It has been a while again since I've posted, I've been busy with the day job.
Given some recent research results, I thought I would briefly discuss side-channels. In case you don't fully understand what a side-channel is I heard a great analogy from my boss, Intel Vice President Sridhar Iyengar (pro-tip: it never hurts to compliment your boss occasionally :)).
Brief Description of Side Channels
Suppose you were considering starting a drive-thru coffee stand in your neighborhood. Before you embark upon this venture it would be good to know how much revenue is generated by other coffee stands in your area. Now if I owned a potential rival coffee stand across town there are a number of good reasons why I may want to keep my daily/weekly/monthly revenue a secret. So if you want to know what other coffee stands make, but you can't expect the owners of those businesses to tell you, how can you do it?
You could set up a chair across the street from one of these stands and sit and count how many cars come through during a given time period. Then if you knew what an average drink costs at the stand, you can form a rough idea of how much revenue is coming in. You can go further by looking closer at how many people are in the cars and what types of cars are driving through (more brand new BMW SUVs or 20 year old Toyota pickups) and you can get an even better idea of how much revenue is coming in.
So even though the coffee stand owner didn't tell you how much money came in, by watching what was happening around the coffee stand you can get a pretty close approximation. These observations of vehicle traffic, occupants, and type are side-channels!
Possible Side Channels for revealing secrets
Technical side channels are often used to infer information about secrets on a platform. Researchers have shown that taking electromagnetic measurements of certain types of computing elements can allow them to infer some information about the information being processed by a device. Network traffic analysis is yet another way to gain insights into the information being processed by a program or a device.
Another commonly used technical side-channel is the observation of the memory access patterns made by a program. Just today, researchers from the University of Texas Austin and Microsoft Research published a paper showing how they could use a memory side channel to infer information about the data processed by large blocks of unmodified code placed into a protected environment. These are some of the same folks that showed how Intel® SGX can be used to protect cloud workloads and just yesterday how it can also be used to help protect data analytics. But as the side-channel research shows software developers still need to be careful.
Call to action
Many current libraries for cryptography have already been developed with memory side-channels in mind. They ensure that if an application is performing an encryption or decryption operation, other software observing the memory access behavior of the application cannot infer anything interesting about the contents of the data being encrypted/decrypted or the associated keys. But as the recent research shows if one is trying to protect a picture or a document the same sort of attention that has historically been paid to crypto algorithms to avoid side-channels may also need to be considered when developing the software that is using the secret information.
Work is underway at Intel and elsewhere to create tools that make the detection and prevention of possible memory side-channels easier, but more contributions are always welcome. It would be good for all software developers to know a little bit more about side-channels and how these may impact the information they are protecting. History shows that when a person or even an organization attempts to create a complete top-to-bottom security solution alone, in secret, the results almost always lead difficult future faced with continually dealing with flaws as they are discovered. Any security technologist in today's day and age needs to be prepared to rapidly respond to vulnerabilities as they are discovered, but life is much easier if few of these issues are discovered after a solution is released.
As I mentioned in this Intel Labs blog post, some of the best results are achieved when experts from many disciplines and organizations come together to create a secure solution. So I hope that any developer with enough interest to read this post would spend some time learning more about software side-channels and maybe propose some innovative solutions that will benefit the worldwide information technology community.