1: #include <stdio.h>
2: #include <time.h>
3:
4: #include <library.h>
5:
6: typedef bool (*attackfn_t)(void *subj, u_char *data, size_t len);
7:
8: static void start_timing(struct timespec *start)
9: {
10: clock_gettime(CLOCK_PROCESS_CPUTIME_ID, start);
11: }
12:
13: static uint64_t end_timing(struct timespec *start)
14: {
15: struct timespec end;
16:
17: clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
18: return (end.tv_nsec - start->tv_nsec) +
19: (end.tv_sec - start->tv_sec) * 1000000000;
20: }
21:
22: static int intcmp(const void *a, const void *b)
23: {
24: return *(uint64_t*)a - *(uint64_t*)b;
25: }
26:
27: static uint64_t median(uint64_t *m, int count)
28: {
29: qsort(m, count, sizeof(uint64_t), intcmp);
30: return m[count / 2];
31: }
32:
33: static bool timeattack(attackfn_t attackfn, void *subj, size_t dlen,
34: u_int iterations, u_int distance)
35: {
36: struct timespec start;
37: u_char test[dlen];
38: uint64_t mini, maxi, t[256], m[256][10];
39: float fastdist = 0, slowdist = 0;
40: int i, j, k, l, byte, limit, retry = 0;
41: int fastest = 0, slowest = 0;
42:
43: memset(test, 0, dlen);
44:
45: /* do some iterations to fill caches */
46: for (i = 0; i < iterations; i++)
47: {
48: attackfn(subj, test, dlen);
49: }
50:
51: for (byte = 0; byte < dlen;)
52: {
53: memset(t, 0, sizeof(t));
54: memset(m, 0, sizeof(m));
55:
56: limit = iterations * (retry + 1);
57:
58: /* measure timing for all patterns in next byte */
59: for (k = 0; k < 10; k++)
60: {
61: for (j = 0; j < 256; j++)
62: {
63: for (l = 0; l < 100; l++)
64: {
65: test[byte] = j;
66: start_timing(&start);
67: for (i = 0; i < limit; i++)
68: {
69: attackfn(subj, test, dlen);
70: }
71: m[j][k] += end_timing(&start);
72: }
73: }
74: }
75:
76: for (j = 0; j < 256; j++)
77: {
78: t[j] = median(m[j], countof(m[j]));
79: }
80:
81: /* find fastest/slowest runs */
82: mini = ~0;
83: maxi = 0;
84: for (j = 0; j < 256; j++)
85: {
86: if (t[j] < mini)
87: {
88: mini = min(t[j], mini);
89: fastest = j;
90: }
91: if (t[j] > maxi)
92: {
93: maxi = max(t[j], maxi);
94: slowest = j;
95: }
96: }
97: /* calculate distance to next result */
98: mini = ~0;
99: maxi = 0;
100: for (j = 0; j < 256; j++)
101: {
102: if (fastest != j && t[j] < mini)
103: {
104: mini = min(t[j], mini);
105: fastdist = (float)(t[j] - t[fastest]) / distance;
106: }
107: if (slowest != j && t[j] > maxi)
108: {
109: maxi = max(t[j], maxi);
110: slowdist = (float)(t[slowest] - t[j]) / distance;
111: }
112: }
113: if (fastdist > 1.0f)
114: {
115: fprintf(stderr, "byte %02d: %02x (fastest, dist %02.2f)\n",
116: byte, fastest, fastdist);
117: test[byte] = fastest;
118: retry = 0;
119: byte++;
120: }
121: else if (slowdist > 1.0f)
122: {
123: fprintf(stderr, "byte %02d: %02x (slowest, dist %02.2f)\n",
124: byte, slowest, slowdist);
125: test[byte] = slowest;
126: retry = 0;
127: byte++;
128: }
129: else
130: {
131: if (retry++ > 5 && byte > 0)
132: {
133: fprintf(stderr, "distance fastest %02.2f (%02x), "
134: "slowest %02.2f (%02x), stepping back\n",
135: fastdist, fastest, slowdist, slowest);
136: test[byte--] = 0;
137: }
138: else if (retry < 10)
139: {
140: fprintf(stderr, "distance fastest %02.2f (%02x), "
141: "slowest %02.2f (%02x), retrying (%d)\n",
142: fastdist, fastest, slowdist, slowest, retry);
143: }
144: else
145: {
146: printf("attack failed, giving up\n");
147: return FALSE;
148: }
149: }
150: }
151: if (attackfn(subj, test, dlen))
152: {
153: printf("attack successful with %b\n", test, dlen);
154: return TRUE;
155: }
