230 likes | 244 Views
This lecture provides a high-level survey of microarchitectural support for security, covering various implementations and vulnerabilities. Topics include physical attacks, cryptography, side channel attacks, and more.
E N D
Micro Architectural Support for Security By Mastewal Abawa Shah Zafrani Sai Chandra Kosaraju
Introduction to Security • With the ubiquity of computerized technology in all aspects of our lives, it’s important to ensure that these devices work as intended without compromising function or privacy. • Securing devices at the hardware level is just as important as it is at the software level • In July of 2017, researchers found an exploit on a family of Broadcom WiFi chips that are used in iPhones, and many Android devices. The exploit was made possible because the chips firmware was sent through the device into main memory unencrypted which allowed researchers to easily reverse engineer it. This attack approach could have been mitigated by implementing encryption across device channels. • This lecture is a survey of the topic that will cover various security implementations and vulnerabilities from a high level.
Scope of Lecture This lecture will serve as a survey of the material you would cover in a dedicated course on MicroArchitectural Support for Security Topics include • Physical Attacks and Tamper resistance • Security Based on Physical Unclonability and Disorder • Scan Based Side Channel Attacks • JTAG Security Issues • Introduction to Cryptography • Crypto Processor Design • Side Channel Attacks • Hardware Trojan Horses: IC/IP Trust
Physical Attacks and Tamper Resistance One of the most obvious approaches to securing or attacking hardware is physically tampering with said hardware. There are a few common types of attacks and countermeasures we will see here, but rest assured we are only scratching the surface
Types of Physical Attacks and Tampering • Side-channel attacks rely on monitoring analog characteristics of device connections such as electromagnetic radiation or • Software attack design exploiting protocols, cryptographic function, and other aspects of implementation of device communication interfaces • Fault generation using environmental conditions the device wasn’t designed for in order to cause malfunctions that might lead to more access. Ex: ambient temperature, under/over volting, clock speed manipulation • Add scan channels
Countermeasures for Physical Attacks & Tampering • Internal bus hardware encryption can help prevent reverse engineering • Using internal voltage sensors can help protect attacks based on under or over volting. Clock speed sensors make static analysis or clock glitching attacks more difficult. • Using an ASIC (Application Specific Integrated Circuit) design as opposed to separate building block structures (CPU Instruction Decoder, ALU, Registers, etc) can prevent attackers from tapping into vital information.
Hardware Implementation Introduction • Multiplication itself can be thought of as a process of repeated addition • From the simple full-adder we have constructed ripple-carry adders, carry-lookahead adders, and overall a large suite of hardware constructs for addition which encompass a large range of time and area requirements • Addition of two n-bit numbers requires an n-bit adder, which produces an n-bit result with carry-out (or an .n + 1/-bit result). We can multiply two n-bit numbers by using n n-bit adders, or alternatively by using n2 full adders.The combinational multiplier is made up of an n-by-n matrix of full adders • This process is much easier to understand in binary than in decimal format – each row or column i of the multiplier will compute the value ABi and provide this value as a carry-input to the row or column i+1 that is computing the partial product ABi+1. • The least significant bit of every row or column i will be sent the output as the ith output of the combinational multiplier, and each output bit of the final row or column will be used as upper-bits of the product.
Trusted Design in FPGAs • Use of FPGAs (Field programmable gate arrays) have dramatically increased in demand in the past decade • HDL (Hardware Description Language) attacks often target stealing IP (Intellectual Property) and inserting malware or spyware to disrupt operation or extract information. Trojans are added to the HDL level code, which are difficult to detect. • Circuit configuration data for FPGAs is encoded in bitstreams which need to be loaded from external non-volatile sources (ex: EPROM, SRAM). Attackers can intercept this bitstream to steal IP.
