hardware security - indian institute of technology madraschester/courses/17o_sse/slides/7... ·...

HardwareSecurity

1

ChesterRebeiroIITMadras

Physically Unclonable Functions

PhysicalUnclonableFunc1onsandApplica1ons:ATutorialh8p://ieeexplore.ieee.org/document/6823677/

EdgeDevices

3

1000softhemexpectedtobedeployedLowpower(solarorba8erypowered)SmallfootprintConnectedtosensorsandactuatorsExpectedtooperate24x7almostunmanned24x7thesedeviceswillbecon1nuouslypumpingdataintothesystem,whichmayinfluencethewayci1esoperateWillaffectusinmulRpleways,andwemaynotevenknowthattheyexist.

AuthenRcaRngEdgeDevices•  Storedkeys

–  EEPROMmanufactureisanoverhead–  Publickeycryptographyisheavy–  Canbeeasilycopied/cloned

4

EncrypRondoneinedgedevicePublickeysstoredinserver

Privatekeys

PhysicallyUnclonableFuncRons•  Nostoredkeys•  Nopublickeycryptography•  Cannotbecloned/copied•  Usesnano-scalevariaRonsinmanufacture.NotwodevicesareexactlyidenRcal

5

EncrypRondoneinedgedevicePublickeysstoredinserver

challenge/response

DigitalFingerprints

PUFs

6

AfuncRonwhoseoutputdependsontheinputaswellasthedeviceexecuRngit.

WhatisExpectedofaPUF?(InterandIntraDifferences)

7

challenge

response

response

challenge

Response

Response

(Reliable)SameChallengetoSamePUFDifferencebetweenresponsesmustbesmallonexpectaRonIrrespecRveoftemperature,noise,aging,etc.

(Unique)SameChallengetodifferentPUFDifferencebetweenresponsesmustbelargeonexpectaRonSignificantvariaRonduetomanufacture

WhatisExpectedofaPUF?(Unpredictability)

8

challenge

response

response

DifficulttopredicttheoutputofaPUFtoarandomlychosenchallengewhenonedoesnothaveaccesstothedevice

IntrinsicPUFs•  Completelywithinthechip

–  PUF–  Measurementcircuit–  Post-processing

•  Nofancyprocessingsteps!–  eg.MostSiliconbasedPUFs

9

SiliconPUFseg.RingOscillatorPUF

10

f = 12nt

FrequencyofringoscillatorNumberofstagesDelayofeachstage

fnt

RingOscillatorwithoddnumberofgates

FrequencyaffectedbyprocessvariaRon.

WhyvariaRonoccurs?

11

Whengate voltage is less than threshold no current flows When gate voltate is greater than threshold current flows from source to drain Threshold voltage is a function of doping concentration, oxide thickness

Delaydependsoncapacitance

ProcessVaria1ons•  Oxidethickness•  DopingconcentraRon•  Capacitance

MOSTransistor CMOSInverter

SiliconPUFseg.RingOscillatorPUF

12

>enable

counter

counter

Nbitchallenge

1

2

3

N

N-1

N-2

1bitresponse

RA

RB

response = 10

fA > fBfA ≤ fB

⎧⎨⎪

⎩⎪

ResultsofaROPUF15Xilinx,Virtex4FPGAs;1024ROsineachFPGA;EachROhad5inverterstagesand1ANDgate

13

Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf

InterChipVaria1ons(Uniquenessmeasurement)

challenge

response

responseWhen128bitsareproduced,

Avg59.1bitsoutof128bitsdifferent

ResultsofaROPUF15Xilinx,Virtex4FPGAs;1024ROsineachFPGA;EachROhad5inverterstagesand1ANDgate

14

Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf

IntraChipVaria1ons(Reproducabilitymeasurement)

challenge

response

response0.61bitsonaverageoutof128bitsdiffer

120oC1.08V

20oC;1.2V

ArbiterPUF

15

0

0

1

1

0

0

1

1

01

IdeallydelaydifferencebetweenRedandBluelinesshouldbe0iftheyaresymmetricallylaidout.InpracRcevariaRoninmanufacturingprocesswillintroducerandomdelaysbetweenthetwopaths

Switch

Arbiter

16

DFF

D

clk

Q ?

