hardware security - indian institute of technology madraschester/courses/17o_sse/slides/7... ·...
TRANSCRIPT
HardwareSecurity
1
ChesterRebeiroIITMadras
Physically Unclonable Functions
PhysicalUnclonableFunc1onsandApplica1ons:ATutorialh8p://ieeexplore.ieee.org/document/6823677/
EdgeDevices
3
1000softhemexpectedtobedeployedLowpower(solarorba8erypowered)SmallfootprintConnectedtosensorsandactuatorsExpectedtooperate24x7almostunmanned24x7thesedeviceswillbecon1nuouslypumpingdataintothesystem,whichmayinfluencethewayci1esoperateWillaffectusinmulRpleways,andwemaynotevenknowthattheyexist.
AuthenRcaRngEdgeDevices• Storedkeys
– EEPROMmanufactureisanoverhead– Publickeycryptographyisheavy– Canbeeasilycopied/cloned
4
EncrypRondoneinedgedevicePublickeysstoredinserver
Privatekeys
PhysicallyUnclonableFuncRons• Nostoredkeys• Nopublickeycryptography• Cannotbecloned/copied• Usesnano-scalevariaRonsinmanufacture.NotwodevicesareexactlyidenRcal
5
EncrypRondoneinedgedevicePublickeysstoredinserver
challenge/response
DigitalFingerprints
PUFs
6
AfuncRonwhoseoutputdependsontheinputaswellasthedeviceexecuRngit.
WhatisExpectedofaPUF?(InterandIntraDifferences)
7
challenge
response
response
challenge
Response
Response
(Reliable)SameChallengetoSamePUFDifferencebetweenresponsesmustbesmallonexpectaRonIrrespecRveoftemperature,noise,aging,etc.
(Unique)SameChallengetodifferentPUFDifferencebetweenresponsesmustbelargeonexpectaRonSignificantvariaRonduetomanufacture
WhatisExpectedofaPUF?(Unpredictability)
8
challenge
response
response
DifficulttopredicttheoutputofaPUFtoarandomlychosenchallengewhenonedoesnothaveaccesstothedevice
IntrinsicPUFs• Completelywithinthechip
– PUF– Measurementcircuit– Post-processing
• Nofancyprocessingsteps!– eg.MostSiliconbasedPUFs
9
SiliconPUFseg.RingOscillatorPUF
10
f = 12nt
FrequencyofringoscillatorNumberofstagesDelayofeachstage
fnt
RingOscillatorwithoddnumberofgates
FrequencyaffectedbyprocessvariaRon.
WhyvariaRonoccurs?
11
Whengate voltage is less than threshold no current flows When gate voltate is greater than threshold current flows from source to drain Threshold voltage is a function of doping concentration, oxide thickness
Delaydependsoncapacitance
ProcessVaria1ons• Oxidethickness• DopingconcentraRon• Capacitance
MOSTransistor CMOSInverter
SiliconPUFseg.RingOscillatorPUF
12
>enable
counter
counter
Nbitchallenge
1
2
3
N
N-1
N-2
1bitresponse
RA
RB
response = 10
fA > fBfA ≤ fB
⎧⎨⎪
⎩⎪
ResultsofaROPUF15Xilinx,Virtex4FPGAs;1024ROsineachFPGA;EachROhad5inverterstagesand1ANDgate
13
Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf
InterChipVaria1ons(Uniquenessmeasurement)
challenge
response
responseWhen128bitsareproduced,
Avg59.1bitsoutof128bitsdifferent
ResultsofaROPUF15Xilinx,Virtex4FPGAs;1024ROsineachFPGA;EachROhad5inverterstagesand1ANDgate
14
Physical Unclonable Functions for Device Authentication and Secret Key Generation https://people.csail.mit.edu/devadas/pubs/puf-dac07.pdf
IntraChipVaria1ons(Reproducabilitymeasurement)
challenge
response
response0.61bitsonaverageoutof128bitsdiffer
120oC1.08V
20oC;1.2V
ArbiterPUF
15
0
0
1
1
0
0
1
1
01
IdeallydelaydifferencebetweenRedandBluelinesshouldbe0iftheyaresymmetricallylaidout.InpracRcevariaRoninmanufacturingprocesswillintroducerandomdelaysbetweenthetwopaths
Switch
Arbiter
16
DFF
D
clk
Q ?
