Two problems of computer security are investigated. On one hand, we are facing a practical problematic of actual processors: the cache, an element of the architecture that brings flexibility and allows efficient utilization of the resources, is demonstrated to open security breaches from which secret information can be extracted. This issue required a delicate study to understand the problem and the role of the incriminated elements, to discover the potential of the attacks and find effective countermeasures.
Because of the intricate behavior of a processor and limited resources of the cache, it is extremely hard to write constant-time software. This is particularly true with cryptographic applications that often rely on large precomputed data and pseudo-random accesses. The principle of time-driven attacks is to analyze the overall execution time of a cryptographic process and extract timing profiles. We show that in the case of AES those profiles are dependent on the memory lookups, i.e. the addition of the plaintext and the secret key. Correlations between some profiles with known inputs and some with partially unknown ones (known plaintext but unknown secret key) lead to the recovery of the secret key.
We then detail access-driven attacks: another kind of cache-based side channel. This case relies on stronger assumptions regarding the attacker's capacities: he must be able to run another process, concurrent to the security process. Even if the security policies prevent the so-called "spy" process from accessing directly the data of the "crypto" process, the cache is shared between them and its behavior can lead the spy process to deduce the secrets of the crypto process.
Several ways are explored for mitigations, depending on the security level to reach and on the attacker's capabilities. The respective performances of the mitigations are given. The scope is however oriented toward software mitigations as they can be directly applied to patch programs and reduce the cache leakage.
On the other hand, we tackle a situation of computer science that also concerns many people and where important economical aspects are at stake: although spam is often considered as the other side of the Internet coin, we believe that it can be defeated and avoided. A increasing number of researches for example explores the ways cryptographic techniques can prevent spams from being spread. We concentrated on studying the behavior of the spammers to understand how e-mail addresses can be prevented from being gathered. The motivation for this work was to produce and make available quantitative results to efficiently prevent spam, as well as to provide a better understanding of the behavior of spammers.
Even if orthogonal, both parts tackle practical problems and their results can be directly applied.
| Identifer | oai:union.ndltd.org:BICfB/oai:ucl.ac.be:ETDUCL:BelnUcetd-07072006-204327 |
| Date | 14 July 2006 |
| Creators | Neve de Mevergnies, Michael |
| Publisher | Universite catholique de Louvain |
| Source Sets | Bibliothèque interuniversitaire de la Communauté française de Belgique |
| Language | English |
| Detected Language | English |
| Type | text |
| Format | application/pdf |
| Source | http://edoc.bib.ucl.ac.be:81/ETD-db/collection/available/BelnUcetd-07072006-204327/ |
| Rights | unrestricted, J'accepte que le texte de la thèse (ci-après l'oeuvre), sous réserve des parties couvertes par la confidentialité, soit publié dans le recueil électronique des thèses UCL. A cette fin, je donne licence à l'UCL : - le droit de fixer et de reproduire l'oeuvre sur support électronique : logiciel ETD/db - le droit de communiquer l'oeuvre au public Cette licence, gratuite et non exclusive, est valable pour toute la durée de la propriété littéraire et artistique, y compris ses éventuelles prolongations, et pour le monde entier. Je conserve tous les autres droits pour la reproduction et la communication de la thèse, ainsi que le droit de l'utiliser dans de futurs travaux. Je certifie avoir obtenu, conformément à la législation sur le droit d'auteur et aux exigences du droit à l'image, toutes les autorisations nécessaires à la reproduction dans ma thèse d'images, de textes, et/ou de toute oeuvre protégés par le droit d'auteur, et avoir obtenu les autorisations nécessaires à leur communication à des tiers. Au cas où un tiers est titulaire d'un droit de propriété intellectuelle sur tout ou partie de ma thèse, je certifie avoir obtenu son autorisation écrite pour l'exercice des droits mentionnés ci-dessus. |
Page generated in 0.0022 seconds