
Secure Application Programming in the presence of Side Channel Attacks

Author: Marc Witteman

Side channel threats are a pervasive and unique form of assault on device security in a variety of industries, such as automotive, mobile phones, payment terminals, and medical equipment. While Smart Cards, the traditional target of side channel attackers, have adopted effective countermeasures against these attacks, other industries have been slow to adopt them. The countermeasures can be applied at the hardware, operating system, and application level. This paper focuses on the application-level countermeasures.

Side Channel Attacks

Side channel attacks target the unintended (and therefore often unsecured) channels of communication. This often requires physical access to the device, making consumer devices with a security function and access control tokens ideal targets.

Some of the most commonly attacked side channels are:

  • Time: the time needed to complete certain operations.
  • Power: the power available to and used by a device.
  • Electromagnetic radiation: EM radiation produced by a device.

Defensive Patterns 

This paper divides the patterns designed to secure against various attacks into two groups: those against data leakage and those against fault injection. The patterns used to counter data leakage focus on protecting confidential data like keys and passwords as well as hiding sensitive decisions. Patterns focusing on fault injection aim to protect critical data or program flow. Before implementing any of these patterns, a developer should consider the risk of a side-channel attack. For example, is there a reason an attack might be attempted, are the side channels the most obvious weakness in the device, and is it even possible to get physical access to the device? If the answer to these questions is ‘Yes,’ then a series of steps should be followed to protect the device.

  1. Understand the hardware and operating system’s resistances
  2. Identify the potential weaknesses in the application design
  3. Implement the appropriate patterns
  4. Test the device and security
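
The two pattern groups described above, illustrated on a PIN check in C. This is an added example, not code from the whitepaper; the function names, result constants and sample PIN are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes are bitwise complements (assumed values for this example),
   so a single flipped bit cannot turn "denied" into "granted". */
#define PIN_OK   0x3CA5965Au
#define PIN_FAIL 0xC35A69A5u

/* Leaky 'before' version: returns at the first mismatching byte, so the
   run time reveals how many leading bytes of the guess were correct. */
int pin_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Data-leakage pattern: visit every byte and accumulate the differences
   with no branch that depends on the secret data. */
static uint8_t diff_bytes(const volatile uint8_t *a, const volatile uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

/* Fault-injection pattern: start from the failure value, compute the
   comparison twice, and grant access only when both results agree. */
uint32_t pin_verify(const uint8_t *entered, const uint8_t *stored, size_t n)
{
    volatile uint32_t result = PIN_FAIL;
    volatile uint8_t d1 = diff_bytes(entered, stored, n);
    volatile uint8_t d2 = diff_bytes(stored, entered, n);
    if (d1 == 0) {
        if (d2 == 0)   /* redundant check: one skipped branch is not enough */
            result = PIN_OK;
    }
    return result;
}

int main(void)
{
    const uint8_t stored[4]  = {1, 2, 3, 4};   /* constructed sample PIN */
    const uint8_t entered[4] = {1, 2, 3, 5};   /* constructed wrong guess */
    printf("%s\n", pin_verify(entered, stored, 4) == PIN_OK ? "granted" : "denied");
    return 0;
}
```

Whether the compiled loop really runs in data-independent time depends on the compiler and target, which is why the steps above end with testing on the actual device.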