IfthesignalatDreachesfirstthenQwillbesetto1IfthesignalatclkreachesfirstthenQwillbesetto0
DFF
ArbiterPUF
17
…
challenge
rising Edge
1 if toppath is faster,else 0
D Q1
1
0
0
1
1
0
0
1
1
0
0
1 0 10 0 1
01
G
13.56MHzChipForISO14443Aspec.
ResultsforROPUF
18DesignandImplementa1onofPUF-Based“Unclonable”RFIDICsforAn1-Counterfei1ngandSecurityApplica1onsIEEEInt.Conf.onRFID,2008,S.Devdaset.Al.
ComparingROandArbiterPUF
19
NumberofChallenge:ResponsePairs:
NumberofChallenge:ResponsePairs:
N2
⎛
⎝⎜
⎞
⎠⎟ 2N
#CRPslinearlyrelatedtothenumberofcomponents
#CRPsexponenRallyrelatedtothenumberofcomponents
WEAKPUF STRONGPUF
WeakPUFvsStrongPUF
20
• ComparaRvelyfewnumberofChallengeResponsePairs(CRPs)
• HugenumberofChallengeResponsePairs(CRPs)
• CRPsmustbekeptsecret,becauseana8ackermaybeabletoenumerateallpossibleCRPs
• WeakPUFsusefulforcreaRngcryptographickeys
• Itisassumedthatana8ackercannotEnumerateallCRPswithinafixedRmeinterval.ThereforeCRPscanbemadepublic
• Formally,anadversarygivenapoly-sizedsampleofadapRvelychosenCRPscannotpredictthe
Responsetoanewrandomlychosenchallenge.
• Typicallyusedalongwithacryptographicscheme(likeencrypRon/HMACetc)tohidetheCRP(sincetheCRPsmustbekeptsecret)
• Doesnotrequireanycryptographicscheme,sinceCRPscanbepublic.
WeakPUF StrongPUF
• VeryGoodInterandIntradifferences
PUFBasedAuthenRcaRon(withStrongPUF)
21
CRPs
challenge
response
Bootstrapping:Atmanufacture,serverbuildsadatabaseofCRPsforeachdevice.Atdeployment,serverpicksarandomchallengefromthedatabase,queriesthedeviceandvalidatestheresponse
PUFBasedAuthenRcaRonManintheMiddle
22
CRPs
challenge
response
ManinthemiddlemaybeabletobuildadatabaseofCRPsTopreventthis,CRPsarenotusedmorethanonce
PUFBasedAuthenRcaRonCRPTables
23
CRPs
challenge
response
EachdevicewouldrequireitsownCRPtableandsecurelystoredinatrustedserverTablesmustbelargeenoughtocatertotheenRrelifeRmeofthedeviceorneedtoberechargedperiodically(scalabilityissues)
CRPs
PUFbasedAuthenRcaRon(AlleviaRngCRPProblem)
SecretModelofPUF
24
GateDelaysofPUFcomponents Bootstrapping:Atmanufacture,serverbuildsa
databaseofgatedelaysofeachcomponentinthePUF.Atdeployment,serverpicksarandomchallengeconstructsitsexpectedresponsefromsecretmodel,queriesthedeviceandvalidatestheresponse
SRllRequiresSecureBootstrapping
andSecureStorage
PUFbasedAuthenRcaRon(AlleviaRngCRPProblem)
• PPUF:PublicModelPUF
25
GateDelaysofPUFComponents(Public)
Trustedserver(PKI)
Bootstrapping:DownloadthepublicmodelofPUFfromthetrustedserver.Atdeployment,serverpicksarandomchallengeconstructsexpectedresponsefrompublicmodel,queriesthedeviceandvalidatestheresponse.IfRmeforresponseislessthanathresholdacceptresponseelserejects.
AssumpRon:AdevicetakesmuchlessRmetocomputeaPUFresponsethanana8ackerwhomodelsthePUF.
T<T0?
PUFbasedAuthenRcaRon(AlleviaRngCRPProblem)
HomomorphicEncryp1on
26
EncryptedCRPs
UntrustedCloud
Response
Conclusions• DifferenttypesofPUFsbeingexplored
– AnalogPUFs,SensorPUFsetc.
• CRPissuesRllabigproblem
• Severala8acksfeasibleonPUFs.– Modelbuildinga8acks(SVMs)– TamperingwithPUFcomputaRon(eg.Forcingasine-waveontheground
plane,canaltertheresultsofthePUF)
• PUFsareaverypromisingwayforlightweightauthenRcaRonofedgedevices.