156: printf("attack failed with %b\n", test, dlen);
157: return FALSE;
158: }
159:
160: CALLBACK(attack_memeq1, bool,
161: u_char *subj, u_char *data, size_t len)
162: {
163: return memeq(data, subj, len);
164: }
165:
166: CALLBACK(attack_memeq2, bool,
167: u_char *subj, u_char *data, size_t len)
168: {
169: return memeq(subj, data, len);
170: }
171:
172: CALLBACK(attack_memeq3, bool,
173: u_char *subj, u_char *data, size_t len)
174: {
175: int i;
176:
177: for (i = 0; i < len; i++)
178: {
179: if (subj[i] != data[i])
180: {
181: return FALSE;
182: }
183: }
184: return TRUE;
185: }
186:
187: CALLBACK(attack_memeq4, bool,
188: u_char *subj, u_char *data, size_t len)
189: {
190: int i, m = 0;
191:
192: for (i = 0; i < len; i++)
193: {
194: m |= subj[i] != data[i];
195: }
196: return !m;
197: }
198:
199: CALLBACK(attack_memeq5, bool,
200: u_char *subj, u_char *data, size_t len)
201: {
202: return memeq_const(subj, data, len);
203: }
204:
205: static bool attack_memeq(char *name, u_int iterations, u_int distance)
206: {
207: struct {
208: char *name;
209: attackfn_t fn;
210: } attacks[] = {
211: { "memeq1", attack_memeq1 },
212: { "memeq2", attack_memeq2 },
213: { "memeq3", attack_memeq3 },
214: { "memeq4", attack_memeq4 },
215: { "memeq5", attack_memeq5 },
216: };
217: u_char exp[16];
218: int i;
219:
220: srandom(time(NULL));
221: for (i = 0; i < sizeof(exp); i++)
222: {
223: exp[i] = random();
224: }
225: fprintf(stderr, "attacking %b\n", exp, sizeof(exp));
226:
227: for (i = 0; i < countof(attacks); i++)
228: {
229: if (streq(name, attacks[i].name))
230: {
231: return timeattack(attacks[i].fn, exp, sizeof(exp),
232: iterations, distance);
233: }
234: }
235: return FALSE;
236: }
237:
238: CALLBACK(attack_chunk1, bool,
239: u_char *subj, u_char *data, size_t len)
240: {
241: return chunk_equals(chunk_create(subj, len), chunk_create(data, len));
242: }
243:
244: CALLBACK(attack_chunk2, bool,
245: u_char *subj, u_char *data, size_t len)
246: {
247: return chunk_equals_const(chunk_create(subj, len), chunk_create(data, len));
248: }
249:
250: static bool attack_chunk(char *name, u_int iterations, u_int distance)
251: {
252: struct {
253: char *name;
254: attackfn_t fn;
255: } attacks[] = {
256: { "chunk1", attack_chunk1 },
257: { "chunk2", attack_chunk2 },
258: };
259: u_char exp[16];
260: int i;
261:
262: srandom(time(NULL));
263: for (i = 0; i < sizeof(exp); i++)
264: {
265: exp[i] = random();
266: }
267: fprintf(stderr, "attacking %b\n", exp, sizeof(exp));
268:
269: for (i = 0; i < countof(attacks); i++)
270: {
271: if (streq(name, attacks[i].name))
272: {
273: return timeattack(attacks[i].fn, exp, sizeof(exp),
274: iterations, distance);
275: }
276: }
277: return FALSE;
278: }
279:
280: CALLBACK(attack_aead, bool,
281: aead_t *aead, u_char *data, size_t len)
282: {
283: u_char iv[aead->get_iv_size(aead)];
284:
285: memset(iv, 0, sizeof(iv));
286: return aead->decrypt(aead, chunk_create(data, len), chunk_empty,
287: chunk_from_thing(iv), NULL);
288: }
289:
290: static bool attack_aeads(encryption_algorithm_t alg, size_t key_size,
291: u_int iterations, u_int distance)
292: {
293: u_char buf[64];
294: aead_t *aead;
295: bool res;
296:
297: aead = lib->crypto->create_aead(lib->crypto, alg, key_size, 0);
298: if (!aead)
299: {
300: fprintf(stderr, "creating AEAD %N failed\n",
301: encryption_algorithm_names, alg);
302: return FALSE;
303: }
304: memset(buf, 0xe3, sizeof(buf));
305: if (!aead->set_key(aead, chunk_create(buf, aead->get_key_size(aead))))
306: {
307: aead->destroy(aead);
