390 likes | 517 Views
Hardware Support for Trustworthy Systems. Ted Huffmire ACACES 2012 Fiuggi , Italy. Disclaimer. The views presented in this course are those of the speaker and do not necessarily reflect the views of the United States Department of Defense. Lecture 4 Overview. Forward-Looking Problems
E N D
Hardware Support for Trustworthy Systems Ted Huffmire ACACES 2012 Fiuggi, Italy
Disclaimer • The views presented in this course are those of the speaker and do not necessarily reflect the views of the United States Department of Defense.
Lecture 4 Overview • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Trustworthy System Development • Maximize Performance • Minimize Cost • Integrate security mechanisms
Example Systems • Tagged Architectures • Banking • Smart Phones • Embedded Systems • Medical Devices • Cars
Example Systems • Discussion Points • What is the threat model for an ATM? • What is the threat model for a phone? • What is the threat model for a pacemaker? • What is the threat model for a car?
CAD Tools and IP Cords • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Trustworthy Tools and IP • Stripped-down alternative design flow
Trustworthy Tools and IP • Discussion Points: • Can we trust the output of CAD tools? • Can we trust the function of IP cores? • How can we improve the CAD tools? • How can we improve the IP cores? • Is it feasible to develop from scratch? • What about the software?
Security Usability • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Security Usability • Design tools and techniques • Technicians • End users • Manage Complexity • Trigger1{M1,w,R1}; • Trigger2{M1,w,R2}; • Access0{M1,r,R1} |{M1,r,R2}|{M2,rw,R1}|{M2,rw,R2}; • Access1{M1,rw,R1} |{M1,r,R2}|{M2,w,R1}|{M2,rw,R2}; • Access12{M1,rw,R1}|{M1,rw,R2}|{M2,w,R1}|{M2,w,R2}; • Access2{M1,r,R1}|{M1,rw,R2}|{M2,w,R1}|{M2,w,R2}; • Access21{M1,rw,R1}|{M1,rw,R2}|{M2,w,R1}|{M2,w,R2}; • Path1 (|Trigger1 Access1* ( |Trigger2 Access12*)); • Path2 (|Trigger2 Access2* ( |Trigger1 Access21*)); • PolicyAccess0* (|Path1|Path2);
Security Usability • Discussion Points • What do we expect from engineers? • What do we expect from technicians? • What do we expect from end users? • How does that guide our efforts?
Hardware Trust of FPGA Fabric • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
DRAM DRAM DRAM DRAM DRAM DRAM DRAM DRAM DRAM DRAM BRAM BRAM DRAM DRAM μP μP BRAM BRAM SRAM Block BRAM BRAM FPGA Fabric μP μP BRAM BRAM SDRAM (off-chip) FPGA chip Hardware Trust • Compromise of FPGA fabric
Hardware Trust • Discussion Points • Is it viable to attack the fabric itself? • Can a compromise be detected? • Can we use a compromised FPGA fabric? • What about radiation?
Languages • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Languages • Enhancements to HDLs • case({module_id,op,r1,r2}) • 9’b011110: //Module1,rw,Range1 • state=s0; • 9’b101101: //Module2,rw,Range2 • state=s0; • default: • state=s1; //reject • endcase
Languages • Discussion Points • Are HDL security enhancements useful? • What is the impact on the designer? • Does it slow down the compiler? • Does it slow down the design itself?
Configuration Management • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Configuration Management • Tools • IP Cores CPU Core μP AES Crypto Core
Configuration Management • Discussion Points • Is it useful to put CAD tools under CM? • Is it useful to put IP cores under CM? • What about licenses, patches, etc.?
Securing the Supply Chain • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Securing the Supply Chain • Trusted Packaging, Assembly, and Delivery • Testing
Securing the Supply Chain • Discussion Points • Is malicious packaging useful to attacker? • Do we need trusted assembly facilities? • What about bad capacitors and resistors? • Can tests detect compromised parts? • Are tests destructive? What is the cost? • What tests need to be developed?
Physical Attacks on FPGAs • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Physical Attacks on FPGAs • Design theft and bitstream decryption • Analysis of failure modes • Antenna attack
Physical Attacks on FPGAs • Discussion Points • How to protect bitstream from DPA? • Does an FPGA fail secure? • Is a configurable antenna useful? • How to detect a short-circuit?
Dynamic Security • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Dynamic Security • Partial reconfiguration
Dynamic Security • Discussion Points • Can you change the policy? • How often does the policy change? • Who changes the policy? • Can you return to an earlier policy? • Can you change to a less restrictive policy? • Are policies static or generated dynamically? • How many policies are there?
Split Manufacturing • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Split Manufacturing • 2-D • 3-D
Split Manufacturing • Discussion Points • Can we trust the result of split manufacturing? • Could this approach harm security? • What are the challenges of 2D? • What are the challenges of 3D? • Is it worth it? When is it worth it? • Why not use trusted foundry always? • Can we do everything from scratch?
Concluding Remarks • Forward-Looking Problems • CAD Tools and IP Cores • Security Usability • Hardware Trust of FPGA Fabric • Languages • Configuration Management • Securing the Supply Chain • Physical Attacks on FPGAs • Dynamic Security • Split Manufacturing • Concluding Remarks
Concluding Remarks • Security as High Priority in Design Practices • Tools and Cores • Attacks • Protection Mechanisms • Analysis of Cores, Tools, and Mechanisms • Electronic System Level (ESL) Design • Holistic View of Entire System & Lifecycle • Abstractions to Manage Complexity • Multiple Complementary Techniques • Multi-Core Systems
Lecture 4 Reading • Tagged Architectures • Secure Program Execution via Dynamic Information Flow Tracking • http://portal.acm.org/citation.cfm?id=1024404 • Complete Information Flow Tracking from the Gates Up • http://dl.acm.org/citation.cfm?id=1508258 • Crafting a Usable Microkernel, Processor, and I/O System with Strict and Provable Information Flow Security • http://dl.acm.org/citation.cfm?id=2000087
Lecture 4 Reading • Banking • The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography • http://simonsingh.net/books/the-code-book/ • Why Cryptosystems Fail • http://www.cl.cam.ac.uk/~rja14/Papers/wcf.pdf • Chip and PIN is Broken • http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
Lecture 4 Reading • Embedded Systems Security • Security in Embedded Systems: Design Challenges • http://dl.acm.org/citation.cfm?id=1015049 • Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses • http://www.secure-medicine.org/icd-study/icd-study.pdf • Experimental Security Analysis of a Modern Automobile • http://www.autosec.org/pubs/cars-oakland2010.pdf • TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones • http://www.usenix.org/event/osdi10/tech/full_papers/Enck.pdf
Lecture 4 Reading • Cryptography and Security: From Theory to Applications • http://springer.com/978-3-642-14451-6