fault attacks and countermeasures
play

Fault Attacks and Countermeasures Michael Hutter Summer School on - PowerPoint PPT Presentation

Feb 01, 2024 •525 likes •849 views

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

  1. Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications ˆ Sibenik, Croatia, 1-6 June, 2014 Michael Hutter June 5, 2014

  2. Introduction Threats Setups Attacks Countermeasures Conclusion 2 / 31 Outline 1 Introduction 2 Adversaries and Threats 3 Setups and Examples 4 Exploitation of Faults 5 Countermeasures 6 Conclusion Michael Hutter June 5, 2014

  3. Introduction Threats Setups Attacks Countermeasures Conclusion 3 / 31 What are Fault Attacks? Michael Hutter June 5, 2014

  4. Introduction Threats Setups Attacks Countermeasures Conclusion 4 / 31 Fault Models Duration of faults ◮ Transient ◮ Permanent ◮ Destructive Controllability (precise, loose, no) [15] ◮ Fault location ◮ Fault timing Fault precision ◮ Single bit ◮ Few bits ◮ Byte/word Michael Hutter June 5, 2014

  5. Introduction Threats Setups Attacks Countermeasures Conclusion 5 / 31 Fault Types Let B = { b 0 , b 1 , ..., b n − 1 } be an arbitrary set of bits in memory [15]. Stuck-at faults ◮ Bits of B get fixed to a value { 0 , 1 } and cannot be changed anymore ◮ b i � b ′ ∀ i ∈ [0 , n − 1] i Bit-flip faults ◮ E.g., all bits of B get flipped ◮ b i � b ′ i = 1 − b i ∀ i ∈ [0 , n − 1] Random faults ◮ Bits of B are randomly set ◮ b i � b ′ i ∈ { 0 , 1 } ∀ i ∈ [0 , n − 1] Set/reset faults ◮ Bits of B are set to 1 or 0 ◮ b i � b ′ i = c i c i ∈ { 0 , 1 } ∀ i ∈ [0 , n − 1] Michael Hutter June 5, 2014

  6. Introduction Threats Setups Attacks Countermeasures Conclusion 6 / 31 Adversaries and Threats Class I ◮ Clever outsider Class II ◮ Knowledgeable insider Class III ◮ Company/university Michael Hutter June 5, 2014

  7. Introduction Threats Setups Attacks Countermeasures Conclusion 7 / 31 Adversaries Capability Range Michael Hutter June 5, 2014

  8. Introduction Threats Setups Attacks Countermeasures Conclusion 8 / 31 Fault-Injection Methods Non-invasive ◮ Package left untouched ◮ Modify working conditions Semi-invasive ◮ De-capsulation, e.g., optical inductions ◮ Allows direct contact to the chip die Invasive ◮ Establish electrical contact to chip ◮ Modification, destruction, ... Michael Hutter June 5, 2014

  9. Introduction Threats Setups Attacks Countermeasures Conclusion 9 / 31 Non-Invasive Attack Setups - Spikes and Glitches Michael Hutter June 5, 2014

  10. Introduction Threats Setups Attacks Countermeasures Conclusion 10 / 31 Spike/Glitch Attacks - Examples Under-voltage attacks (CHES 2008 [7]) RF signal Unconf. Unconf. Unconf. Reader Tag Lazy Faulty Successful ◮ RFID antenna tearing - cut-off power request response Write Write Write supply shortly Over-voltage spikes (ECCTD 2009 [8]) t1 t2 ◮ Transistor can switch to higher voltages Time ( > 5 Volts) for a short period of time Clock-glitch attacks ◮ Mostly timing violations (setup/hold) Fault effects ◮ Allow to change memory content ◮ Change of program flow: skipping instructions, program-counter changes, tampering loop bounds, opcode changes, modifications of instruction and/or operand addresses, ... Michael Hutter June 5, 2014

  11. Introduction Threats Setups Attacks Countermeasures Conclusion 11 / 31 Non-Invasive Attack Setups - EM Pulses Michael Hutter June 5, 2014

