hardware security - indian institute of technology madraschester/courses/18o_sse/slides/... ·...
TRANSCRIPT
HardwareSecurity
1
ChesterRebeiroIITMadras
Physically Unclonable Functions
PhysicalUnclonableFunctionsandApplications:ATutorialhttp://ieeexplore.ieee.org/document/6823677/
EdgeDevices
3
1000softhemexpectedtobedeployedLowpower(solarorbatterypowered)SmallfootprintConnectedtosensorsandactuatorsExpectedtooperate24x7almostunmanned24x7thesedeviceswillbecontinuouslypumpingdataintothesystem,whichmayinfluencethewaycitiesoperateWillaffectusinmultipleways,andwemaynotevenknowthattheyexist.
AuthenticatingEdgeDevices• Storedkeys
– EEPROMmanufactureisanoverhead– Publickeycryptographyisheavy– Canbeeasilycopied/cloned
4
EncryptiondoneinedgedevicePublickeysstoredinserver
Privatekeys
PhysicallyUnclonableFunctions• Nostoredkeys• Nopublickeycryptography• Cannotbecloned/copied• Usesnano-scalevariationsinmanufacture.Notwodevicesareexactlyidentical
5
EncryptiondoneinedgedevicePublickeysstoredinserver
challenge/response
DigitalFingerprints
PUFs
6
Afunctionwhoseoutputdependsontheinputaswellasthedeviceexecutingit.
WhatisExpectedofaPUF?(InterandIntraDifferences)
7
challenge
response
response
challenge
Response
Response
(Reliable)SameChallengetoSamePUFDifferencebetweenresponsesmustbesmallonexpectationIrrespectiveoftemperature,noise,aging,etc.
(Unique)SameChallengetodifferentPUFDifferencebetweenresponsesmustbelargeonexpectationSignificantvariationduetomanufacture
WhatisExpectedofaPUF?(Unpredictability)
8
challenge
response
response
DifficulttopredicttheoutputofaPUFtoarandomlychosenchallengewhenonedoesnothaveaccesstothedevice
IntrinsicPUFs• Completelywithinthechip
– PUF– Measurementcircuit– Post-processing
• Nofancyprocessingsteps!– eg.MostSiliconbasedPUFs
9
SiliconPUFseg.RingOscillatorPUF
10
f = 12nt
FrequencyofringoscillatorNumberofstagesDelayofeachstage
fnt
RingOscillatorwithoddnumberofgates
Frequencyaffectedbyprocessvariation.
Whyvariationoccurs?
11
Whengate voltage is less than threshold no current flows When gate voltate is greater than threshold current flows from source to drain Threshold voltage is a function of doping concentration, oxide thickness
Delaydependsoncapacitance
ProcessVariations• Oxidethickness• Dopingconcentration• Capacitance
MOSTransistor CMOSInverter
SiliconPUFseg.RingOscillatorPUF
12
>enable
counter
counter
Nbitchallenge
1
2
3
N
N-1
N-2
1bitresponse
RA
RB
response = 10
fA > fBfA ≤ fB
⎧⎨⎪
⎩⎪
ResultsofaROPUF15Xilinx,Virtex4FPGAs;1024ROsineachFPGA;EachROhad5inverterstagesand1ANDgate
13
Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf
InterChipVariations(Uniquenessmeasurement)
challenge
response
responseWhen128bitsareproduced,
Avg59.1bitsoutof128bitsdifferent
ResultsofaROPUF15Xilinx,Virtex4FPGAs;1024ROsineachFPGA;EachROhad5inverterstagesand1ANDgate
14
Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf
IntraChipVariations(Reproducabilitymeasurement)
challenge
response
response0.61bitsonaverageoutof128bitsdiffer
120oC1.08V
20oC;1.2V
ArbiterPUF
15
0
0
1
10
0
1
1
01
IdeallydelaydifferencebetweenRedandBluelinesshouldbe0iftheyaresymmetricallylaidout.Inpracticevariationinmanufacturingprocesswillintroducerandomdelaysbetweenthetwopaths
Switch
Arbiter
16
DFFD
clk
Q ?
