securing the core root of trust (research in secure hardware design and test) ramesh karri...
TRANSCRIPT
Securing the core root of trust(research in secure hardware design and test)
Ramesh Karri ([email protected])ECE Department
Who can attack your system?
Hobby (class I) Obsession (class II) Job (class III)
D. Abraham, G. Dolan, G. Double, and J. Stevens. Transaction Security System. IBM Systems Journal 30(2): 206-229, 1991.
How can your system be compromised?
Application software Protocols Operating system software
Is the problem worth my time?
Source: http://www.uscc.gov/annual_report/2008/annual_report_full_09.pdf, , page 168US-China economic and security review commission hearing on China's proliferation practices and the development of its cyber and space warfare capabilities, testimony of Col. Gary McAlum.
How can your system be protected?
Fix applications Fix protocols Fix operating systems
“the core root of trust” is secure
This assumes that…
“the core root of trust” is secure
But…
Outline
1. threat models2. defenses3. conclusions
Threat models for hardware Side channels
Power dissipation Timing variation Test infrastructure Faults interactions between side channels
Cloning Overbuilding Reverse Engineering Trojans
An example: test infrastructure side channel
Data Encryption Standard (DES)Li
RiRound Key Ki
+
Li+1Ri+1
r
Expansion
+
S-box S-box
Permutation
ab
c
d
Initial Permutation
Input_Reg
+ f
Reverse Permutation
Output_Reg
MUXMUX
R_RegKey Reg
Control
Round key ROM
4
L_Reg
en
en
sel
addr
DES layout
scan chain test data input, TDI test data output, TDO test clock, TCK test mode select, TMS test reset
chain all flip flops in a design
test infrastructure
identify critical registers
attack step 1
Initial Permutation
Input_Reg
+ f
Reverse Permutation
Output_Reg
MUXMUX
R_RegKey Reg
Control
Round key ROM
4
L_Reg
en
en
sel
addr
apply selected inputs
attack step 2
3 plain texts 2 clock cycles in normal mode (plaintext reaches R,L) 198 clock cycles in test mode (R0, L0 scanned out) 1 clock cycle in normal mode (plaintext reaches R, L) 198 clock cycles in test mode (R1, L1 scanned out)
399×3=1197 clock cycles
• Can leak secrets from DES, AES etc • >80 % of all ASICs use scan chains for test/debug • Readback/test infrastructure in FPGAs
• Load configuration stream• Read-out bitstream for debug
test
normal
Secure normal
Insecure
Power off
A fix: secure scan
test
normal
Secure normal
Insecure
Power offSecure scan
Standards compliant3rd Prize, 2008-2009 IEEE TTTC PhD dissertation contest
Hardware threat models Side channels
Power dissipation Timing variation Test infrastructure Faults interactions between side channels
Cloning Overbuilding Reverse Engineering Trojans
T
DD
F
UU
U
Background: IC design process
D: Design, F: FabricationT: Test, U: User
Rev. engineering
T
DD
F
UU
U
Reverse engineering
D: Design, F: FabricationT: Test, U: User
3500 counterfeit Cisco networking components recovered • estimated retail value ~ $3.5 million
cloningT
DD
F
UU
U
Cloning
D: Design, F: FabricationT: Test, U: User
Trojans
T
DD
F
UU
U
Hardware Trojans
D: Design, F: FabricationT: Test, U: User
The kill switch ?
IEEE Spectrum, 2008
Only 2% of ~$3.5 billion of DoD ICs manufactured intrusted foundries !!!
Taxonomy of trojans
Leak AES key 40 registrations, 10 finalists, 3 winners, 2 honorable mentionshttp://isis.poly.edu/csaw/embedded
Trojan challenge
Trojans in the development cycle
Trojans at different abstractions
Location of the inserted trojans
Where are the trojans inserted?
2 1 3 4
Next steps
develop defenses investigate effectiveness developing benchmarks metrics?
Physically unclonable functions
• Uses physical structure of a device to give a unique response
• Used as device IDs• The ring oscillator frequency varies with process variations.
A trojan defense
Trivium
JTAG
Interpreter
Transmit DataRS232 UARTReceive Data
I/O SELECT
CLOCK
RS232-DCE_RXD
RESET
REC_READY
RS232_DCE_TXDUART CLK
FREQUENCYCOUNTER
C0
A1
B1
A2
B2
S1
S2
C1
C2
DETECTIONRING
OSCILLATOR OUTPUT
PUF gives unique ID to hardwareCan we give a unique ID to a design?
A preliminary defense
Trivium
JTAG
Interpreter
Transmit DataRS232 UARTReceive Data
I/O SELECT
CLOCK
RS232-DCE_RXD
RESET
REC_READY
RS232_DCE_TXDUART CLK
FREQUENCYCOUNTER
Next steps
develop defenses investigate effectiveness developing benchmarks metrics?
Questions? [email protected], 917 363 9703