A proof-of-concept log analysis tool for PKCS#11. The tool is able to identify several key-management attacks involving symmetric encryption operations.
This tool consists of three components:
- a software layer that wraps the existing PKCS#11 library interface. The wrapper allows the instrumentation of selected API calls to record the operations executed by the underlying library. It also computes key fingerprints to solve the log analysis problem;
- a logging facility to store the logs of each session in a central repository;
- the analyzer that parses the logs generated by the first two components and performs the discovery of attacks aimed at leaking the value of secure keys.
Install OpenCryptoki
sudo apt install opencryptoki libopencryptoki-dev
start the pkcsslotd daemon and initialize the token with pkcsconf. Ensure
to be in the pkcs11 group to run the command.
Enter directory src and type make to compile the tool. The wrapper will be
compiled to p11d.so in that directory.
Optionally, install gnutls-bin for p11tool. It allows to perform handy
operations on PKCS#11 tokens. For instance, the command to list all the
objects stored in the OpenCryptoki software token is the following:
p11tool --provider /usr/lib/pkcs11/libopencryptoki.so --list-all
To start an application with the PKCS#11 wrapper enabled you are required to run the logger in one terminal
$ ./analyser/logger.py
and load the p11d.so shared object before any other library:
LD_PRELOAD=./p11d.so ./your_program
Log files are automatically saved to /tmp/apilogger/. Use the
./analyser/analyser.py to parse them and search fro attacks.
The tool ships with a suite of key-mangement attakcs that can be used to assess the detection capabilities of the approach.
The supported attacks are:
- Wrap/Decrypt
- Wrap/Unwrap
- Re-Import
- Distributed Wrap/Decrypt
In order to check the tool against a certain attack, start the
test_attack binary and select the appropriate attack number.