27
HardwareTrojans
Hardware Security: Design, Threats, and Safeguards; D. Mukhopadhyay and R.S. Chakraborty
29
h8ps://www.theguardian.com/technology/2012/may/29/cyber-a8ack-concerns-boeing-chiph8ps://techcrunch.com/2013/09/05/nsa-subverts-most-encrypRon-works-with-tech-companies-for-back-door-access-report-says/h8ps://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/h8ps://www.technologyreview.com/s/519661/nsas-own-hardware-backdoors-may-sRll-be-a-problem-from-hell/
ICLifeCycle(VulnerableSteps)
30
IP ToolsStd. Cells Models
DesignSpecifications Fab Interface Mask Fab
WaferProbe
Dice and Package
PackageTest
Deploy and
Monitor
Trusted
Either
Untrusted
Wafer
*hbp://www.darpa.mil/MTO/solicita1ons/baa07-24/index.html
Offshore
Third-party
MalwareinThirdPartyIPs
• ThirdpartyIPs– Cantheybetrusted?– Willtheycontainmaliciousbackdoors
• Developersdon’t/can’t
search1000soflinesofcodelookingoutfortrojans.
31
FANCI:IdenRficaRonofStealthyMaliciousLogic
• FANCI:evaluatehardwaredesignsautomaRcallytodetermineifthereisanypossiblebackdoorshidden
• ThegoalistopointouttotestersofpossibletrojanlocaRonsinahugepieceofcode
32
h8p://www.cs.columbia.edu/~simha/preprint_ccs13.pdf(someofthefollowingslidesareborrowedfromWaksman’sCCStalk)
HardwareTrojanStructure
33
PayloadTriggerCircuit
TriggerCircuit:Basedonaseldomoccurringevent.Forexample,• whenaddressonaddressbusis
0xdeadbeef.• AparRcularlyrarepacketarriveson
network• SomeRmehaselapsed
Payload:Dosomethingnefarious:• Makeapageinmemory(un)privileged• LeakinformaRontotheoutsideworld
throughnetwork,covertchannels,etc• Causethesystemtofail
Trojancanbeinsertedanywhereinduringthemanufacturingprocess(eg.InthirdpartyIPcorespurchased,byfabricaRonplant,etc.)
Trojan=Trigger+Payload
34
Trojan=Trigger+Payload
35
BackdoorsareStealthy
• Small– Typicallyafewlinesofcode/area
• Stealth– CannotbedetectedbyregulartesRngmethodologies(raretriggers)
– Passivewhennottriggered
36
Unfortunately…
WithsomuchofcodeitishighlylikelythatstealthyporRonsofthecodearemissedornottestedproperly.
37
FANCI:willdetectthesestealthycircuits.Thesepartsaremostlikelyto
haveTrojans.TheaimistohavenofalsenegaRves.AfewfalseposiRvesareacceptable
ControlValues
A B C O
0 0 0 0
0 0 1 1
0 1 0 1
0 1 1 0
1 0 0 1
1 0 1 1
1 1 0 0
1 1 1 038
ByhowmuchdoesaninputinfluencetheoutputO?
A
B
C
O
ControlValues
A B C O
0 0 0 0
1 0 0 1
0 0 1 1
1 0 1 1
0 1 0 1
1 1 0 0
0 1 1 0
1 1 1 039
Byhowmuchdoesainputinfluencetheoutput0?
A:hasacontrolof0.5ontheoutput(Ama8ersinthisfuncRon)1 1 0 0A B C 0
A
B
C
O
ControlValues
A B C O
0 0 0 0
1 0 0 0
0 0 1 1
1 0 1 1
0 1 0 0
1 1 0 0
0 1 1 0
1 1 1 040
Byhowmuchdoesainputinfluencetheoutput0?
