in mixed signal iot devices
play

in Mixed-Signal IoT Devices Dennis R. E. Gnad, Jonas Krautter, Mehdi - PowerPoint PPT Presentation

Feb 14, 2023 •114 likes •480 views

Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices Dennis R. E. Gnad, Jonas Krautter, Mehdi B. Tahoori I NSTITUT FR T ECHNISCHE I NFORMATIK C HAIR OF D EPENDABLE N ANO C OMPUTING KIT University of the State of

  1. Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices Dennis R. E. Gnad, Jonas Krautter, Mehdi B. Tahoori I NSTITUT FÜR T ECHNISCHE I NFORMATIK – C HAIR OF D EPENDABLE N ANO C OMPUTING KIT – University of the State of Baden-Wuerttemberg and 1 www.kit.edu 2019-08-27 National Research Center of the Helmholtz Association

  2. Leaky Noise ??? + Noise that leaks information? Yes, … 2 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  3. Motivation Analog + Digital Future: sensitive causes Everything Mixed-Signal to noise noise Everything Networked / Multi-User 0 1 0 1 0 Component A 1 0 1 1 Internet logical 1 0 1 0 1 isolation 0 1 1 0 1 Component B New security threats? 1 0 1 0 1 0 digital circuits affect analog subsystem 3 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  4. Analog Digital Paper at a Glance ADC 0 1 0 1 1 Attacker 1 0 1 1 0 Goal: Prove Information Leakage inside Chip: logical Digital (Attacker) → Analog → Digital (Victim) isolation Method: Victim Sample ADC during cryptographic algorithm Attacker: ADC Victim: Crypto Leakage Assessment + Correlation Power Analysis (CPA) Time Results: Most tested platforms leak Successful key recovery with CPA ADC=Analog-to-Digital Converter 4 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  5. Outline Background & Related Work Experimental Setup Results Conclusion 5 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  6. Outline Background & Related Work Experimental Setup Results Conclusion 6 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  7. Background: Power Distribution Networks (PDNs) Supplies current to all transistors in a chip Complex network: Resistors (R), Capacitors (C), Inductors (L) Some by design , others unwanted = parasitic Circuit activity causes voltage fluctuations by current changes i(t) Package Analog Digital 𝑒i(t) Package V 𝑜𝑝𝑗𝑡𝑓 = 𝑀 𝑒𝑢 + i(t)𝑆 Pins Silicon Die 7 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  8. Detailed Adversarial Model – Possible Attack Vectors Analog Digital ADC – or any sensor (e.g. Temperature) allowed Logical Isolation: Memory Protection, etc. 1. Attacker or ADC 0 1 0 1 1 Unsuspecting Attacker Victim leaks information into analog part 1 0 1 1 0 samples ADC Victim samples ADC Affects ADC! 1. Attacker: acquires leakage by ADC logical “Leaky Noise” isolation 2. Attacker Victim Cryptography with remote access to ADC data 8 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  9. Background: Power Analysis and Leakage Assessment Power Analysis Side-Channel Attacks (Kocher et al. 1999) Secret key recovery by analyzing power measurement traces Correlation Power Analysis (CPA), Brier et al. 2004 Correlate power measurements with secret key-based hypothesis Leakage Assessment (Goodwill et al. 2011, Schneider et al. 2015) Welch’s t-test: Compare: µ 𝑠𝑏𝑜𝑒𝑝𝑛 − µ 𝑔𝑗𝑦𝑓𝑒 Set of power traces from random encryptions 𝑢 = Set of power traces from fixed (same) encryptions 2 2 𝑜 𝑠𝑏𝑜𝑒𝑝𝑛 + 𝑡 𝑔𝑗𝑦𝑓𝑒 𝑡 𝑠𝑏𝑜𝑒𝑝𝑛 𝑜 𝑔𝑗𝑦𝑓𝑒 Statistical difference indicates leakage, allow attacks |t| > 4.5 considered sufficient 9 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  10. Selected related work “Inside Job” (Schellenberg et al. DATE’18), extended by (Zhao et al. S&P’18) CPA inside FPGA or FPGA-SoC Indirect voltage measurement “Screaming Channels” (Camurati et al. CCS’18) Mixed-Signal Chip, leak over radio, in proximity Digital → Analog Receiver (Attacker) “Side - channel leakage across borders” (Schmidt et al. CARDIS’10) Successful power analysis on I/O port pins of various chips  Here: Digital → Analog → Digital possible on-chip? 10 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  11. Outline Background & Related Work Experimental Setup Results Conclusion 11 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  12. Experimental Setup Platforms Espressif ESP32 ESP32-devkitC – Dual-Core Xtensa CPU, Wifi, .. @ 80MHz ST Microelectronics STM32 L4 IoT Node – Single-Core ARM CPU, Wifi On-Board, .. @ 80MHz F407 Discovery – Single-Core ARM CPU, Ethernet @ 168MHz Software provided by both vendors: mbedTLS – AES and modular exponentiation (used in RSA, ..) FreeRTOS GCC with standard c ompiler optimization “ -Os ” 12 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  13. Experimental Setup Microcontroller Workstation *Victim Task* *Attacker Task* Helper signal on encryption Measurement Leakage Assessment Encryption ADC trace or CPA Voltage Noise, Crosstalk, .. “Leaky Noise” ADC trace UART TX ADC UART RX Encryption Request {Vdd, GND, N/C} ADC=Analog-to-Digital Converter 13 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  14. Outline Background & Related Work Experimental Setup Results Conclusion 14 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  15. Basic Test: Compare ADC with Oscilloscope –– Average V dd Value for 1000 traces Voltage (V) Average STM32F407 Discovery Time (µs) ADC not connected (‘N/C’) stress phases idle phases 1,000 traces –– Average ADC Value for 1000 traces ADC Value Average ADC 0 1 0 1 1 0 1 1 Time (µs) 15 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  16. Leakage Assessment Prerequisites Modular Exponentiation –– Average ADC Value for Fixed Traces 1,000 traces averaged Fixed + Random Encryptions ADC Average t-test: –– Average ADC Value for Random Traces µ 𝑠𝑏𝑜𝑒𝑝𝑛 − µ 𝑔𝑗𝑦𝑓𝑒 𝑢 = 2 2 𝑡 𝑔𝑗𝑦𝑓𝑒 𝑡 𝑠𝑏𝑜𝑒𝑝𝑛 𝑜 𝑠𝑏𝑜𝑒𝑝𝑛 + 𝑜 𝑔𝑗𝑦𝑓𝑒 Samples over Time 16 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  17. Leakage Assessment Results Summary AES: 1,000,000 traces, Modular Exponentiation: 100,000 traces ADC not always noisy ( σ =0) Most cases with noise leaky, |t| >> 4.5 Platform Leakage detected ? AES-128 (Fast ADC) Modular Exponentiation (Slow ADC) Vdd GND N/C Vdd GND N/C ESP32-devkitC σ =0 no σ =0 no yes yes STM32L4 IoT Node σ =0 σ =0 σ =0 yes yes yes 2x STM32F407 Discovery yes yes yes yes yes yes 18 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  18. Correlation Power Analysis Attack on AES STM32F407 Discovery CPA: 10 Million traces, simple alignment applied Ciphertext-based 1. Default setup: ADC@GND, 168MHz, -Os Optimization Less than 25 ADC samples for full AES 2 secret key bytes recovered with high confidence 2. Simplified setup: ADC@Vdd, 56MHz, -O0 Optimization: ~60 samples for full AES 6 secret key bytes recovered with high confidence 19 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  19. Correlation Power Analysis results (best bytes) GND, -Os Optimization: “Hard” ~ 2 Million Traces Vdd, -O0 Optimization “Easy” ~ 500k Traces 20 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  20. Outline Background & Related Work Experimental Setup Results Conclusion 21 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  21. “Leaky Noise” – Conclusion Analog Digital ADC Internet 0 1 0 1 1 Attacker 1 0 1 1 0 Data-dependent noise Attacker can recover the data Victim  Feasible: Attacks across security domains in Mixed-Signal Chips Remote power analysis attacks  Application developers: Prevent ADC-use during cryptography  SoC integrators: Consider digital noise a security risk Potentially: Always apply power analysis countermeasures (?!) 22 2019-08-27 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019