Side Channel Attacks (SCA) and Countermeasures • Based on “Side Channel Information” retrieved from the encryption device resulting from the encryption process along with other cryptanalytic techniques • The information is neither the plaintext to be encrypted nor the ciphertext • The information include: time, power consumption , radiation of various sorts • Timing Attack • Based on measuring the time it takes for a unit to perform operations. • Cryptosystems often take slightly different amounts of time to process different inputs. • Timing measurements are fed into a statistical model that can provide the guessed key bit • Power Consumption Attacks • Based on analyzing the power consumption of the unit while it performs the encryption operation. • The amount of power consumed varies depending on the microprocessor instruction performed • Simple Power Analysis (SPA) Attack: looking at the visual representation of the power consumption of a unit while an encryption operation is being Performed. • Differential Power Analysis (DPA) attack: consist not only of visual but also statistical analysis and error-correction statistical methods
Differential Fault Analysis (DFA) Attacks • Relates to investigating ciphers and extract keys by intentionally generating faults in a system • Changing the voltage, tampering with the clock, or by applying radiation of various types • Based on encrypting the same piece of data twice and comparing the results. • The data is not necessarily known to the attacker • A one-bit difference indicates a fault in one of the operations • Countermeasures Against Side Channel Attacks • Data Independent calculations • Encryption operations shall be data independent in their time consumption • sub-operations should take the same number of clock cycles. • Binding • Blinding signatures can be adapted to prevent attackers from knowing the input to the modular exponentiation function • Adding random multiple to the exponent before each modular exponentiation • Care must be taken to ensure that the addition process itself does not have timing characteristics • - Avoiding Conditional Branching and Secret Intermediaries • - Perform calculations using functions that utilize elementary operations such as AND, OR and XOR
Design and implement cryptosystems with the assumption that information will leak • Adding delays • Make all operations take exactly the same amount of time • It is difficult because factors such as the system responsiveness or power consumption may still change when the operation finishes in a way that can be detected • Time Equalization of Multiplication and Squaring • Power Consumption Balancing • Dummy registers and gates should be added on which (algorithm-wise) useless operations are made to balance power consumption into a constant value • Reduction of Signal size • Using constant execution path code, • Choosing operations that leak less information in their power consumption, • Balancing Hamming Weights and state transitions, or by physically shielding the device • Introduce noise into power consumption • Designing cryptosystems with realistic assumptions about the underlying hardware • Run the encryption twice and output the results only if these two are identical
Protecting against Scan-based Side Channel Attacks • Scan based test is a very powerful test technique as well as a powerful attack tool. • By loading pairs of known plaintexts with one-bit difference in the normal mode and then scanning out the internal state in the test mode, we first determine the position of all scan elements in the scan chain. Then, based on a systematic analysis of the structure of the non-linear substitution boxes, and using three additional plaintexts we discover the DES secret key. • Phase 3: The two 32-bit outputs of round 16 are concatenated and permuted using the inverse permutation and loaded into the output register. • Round key generation: Since each of the sixteen rounds uses a 48-bit round key, a round key generation is used to generate the sixteen round keys K1, K2 …K16 from the 56-bit user key. It uses simple bit-permutation and shift operations. Each round key contains 48 bits of the 56-bit user key • . Algorithm: • Phase 1: The 64-bit plaintext block is bit permuted and stored in two 32-bit registers L (Left) and R (Right). • Phase 2: A round operation composed of function f and exclusive-ored is performed 16 times. In the ith round, the 32-bit R and the 48-bit round key Ki are inputs to the f function. The output of the f function is exclusive-ored with L to form R for the round i+1. The R used in round i becomes the L for round i+1. Image source: Tehranipoor etal 2012)