A:hasacontrolof0ontheoutput(Adoesnotma8erinthisfuncRon)(AiscalledunaffecRng)
1 1 0 0A B C 0
A
B
C
O
ControlValuesforaTriggerinaTrojan
41
if (addr == 0xdeadbeee) then{ trigger = 1 }
A31 A30 A2 A1 A0 trigger
0 0 … 0 0 0 0
0 0 … 0 0 1 0
0 0 … 0 1 0 0
0 0 … 0 1 1 0
: : : : : :
1 1 1 1 0 1
: : : : : :
1 1 1 1 1 1 0
A31hasacontrolvalue1/232
EasiertohideatrojanwhenlargerinputsetsareconsideredAlowchanceofaffecRngtheoutputLendsitselftostealthinessàeasiertohideamaliciouscode
AnExampleofaMux
42
<A,B,C,D,S1,S2>=<0.25,0.25,0.25,0.25,0.5,0.5>Notrojanpresenthere(intuRvely):*Allmuxinputshaveacontrolvaluearoundmidrange(nottoocloseto0)
AnExampleofaMaliciousMux
43
66extraselectlineswhichareonlymodifyMwhenwheyaresettoaparRcularvalue
M
ThecontrolvaluesEandS3toS66aresuspiciousbecausetheyrarelyInfluencethevalueofM.Perfectfordisguisingmaliciousbackdoors
JustsearchingforMINvaluesisowennotenough.Be8ermetricsAreneeded.
CompuRngStealthfromControl
44
CompuRngStealthfromControl
45
FANCI:TheCompleteAlgorithm
46
ICLifeCycle(TheFab)
47
IP ToolsStd. Cells Models
DesignSpecifications Fab Interface Mask Fab
WaferProbe
Dice and Package
PackageTest
Deploy and
Monitor
Trusted
Either
Untrusted
Wafer
*hbp://www.darpa.mil/MTO/solicita1ons/baa07-24/index.html
Offshore
Third-party
DetecRngTrojansinICs• OpRcalInspecRonbasedtechniques
ScanningOpRcalMicroscopy(SOM),ScanningElectronMicroscopy(SEM),andpico-secondimagingcircuitanalysis(PICA)
– Drawbacks:CostandTime!
• TesRngtechniques– Notaverypowerfultechnique
• Sidechannelbasedtechniques– Nonintrusivetechnique– Compareside-channelswithagoldenmodel
48
ASurveyonHardwareTrojanDetecRonTechniquesh8p://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7169073
SideChannelBasedTrojanDetecRon
49
LightweightPRESENTImplementaRonPowerTraces
Hardwaretrojandesignanddetec1on:aprac1calevalua1onh8ps://dl.acm.org/citaRon.cfm?id=2527318
SideChannelBasedTrojanDetecRon(ICwithTrojan)
50
DifferenceofDistribuRons
51
HardwareTrojanPrevenRon(Ifyoucan’tdetectthenprevent)
52
SilencingHardwareBackdoorswww.cs.columbia.edu/~simha/preprint_oakland11.pdfSlidestakenfromAdamWaksman’sOaklandtalk
HardwareTrojanPrevenRon
53
EnsurethatahardwareTrojanisneverdeliveredthecorrectTrigger
Example(A5stageprocessor)
54
Example(A5stageprocessor)
55
TypesofTrojans
56
TickingTimebomb
57
TickingTimebomb
58
CheatCodes
59
CheatCodes
60
SequenceCheatCodes
61
HardwareTrojanSilencing(withObfuscaRon)
62
SilencingTickingTimebombs• PowerResets:flushpipeline,writecurrentIPandregistersto
memory,savebranchhistorytargets
63
SilencingTickingTimebombs• Cantriggerbestoredtoarchitecturalstateandrestoredlater
– No.UnitvalidaRontestspreventthis– ReasonfortrusRngvalidaRonepoch
LargevalidaRonteamsOrganizedhierarchically
• Cantriggersbestoredinnon-volaRlestateinternaltotheunit?– Eg.Malwareconfiguresahiddennon-volaRlememory
• UnmaskableInterrupts?– UseaFIFOtostoreunmaskableinterrupts
• PerformanceCountersarehiddenRmebombs
64
DataObfuscaRon
65
HomomorphicEncrypRon(Gentry2009)IdealsoluRonButpracRcalhurdles
DataObfuscaRon
66
DataObfuscaRon
67
StoreData5toAddress7
DataObfuscaRon(ComputaRonalCase)
68
SequenceBreaking(Reordering)
69
EnsurefuncRonalityismaintained
SequenceBreaking(InserRngevents)
70
Insertarbitraryeventswhenreorderingisdifficult
CatchAll(DuplicaRon)
71
Expensive:Non-recurring:design;verificaRoncostsduetoduplicaRonRecurring:Powerandenergycosts