soc it to em: electromagnetic side-channel attacks on … · soc it to em: electromagnetic...
TRANSCRIPT
SoC it to EM: electromagnetic side-channel attacks on a complexsystem-on-chip
Jake Longo1 Elke De Mulder2 Dan Page1 Mike Tunstall2
1University Of Bristol,Merchant Venturers Building,
Woodland Road,Bristol, BS8 1UB. UK.
2Rambus Cryptography Research Division,425 Market Street, 11th Floor,
San Francisco, CA 94105, United States.
16/09/15
SoC it to EM Slide 1 of 23
Presentation Layout
I Motivation?
I Methodology outline and execution
I Summary of attack results
I Further comments
I Future work
SoC it to EM Slide 2 of 23
Motivation?
Address some misconceptions of side-channel attacks on complex devices.
I High-clock rate targets→ high sample rate equipment.
I Complex embedded systems→ difficult DPA.
I High degree of parallelism→ low SNR ∼ intrinsic side-channel resistance.
SoC it to EM Slide 3 of 23
Analysis Plan
I Target selection and identification
I Signal exploration
I Batch signal pre-processing
I Leakage detection
I Signal post-processing
I Textbook DPA
SoC it to EM Slide 4 of 23
Target Platform
BeagleBone Black Attack Environment
Hardware:I ARM Cortex-A8 1 GHz CPU (High clock rate)
I ARM NEON SIMD (High degree of parallelism)
I TI proprietary cryptographic hardware (RNG, SHA-1, AES)
Software:I Debian Wheezy (3.15) (Full unmodified Linux distribution)
I OpenSSL 1.0.1j (Bulk encryption)
SoC it to EM Slide 5 of 23
Target Selection and Identification
Integer core NEON core
L1 I-cache L1 D-cache
L2 cache
OCP bridge
176 kBROM
64 kBRAM
OCP-based L3/L4 NoC interconnect
PowerVRGPU
Cryptographicco-processor
64 kBRAM
Displaycontroller
Networkcontroller
UART
SPI
I2C
USB
...
DMA
RTC
WDT
JTAG
...
DDR-based memory interface
I OpenSSL software AES-128-CBCI OpenSSL NEON Bitsliced AES-128-CBCI OpenSSL hardware accelerated AES-128-CBC
SoC it to EM Slide 6 of 23
Target Selection and Identification
Integer core NEON core
L1 I-cache L1 D-cache
L2 cache
OCP bridge
176 kBROM
64 kBRAM
OCP-based L3/L4 NoC interconnect
PowerVRGPU
Cryptographicco-processor
64 kBRAM
Displaycontroller
Networkcontroller
UART
SPI
I2C
USB
...
DMA
RTC
WDT
JTAG
...
DDR-based memory interface
I OpenSSL software AES-128-CBC
I OpenSSL NEON Bitsliced AES-128-CBCI OpenSSL hardware accelerated AES-128-CBC
SoC it to EM Slide 6 of 23
Target Selection and Identification
Integer core NEON core
L1 I-cache L1 D-cache
L2 cache
OCP bridge
176 kBROM
64 kBRAM
OCP-based L3/L4 NoC interconnect
PowerVRGPU
Cryptographicco-processor
64 kBRAM
Displaycontroller
Networkcontroller
UART
SPI
I2C
USB
...
DMA
RTC
WDT
JTAG
...
DDR-based memory interface
I OpenSSL software AES-128-CBCI OpenSSL NEON Bitsliced AES-128-CBC
I OpenSSL hardware accelerated AES-128-CBC
SoC it to EM Slide 6 of 23
Target Selection and Identification
Integer core NEON core
L1 I-cache L1 D-cache
L2 cache
OCP bridge
176 kBROM
64 kBRAM
OCP-based L3/L4 NoC interconnect
PowerVRGPU
Cryptographicco-processor
64 kBRAM
Displaycontroller
Networkcontroller
UART
SPI
I2C
USB
...
DMA
RTC
WDT
JTAG
...
