Full Disclosure mailing list archives
[JRSA_0x2fbcd0251e8d606ebbb595dccb685f9446f441a7320f912666fd8b3362f3bffe_15-Dec-2005] Software Based Cipher Implementation Vulnerabilities Security Advisory 15-Dec-2005
From: coderman <coderman () gmail com>
Date: Thu, 15 Dec 2005 16:58:06 -0800
Software Based Cipher Implementation Vulnerabilities
Random (tm) Security Advisory 15-Dec-2005
by J. Random Expert, CPA, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GCIA, GCIH, GCFW, GIAC, GSNA, GCFA, GCUX, GSEC, GSUX, QUE, GQUE, WTFBBQ.
contact: null () gmail com

I. BACKGROUND

We are experts on information security dedicated to bringing the public the highest quality imitation products and services to protect against all those dire security risks and impending integrity breaches that will bankrupt and publicly humiliate you unless you purchase our services for a reasonable recurring fee paid up front or net 30.

II. DESCRIPTION

Cryptography is the mysterious and complicated art of making information look like entropy. While the theory behind block and public key ciphers is straightforward, the implementations are often flawed due to various oversights.

We have empirically verified a class of cache and host based timing side channel attacks against common processors and operating systems which allows for 3DES, AES, RSA, DSA, ElGamal and Diffie-Hellman secret key recovery remotely or via local exploit. Hyper-threading capabilities in newer processors can also be used to make local attacks even more effective.

The basis for these attacks is the use of high resolution timing information related to processing of specially crafted ciphertexts or specific memory regions to discern secret key material based on its representation in processor memory caches during encryption or decryption operations. This timing mechanism can be implemented across a low latency network or using a local unprivileged helper process on the target host.

For the technical details and theory behind these attacks please refer to the following published materials:

http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
http://www.daemonology.net/hyperthreading-considered-harmful/
http://eprint.iacr.org/2005/368

III. ANALYSIS

Successful exploitation of the described vulnerabilities allows unauthenticated remote attackers and authenticated local users to recover key material used on the host for various private communication channels. Compromise of these channels can lead to privilege escalation and/or remote exploitation of vulnerable systems.

To gauge the feasibility of this attack we hired world renowned black hat 'MacGyver' to demonstrate this exploit on actual systems owned by a competitor of ours. We can confirm that key recovery and full remote exploitation of their IPsec VPN was attained using gcc, duct tape, and a roll of cinnamon flavored dental floss. Incriminating email evidence of their pool dying prank at our annual Christmas party was recovered as proof of our l33t'ness. Suck it you losers, we knew it was you.

The Electronic Frontier Foundation has also independently verified this vulnerability and launched a new 'Software Ciphers Suck!' campaign to educate the public on the privacy dangers of using leaky cipher implementations.

Sony BMG in particular was anxious to add this key recovery exploit to their audio disc DRM rootkit. Please contact our sales department with exploit licensing inquiries.

IV. DETECTION

If you are using software cipher implementations on Intel, AMD, IBM or Sparc processors you are vulnerable to this attack. Other architectures may have similar weaknesses but nobody gives a shit about them anyway. All known operating systems executing on the aforementioned processors are also assumed to be vulnerable.

NOTE: Those fortunate enough to live in a region where only mint or plain dental floss is sold may not be vulnerable to the MacGyver remote key recovery exploit.

Unix, BSD and Linux users can use the psrinfo utility or /proc/cpuinfo file for more detailed processor identification. Windows users have bigger security holes to worry about. Move along, move along...

V. WORKAROUNDS

Special program modifications that add redundant execution loops and stack/heap padding can obfuscate timing information related to memory cache and bus communication latencies. In particular a general technique described in the following paper can be used to reduce or eliminate the potential for this attack:

http://eprint.iacr.org/2005/368

Remember: five times slower and twice as fat is a feature, not a bug!

The use of perfect forward secrecy and frequent key rotation may reduce the potential for successful exploitation.

If at all possible, hardware cipher implementations for offload of cryptographic processing are highly recommended. VIA's Padlock Engine is particularly attractive:

http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

You losers stuck with Intel/AMD/IBM/Slowlaris procs can always buy a PCI based crypto accelerator:

http://www.soekris.com/vpn1401.htm

There are unsubstantiated reports that a properly designed tin foil hat placed directly above the processor fan may protect L1/L2 cache lines in the Intel family of processors. Please see the following for details on proper foil hat engineering:

http://people.csail.mit.edu/rahimi/helmet/

VI. VENDOR RESPONSES

The following vendors were contacted and their responses are provided in whole:

<Intel> We suggest buying the latest Itanium processors for the best in cryptographic throughput and innovative computing!

<AMD> We suggest buying the latest 64bit AMD processors for the best in cryptographic throughput and innovative computing!

<IBM> We suggest buying the latest Power5 space heaters for the best in cryptographic throughput and innovative computing!

<Sun> We suggest using Java to deploy secure software solutions!

<$TLA> How much to shut you up, Random? Everybody has a price and we've got one phat fiscal budget with very little oversight...

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project publishes the CVE list (http://cve.mitre.org), which standardizes names for security problems. They laughed at us when we reported this serious vulnerability. Clearly they have sold out to The Man.

VIII. DISCLOSURE TIMELINE

04/20/1984 Initial vendor notification
06/05/2003 Initial vendor responses
12/15/2005 Full disclosure

IX. CREDITS

This class of vulnerability was discovered by Marian Rejewski a good seventy years ago.

Become a paid corporate security whore:
http://www.iDefense.com/poi/teams/vcp.jsp

Learn to h4x0r like the best kiddies around:
http://www.sans.org/index.php

Special thanks to n3td3v who will take credit for this advisory despite no understanding of side channel attacks or even cryptography in general.

X. LEGAL NOTICE

Copyright (C) 2005 J. Random Expert Information Security Enterprise Consortium, Inc.

Permission is granted for the redistribution of this advisory electronically or in any other manner you so desire. It may not be edited in any way without the express written consent of J. Random Expert Information Security Enterprise Consortium, Inc. and filed in triplicate with a registered notary public.

Disclaimer: The information in this advisory is believed to be snarky and accurate at the time of publishing based on currently available information. There are no warranties or expectations of quality with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. All trademarks and registered names are the property of their respective owners. Amen.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
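The workarounds section of the advisory talks about program modifications that make timing independent of cache state. As an added example, not code from the advisory or from any of the papers it cites, the following C puts a secret-indexed table lookup beside a masked full-table scan whose memory access pattern does not depend on the index; the table is a constructed toy permutation, not a real cipher's S-box.

```c
/* Added example: data-dependent S-box lookup vs. a constant-time masked
 * scan. The leaky form loads one cache line chosen by the secret index,
 * which is what cache-timing attacks observe; the constant-time form reads
 * every entry on every call, so the access sequence carries no information
 * about the index. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 256

/* Constructed toy table: the affine permutation sbox[i] = 7*i + 13 mod 256
 * (7 is odd, so this is a bijection on 0..255). Not a real cipher table. */
static uint8_t sbox[TABLE_SIZE];

void init_sbox(void) {
    for (size_t i = 0; i < TABLE_SIZE; i++)
        sbox[i] = (uint8_t)(7 * i + 13);
}

/* Leaky form: the address loaded depends directly on the secret index. */
uint8_t lookup_leaky(uint8_t idx) {
    return sbox[idx];
}

/* Constant-time form: touch every entry, keep the one whose position
 * equals idx using an all-ones/all-zeros mask computed without a branch.
 * (Production code must also check the compiler does not fold this back
 * into an indexed load; a volatile read or asm barrier is the usual fix.) */
uint8_t lookup_ct(uint8_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff = (uint32_t)((uint8_t)i ^ idx);     /* 0 only when i == idx */
        uint8_t mask = (uint8_t)((diff - 1u) >> 24);      /* 0xFF if diff == 0, else 0 */
        result |= sbox[i] & mask;
    }
    return result;
}

/* Sanity check: both forms must return identical values for every index. */
int tables_agree(void) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (lookup_leaky((uint8_t)i) != lookup_ct((uint8_t)i))
            return 0;
    return 1;
}

int main(void) {
    init_sbox();
    printf("lookups agree for all 256 inputs: %s\n", tables_agree() ? "yes" : "no");
    return 0;
}
```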