{"id":8024,"date":"2017-06-22T07:40:21","date_gmt":"2017-06-22T15:40:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/22\/news-1801\/"},"modified":"2017-06-22T07:40:21","modified_gmt":"2017-06-22T15:40:21","slug":"news-1801","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/22\/news-1801\/","title":{"rendered":"Security Research News in Brief &#8211; May 2017 Edition"},"content":{"rendered":"<p><strong>Credit to Author: Axelle Apvrille| Date: Thu, 22 Jun 2017 15:00:03 +0000<\/strong><\/p>\n<div class=\"entry\">\n<p>Welcome back to our monthly review of some of the most interesting security research publications. This month, let&#39;s do a bit of crypto&#8230;<\/p>\n<p>Past editions:<\/p>\n<ul>\n<li><a href=\"http:\/\/blog.fortinet.com\/2017\/05\/10\/security-research-news-in-brief-april-2017-edition\">April 2017<\/a><\/li>\n<li><a href=\"http:\/\/blog.fortinet.com\/2017\/03\/24\/security-research-news-in-brief-march-2017-edition\">March 2017<\/a><\/li>\n<\/ul>\n<h2>P. Carru,&nbsp;<a href=\"http:\/\/www.eshard.com\/wp-content\/plugins\/email-before-download\/download.php?dl=9465aa084ff0f070a3acedb56bcb34f5\">Attack TrustZone with Rowhammer<\/a><\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Row_hammer\">Rowhammer<\/a>&nbsp;is an attack on DRAM, which consists in repeatedly accessing given rows of the DRAM to cause&nbsp;<strong>random bit flips<\/strong>&nbsp;in adjacent rows.<\/p>\n<p>Until now, the attack hadn&#39;t been demonstrated on ARM&#39;s&nbsp;<strong>TrustZone<\/strong>: but that&#39;s what the author implemented. 
He demonstrated that, using Rowhammer, it is possible to&nbsp;<strong>leak a <\/strong><em>private<\/em><strong> RSA key stored in TrustZone&#39;s<\/strong>&nbsp;secure side.<\/p>\n<p>His attack is implemented as follows:<\/p>\n<ul>\n<li>On the TrustZone non-secure side lies a Linux OS.<\/li>\n<li>On TrustZone&#39;s secure side, there is Trusty.&nbsp;<a href=\"https:\/\/source.android.com\/security\/trusty\/\">Trusty<\/a>&nbsp;is an open source secure kernel implemented by Google.<\/li>\n<li>Generate the RSA key on the secure side, sign a message, and retrieve a valid signature.<\/li>\n<li>Perform Rowhammer to cause a fault in one of the pre-computed integers used in an RSA implementation based on CRT (Chinese Remainder Theorem).<\/li>\n<li>Sign the same message again, and retrieve an invalid signature (as one pre-computed integer has been faulted).<\/li>\n<li>Using the valid and the invalid signature of the same message, recover a factor of the modulus. (This flaw is explained very well in&nbsp;<a href=\"http:\/\/download.springer.com\/static\/pdf\/589\/chp%253A10.1007%252F3-540-69053-0_4.pdf?originUrl=http%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F3-540-69053-0_4&amp;token2=exp=1497257444~acl=%2Fstatic%2Fpdf%2F589%2Fchp%25253A10.1007%25252F3-540-69053-0_4.pdf%3ForiginUrl%3Dhttp%253A%252F%252Flink.springer.com%252Fchapter%252F10.1007%252F3-540-69053-0_4*~hmac=3d04db5c555684120901f0f4da0b6fa6e1280854587ccd1e50a90d037ccd559f\">a paper by D. Boneh, et al<\/a>.&nbsp;which dates back to 1997). From there, the attacker is able to compute the private key.<\/li>\n<\/ul>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/Axelle%20news%201.png\" style=\"width: 900px; height: 506px;\" \/><\/p>\n<p align=\"center\"><em>This illustration is taken from P. Carru&#39;s presentation.<\/em><\/p>\n<p>See also: D. 