DDR-based memory interface
I OpenSSL software AES-128-CBCI OpenSSL NEON Bitsliced AES-128-CBCI OpenSSL hardware accelerated AES-128-CBC
SoC it to EM Slide 6 of 23
NEON?
“NEON technology is a 128-bit SIMD (Single Instruction, Multiple Data) architectureextension for the ARM Cortex™-A series processors.”
I Clear use-cases for wide datapath bit-slicing.I Gradually being adopted to accelerate crypto imlementations.
[BS12] D.J. Bernstein and P. Schwabe. “NEON Crypto”. In: CHES. LNCS 7428,2012, pp. 320–339.
[Câm+13] D.F. Câmara et al. “Fast Software Polynomial Multiplication on ARMProcessors Using the NEON Engine”. In: CD-ARES. 2013, pp. 137–154.
[Hol+13] S. Holzer-Graf et al. “Efficient Vector Implementations of AES-BasedDesigns: A Case Study and New Implemenations for Grøstl”. In: CT-RSA.2013, pp. 145–161.
[Seo+14] H. Seo et al. “Montgomery Modular Multiplication on ARM-NEONRevisited”. In: ICISC. 2014, pp. 328–342.
[Wan+15] J. Wang et al. “Higher-Order Masking in Practice: A Vector Implementationof Masked AES for ARM NEON”. In: CT-RSA. 2015, pp. 181–198.
SoC it to EM Slide 7 of 23
Cryptographic Co-processor?
AES
DMA Engine
something in
a key
some mode settings
something out
IRQ_0
IRQ_1
THE DOCUMENTATION HASNOTHING ABOUT IT
IT SORT OF LOOKSSOMETHING LIKE
THIS...
...PROBABLY
SoC it to EM Slide 8 of 23
Signal Exploration (1)
Test loop
1 while true do2 sleep(0.08);3 openssl aes-128-cbc -in pt.bin -out ct.bin;4 sleep(0.025);5 matrixMultiply -in pt.bin;
6 end
Spectrogram
0 10 20 30 40 50 60 70 80
Time (ms)
0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70−65−60−55−50−45−40−35−30
Pow
er(d
b)
SoC it to EM Slide 9 of 23
Signal Exploration (1)
Test loop
1 while true do2 sleep(0.08);3 openssl aes-128-cbc -in pt.bin -out ct.bin;4 sleep(0.025);5 matrixMultiply -in pt.bin;
6 end
Spectrogram
0 10 20 30 40 50 60 70 80
Time (ms)
0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70−65−60−55−50−45−40−35−30
Pow
er(d
b)
SoC it to EM Slide 9 of 23
Signal Exploration (1)
Test loop
1 while true do2 sleep(0.08);3 openssl aes-128-cbc -in pt.bin -out ct.bin;4 sleep(0.025);5 matrixMultiply -in pt.bin;
6 end
Spectrogram
0 10 20 30 40 50 60 70 80
Time (ms)
0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70−65−60−55−50−45−40−35−30
Pow
er(d
b)
SoC it to EM Slide 9 of 23
Signal Exploration (1)
Test loop
1 while true do2 sleep(0.08);3 openssl aes-128-cbc -in pt.bin -out ct.bin;4 sleep(0.025);5 matrixMultiply -in pt.bin;
6 end
Spectrogram
0 10 20 30 40 50 60 70 80
Time (ms)
0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70−65−60−55−50−45−40−35−30
Pow
er(d
b)
SoC it to EM Slide 9 of 23
Signal Exploration (1)
Test loop
1 while true do2 sleep(0.08);3 openssl aes-128-cbc -in pt.bin -out ct.bin;4 sleep(0.025);5 matrixMultiply -in pt.bin;
6 end
Spectrogram
0 10 20 30 40 50 60 70 80
Time (ms)
0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70−65−60−55−50−45−40−35−30
Pow
er(d
b)
SoC it to EM Slide 9 of 23
Signal Pre-processing (1)
OpenSSL S/W Trace
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered & De-modulated
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL Frequency Response
Time (ms)0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70
−65
−60
−55
−50
−45
−40
−35
−30
Pow
er(d
b)
SoC it to EM Slide 10 of 23
Signal Pre-processing (1)
OpenSSL S/W Trace
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered & De-modulated