308: return FALSE;
309: }
310: memset(buf, 0, aead->get_iv_size(aead));
311: if (!aead->encrypt(aead, chunk_create(buf, 0), chunk_empty,
312: chunk_create(buf, aead->get_iv_size(aead)), NULL))
313: {
314: aead->destroy(aead);
315: return FALSE;
316: }
317: fprintf(stderr, "attacking %b\n", buf, aead->get_icv_size(aead));
318:
319: res = timeattack(attack_aead, aead, aead->get_icv_size(aead),
320: iterations, distance);
321: aead->destroy(aead);
322: return res;
323: }
324:
325: CALLBACK(attack_signer, bool,
326: signer_t *signer, u_char *data, size_t len)
327: {
328: return signer->verify_signature(signer, chunk_empty, chunk_create(data, len));
329: }
330:
331: static bool attack_signers(integrity_algorithm_t alg,
332: u_int iterations, u_int distance)
333: {
334: u_char buf[64];
335: signer_t *signer;
336: bool res;
337:
338: signer = lib->crypto->create_signer(lib->crypto, alg);
339: if (!signer)
340: {
341: fprintf(stderr, "creating signer %N failed\n",
342: integrity_algorithm_names, alg);
343: return FALSE;
344: }
345: memset(buf, 0xe3, sizeof(buf));
346: if (!signer->set_key(signer, chunk_create(buf, signer->get_key_size(signer))))
347: {
348: signer->destroy(signer);
349: return FALSE;
350: }
351: if (!signer->get_signature(signer, chunk_empty, buf))
352: {
353: signer->destroy(signer);
354: return FALSE;
355: }
356: fprintf(stderr, "attacking %b\n", buf, signer->get_block_size(signer));
357:
358: res = timeattack(attack_signer, signer, signer->get_block_size(signer),
359: iterations, distance);
360: signer->destroy(signer);
361: return res;
362: }
363:
364: static bool attack_transform(char *name, u_int iterations, u_int distance)
365: {
366: const proposal_token_t *token;
367:
368: token = lib->proposal->get_token(lib->proposal, name);
369: if (!token)
370: {
371: fprintf(stderr, "algorithm '%s' unknown\n", name);
372: return FALSE;
373: }
374:
375: switch (token->type)
376: {
377: case ENCRYPTION_ALGORITHM:
378: if (encryption_algorithm_is_aead(token->algorithm))
379: {
380: return attack_aeads(token->algorithm, token->keysize / 8,
381: iterations, distance);
382: }
383: fprintf(stderr, "can't attack a crypter\n");
384: return FALSE;
385: case INTEGRITY_ALGORITHM:
386: return attack_signers(token->algorithm, iterations, distance);
387: default:
388: fprintf(stderr, "can't attack a %N\n", transform_type_names, token->type);
389: return FALSE;
390: }
391: }
392:
393: int main(int argc, char *argv[])
394: {
395: library_init(NULL, "timeattack");
396: atexit(library_deinit);
397: lib->plugins->load(lib->plugins, getenv("PLUGINS") ?: PLUGINS);
398:
399: if (argc < 3)
400: {
401: fprintf(stderr, "usage: %s <attack> <iterations> <distance>\n", argv[0]);
402: fprintf(stderr, " <attack>: memeq[1-5] / chunk[1-2] / aead / signer\n");
403: fprintf(stderr, " <iterations>: number of invocations * 1000\n");
404: fprintf(stderr, " <distance>: time difference in ns for a hit\n");
405: fprintf(stderr, " example: %s memeq1 100 500\n", argv[0]);
406: fprintf(stderr, " example: %s aes128gcm16 100 4000\n", argv[0]);
407: return 1;
408: }
409: if (strpfx(argv[1], "memeq"))
410: {
411: return !attack_memeq(argv[1], atoi(argv[2]), atoi(argv[3]));
412: }
413: if (strpfx(argv[1], "chunk"))
414: {
415: return !attack_chunk(argv[1], atoi(argv[2]), atoi(argv[3]));
416: }
417: return !attack_transform(argv[1], atoi(argv[2]), atoi(argv[3]));
418: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to timeattack.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / scripts