Presentation is loading. Please wait.

Presentation is loading. Please wait.

The “Taint” Leakage Model

Published by序掌 蓟 Modified over 5 years ago

Similar presentations

Presentation on theme: "The “Taint” Leakage Model"— Presentation transcript:

1 The “Taint” Leakage Model
Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2008

2 Taint Common term in software security Any external input is tainted.
A computation with a tainted input produces tainted output. Think tainted = “controllable” by adversary Untainted values are private inputs, random values you generate, and functions of untainted values. E.g. what values in browser depend on user input?

3 Proposed “Taint Leakage Model”
z Only computations with tainted inputs leak information. Adversary learns output and all inputs (even untainted ones) of a computation with a tainted input. Define a valued as spoiled if it is untainted but input to a computation with a tainted input. Examples: tainted values in red, spoiled values in purple clean values in black (untainted and unspoiled) z = f(x,y) No leakage; clean inputs gives clean outputs z = f(x,y) x tainted so z tainted & y spoiled z = f(x,y) x clean & y spoiled so z clean Leakable iff tainted or spoiled Adversary can learn all tainted and spoiled values. Leakage may be unbounded or bounded. f x y z f x y z f x y

4 Motivating Sample What attacks motivate this model?
Various forms of chosen-input attacks, such as timing attacks or differential attacks. C = EK(M) Here K is spoiled, and thus leakable; this models timing attacks on K using adversary-controlled probes via control of M .

5 Model useful in building systems
Clean zone Spoiled zone Tainted zone adversary Private inputs Zones can be implemented separately -- e.g. untainted on a TPM (or remote!) -- clean zone may include a random source, and can do computations (e.g. keygen) -- output could even be stored when independent of adversarial input (ref Dodis talk in this workshop)

6 Example Encrypting (tainted) message M with key K :
C = EK(M) K is spoiled and thus leaks (since M is tainted) C = (R, S) where S = M xor Y and Y = EK(R)) K is not tainted or spoiled, thus protected S is tainted (since M is tainted) R is spoiled (since paired with tainted S ) (but known anyway) Y is spoiled (since M is tainted) Protect long-term keys by using random ephemeral working keys. (Can do similarly for signatures) Taint model more-or-less distinguishes between chosen-plaintext and known-plaintext attacks. Related to “on-line/off-line” primitives…

7 Relation to other models
Incomparable… Adversary is weaker with taint model than with computational leakage, since values not depending on adversarial input don’t leak. Adversary is stronger than with bounded leakage models, since it is OK to leak all inputs and output of computation with tainted input. Taint model doesn’t capture all attacks (e.g. power-analysis, memory remanence attacks, …)

8 Discussion Contribution here is probably mostly terminology; model presumably implicit (or explicit?) in prior work. Results in taint leakage model may be easy in some cases (e.g. using empheral keys). (ref Dodis talk in this workshop) Goals typically should be that leakage does at most temporary damage…. What can be done securely in this model?

9 The End

Download ppt "The “Taint” Leakage Model"

Similar presentations

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.

Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.

Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.
Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN 2010 13/09/2010 Sapienza University of Rome.

Leakage-Resilient Storage Francesco Davì Stefan Dziembowski Daniele Venturi SCN /09/2010 Sapienza University of Rome.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.

Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)

Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.

Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
An Offloaded Dynamic Taint Analysis Approach for Privacy Leakage Detection on Android Hui Xu 1.

An Offloaded Dynamic Taint Analysis Approach for Privacy Leakage Detection on Android Hui Xu 1.
Lecture 2: Introduction to Cryptography

Lecture 2: Introduction to Cryptography
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.

Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
The “Taint” Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009.

The “Taint” Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009.
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.

Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.

DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.

1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.

Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.

Similar presentations

Ads by Google