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL Frequency Response
Time (ms)0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70
−65
−60
−55
−50
−45
−40
−35
−30
Pow
er(d
b)
SoC it to EM Slide 10 of 23
Signal Pre-processing (1)
OpenSSL S/W Trace
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered & De-modulated
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL Frequency Response
Time (ms)0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70
−65
−60
−55
−50
−45
−40
−35
−30
Pow
er(d
b)
SoC it to EM Slide 10 of 23
Signal Pre-processing (1)
OpenSSL S/W Trace
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL S/W Trace – Filtered & De-modulated
0 2000 4000 6000 8000 10000 12000
Sample Index
Am
plit
ude
OpenSSL Frequency Response
Time (ms)0
200
400
600
800
1000
1200
Fre
quen
cy(M
Hz)
−70
−65
−60
−55
−50
−45
−40
−35
−30
Pow
er(d
b)
SoC it to EM Slide 10 of 23
Signal Pre-processing (2)
OpenSSL NEON Trace
0 10000 20000 30000 40000 50000
Sample Index
Am
plit
ude
OpenSSL NEON Trace – Filtered
0 10000 20000 30000 40000 50000
Sample Index
Am
plit
ude
OpenSSL NEON Trace – Filtered & De-modulated
0 10000 20000 30000 40000 50000
Sample Index
Am
plit
ude
SoC it to EM Slide 11 of 23
Signal Pre-processing (3)
OpenSSL H/W Trace
20000 30000 40000 50000 60000 70000
Sample Index
Am
plit
ude
I Number of peaks match number of encryptions! ,
I Peaks track by Hamming weight of plaintext...I Peaks are DMA strobes /
YAY!
SoC it to EM Slide 12 of 23
Signal Pre-processing (3)
OpenSSL H/W Trace
20000 30000 40000 50000 60000 70000
Sample Index
Am
plit
ude
I Number of peaks match number of encryptions! ,I Peaks track by Hamming weight of plaintext...
I Peaks are DMA strobes /
HMMMM...
SoC it to EM Slide 12 of 23
Signal Pre-processing (3)
OpenSSL H/W Trace
20000 30000 40000 50000 60000 70000
Sample Index
Am
plit
ude
I Number of peaks match number of encryptions! ,I Peaks track by Hamming weight of plaintext...I Peaks are DMA strobes /
DAMN!
SoC it to EM Slide 12 of 23
Signal Pre-processing (3)
OpenSSL H/W Trace
20000 30000 40000 50000 60000 70000
Sample Index
Am
plit
ude
I Number of peaks match number of encryptions! ,I Peaks track by Hamming weight of plaintext...I Peaks are DMA strobes /
DAMN!
SoC it to EM Slide 12 of 23
Leakage detection (1)
Fixed-versus-Random Test
10
PRG mf
DUT
0 1
b
λ
Fixed-versus-Random Test
1 mf$←− {0, 1}128
2 for i← 0 to n do
3 b $←− {0, 1}
4 if b = 0 then
5 mr$←− {0, 1}128
6 Λ0 ← Λ0 ∪ {λ(AES-128-CBCk(mr))}7 else8 Λ1 ← Λ1 ∪ {λ(AES-128-CBCk(mf ))}9 end
10 end
Welch’s t-testt =
Λ̄0−Λ̄1√σ2
0|Λ0 |
+σ2
1|Λ1 |
SoC it to EM Slide 13 of 23
Leakage detection (2)
OpenSSL S/W Average
Sample Index
Am
plit
ude
OpenSSL NEON Average
Sample Index
Am
plit
ude
FvR OpenSSL S/W t-test
Sample Index−100
−50
0
50
100
t-st
atis
tic
FvR OpenSSL NEON t-test
Sample Index−100
−50
0
50
100
t-st
atis
tic
SoC it to EM Slide 14 of 23
Leakage detection (3)
OpenSSL H/W Average
Sample Index
−300
−200
−100
0
100
200
Am
plit
ude
FvR OpenSSL H/W t-test
Sample Index−6
−4
−2
0
2
4
6
t-st
atis
tic
SoC it to EM Slide 15 of 23
Leakage detection (4)
Semi Fixed-versus-Random
10
PRG msf
DUT
0 1
b
λ
Semi Fixed-versus-Random Example Vectors
round[00].input:A6FE44D9FF7596F884BEDBAAFDBD3ABEround[00].k_sch:382CDECF122333C71B124386107CE34Fround[00].start:9ED29A16ED56A53F9FAC982CEDC1D9F1round[01].s_box:0BB5B84755B10675DB914671557835A1round[01].s_row:0BB146A155913547DB78B87555B50671round[01].m_col:3919CEB3707467D5E88D575C195F7FAE
.
