DOI: 10.1145/2749469.2750394
research-article

FASE: finding amplitude-modulated side-channel emanations

Published: 13 June 2015

Abstract

While all computation generates electromagnetic (EM) side-channel signals, some of the strongest and farthest-propagating signals are created when an existing strong periodic signal (e.g. a clock signal) becomes stronger or weaker (amplitude-modulated) depending on processor or memory activity. However, modern systems create emanations at thousands of different frequencies, so it is a difficult, error-prone, and time-consuming task to find those few emanations that are AM-modulated by processor/memory activity.
This paper presents a methodology for rapidly finding such activity-modulated signals. This method creates recognizable spectral patterns generated by specially designed microbenchmarks and then processes the recorded spectra to identify signals that exhibit amplitude-modulation behavior. We apply this method to several computer systems and find several such modulated signals. To illustrate how our methodology can benefit side-channel security research and practice, we also identify the physical mechanisms behind those signals, and find that the strongest signals are created by voltage regulators, memory refreshes, and DRAM clocks. Our results indicate that each signal may carry unique information about system activity, potentially enhancing an attacker's capability to extract sensitive information. We also confirm that our methodology correctly separates emanated signals that are affected by specific processor or memory activities from those that are not.
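
The idea of making activity-modulated carriers recognizable can be illustrated on synthetic data. The following is an added example, not code from the paper: it relies on the standard AM property that alternating two activities at a rate f_alt puts side-bands at f_c ± f_alt around a modulated carrier, and it generalizes to checking several alternation rates so that fixed neighbouring spurs are rejected. All frequencies, amplitudes and the 5% threshold are constructed assumptions.

```python
import cmath
import math

FS, N = 100_000, 10_000   # assumed sample rate (Hz) and capture length: 10 Hz bins

def capture(f_alt):
    """Constructed capture while a benchmark alternates activity A/B at f_alt Hz."""
    out = []
    for n in range(N):
        t = n / FS
        in_a = (2 * f_alt * n // FS) % 2 == 0        # which half-period we are in
        amp = 1.0 if in_a else 0.6                   # 20 kHz carrier tracks activity
        out.append(amp * math.cos(2 * math.pi * 20_000 * t)
                   + math.cos(2 * math.pi * 31_000 * t)         # unmodulated carrier
                   + 0.2 * math.cos(2 * math.pi * 30_000 * t)   # fixed spurs that sit
                   + 0.2 * math.cos(2 * math.pi * 32_000 * t))  # 1 kHz either side
    return out

def tone(x, f):
    """Amplitude of the component at f Hz (single-bin DFT)."""
    w = -2j * math.pi * f / FS
    return 2 * abs(sum(v * cmath.exp(w * n) for n, v in enumerate(x))) / N

def is_activity_modulated(f_c, runs, rel=0.05):
    """True only if both side-bands appear at f_c +/- f_alt in every run."""
    for f_alt, x in runs.items():
        floor = rel * tone(x, f_c)
        if min(tone(x, f_c - f_alt), tone(x, f_c + f_alt)) < floor:
            return False
    return True

# Two alternation rates: real side-bands move with f_alt, fixed spurs do not.
RUNS = {f: capture(f) for f in (1_000, 1_500)}

if __name__ == "__main__":
    for f_c in (20_000, 31_000):
        print(f_c, "Hz modulated by activity:", is_activity_modulated(f_c, RUNS))
```

With only the 1 kHz run, the 31 kHz carrier would be misclassified because of its fixed neighbours; the second alternation rate removes that false positive.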



Published In

ISCA '15: Proceedings of the 42nd Annual International Symposium on Computer Architecture
June 2015
768 pages
ISBN:9781450334020
DOI:10.1145/2749469
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Acceptance Rates

Overall Acceptance Rate 543 of 3,203 submissions, 17%

Cited By

  • (2024) Detection and Characterization of Unintended RF Emissions on Wideband Real Data. 2024 International Conference on Signal Processing and Communications (SPCOM), pp. 1-5. DOI: 10.1109/SPCOM60851.2024.10631603. Online publication date: 1-Jul-2024
  • (2023) Covert Channel Communication as an Emerging Security Threat in 2.5D/3D Integrated Systems. Sensors 23:4 (2081). DOI: 10.3390/s23042081. Online publication date: 13-Feb-2023
  • (2023) Fingerprinting IoT Devices Using Latent Physical Side-Channels. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 7:2 (1-26). DOI: 10.1145/3596247. Online publication date: 12-Jun-2023
  • (2023) Demo Abstract: Leveraging Side-Channels to Turn Processors into Low Overhead Radios. Proceedings of the 22nd International Conference on Information Processing in Sensor Networks, pp. 360-361. DOI: 10.1145/3583120.3589813. Online publication date: 9-May-2023
  • (2023) Everything has its Bad Side and Good Side: Turning Processors to Low Overhead Radios Using Side-Channels. Proceedings of the 22nd International Conference on Information Processing in Sensor Networks, pp. 288-301. DOI: 10.1145/3583120.3586959. Online publication date: 9-May-2023
  • (2023) CamRadar. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 6:4 (1-25). DOI: 10.1145/3569505. Online publication date: 11-Jan-2023
  • (2023) Hitchhiker: Accelerating ORAM With Dynamic Scheduling. IEEE Transactions on Computers 72:8 (2321-2335). DOI: 10.1109/TC.2023.3248272. Online publication date: 1-Aug-2023
  • (2022) Side-channel Attack Countermeasure Based on Power Supply Modulation. 2022 30th European Signal Processing Conference (EUSIPCO), pp. 618-622. DOI: 10.23919/EUSIPCO55093.2022.9909766. Online publication date: 29-Aug-2022
  • (2022) Towards a New Thermal Monitoring Based Framework for Embedded CPS Device Security. IEEE Transactions on Dependable and Secure Computing 19:1 (524-536). DOI: 10.1109/TDSC.2020.2973959. Online publication date: 1-Jan-2022
  • (2022) Methodology for Complete Decorrelation of Power Supply EM Side-Channel Signal and Sensitive Data. IEEE Transactions on Circuits and Systems II: Express Briefs 69:4 (2256-2260). DOI: 10.1109/TCSII.2022.3144071. Online publication date: Apr-2022