IfthesignalatDreachesfirstthenQwillbesetto1IfthesignalatclkreachesfirstthenQwillbesetto0
DFF
ArbiterPUF
17
…challenge
rising Edge
1 if toppath is faster,else 0
D Q1
1
0
0
1
1
0
0
1
1
0
0
1 0 10 0 1
01
GThe image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
13.56MHzChipForISO14443Aspec.
ResultsforROPUF
18DesignandImplementationofPUF-Based“Unclonable”RFIDICsforAnti-CounterfeitingandSecurityApplicationsIEEEInt.Conf.onRFID,2008,S.Devdaset.Al.
ComparingROandArbiterPUF
19
NumberofChallenge:ResponsePairs:
NumberofChallenge:ResponsePairs:
N2
⎛
⎝⎜
⎞
⎠⎟ 2N
#CRPslinearlyrelatedtothenumberofcomponents
#CRPsexponentiallyrelatedtothenumberofcomponents
WEAKPUF STRONGPUF
WeakPUFvsStrongPUF
20
• ComparativelyfewnumberofChallengeResponsePairs(CRPs)
• HugenumberofChallengeResponsePairs(CRPs)
• CRPsmustbekeptsecret,becauseanattackermaybeabletoenumerateallpossibleCRPs
• WeakPUFsusefulforcreatingcryptographickeys
• ItisassumedthatanattackercannotEnumerateallCRPswithinafixedtimeinterval.ThereforeCRPscanbemadepublic
• Formally,anadversarygivenapoly-sizedsample
ofadaptivelychosenCRPscannotpredicttheResponsetoanewrandomlychosenchallenge.
• Typicallyusedalongwithacryptographicscheme(likeencryption/HMACetc)tohidetheCRP(sincetheCRPsmustbekeptsecret)
• Doesnotrequireanycryptographicscheme,sinceCRPscanbepublic.
WeakPUF StrongPUF
• VeryGoodInterandIntradifferences
PUFBasedAuthentication(withStrongPUF)
21
CRPs
challenge
response
Bootstrapping:Atmanufacture,serverbuildsadatabaseofCRPsforeachdevice.Atdeployment,serverpicksarandomchallengefromthedatabase,queriesthedeviceandvalidatestheresponse
PUFBasedAuthenticationManintheMiddle
22
CRPs
challengeresponse
ManinthemiddlemaybeabletobuildadatabaseofCRPsTopreventthis,CRPsarenotusedmorethanonce
PUFBasedAuthenticationCRPTables
23
CRPs
challengeresponse
EachdevicewouldrequireitsownCRPtableandsecurelystoredinatrustedserver.Tablesmustbelargeenoughtocatertotheentirelifetimeofthedeviceorneedstoberechargedperiodically(scalabilityissues)
CRPs
PUFbasedAuthentication(AlleviatingCRPProblem)
SecretModelofPUF
24
GateDelaysofPUFcomponents Bootstrapping:Atmanufacture,serverbuildsa
databaseofgatedelaysofeachcomponentinthePUF.Atdeployment,serverpicksarandomchallengeconstructsitsexpectedresponsefromsecretmodel,queriesthedeviceandvalidatestheresponse
StillRequiresSecureBootstrapping
andSecureStorage
PUFbasedAuthentication(AlleviatingCRPProblem)
• PPUF:PublicModelPUF
25
GateDelaysofPUFComponents(Public)
Trustedserver(PKI)
Bootstrapping:DownloadthepublicmodelofPUFfromthetrustedserver.Atdeployment,serverpicksarandomchallengeconstructsexpectedresponsefrompublicmodel,queriesthedeviceandvalidatestheresponse.Iftimeforresponseislessthanathresholdacceptresponseelserejects.