.
.
round[09].k_sch:EDF9BA88533EBAB600001D3E003C1D00round[10].start:0D848A8D000000000000000000000000round[10].s_box:D75F7E5D636363636363636363636363round[10].s_row:D76363636363635D63637E63635F6363round[10].k_sch:305DD9EB6363635D63637E63635F6363round[10].s_out:E73EBA88000000000000000000000000
SoC it to EM Slide 16 of 23
Leakage detection (4)
Semi Fixed-versus-Random
10
PRG msf
DUT
0 1
b
λ
Semi Fixed-versus-Random Example Vectors
round[00].input:DBF0AE75B2BB6B56E89ECAC78188CF86round[00].k_sch:C5D06552504A626F9F1B62E0B458A219round[00].start:1E20CB27E2F109397785A82735D06D9Fround[01].s_box:72B71FCC98A10112F597C2CC96703CDBround[01].s_row:72A1C2DB98973CCCF5701F1296B701CCround[01].m_col:05AD3A587925389B6C268D4F382C6C94
.
.
.
round[09].k_sch:CD2CF959BC89F9320000C76B00A6C700round[10].start:CD071DBF000000000000000000000000round[10].s_box:BDC5A408636363636363636363636363round[10].s_row:BD636363636363086363A46363C56363round[10].k_sch:DFEA9A3A636363086363A46363C56363round[10].s_out:6289F959000000000000000000000000
SoC it to EM Slide 16 of 23
Leakage detection (4)
Semi Fixed-versus-Random
10
PRG msf
DUT
0 1
b
λ
Semi Fixed-versus-Random Example Vectors
round[00].input:0B02F73CE36B4B962062B70737727265round[00].k_sch:365FD0AE866D066A327CC70ED1BE4AD4round[00].start:3D5D279265064DFC121E7009E6CC38B1round[01].s_box:274CCC4F4D6FE3B0C97251018E4B07C8round[01].s_row:276F51C84D72074FC94BCCB08E4CE301round[01].m_col:66C2A9DC44EFE03C28A0CABC31291C24
.
.
.
round[09].k_sch:4B028D14D2898D0E0000C81A0027C800round[10].start:74860EAF000000000000000000000000round[10].s_box:9244AB79636363636363636363636363round[10].s_row:92636363636363796363AB6363446363round[10].k_sch:B1EAEE77636363796363AB6363446363round[10].s_out:23898D14000000000000000000000000
SoC it to EM Slide 16 of 23
Leakage detection (4)
Semi Fixed-versus-Random
10
PRG msf
DUT
0 1
b
λ
OpenSSL H/W Average
Sample Index
−300
−200
−100
0
100
200
Am
plit
ude
SFvR OpenSSL H/W t-test
Sample Index−150−100−50
050
100150200250300
t-st
atis
tic
SoC it to EM Slide 16 of 23
Signal Post-processing (1)
OpenSSL S/W Bulk Encryption
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Interrupted
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Difference Trace
0 1000 2000 3000 4000 5000
Sample Index
Am
plit
ude
SoC it to EM Slide 17 of 23
Signal Post-processing (1)
OpenSSL S/W Bulk Encryption
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Interrupted
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Difference Trace
0 1000 2000 3000 4000 5000
Sample Index
Am
plit
ude
SoC it to EM Slide 17 of 23
Signal Post-processing (1)
OpenSSL S/W Bulk Encryption
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Interrupted
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Difference Trace
0 1000 2000 3000 4000 5000
Sample Index
Am
plit
ude
SoC it to EM Slide 17 of 23
Signal Post-processing (1)
OpenSSL S/W Bulk Encryption
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Interrupted
