Automatic Extraction of Secrets from the Transistor Jungle Using Laser-Assisted [pdf] (usenix.org)
45 points by todsacerdoti 19 days ago | hide | past | favorite | 9 comments

Impressive results.

Can anyone think of negative consequences for end-users? I imagine this is not really a practical attack vector on your YubiKey's 2FA keys or TPM disk encryption keys.

All the applications I can think of are unwanted just for DRM and other compute-freedom restrictions, which I see as a win. (See sibling comment from no_time).

Maybe one edge case would be things like SGX? IIUC being able to extract the secret keys would allow one to write an emulator that can run arbitrary code and pass remote attestation, while still being able to inspect (and modify) the code and data. This is something which feels at least somewhat useful and not fundamentally user-hostile. But my understanding is that the security model there might be broken regardless.

> One might argue that it is not always true that the adversary can program different keys into the NVM on a training device, for instance, when one-time programmable (OTP) memories like e-fuses or ROMs are used. We admit that such keys cannot be extracted using our approach.

The SGX remote attestation key is burnt into the chip during manufacture and isn’t programmable.

Extracting a single SGX private key is less desirable but nonetheless practical even if the hardware gets destroyed in the process. You could load the extracted key into an emulator and do your computing that way. It just does not scale unfortunately.

Decrypting the firmware of ME or AMD PSP this way could totally work though.

Hardware roots of trust are used for secure boot and device encryption. There are definitely downsides to secure boot systems but for the average user it just means better security. I don't think there are any real downsides to device encryption.

There are already services to do "firmware recovery" from individual credit cards in China.

Those guys allegedly have access to TEM labs. TEM is a much more impressive and expensive piece of hardware than this.

Usually there are just a dozen TEM labs per industrialised country.

Very nice job. Imagine an alternative universe without the DMCA where we could crowd fund the secret extraction of these processors to increase user freedom.

I don't think there's going to be a consumer application of this anytime soon. However, this seems practical enough for big organizations to break things like TPM, clone credit/debit/SIM/NFC cards and do cybersecurity research.

“…Using Laser-Assisted Side-Channel Attacks”

Uh oh.