Assumption:AdevicetakesmuchlesstimetocomputeaPUFresponsethananattackerwhomodelsthePUF.
T<T0?
PUFbasedAuthentication(AlleviatingCRPProblem)
HomomorphicEncryption
26
EncryptedCRPs
UntrustedCloud
Response
Conclusions• DifferenttypesofPUFsbeingexplored
– AnalogPUFs,SensorPUFsetc.
• CRPissuestillabigproblem
• SeveralattacksfeasibleonPUFs.– Modelbuildingattacks(SVMs)– TamperingwithPUFcomputation(eg.Forcingasine-waveonthegroundplane,
canaltertheresultsofthePUF)
• PUFsareaverypromisingwayforlightweightauthenticationofedgedevices.
27
HardwareTrojans
Hardware Security: Design, Threats, and Safeguards; D. Mukhopadhyay and R.S. Chakraborty Slides from R. S. Chakraborty, Jayavijayan Rajendran, Adam Waksman
HardwareTrojan
29
• MaliciousanddeliberatelystealthymodificationmadetoanelectronicdevicesuchasanIC
• ItcanchangethechipsfunctionalitytherebyunderminetrustinsystemsthatusethisIC
cryptoModule
key
inputciphertext
HardwareTrojan
30
• MaliciousanddeliberatelystealthymodificationmadetoanelectronicdevicesuchasanIC
• ItcanchangethechipsfunctionalitytherebyunderminetrustinsystemsthatusethisIC
cryptoModule
key
inputciphertext
1
0
cryptoModule
key
inputciphertext
ExampleofaHardwareTrojanCheatCode(combinationaltrojans)
31
Trigger
If(input==0xcafebeef)select=1elseselect=0
PropertiesofHardwareTrojan:• verysmall• mostlypassive
0xcafebeef1
0
cryptoModule
key
inputciphertext
ExampleofaHardwareTrojanSequentialTrojan(Timebombs)
32
Trigger
PropertiesofHardwareTrojan:• verysmall• mostlypassive
0xca0xaf0xee0xbe0xef
1
0
time
select=1select=0ca
af
eebe
ef
ICLifeCycle(VulnerableSteps)
33
IP ToolsStd. Cells Models
DesignSpecifications Fab Interface Mask Fab
WaferProbe
Dice and Package
PackageTest
Deploy and
Monitor
Trusted
Either
Untrusted
Wafer
*http://www.darpa.mil/MTO/solicitations/baa07-24/index.html
Offshore
Third-party
PropertiesofHardwareTrojan:*verysmall• mostlypassive• Canbeaddedatmultiplestages
HardwareTrojanStructure
34
PayloadTriggerCircuit
TriggerCircuit:Basedonaseldomoccurringevent.Forexample,• whenaddressonaddressbusis0xdeadbeef.• Aparticularlyrarepacketarrivesonnetwork• Sometimehaselapsed
Payload:Dosomethingnefarious:• Makeapageinmemory(un)privileged• Leakinformationtotheoutsideworldthroughnetwork,
covertchannels,etc• Causethesystemtofail
Trojancanbeinsertedanywhereinduringthemanufacturingprocess(eg.InthirdpartyIPcorespurchased,byfabricationplant,etc.)
TrojansinIPs• ThirdpartyIPs
– Cantheybetrusted?– Willtheycontainmalicious
backdoors
• Developersdon’t/can’tsearch1000soflinesofcodelookingoutfortrojans.
35
FANCI:IdentificationofStealthyMaliciousLogic
• FANCI:evaluatehardwaredesignsautomaticallytodetermineifthereisanypossiblebackdoorshidden
• Thegoalistopointouttotestersofpossibletrojanlocationsinahugepieceofcode
36
http://www.cs.columbia.edu/~simha/preprint_ccs13.pdf(someofthefollowingslidesareborrowedfromAdamWaksman’sCCStalk)
BackdoorsareStealthy• Small
– Typicallyafewlinesofcode/area• Stealth
– Cannotbedetectedbyregulartestingmethodologies(raretriggers)– Passivewhennottriggered
37
Unfortunately…Withsomuchofcodeitishighlylikelythatstealthyportionsofthecodearemissedornottestedproperly.