  12. Introduction Threats Setups Attacks Countermeasures Conclusion 12 / 31 EM Attack - Example EM pulses induce Eddy currents that cause transistors to switch Fault attack on a CRT-RSA signature generation [18, 2] ◮ Let n = pq . Instead of calculating S = m d mod n , you can split the computation into S 1 = m d mod p and S 2 = m d mod q . ◮ Use the Chinese Remainder Theorem (CRT) to combine them such that S = aS 1 + bS 2 mod n = CRT( S 1 , S 2 ) mod n ◮ A faulty computation, e.g., in S 1 , leads to gcd ( S − ˜ S , n ) = gcd ( a ( S 1 − ˜ S 1 ) , n ) = q Michael Hutter June 5, 2014

  13. Introduction Threats Setups Attacks Countermeasures Conclusion 13 / 31 Non-Invasive Attack Setups - Temperature Michael Hutter June 5, 2014

  14. Introduction Threats Setups Attacks Countermeasures Conclusion 14 / 31 High-Temperature Fault Attacks - Example CARDIS 2013 [6] or [16] 10 µ C placed on top of a heating plate Frequency of fault occurrence 8 ◮ No response beyond 160 ◦ C 6 ◮ Within 70 minutes, we got 100 faults 4 (between 152 and 158 ◦ C) ◮ Attacking CRT-RSA: 31 revealed one of 2 the prime modulus: 15 revealed p , 16 0 150 152 154 156 158 160 revealed q Temperature [°C] Exploiting data-remanence effects [5, 1] 70 ◮ Extensive heating accelerates aging 65 (Negative Bias Temperature Instability) Success rate [%] 60 ◮ Experiment: 100 ◦ C for 36h at 5.5 V ◮ SRAM cells got biased to either 1 or 0 55 Predicting a "1" ◮ 30 % of memory change after heating 50 Predicting a "0" Data-retention attacks by cooling [20] 45 0 5 10 15 20 25 30 35 Burn−in stress time [h] Michael Hutter June 5, 2014

  15. Introduction Threats Setups Attacks Countermeasures Conclusion 15 / 31 Semi-Invasive Attack Setups Michael Hutter June 5, 2014

  16. Introduction Threats Setups Attacks Countermeasures Conclusion 16 / 31 Semi-Invasive Attack - Example AES on an 8-bit microcontroller (FDTC 2009 [19]) Modifying 256-bit S-box table stored in flash memory using a low-cost UV lamp ◮ UV-light resistant marker protects remaining memory Byte fault allows recovering of entire key (using 2 500 pairs of correct and faulty encryptions) Michael Hutter June 5, 2014

  17. Introduction Threats Setups Attacks Countermeasures Conclusion 17 / 31 Invasive Attack Setups (1) Michael Hutter June 5, 2014

  18. Introduction Threats Setups Attacks Countermeasures Conclusion 18 / 31 Invasive Attack Setups (2) Picture courtesy of Dr. J¨ orn-Marc Schmidt Michael Hutter June 5, 2014

  19. Introduction Threats Setups Attacks Countermeasures Conclusion 19 / 31 Exploitation of Faults Algorithm-specific attacks, e.g., in ECC ◮ Manipulation of input parameters, e.g., base point [3] ◮ Operations are done on a twist where ECDLP is easier to solve ◮ Recover ephemeral key in ECDSA [14] Differential Fault Analysis (DFA) ◮ Exploitation of differential information ◮ Collection of correct and faulty outputs ◮ Solve differential fault equations with cryptanalysis techniques Instruction-skipping attacks ◮ E.g., skip square-and-multiply operations of RSA [17] Safe-error attacks ◮ Exploit faults in key-dependent operations ◮ Faults in computational part: C safe-errors ◮ Faults in memory: M safe-errors Michael Hutter June 5, 2014

  20. Introduction Threats Setups Attacks Countermeasures Conclusion 20 / 31 Hardware Countermeasures Sensors and filters ◮ Detection of frequency changes ◮ Power watchdogs, light detectors, temperature sensors, ... Hardware redundancy ◮ Parallel computation, check result at the end ◮ Double memory, e.g., dual-rail logic Hiding and masking ◮ Randomize the computation (dummy random cycles, asynchronous designs, unstable clocks, ...) ◮ Obfuscation: bus scrambling, memory encryption, glue logic, ... Shielding ◮ Active shielding (wire mesh on chip surface that detects interruptions) ◮ Passive shielding (metal plate, additional metal layers, ...) Switch to newer CMOS process technology ◮ Smaller transistors are usually harder to attack... Michael Hutter June 5, 2014