IfthesignalatDreachesfirstthenQwillbesetto1IfthesignalatclkreachesfirstthenQwillbesetto0

DFF

ArbiterPUF

17

…

challenge

rising Edge

1 if toppath is faster,else 0

D Q1

1

0

0

1

1

0

0

1

1

0

0

1 0 10 0 1

01

G

13.56MHzChipForISO14443Aspec.

ResultsforROPUF

18DesignandImplementa1onofPUF-Based“Unclonable”RFIDICsforAn1-Counterfei1ngandSecurityApplica1onsIEEEInt.Conf.onRFID,2008,S.Devdaset.Al.

ComparingROandArbiterPUF

19

NumberofChallenge:ResponsePairs:

NumberofChallenge:ResponsePairs:

N2

⎛

⎝⎜

⎞

⎠⎟ 2N

#CRPslinearlyrelatedtothenumberofcomponents

#CRPsexponenRallyrelatedtothenumberofcomponents

WEAKPUF STRONGPUF

WeakPUFvsStrongPUF

20

•  ComparaRvelyfewnumberofChallengeResponsePairs(CRPs)

•  HugenumberofChallengeResponsePairs(CRPs)

•  CRPsmustbekeptsecret,becauseana8ackermaybeabletoenumerateallpossibleCRPs

•  WeakPUFsusefulforcreaRngcryptographickeys

•  Itisassumedthatana8ackercannotEnumerateallCRPswithinafixedRmeinterval.ThereforeCRPscanbemadepublic

•  Formally,anadversarygivenapoly-sizedsampleofadapRvelychosenCRPscannotpredictthe

Responsetoanewrandomlychosenchallenge.

•  Typicallyusedalongwithacryptographicscheme(likeencrypRon/HMACetc)tohidetheCRP(sincetheCRPsmustbekeptsecret)

•  Doesnotrequireanycryptographicscheme,sinceCRPscanbepublic.

WeakPUF StrongPUF

•  VeryGoodInterandIntradifferences

PUFBasedAuthenRcaRon(withStrongPUF)

21

CRPs

challenge

response

Bootstrapping:Atmanufacture,serverbuildsadatabaseofCRPsforeachdevice.Atdeployment,serverpicksarandomchallengefromthedatabase,queriesthedeviceandvalidatestheresponse

PUFBasedAuthenRcaRonManintheMiddle

22

CRPs

challenge

response

ManinthemiddlemaybeabletobuildadatabaseofCRPsTopreventthis,CRPsarenotusedmorethanonce

PUFBasedAuthenRcaRonCRPTables

23

CRPs

challenge

response

EachdevicewouldrequireitsownCRPtableandsecurelystoredinatrustedserverTablesmustbelargeenoughtocatertotheenRrelifeRmeofthedeviceorneedtoberechargedperiodically(scalabilityissues)

CRPs

PUFbasedAuthenRcaRon(AlleviaRngCRPProblem)

SecretModelofPUF

24

GateDelaysofPUFcomponents Bootstrapping:Atmanufacture,serverbuildsa

databaseofgatedelaysofeachcomponentinthePUF.Atdeployment,serverpicksarandomchallengeconstructsitsexpectedresponsefromsecretmodel,queriesthedeviceandvalidatestheresponse

SRllRequiresSecureBootstrapping

andSecureStorage

PUFbasedAuthenRcaRon(AlleviaRngCRPProblem)

•  PPUF:PublicModelPUF

25

GateDelaysofPUFComponents(Public)

Trustedserver(PKI)

Bootstrapping:DownloadthepublicmodelofPUFfromthetrustedserver.Atdeployment,serverpicksarandomchallengeconstructsexpectedresponsefrompublicmodel,queriesthedeviceandvalidatestheresponse.IfRmeforresponseislessthanathresholdacceptresponseelserejects.

AssumpRon:AdevicetakesmuchlessRmetocomputeaPUFresponsethanana8ackerwhomodelsthePUF.

T<T0?

PUFbasedAuthenRcaRon(AlleviaRngCRPProblem)

HomomorphicEncryp1on

26

EncryptedCRPs

UntrustedCloud

Response

Conclusions•  DifferenttypesofPUFsbeingexplored

–  AnalogPUFs,SensorPUFsetc.

•  CRPissuesRllabigproblem

•  Severala8acksfeasibleonPUFs.–  Modelbuildinga8acks(SVMs)–  TamperingwithPUFcomputaRon(eg.Forcingasine-waveontheground

plane,canaltertheresultsofthePUF)

•  PUFsareaverypromisingwayforlightweightauthenRcaRonofedgedevices.

