1 / 9

The “Taint” Leakage Model

The “Taint” Leakage Model. Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2008. Taint . Common term in software security Any external input is tainted . A computation with a tainted input produces tainted output. Think tainted = “controllable” by adversary

pearly
Télécharger la présentation

The “Taint” Leakage Model

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The “Taint” Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2008

  2. Taint • Common term in software security • Any external input is tainted. • A computation with a tainted input produces tainted output. • Think tainted = “controllable” by adversary • Untainted values are private inputs, random values you generate, and functions of untainted values. • E.g. what values in browser depend on user input?

  3. Proposed “Taint Leakage Model” z • Only computations with tainted inputs leak information. • Adversary learns output and all inputs (even untainted ones) of a computation with a tainted input. • Define a valued as spoiled if it is untainted but input to a computation with a tainted input. • Examples: tainted values in red,spoiled values in purple clean values in black (untainted and unspoiled) • z = f(x,y) No leakage; clean inputs gives clean outputs • z = f(x,y) x tainted so z tainted & y spoiled • z = f(x,y) x clean & y spoiled so z clean • Leakable iff tainted orspoiled • Adversary can learn all tainted and spoiled values. • Leakage may be unbounded or bounded. f y x z f y x z f y x

  4. Motivating Sample • What attacks motivate this model? • Various forms of chosen-input attacks, such as timing attacks or differential attacks. • C = EK(M) • Here K is spoiled, and thus leakable; this models timing attacks on K using adversary-controlled probes via control of M .

  5. Model useful in building systems Clean zone Tainted zone Spoiled zone adversary Private inputs Zones can be implemented separately -- e.g. untainted on a TPM (or remote!) -- clean zone may include a random source, and can do computations (e.g. keygen) -- output could even be stored when independent of adversarial input (ref Dodis talk in this workshop)

  6. Example • Encrypting (tainted) message M with key K : • C = EK(M) • K is spoiled and thus leaks (since M is tainted) • C = (R, S) where S = M xorY and Y = EK(R)) • K is not tainted or spoiled, thus protected • S is tainted (since M is tainted) • R is spoiled (since paired with tainted S ) (but known anyway) • Y is spoiled (since M is tainted) • Protect long-term keys by using random ephemeral working keys. (Can do similarly for signatures) • Taint model more-or-less distinguishes between chosen-plaintext and known-plaintext attacks. • Related to “on-line/off-line” primitives…

  7. Relation to other models • Incomparable… • Adversary is weaker with taint model than with computational leakage, since values not depending on adversarial input don’t leak. • Adversary is stronger than with bounded leakage models, since it is OK to leak all inputs and output of computation with tainted input. • Taint model doesn’t capture all attacks (e.g. power-analysis, memory remanence attacks, …)

  8. Discussion • Contribution here is probably mostly terminology; model presumably implicit (or explicit?) in prior work. • Results in taint leakage model may be easy in some cases (e.g. using empheral keys). (ref Dodis talk in this workshop) • Goals typically should be that leakage does at most temporary damage…. • What can be done securely in this model?

  9. The End

More Related