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Difference Trace
0 1000 2000 3000 4000 5000
Sample Index
Am
plit
ude
SoC it to EM Slide 17 of 23
Signal Post-processing (1)
OpenSSL S/W Bulk Encryption
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Interrupted
0 1000 2000 3000 4000 5000
Am
plit
ude
OpenSSL S/W Bulk Encryption Difference Trace
0 1000 2000 3000 4000 5000
Sample Index
Am
plit
ude
SoC it to EM Slide 17 of 23
Signal Post-processing (3)
Sample Index
−300
−200
−100
0
100
200A
mpl
itud
e
Fourier Transform computation
X(f ) =∫∞
−∞x(t)e−j2πftdt
Continuous Wavelet Transform computation
CWT(d, s) = 1√
d
∫f (t)ψ
(t−sd
)dt
SoC it to EM Slide 18 of 23
Signal Post-processing (3)
Fourier Transform computation
X(f ) =∫∞
−∞x(t)e−j2πftdt
Continuous Wavelet Transform computation
CWT(d, s) = 1√
d
∫f (t)ψ
(t−sd
)dt
Sample Index
−300
−200
−100
0
100
200
Am
plit
ude
h
g
↓
↓ A[1]
D[1]
h
g
↓
↓ A[n]
D[n]
SoC it to EM Slide 18 of 23
Signal Post-processing (3)
Fourier Transform computation
X(f ) =∫∞
−∞x(t)e−j2πftdt
Continuous Wavelet Transform computation
CWT(d, s) = 1√
d
∫f (t)ψ
(t−sd
)dt
Sample Index
−300
−200
−100
0
100
200
Am
plit
ude
h
g
↓
↓ A[1]
D[1]
Sample Index−500
−400
−300
−200
−100
0
100
200
300
Am
plit
ude
Sample Index−300
−200
−100
0
100
200
Am
plit
ude
SoC it to EM Slide 18 of 23
Signal Post-processing (3)
OpenSSL H/W Average
Sample Index
−300
−200
−100
0
100
200
Am
plit
ude
SFvR OpenSSL H/W t-test
Sample Index−150−100−50
050
100150200250300
t-st
atis
tic
OpenSSL H/W details (D[1])
Sample Index−300
−200
−100
0
100
200
Am
plit
ude
SFvR OpenSSL H/W details (D[1]) t-test
Sample Index−150−100−50
050
100150200250300
t-st
atis
tic
SoC it to EM Slide 19 of 23
Attack Results
Summary of Attack Results
Implementation Hardware Trigger Acquisitions Data
T-tables ARM core GPIO-based 3000 46 kBT-tables ARM core Network-based 100 400 kBHardware Co-processor DMA-based
50 000
500 000
<1GB
7GBBit-sliced NEON core GPIO-based 5000 625 kB
SoC it to EM Slide 20 of 23
Attack Results
Summary of Attack Results
Implementation Hardware Trigger Acquisitions Data
T-tables ARM core GPIO-based 3000 46 kBT-tables ARM core Network-based 100 400 kBHardware Co-processor DMA-based
50 000
500 000
<1GB
7GBBit-sliced NEON core GPIO-based 5000 625 kB
OpenSSL S/W Bit Correlation
Sample Index
Cor
rela
tion
OpenSSL S/W Bit Key Rank
0 200 400 600 800 1000 1200 1400
Number of Traces
0
50
100
150
200
250K
eyR
ank
SoC it to EM Slide 20 of 23
Attack Results
Summary of Attack Results
Implementation Hardware Trigger Acquisitions Data
T-tables ARM core GPIO-based 3000 46 kBT-tables ARM core Network-based 100 400 kBHardware Co-processor DMA-based 50 000 500 000 <1GB 7GBBit-sliced NEON core GPIO-based 5000 625 kB
OpenSSL H/W HD Byte Correlation
Sample Index
Cor
rela
tion
OpenSSL H/W Byte Key Rank
0 10000 20000 30000 40000 50000
Number of Traces
0
50
100
150
200
250K
eyR
ank
SoC it to EM Slide 20 of 23