Gruss, et al.,&nbsp;<a href=\"https:\/\/arxiv.org\/pdf\/1507.06955v1.pdf\">Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript<\/a>, 2015. In this paper, the authors show how a low-level attack such as Rowhammer can be executed from a high-level software implementation in JavaScript.<\/p>\n<p>The slides show an interesting implementation of Rowhammer over TrustZone, and demonstrate that it can break an RSA key in practice. There are, however,&nbsp;<strong>conditions<\/strong>&nbsp;to this, which need to be highlighted: (a) the attack will only work over RSA implementations that are based on CRT (true, those are frequent, but nevertheless, not in every case), and (b) the attack only works correctly if the fault occurs on&nbsp;<strong>one<\/strong>&nbsp;of the pre-computed integers. If the fault occurs on two of the pre-computed integers, or elsewhere (e.g. the modulus), it won&#39;t work.<\/p>\n<h2>D. J. Bernstein, et al.,&nbsp;<a href=\"https:\/\/eprint.iacr.org\/2017\/351.pdf\">Post Quantum RSA<\/a><\/h2>\n<p>This paper proposes RSA parameters and a prime generation algorithm so that an attack, even if implemented on a theoretical quantum computer, would be of&nbsp;<a href=\"http:\/\/math.jccc.net:8180\/webMathematica\/JSP\/mmartin\/qcost.jsp\">quadratic cost<\/a>&nbsp;compared to its usage.<\/p>\n<p>The settings consist in a&nbsp;<strong>1-terabyte<\/strong>&nbsp;key, which is huge. However, the authors managed to demonstrate that generating such a key was feasible: they generated one on a (big) computer with terabytes of RAM and swap. They also managed to compute RSA encryption \/ decryption; however, with slightly smaller keys (256GB instead of 1T).<\/p>\n<p>So what? This&nbsp;<strong>paper looks far ahead of our time<\/strong>. It does not focus on whether quantum computers are feasible or not, but simply assumes they will be. 
What&rsquo;s interesting is that&nbsp;<strong>the authors debunk the claims which say quantum computers would kill RSA<\/strong>. And&nbsp;<strong>this<\/strong>&nbsp;is interesting.<\/p>\n<p>There&rsquo;s been a lot of speculation about quantum crypto (personally, I doubt it will ever work out &#8211; or not exactly the way we initially thought). The hype that quantum crypto will be capable of anything is, I believe, a misunderstanding of cryptography. Of course, it is true that the implementation described by the authors has a high cost (they do mention it themselves: $1 per encryption \/ decryption), but we&#39;re defending against something that does not even exist yet&#8230;<\/p>\n<h2>Miscellaneous<\/h2>\n<ul>\n<li><a href=\"http:\/\/conference.hitb.org\/hitbsecconf2017ams\/materials\/\">Hack in the Box presentation materials<\/a>, Amsterdam, 2017<\/li>\n<\/ul>\n<p><em>&#8212; the Crypto Girl<\/em><\/p>\n<p><em>&quot;If you think research is expensive, try disease!&quot;<\/em>&nbsp;&#8211; Mary Lasker (1900-1994)<\/p>\n<\/div>\n<p><a href=\"https:\/\/blog.fortinet.com\/2017\/06\/22\/security-research-news-in-brief-may-2017-edition\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/Axelle%20news%201.png\"\/><\/p>\n<p><strong>Credit to Author: Axelle Apvrille| Date: Thu, 22 Jun 2017 15:00:03 +0000<\/strong><\/p>\n<p>Welcome back to our monthly review of some of the most interesting security research publications. This month, let&#039;s do a bit of crypto&#8230;    Past editions:      \tApril 2017  \tMarch 2017      P. Carru,\u00a0Attack TrustZone with Rowhammer    Rowhammer\u00a0is an attack on DRAM, which consists in repeatedly accessing given rows of the DRAM to cause\u00a0random bit flips\u00a0in adjacent rows.    
Until now, the attack hadn&#039;t been demonstrated on ARM&#039;s\u00a0TrustZone: but that&#039;s what the author implemented. He demonstrated that, using&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-8024","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8024"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8024\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8024"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}