Attack step 1 • First step, we will first locate the FF(Flip-Flops) in our input, L(left) and R(right) registers in the scan chain. The scan out pin TDO(Output pin) yields a serial bit stream that does not reveal immediately the correspondence between the bits in the registers and the bits in our scanned-out bit stream. By switching the DES(encryption circuit ) circuit between normal mode and test mode, we can determine the structure of scan chain as follows. • First step is to Reset the DES chip and run it in normal mode for one clock cycle to load a known plaintext word into input register. • Then change the circuit to test mode and scan out the bit stream pattern 1. • Then switch back our circuit to normal mode and run one clock cycle to load the plaintext into L or R registers. • Then again Switch to test mode and scan out the bit stream pattern 2. • Repeat steps 1 to 3 using a plaintext that is different from the first plaintext in only one-bit position. • Save the pattern 3 and pattern 4. Pattern 1 and pattern 3 must only have a one bit difference and that determines the location of an input register flip-flop in the scan chain. Pattern 2 and 4 onlymust have two-bit difference, Image sources: Tehranipoor etal 2012)
Attack step 2: • Recover Round Key 1 • Since we already known L and R’ s location in registers in the scan chain ,Then we can break DES algorithm by applying three known plaintexts and analyzing the DES algorithm. a DES round can be described as follows • L1=R0; • R1=L0⊕d; • d=permutation(c) • a=Expand(r); • b=a⊕K1; • c= S_box(b); • Last step is to load a plaintext word (L0 and R0) and run 3 clock cycles. • By Switching to test mode and scan out the bit stream. Now L1 and R1 are known. • , d is known (=L0⊕R1). • , c is known (c = inverse permutation(d)). , a is known (expand (R0)). if we know b, we can find round key K1 (K1 = a⊕b). Since we only know a, we need to find b the input to the s-boxes, from their output c. Image sources: Yang etal 2017)
Steps for Low-Cost Secure Scan Insertion Flow • Define # of dFFs (size of key and KCL)(dFF is the dummy flip-flop which is shown with the black colour in the above diagram ) • Define KCL key (random or user defined key ). • Define # of LFSR bits(Linear feedback shift register). • Define # of RRN gates (must be ≤ # of LFSR bits)(RRN stands for Random Response Network). • Load and Compile KCL and RBG(Random Bit Generator) • Load and Compile our Targeted Design (TD). • Set our Current Design to Targeted Design (TD). • Now Initialize KCL and RBG in our TD. • Initialize dFFs in TD. •Now Connect CLK of Targeted designs to dFFs. • Connect Q of all dFFs to their respective KCL port. • Initialize RRN placeholder FFs. • • Connect CLK of TD to all placeholder FFs. • Connect D of all placeholder FFs to respective RBG port. • Then Reorder scan chain placing dFFs before all RRN placeholder FFs. • Now Perform the scan insertion. • Replace RRN placeholder FFs with our actual RRN gates. • Then Load and Compile new netlist with our Low-Cost Secure Scan included in our Targeted Design
Hardware Trojan Horses (HTH): IC/IP Trust • Due to globalization, semiconductor industry has spread across the borders • Intentionally implant malicious extra logic as HTH circuitry into an Integrated Circuit (IC) by tampering the supply chain . • The security of electronic systems built upon third party IP (Intellectual Property) cores could be compromised by maliciously inserting hardware trojans. • An attacker can change a design netlist or subvert the fabrication process by manipulating design masks, without affecting the functionality of the design. • Could be designed to disable or destroy a system at some future time or leak confidential information such as secret key covertly to an adversary • For instance, new triggers utilize don’t-care states in a design or silicon wearout mechanisms for Trojan activation. • Trigger : activates the malicious activity • Payload: Executes the malicious activity • Figure Minimalist hardware trojan horse (Source Basin et al 2013) • New payloads might generate intentional side-channel signals to leak secret information
Countermeasures Against Hardware Trojans • Trojan Detection: • Post Silicon detection techniques can be classified into: • destructive and • nondestructive methods • Destructive: use destructive reverse-engineering techniques to depackage an IC and obtain images of each layer in order to reconstruct the design-for-trust validation of the end product. • High cost and could take several weeks and months to do this for an IC of reasonable complexity. • Functional tests need to activate Trojans by applying test vectors and comparing the responses with the correct results • Non-Destructive: it doesn’t cause destruction of IC
Pre-silicon Trojan detection techniques. • Functional validation, • Code/structural analysis, • Formal verification • Functional validation is conducted with simulation, while functional tests have to be performed on a tester for applying input patterns and collecting output responses. • Code analysis can be performed on behavioral or structural [Hicks et al. 2010] codes to identify redundant statements or circuits that may be a part of a Trojan. • Formal verification is an algorithmic-based approach to logic verification that exhaustively proves a predefined set of security properties that a design should satisfy . • DESIGN FOR TRUST • Facilitate Functional Test. • Facilitate Side-Channel Signal Analysis. • Runtime Monitoring. • Logic Obfuscation. • Camouflaging. • Functional Filler Cell.