Attack Results
Summary of Attack Results
Implementation Hardware Trigger Acquisitions Data
T-tables ARM core GPIO-based 3000 46 kBT-tables ARM core Network-based 100 400 kBHardware Co-processor DMA-based 50 000 500 000 <1GB 7GBBit-sliced NEON core GPIO-based 5000 625 kB
OpenSSL Neon HW Byte Correlation
Sample Index
Cor
rela
tion
OpenSSL Neon Byte Key Rank
0 500 1000 1500 2000 2500 3000 3500 4000
Number of Traces
0
50
100
150
200
250K
eyR
ank
SoC it to EM Slide 20 of 23
NEON Analysis
I NEON use-cases obviously extend beyond wide datapath for bit-slicing.I Good: constant-time, e.g., for MAC verification
/* Verify tag */A = vceqq_u32(A, LOADU(c + 0));return 0xFFFFFFFF == (vgetq_lane_u32(A, 0) & vgetq_lane_u32(A, 1) &
vgetq_lane_u32(A, 2) & vgetq_lane_u32(A, 3)) ? 0 : -1;
x32[0] x32[1]d1 =
y32[0] = x32[0] y32[1] , x32[1]d2 =
== ==
1111 . . . 1 0000 . . . 0d0 =
vceq.u32 d0, d1, d2
I Bad: strong EM-based leakage; ad hoc countermeasures can be tricky.
0 20 40 60 80 100 120
Sample Index
SoC it to EM Slide 21 of 23
NEON Analysis
I NEON use-cases obviously extend beyond wide datapath for bit-slicing.I Good: constant-time, e.g., for MAC verification
/* Verify tag */A = vceqq_u32(A, LOADU(c + 0));return 0xFFFFFFFF == (vgetq_lane_u32(A, 0) & vgetq_lane_u32(A, 1) &
vgetq_lane_u32(A, 2) & vgetq_lane_u32(A, 3)) ? 0 : -1;
I Bad: strong EM-based leakage; ad hoc countermeasures can be tricky.
0 20 40 60 80 100 120
Sample Index
SoC it to EM Slide 21 of 23
Conclusions
Take away points:I Device complexity does not necessitate a complex attack. Main core and NEON
attacks can both be carried out with a low-end oscilloscope and handmade probes.
I A clear attack methodology is invaluable to attack an unknown device.
I Using advanced hardware features (i.e. NEON SIMD) may accelerate animplementation but also inadvertently introduce new side-channel leaks.
I OS-level software that targets embedded systems should (long-term) consider theimpact of side-channels attacks in deployment.
Future Work:I Semi-fixed versus random tests are a great tool but how do we translate this into a
leakage model?
I Hardware engine are increasingly common (ARMv8 architecture even has provisionsfor it). How do we synchronise on a signal we can’t identify?
SoC it to EM Slide 22 of 23
Questions?
THANK YOU FOR THE TALK
JUST ONE SMALL QUESTION...
...WHAT IS THIS DPA THINGY?
SoC it to EM Slide 23 of 23
Clock scaling?
300 MHz
0 100 200 300 400 500
Sample Index
Am
plit
ude
600 MHz
0 50 100 150 200 250
Sample Index
Am
plit
ude
800 MHz
0 50 100 150 200
Sample Index
Am
plit
ude
1000 MHz
0 20 40 60 80 100 120 140 160
Sample Index
Am
plit
ude
SoC it to EM Slide 1 of 2
Clock scaling cleaned up!
300 MHz
0 100 200 300 400 500
Sample Index
Am
plit
ude
600 MHz
0 50 100 150 200 250
Sample Index
Am
plit
ude
800 MHz
0 50 100 150 200
Sample Index
Am
plit
ude
1000 MHz
0 20 40 60 80 100 120 140 160
Sample Index
Am
plit
ude
SoC it to EM Slide 2 of 2