- Story:
http://cacm.acm.org/magazines/2016/6/202646-physical-key-extraction-attacks-on-pcs/fulltext
- Archived:
https://web.archive.org/web/*/http://cacm.acm.org/magazines/2016/6/202646-physical-key-extraction-attacks-on-pcs/fulltext
https://archive.is/MrXho
For attackers, ramming the gates of cryptography is not the only option. They can instead undermine the fortification by violating basic assumptions made by the cryptographic software. One such assumption is software can control its outputs. Our programming courses explain that programs produce their outputs through designated interfaces (whether print, write, send, or mmap); so, to keep a secret, the software just needs to never output it or anything that may reveal it. (The operating system may be misused to allow someone else's process to peek into the program's memory or files, though we are getting better at avoiding such attacks, too.)
Yet programs' control over their own outputs is a convenient fiction, for a deeper reason. The hardware running the program is a physical object and, as such, interacts with its environment in complex ways, including electric currents, electromagnetic fields, sound, vibrations, and light emissions. All these "side channels" may depend on the computation performed, along with the secrets within it. "Side-channel attacks," which exploit such information leakage, have been used to break the security of numerous cryptographic implementations
(Score: 2) by shrewdsheep on Monday July 25 2016, @08:57AM
...some disconnected machines!!!...
Hm, .... I believe that your exclamation marks are somewhat misplaced here. I believe that the notion of the "air-gapped" machine is illusory and everyone should be aware of it. For example, the stuxnet attack used many channels and ultimately reached the air-gapped production networks via usb-drives. If you completely isolate a machine, it has no relation to the rest of the universe and can thereby be excluded from further consideration. I personally do have an older laptop serving solely as a backup machine only turned on once a year or so and sitting in what I believe to be a defined state. By no means is that machine disconnected. There are only grades and states of connectedness the degree and extend of which indeed needs to be carefully considered.
(Score: 2) by opinionated_science on Monday July 25 2016, @09:40AM
well might need to drive it via a solar panel to prevent PSU intrusion, but you get the idea ;-)