38
FANCI:willdetectthesestealthycircuits.ThesepartsaremostlikelytohaveTrojans.Theaimistohavenofalsenegatives.Afewfalsepositivesareacceptable
ControlValues
A B C O
0 0 0 0
0 0 1 1
0 1 0 1
0 1 1 0
1 0 0 1
1 0 1 1
1 1 0 0
1 1 1 039
ByhowmuchdoesaninputinfluencetheoutputO?
A
B
C
O
ControlValues
A B C O
0 0 0 0
1 0 0 1
0 0 1 1
1 0 1 1
0 1 0 1
1 1 0 0
0 1 1 0
1 1 1 040
Byhowmuchdoesainputinfluencetheoutput0?
A:hasacontrolof0.5ontheoutput(Amattersinthisfunction)
1 1 0 0A B C 0
A
B
C
O
ControlValues
A B C O
0 0 0 0
1 0 0 0
0 0 1 1
1 0 1 1
0 1 0 0
1 1 0 0
0 1 1 0
1 1 1 041
Byhowmuchdoesainputinfluencetheoutput0?
A:hasacontrolof0ontheoutput(Adoesnotmatterinthisfunction)(Aiscalledunaffecting)
1 1 0 0A B C 0
A
B
C
O
ControlValuesforaTriggerinaTrojan
42
if (addr == 0xdeadbeee) then{ trigger = 1 }
A31 A30 A2 A1 A0 trigger
0 0 … 0 0 0 0
0 0 … 0 0 1 0
0 0 … 0 1 0 0
0 0 … 0 1 1 0
: : : : : :
1 1 1 1 0 1
: : : : : :
1 1 1 1 1 1 0
A31hasacontrolvalue1/216
EasiertohideatrojanwhenlargerinputsetsareconsideredAlowchanceofaffectingtheoutputLendsitselftostealthinessàeasiertohideamaliciouscode
AnExampleofaMux
43
<A,B,C,D,S1,S2>=<0.25,0.25,0.25,0.25,0.5,0.5>
Notrojanpresenthere(intutively):*Allmuxinputshaveacontrolvaluearoundmidrange(nottoocloseto0)
AnExampleofaMaliciousMux
44
66extraselectlineswhichareonlymodifyMwhenwheyaresettoaparticularvalue
M
ThecontrolvaluesEandS3toS66aresuspiciousbecausetheyrarelyinfluencethevalueofM.Perfectfordisguisingmaliciousbackdoors
JustsearchingforMINvaluesisoftennotenough.Bettermetricsareneeded.
ComputingStealthfromControl
45
ComputingStealthfromControl
46
FANCI:TheCompleteAlgorithm
47
ICLifeCycle(TheFab)
48
IP ToolsStd. Cells Models
DesignSpecifications Fab Interface Mask Fab
WaferProbe
Dice and Package
PackageTest
Deploy and
Monitor
Trusted
Either
Untrusted
Wafer
*http://www.darpa.mil/MTO/solicitations/baa07-24/index.html
Third-party
DetectingTrojansinICs• OpticalInspectionbasedtechniques
ScanningOpticalMicroscopy(SOM),ScanningElectronMicroscopy(SEM),andpico-secondimagingcircuitanalysis(PICA)
– Drawbacks:CostandTime!