27

HardwareTrojans

Hardware Security: Design, Threats, and Safeguards; D. Mukhopadhyay and R.S. Chakraborty

29

h8ps://www.theguardian.com/technology/2012/may/29/cyber-a8ack-concerns-boeing-chiph8ps://techcrunch.com/2013/09/05/nsa-subverts-most-encrypRon-works-with-tech-companies-for-back-door-access-report-says/h8ps://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/h8ps://www.technologyreview.com/s/519661/nsas-own-hardware-backdoors-may-sRll-be-a-problem-from-hell/

ICLifeCycle(VulnerableSteps)

30

IP ToolsStd. Cells Models

DesignSpecifications Fab Interface Mask Fab

WaferProbe

Dice and Package

PackageTest

Deploy and

Monitor

Trusted

Either

Untrusted

Wafer

*hbp://www.darpa.mil/MTO/solicita1ons/baa07-24/index.html

Offshore

Third-party

MalwareinThirdPartyIPs

•  ThirdpartyIPs–  Cantheybetrusted?– Willtheycontainmaliciousbackdoors

•  Developersdon’t/can’t

search1000soflinesofcodelookingoutfortrojans.

31

FANCI:IdenRficaRonofStealthyMaliciousLogic

•  FANCI:evaluatehardwaredesignsautomaRcallytodetermineifthereisanypossiblebackdoorshidden

•  ThegoalistopointouttotestersofpossibletrojanlocaRonsinahugepieceofcode

32

h8p://www.cs.columbia.edu/~simha/preprint_ccs13.pdf(someofthefollowingslidesareborrowedfromWaksman’sCCStalk)

HardwareTrojanStructure

33

PayloadTriggerCircuit

TriggerCircuit:Basedonaseldomoccurringevent.Forexample,•  whenaddressonaddressbusis

0xdeadbeef.•  AparRcularlyrarepacketarriveson

network•  SomeRmehaselapsed

Payload:Dosomethingnefarious:•  Makeapageinmemory(un)privileged•  LeakinformaRontotheoutsideworld

throughnetwork,covertchannels,etc•  Causethesystemtofail

Trojancanbeinsertedanywhereinduringthemanufacturingprocess(eg.InthirdpartyIPcorespurchased,byfabricaRonplant,etc.)

Trojan=Trigger+Payload

34

Trojan=Trigger+Payload

35

BackdoorsareStealthy

•  Small–  Typicallyafewlinesofcode/area

•  Stealth–  CannotbedetectedbyregulartesRngmethodologies(raretriggers)

–  Passivewhennottriggered

36

Unfortunately…

WithsomuchofcodeitishighlylikelythatstealthyporRonsofthecodearemissedornottestedproperly.

37

FANCI:willdetectthesestealthycircuits.Thesepartsaremostlikelyto

haveTrojans.TheaimistohavenofalsenegaRves.AfewfalseposiRvesareacceptable

ControlValues

A B C O

0 0 0 0

0 0 1 1

0 1 0 1

0 1 1 0

1 0 0 1

1 0 1 1

1 1 0 0

1 1 1 038

ByhowmuchdoesaninputinfluencetheoutputO?

A

B

C

O

ControlValues

A B C O

0 0 0 0

1 0 0 1

0 0 1 1

1 0 1 1

0 1 0 1

1 1 0 0

0 1 1 0

1 1 1 039

Byhowmuchdoesainputinfluencetheoutput0?

A:hasacontrolof0.5ontheoutput(Ama8ersinthisfuncRon)1 1 0 0A B C 0

A

B

C

O

ControlValues

A B C O

0 0 0 0

1 0 0 0

0 0 1 1

1 0 1 1

0 1 0 0

1 1 0 0

0 1 1 0

1 1 1 040

Byhowmuchdoesainputinfluencetheoutput0?