JTAG and Security Issues • JTAG is the dominant standard for in circuit configuration and debug test. • It is designed to handle faults in: Design , Fabrication Packaging and PC boards • The JTAG protocol defines a bidirectional • communication link intended for system • management task with one master and • arbitrary number of slaves. • JTAG enabled systems could be prone to attack • The attacker can be manufacturer of one • of the chips or a malicious end user Sniffing Attack : secret that is being sent via a victim chip Read out Secret : secret that is stored in the victim chip. Modify State of Authentic Part: modify the victim chip’s state False Response attack: deceive the tester about the victim chip’s true state Figure sniffing attack, an attacker exploits the JTAG path ( Source Rosenfeld and Karri 2010)
Cryptography 101 • Cryptography is the art of enciphering and deciphering information, used to ensure that only the intended audience has access to it. It is one of the fundamentals of security today. • Most modern cryptography used for data transmission over networks relies on the XOR (exclusive or) operator on a stream of information with a “key”. These keys consist of extremely large prime numbers. • Cryptography is prevalent everywhere from your internet browser communicating with facebook to securely deliver your feed, to ATMs that encrypt data transmitted on their own buses. • Hardware Support for Cryptography includes CoProcessors that speed up the implementation of cryptographic operations on web servers, and instruction sets that also boost the speed of said operations on your personal computers (see AES instruction set for x86 systems).
Crypto Processor Design • Crypto processors are specialized processors that execute cryptographic algorithms within hardware. • Functions • Accelerating encryption algorithms, • Data protection • Protects against tampering • Intrusion detection • security enhanced memory access and I/O. • Design • Start from the ground up • Assure the security of the silicon- the fabricator should be trusted • No backdoors, no undocumented features, etc. • Design and program in secure environment and limit access to design info • Have a strong and reliable key management system Figure Semiconductor supply chain (source, Xiao etal 2016)
Security Based on Physical Unclonability and Disorder • As our demand for interconnected devices grows so does the need for reliable security measures for identifying, authenticating, and verifying the integrity of these devices. • Existing methods of achieving this rely on the use of secret keys, but they have vulnerabilities that create design challenges. For example, attackers have been known to extract, estimate, or clone these keys when they are stored in non-volatile memory. This leads to the tradeoff between developing secure non-volatile memory for use in FPGA-based reconfigurable devices at high cost, or storing them in (more vulnerable) external memory. If back-up batteries are used to keep the keys in on-chip volatile storage then the system complexity increases as well as costs. • There are two forthcoming approaches to the problem or cheaply and effectively achieving these security goals: • Physical Unclonable Functions • Physical structures that are easy to evaluate when given inputs and difficult to predict the outcome of • Unique Objects • Device that produces a “fingerprint” based on the unique disorder of its physical construction • Both of these rely on the difficulty of reproducing them. They also must remain stable over time and their outputs should not be affected by environmental differences
Reference • Bashi, Danger, Guilley, Ngo and Sauvage (2013), Hardware Trojan Horses in Cryptographic IP Cores, Accessed 25 October 2017, <http://ieeexplore.ieee.org/document/6623552/ > • Hagai Bar El (n .d) , Introduction to Side channel attacks, Accessed 25 October 2017, <http://gauss.ececs.uc.edu/Courses/c653/lectures/SideC/intro.pdf > • Yang, Wu and Karri (n.d), Scan Based Side Channel Attacks, Accessed 19 October 2017, < https://eprint.iacr.org/2004/083.pdf > • Rosenfeld and Karri (2010), Attacks and Defenses for JTAG, Accessed 27 October 2017,<http://isis.poly.edu/~kurt/papers/design_and_test_final.pdf > • TehraniPoor and Wang (2012), Introduction to Hardware Security and Trust, Springer, New York. • Xiao, Forte, Jin, Karri, Bhunia, Tehranipoor (2016) , Hardware Trojans: Lessons Learned from one Decade of Research, Accessed 20 October 2017, <http://jin.ece.ufl.edu/papers/TODAES16.pdf > • Lee, Tehranipoor and Plusquellic (n.d), A Low-Cost Solution for Protecting IPs Against Scan-Based Side-Channel Attacks < http://www.engr.uconn.edu/~chandy/ece311/f06/VTS06_LCSS_Final.pdf >