• Testingtechniques– Notaverypowerfultechnique
• Sidechannelbasedtechniques– Nonintrusivetechnique– Compareside-channelswithagoldenmodel
49ASurveyonHardwareTrojanDetectionTechniqueshttp://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7169073
SideChannelBasedTrojanDetection
50
LightweightPRESENTImplementation PowerTraces
Hardwaretrojandesignanddetection:apracticalevaluationhttps://dl.acm.org/citation.cfm?id=2527318
SideChannelBasedTrojanDetection(ICwithTrojan)
51
DifferenceofDistributions
52
HardwareTrojanPrevention(Ifyoucan’tdetectthenprevent)
53
SilencingHardwareBackdoorswww.cs.columbia.edu/~simha/preprint_oakland11.pdfSlidestakenfromAdamWaksman’sOaklandtalk
HardwareTrojanPrevention
54
EnsurethatahardwareTrojanisneverdeliveredthecorrectTrigger
Example(A5stageprocessor)
55
Example(A5stageprocessor)
56
TypesofTrojans
57
TickingTimebomb
58
TickingTimebomb
59
CheatCodes
60
CheatCodes
61
SequenceCheatCodes
62
HardwareTrojanSilencing(withObfuscation)
63
SilencingTickingTimebombs• PowerResets:flushpipeline,writecurrentIPandregistersto
memory,savebranchhistorytargets
64
SilencingTickingTimebombs• Cantriggerbestoredtoarchitecturalstateandrestoredlater
– No.Unitvalidationtestspreventthis– Reasonfortrustingvalidationepoch
LargevalidationteamsOrganizedhierarchically
• Cantriggersbestoredinnon-volatilestateinternaltotheunit?– Eg.Malwareconfiguresahiddennon-volatilememory
• UnmaskableInterrupts?– UseaFIFOtostoreunmaskableinterrupts
• PerformanceCountersarehiddentimebombs 65
DataObfuscation
66
HomomorphicEncryption(Gentry2009)IdealsolutionButpracticalhurdles
DataObfuscation
67
DataObfuscation
68
StoreData5toAddress7
DataObfuscation(ComputationalCase)
69
SequenceBreaking(Reordering)
70Ensurefunctionalityismaintained
SequenceBreaking(Insertingevents)
71Insertarbitraryeventswhenreorderingisdifficult
CatchAll(Duplication)
72
Expensive:Non-recurring:design;verificationcostsduetoduplicationRecurring:Powerandenergycosts
PowerAnalysis
73
CMOSTechnology• AlmosteverydigitaldeviceisbuiltusingCMOS
technology.• CMOS–complimentarymetaloxide
semiconductor
74
CMOSInverter
• Whentheinputswitchesfrom0à1,TransistorT1turnsonandT2turnsoff.CapcitorCLgetscharged.
• Whentheinputswitchsfrom1à0,transitorT1isturnedoffandT2turnson.CapacitorCLdischarges.
75
T1
T2
PowerConsumptionofaCMOSInverter
• PowerisconsumedwhenCLchargesordischarges(i.e.thereisatransitionintheoutputfrom0à1or1à0)
• Usinganoscilloscopewecanmeasurethepowertodeterminewhentheinverteroutputchangesstate
76
Outputofinverter
Powerconsumption
SynchronousDigitalCircuits• Mostelectronicequipmentuseaclockasreference• Allstatetransitionsaredonewithrespecttothisclock
– Powerconsumptionisthereforeatclockedges
77
EssenceofPowerAnalysis• Wedon’tknowwhatishappeninginsidethedevice,butweknowthepower
consumption• Canwededucesecretinformationfromthepowerconsumption
78
TheTypesofPowerAnalysis• SPA:SimplePowerAnalysis