A:hasacontrolof0ontheoutput(Adoesnotma8erinthisfuncRon)(AiscalledunaffecRng)

1 1 0 0A B C 0

A

B

C

O

ControlValuesforaTriggerinaTrojan

41

if (addr == 0xdeadbeee) then{ trigger = 1 }

A31 A30 A2 A1 A0 trigger

0 0 … 0 0 0 0

0 0 … 0 0 1 0

0 0 … 0 1 0 0

0 0 … 0 1 1 0

: : : : : :

1 1 1 1 0 1

: : : : : :

1 1 1 1 1 1 0

A31hasacontrolvalue1/232

EasiertohideatrojanwhenlargerinputsetsareconsideredAlowchanceofaffecRngtheoutputLendsitselftostealthinessàeasiertohideamaliciouscode

AnExampleofaMux

42

<A,B,C,D,S1,S2>=<0.25,0.25,0.25,0.25,0.5,0.5>Notrojanpresenthere(intuRvely):*Allmuxinputshaveacontrolvaluearoundmidrange(nottoocloseto0)

AnExampleofaMaliciousMux

43

66extraselectlineswhichareonlymodifyMwhenwheyaresettoaparRcularvalue

M

ThecontrolvaluesEandS3toS66aresuspiciousbecausetheyrarelyInfluencethevalueofM.Perfectfordisguisingmaliciousbackdoors

JustsearchingforMINvaluesisowennotenough.Be8ermetricsAreneeded.

CompuRngStealthfromControl

44

CompuRngStealthfromControl

45

FANCI:TheCompleteAlgorithm

46

ICLifeCycle(TheFab)

47

IP ToolsStd. Cells Models

DesignSpecifications Fab Interface Mask Fab

WaferProbe

Dice and Package

PackageTest

Deploy and

Monitor

Trusted

Either

Untrusted

Wafer

*hbp://www.darpa.mil/MTO/solicita1ons/baa07-24/index.html

Offshore

Third-party

DetecRngTrojansinICs•  OpRcalInspecRonbasedtechniques

ScanningOpRcalMicroscopy(SOM),ScanningElectronMicroscopy(SEM),andpico-secondimagingcircuitanalysis(PICA)

–  Drawbacks:CostandTime!

•  TesRngtechniques–  Notaverypowerfultechnique

•  Sidechannelbasedtechniques–  Nonintrusivetechnique–  Compareside-channelswithagoldenmodel

48

ASurveyonHardwareTrojanDetecRonTechniquesh8p://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7169073

SideChannelBasedTrojanDetecRon

49

LightweightPRESENTImplementaRonPowerTraces

Hardwaretrojandesignanddetec1on:aprac1calevalua1onh8ps://dl.acm.org/citaRon.cfm?id=2527318

SideChannelBasedTrojanDetecRon(ICwithTrojan)

50

DifferenceofDistribuRons

51

HardwareTrojanPrevenRon(Ifyoucan’tdetectthenprevent)

52

SilencingHardwareBackdoorswww.cs.columbia.edu/~simha/preprint_oakland11.pdfSlidestakenfromAdamWaksman’sOaklandtalk

HardwareTrojanPrevenRon

53

EnsurethatahardwareTrojanisneverdeliveredthecorrectTrigger

Example(A5stageprocessor)

54

Example(A5stageprocessor)

55

TypesofTrojans

56

TickingTimebomb

57

TickingTimebomb

58

CheatCodes

59

CheatCodes

60

SequenceCheatCodes

61

HardwareTrojanSilencing(withObfuscaRon)

62

SilencingTickingTimebombs•  PowerResets:flushpipeline,writecurrentIPandregistersto

memory,savebranchhistorytargets

63

SilencingTickingTimebombs•  Cantriggerbestoredtoarchitecturalstateandrestoredlater

–  No.UnitvalidaRontestspreventthis–  ReasonfortrusRngvalidaRonepoch

LargevalidaRonteamsOrganizedhierarchically

•  Cantriggersbestoredinnon-volaRlestateinternaltotheunit?–  Eg.Malwareconfiguresahiddennon-volaRlememory

•  UnmaskableInterrupts?–  UseaFIFOtostoreunmaskableinterrupts

•  PerformanceCountersarehiddenRmebombs

64

DataObfuscaRon

65

HomomorphicEncrypRon(Gentry2009)IdealsoluRonButpracRcalhurdles

DataObfuscaRon

66

DataObfuscaRon

67

StoreData5toAddress7

DataObfuscaRon(ComputaRonalCase)

68

SequenceBreaking(Reordering)

69

EnsurefuncRonalityismaintained

SequenceBreaking(InserRngevents)

70

Insertarbitraryeventswhenreorderingisdifficult

CatchAll(DuplicaRon)

71

Expensive:Non-recurring:design;verificaRoncostsduetoduplicaRonRecurring:Powerandenergycosts