  21. Introduction Threats Setups Attacks Countermeasures Conclusion 21 / 31 Software Countermeasures (1) General countermeasures [10] ◮ Checking input/output parameters (e.g., ECC point-validity checks) ◮ Loop counters (use invariants, calc round signature) ◮ Cyclic redundancy checks (checksum is stored together with data) ◮ Hiding and masking (randomization limits precision) ◮ Time redundancy (calc twice and check, but: permanent faults?) ◮ Inverse computations (decrypt after encryption and check input) r Protocol-level countermeasures ◮ Fresh re-keying [13] k g k ( r ) ◮ ”all-or-nothing“ transforms [11] ◮ Message modifications [4] k ∗ m f k ∗ ( m ) c Michael Hutter June 5, 2014

  22. Introduction Threats Setups Attacks Countermeasures Conclusion 22 / 31 Software Countermeasures (2) Information redundancy ◮ Add parities E.g., with linear codes Problems: not compatible with non-linear functions like AES S-box ◮ Ring embeddings [12] Idea: perform operations on both data and check elements E.g., embed AES field into a larger ring with data and check algebra ◮ Infective computations [21] Idea: output only random data if there was a fault E.g., add secret error and remove it again at the end (or apply bit scrambling [9]) Michael Hutter June 5, 2014

  23. Introduction Threats Setups Attacks Countermeasures Conclusion 23 / 31 Conclusions There is NO 100% protection! ◮ Fault attacks are very powerful ◮ If you have enough resources, there are almost no limits Countermeasures are needed to make attacks harder ◮ Designer needs to know attack types and techniques ◮ Attacks are always improving - countermeasures too Future work ◮ Passive and Active Combined Attacks (PACA) Michael Hutter June 5, 2014

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies Alternatives 2 ENSM.SE Ecole Nationale

456 views • 22 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides
Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley Telecom ParisTech CNRS LTCI / COMELEC / SEN FDTC 2014 Eleventh

460 views • 43 slides
A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain Guilley rauzy@enst.fr sylvain.guilley@enst.fr pablo.rauzy.name perso.enst.fr/~guilley Telecom ParisTech LTCI / COMELEC / SEN August 24, 2013

711 views • 47 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
channel and fault attacks Jasper van Woudenberg @jzvw January 10, 2019 1 Our vision

channel and fault attacks Jasper van Woudenberg @jzvw January 10, 2019 1 Our vision

Practicing the art and science of side channel and fault attacks Jasper van Woudenberg @jzvw January 10, 2019 1 Our vision certificate recommendations countermeasures 2 Where we are today Science Art Bit of both certificate 2 weeks

998 views • 41 slides
I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

This time Continuing with Software Getting insane with Security I n p u t sanitization); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web architecture Client

1.22k views • 102 slides
Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple

Automated combination of tolerance and control flow integrity countermeasures against multiple fault attacks on embedded systems Thierno Barry PhD Candidate in security of Embedded Systems at CEA ( the French Atomic Energy Commission )

681 views • 18 slides
Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet

Randomness as countermeasures against Side Channel Attacks Nadia El Mrabet nadia.el-mrabet@emse.fr Mines St Etienne WRACH2019, April 17, 2019 Side channel attacks Physical counter measures Algorithmic counter measures Arithmetical

900 views • 36 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 21

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer ESC 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

476 views • 33 slides
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner

T-79.194 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures C. Karlof and D. Wagner presentation by Maarit Hietalahti Helsinki University of Technology Laboratory for Theoretical Computer Science

298 views • 14 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed UCL Crypto Group

Overview of Countermeasures against Implementation Attacks Marcel Medwed UCL Crypto Group

Overview of Countermeasures against Implementation Attacks Marcel Medwed UCL Crypto Group Marcel.medwed@uclouvain.be Design and Security of Cryptographic Algorithms and Devices 1 Albena, May 2011 Outline 1. Motivation & general

787 views • 40 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides

More recommend