Abstract
The wide deployment of biometric authentication, and particularly fingerprint matching, on mobile devices and laptops raises the question of its security. While the respective algorithms have been extensively analysed regarding their ability to correctly identify a specific individual (and reject others), little attention has been paid to their secure implementation, especially on multi-user and multi-process systems. In this paper, we focus on this aspect and show that cache attacks on real-world biometric algorithms are a viable way to extract the user's fingerprint minutiae coordinates using a single side-channel trace. Specifically, we analyse NIST's MindTCT library, which is used by the Linux fprintd fingerprint authentication system, to identify suitable addresses for a Flush+Reload attack, then devise post-processing techniques to recover minutiae information. Using 1000 synthetic test fingerprints, our method succeeds in recovering minutiae from a single cache trace in approximately 9% of cases. Our work proves that there is side-channel leakage from a widely used biometric algorithm and that more research should therefore be performed on hardening biometric algorithms against such attacks.
Original language | English |
---|---|
Title of host publication | ASHES '23 |
Subtitle of host publication | Proceedings of the 2023 Workshop on Attacks and Solutions in Hardware Security |
Publisher | Association for Computing Machinery (ACM) |
Pages | 61–72 |
Number of pages | 12 |
ISBN (Electronic) | 9798400702624 |
Publication status | Published - 26 Nov 2023 |
Event | 2023 Workshop on Attacks and Solutions in Hardware Security (ASHES ’23), Copenhagen, Denmark. Duration: 30 Nov 2023 → …. http://ashesworkshop.org/workshop-program |
Publication series
Name | CCS: Computer and Communications Security |
---|
Workshop
Workshop | 2023 Workshop on Attacks and Solutions in Hardware Security (ASHES ’23) |
---|---|
Abbreviated title | ASHES '23 |
Country/Territory | Denmark |
City | Copenhagen |
Period | 30/11/23 → … |
Keywords
- biometry
- fingerprint matching
- cache attacks
- Flush+Reload
- side-channel attacks