• DPA:DifferentialPowerAnalysis
Requiresmorestrategyandstatisticstogleansecretinformation
• Templatebasedattacks
79
DifferentialPowerAnalysis(asaglance)
80
Inputdata
Key
Guessedkey
deviceundertest
Modelof
device
StatisticallyCompare
Powerconsumption Hypotheticalpowerconsumption
HypotheticalPowerConsumption• CMOScircuitsfollowtheHammingweightandHammingdistancepower
models• HammingDistanceModel
– ConsidertransitionsofregisterR
• HammingWeightModel
TheHammingweightmodelwillwork,whenRisprechargedtoeither0or1
81
K
P CFR
(1011)à(1101)à(1001)à(0010)à(0011)3131#toggles
(1011)à(1101)à(1001)à(0010)à(0011)3213#toggles
ASmallExample
P K C
0000 1010 1010
0001 1010 1011
0010 1010 1000
0011 1010 1001
0100 1010 1110
0101 1010 1111
.. … …82
K
P C
Device
Malloryhascontrolofthisdevice.--Shecanmonitoritspowerconsumption--ShecanfeedinputsP--Sheevenknowswhatoperationsgoesoninside.Thethingsshedoesn’tknowisKandCHeraimistoobtainthesecretkeyK
F
DPAAttack
83
P Kguess C HypotheticalPower
RealPowerMeasured
0000 1111 1111 4
0001 1111 1110 3
0010 1111 1101 3
0011 1111 1100 2
0100 1111 1011 3
0101 1111 1010 2
⁞ ⁞ ⁞ ⁞ ⁞
notethatthisisawaveformwhichchangesw.r.ttime
P=0000
P=0001
P=0010Chereiscomputedwrttotheguessedkeyi.e.C=F(P,Kguess)
84
DPA:WhatwemeanbycorrelationHypotheticalPower
4
3
3
Thesewaveformsarediscrete,theyhaveseveralpointsPerformcorrelationofhypotheticalPowerwrteachpointinthewaveformsConsideronlythemaximumcorrelation
correlate
DPA:Asmallexample
85
P Kguess C HypotheticalPower
RealPowerMeasured
0000 1111 1111 4 xx
0001 1111 1110 3 xx
0010 1111 1101 3 xx
0011 1111 1100 2 xx
0100 1111 1011 3 xx
0101 1111 1010 2 xx
⁞ ⁞ ⁞ ⁞ ⁞
correlate
ρ15
P Kguess C HypotheticalPower
RealPowerMeasured
0000 1110 1110 3 xx
0001 1110 1111 4 xx
0010 1110 1100 2 xx
0011 1110 1101 3 xx
0100 1110 1010 2 xx
0101 1110 1011 3 xx
⁞ ⁞ ⁞ ⁞ ⁞correlate
ρ14
P Kguess C HypotheticalPower
RealPowerMeasured
0000 1101 1101 3 xx
0001 1101 1100 2 xx
0010 1101 1111 4 xx
0011 1101 1110 3 xx
0100 1101 1001 2 xx
0101 1101 1000 1 xx
⁞ ⁞ ⁞ ⁞ ⁞correlate
ρ13 ρ12 ρ11 ρ10Findmaximumcorrelation
SampleOutput
86https://iis-people.ee.ethz.ch/~kgf/acacia/acacia.html
StatisticalComparison• Correlation:
Providesavaluebetween-1and+1.Avalueclosertothesignifieslineardependencebetweenthehypotheticalpowerandtherealpowerconsumption
• MutualInformationQuantifiesmutualdependencebetweenhypotheticalpowerandrealpowerconsumption
87
StatisticalComparison• BayesAnalysisWhatistheprobabilityofahypothesisgivenaspecificleakage
Pr[Hypothesis|Leakage]• DifferenceofMeansnext…
88
DifferenceofMeans• Guessakey:kguess• ComputeCguess=F(P,Kguess)• Findthekguesssuchthat|AVG(B0)–AVG(B1)|ismaximum
89
Device
B0 B1
BIT(Cguess,0)=0
P=0000Cguess=1111
P=0001Cguess=1110
P=0010Cguess=1101
K
P CF
BIT(Cguess,0)=1
PreventingDPA• Byhardwaremeans
– Differentiallogic• ByImplementation
– Masking
• ByAlgorithm– DPAresistantciphers(DRECON)– Rekeying
90