SCNIFFER: Low-Cost, Automated, Efficient Electromagnetic Side-Channel Sniffing
Electromagnetic (EM) side-channel analysis (SCA) is a prominent tool to break mathematically-secure cryptographic engines, especially on resource-constrained IoT devices. Presently, to perform EM SCA on an embedded IoT device, the entire chip is manually scanned and the MTD (Minimum Traces to Disclosure) analysis is performed at each point on the chip to reveal the secret key of the encryption algorithm. However, an automated end-to-end framework for EM trace collection and attack has been missing. This work proposes SCNIFFER: a lowcost, automated EM leakage SNIFFing platform to perform efficient end-to-end Side-Channel attacks. Using a leakage measure such as the signal amplitude or TVLA, we propose a greedy gradient-search heuristic that converges to one of the points of highest EM leakage on the chip (dimension: N x N) within O(N) iterations, and then perform Correlational EM Analysis (CEMA) at that point. This reduces the CEMA attack time by N times compared to an exhaustive MTD analysis, and > 20x compared to choosing an attack location at random. We demonstrate SCNIFFER using a low-cost custom-built 3-D scanner (< 300) compared to > 50, 000 commercial EM scanners, an H-field probe, and a variety of microcontrollers as the devices under attack. The SCNIFFER framework is evaluated for several cryptographic algorithms (AES-128, DES, RSA) running on both an 8-bit Atmega microcontroller and a 32-bit ARM microcontroller to find the best point of leakage and then perform a CEMA at that point.
READ FULL TEXT