozilla's NSS. teoksessa CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (Sivut 1887-1902). (Proceedings of the ACM Conference on Computer and Communications Security). ACM. https://doi.org/10.1145/3372297.3421761

@inproceedings{8c0fe464f0c2431a870e30dfdf73ba5e,

title = "D{\'e}j{\`a} Vu: Side-Channel Analysis of Mozilla's NSS",

abstract = "Recent work on Side Channel Analysis (SCA) targets old, well-known vulnerabilities, even previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a big issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not done directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting DSA, ECDSA, and RSA cryptosystems. We exploit said vulnerabilities and implement key recovery attacks using signals - -extracted through different techniques such as timing, microarchitecture, and EM - -and improved lattice methods.",

keywords = "applied cryptography, CVE-2020-12399, CVE-2020-12401, CVE-2020-12402, CVE-2020-6829, DSA, ECDSA, lattice-based cryptanalysis, NSS, public key cryptography, RSA, side-channel analysis, software security",

author = "Hassan, {Sohaib Ul} and Iaroslav Gridin and Delgado-Lozano, {Ignacio M.} and Garc{\'i}a, {Cesar Pereida} and Chi-Dom{\'i}nguez, {Jes{\'u}s Javier} and Aldaya, {Alejandro Cabrera} and Brumley, {Billy Bob}",

note = "Funding Information: The first author was supported in part by the Tuula and Yrj{\"o} Neuvo Fund through the Industrial Research Fund at Tampere University of Technology. Funding Information: This project has received funding from the European Research Council (ERC) under the European Union{\textquoteright}s Horizon 2020 research and innovation programme (grant agreement No 804476). Publisher Copyright: {\textcopyright} 2020 Owner/Author. Copyright: Copyright 2020 Elsevier B.V., All rights reserved. jufoid=50069; ACM SIGSAC Conference on Computer and Communications Security ; Conference date: 09-11-2020 Through 13-11-2020",

year = "2020",

month = oct,

day = "30",

doi = "10.1145/3372297.3421761",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "ACM",

pages = "1887--1902",

booktitle = "CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security",

address = "United States",

}

Hassan, SU , Gridin, I, Delgado-Lozano, IM, García, CP, Chi-Domínguez, JJ, Aldaya, AC & Brumley, BB 2020, Déjà Vu: Side-Channel Analysis of Mozilla's NSS. julkaisussa CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, ACM, Sivut 1887-1902, ACM SIGSAC Conference on Computer and Communications Security, 9/11/20. https://doi.org/10.1145/3372297.3421761

Déjà Vu: Side-Channel Analysis of Mozilla's NSS. / Hassan, Sohaib Ul ; Gridin, Iaroslav; Delgado-Lozano, Ignacio M. et al.
CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2020. s. 1887-1902 (Proceedings of the ACM Conference on Computer and Communications Security).

Tutkimustuotos: Konferenssiartikkeli › Tieteellinen › vertaisarvioitu

TY - GEN

T1 - Déjà Vu

T2 - ACM SIGSAC Conference on Computer and Communications Security

AU - Hassan, Sohaib Ul

AU - Gridin, Iaroslav

AU - Delgado-Lozano, Ignacio M.

AU - García, Cesar Pereida

AU - Chi-Domínguez, Jesús Javier

AU - Aldaya, Alejandro Cabrera

AU - Brumley, Billy Bob

N1 - Funding Information: The first author was supported in part by the Tuula and Yrjö Neuvo Fund through the Industrial Research Fund at Tampere University of Technology. Funding Information: This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 804476). Publisher Copyright: © 2020 Owner/Author. Copyright: Copyright 2020 Elsevier B.V., All rights reserved. jufoid=50069

PY - 2020/10/30

Y1 - 2020/10/30

N2 - Recent work on Side Channel Analysis (SCA) targets old, well-known vulnerabilities, even previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a big issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not done directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting DSA, ECDSA, and RSA cryptosystems. We exploit said vulnerabilities and implement key recovery attacks using signals - -extracted through different techniques such as timing, microarchitecture, and EM - -and improved lattice methods.

AB - Recent work on Side Channel Analysis (SCA) targets old, well-known vulnerabilities, even previously exploited, reported, and patched in high-profile cryptography libraries. Nevertheless, researchers continue to find and exploit the same vulnerabilities in old and new products, highlighting a big issue among vendors: effectively tracking and fixing security vulnerabilities when disclosure is not done directly to them. In this work, we present another instance of this issue by performing the first library-wide SCA security evaluation of Mozilla's NSS security library. We use a combination of two independently-developed SCA security frameworks to identify and test security vulnerabilities. Our evaluation uncovers several new vulnerabilities in NSS affecting DSA, ECDSA, and RSA cryptosystems. We exploit said vulnerabilities and implement key recovery attacks using signals - -extracted through different techniques such as timing, microarchitecture, and EM - -and improved lattice methods.

KW - applied cryptography

KW - CVE-2020-12399

KW - CVE-2020-12401

KW - CVE-2020-12402

KW - CVE-2020-6829

KW - DSA

KW - ECDSA

KW - lattice-based cryptanalysis

KW - NSS

KW - public key cryptography

KW - RSA

KW - side-channel analysis

KW - software security

U2 - 10.1145/3372297.3421761

DO - 10.1145/3372297.3421761

M3 - Conference contribution

AN - SCOPUS:85096157246

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1887

EP - 1902

BT - CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

PB - ACM

Y2 - 9 November 2020 through 13 November 2020

ER -

Hassan SU , Gridin I, Delgado-Lozano IM, García CP, Chi-Domínguez JJ, Aldaya AC et al. Déjà Vu: Side-Channel Analysis of Mozilla's NSS. julkaisussa CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2020. s. 1887-1902. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3372297.3421761

Déjà Vu: Side-Channel Analysis of Mozilla's NSS

Abstrakti

Julkaisusarja

Conference

Julkaisufoorumi-taso

!!ASJC Scopus subject areas

Pääsy asiakirjaan

Sormenjälki

Tietoaineistot

CVE-2020-12399: research data and tooling

Siteeraa tätä