  22. Thanks for your Attention! Acknowledgements: Kevin Schäfer from Rutronik & All Reviewers Questions? 23 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  23. Following: Backup Slides 24 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  24. Tasks Experimental Setup in FreeRTOS Simplified Flow: 25 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  25. Experimental Setup – Software Details 26 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

  26. Experimental Setup – Sampling Details 27 Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices - CHES 2019 2019-08-27

Recommend

Cirrus Logic Mixed-Signal Leadership Mixed-Signal Technologies Explained Analog-to-Digital

Cirrus Logic Mixed-Signal Leadership Mixed-Signal Technologies Explained Analog-to-Digital

Cirrus Logic Mixed-Signal Leadership Mixed-Signal Technologies Explained Analog-to-Digital Converter (ADC) ADC 0001101001 Used for Microphone or other analog inputs in audio systems Digital to Analog Converter (DAC)

197 views • 15 slides
A mixed-signal ic for managing power in 5G applications IPSOC 2018 Introduction

A mixed-signal ic for managing power in 5G applications IPSOC 2018 Introduction

A mixed-signal ic for managing power in 5G applications IPSOC 2018 Introduction Architecture of mixed-signal ics in handsets IPSOC 2018 2 MODEM architecture Protocol stack (RTOS) Transceiver soup letter TDMA, OFDM, CDMA

365 views • 15 slides
Analog Mixed signal Analog Mixed signal Examiners: Prof. Henrik Sjland (Analog+ Mixed) Dr.

Analog Mixed signal Analog Mixed signal Examiners: Prof. Henrik Sjland (Analog+ Mixed) Dr.

ETI210 IC Project and Verification IC Design Challenges Thermal noise A+D co-simulation Device nonlinearity Supply noise Limited bandwidth Substrate noise IC Project 2010 Process variations Crosstalk IC Project 2008 Device mismatch

196 views • 4 slides
Approximate property checking of mixed-signal circuits Parijat Mukherjee, Texas A&M

Approximate property checking of mixed-signal circuits Parijat Mukherjee, Texas A&M

Approximate property checking of mixed-signal circuits Parijat Mukherjee, Texas A&M University Chirayu Amin, Intel Corporation Peng Li, Texas A&M University TAU 2014 Thursday, March 6 th 2014 Outline Mixed-signal design

669 views • 54 slides
An Event-Driven Simulation of Analog/Mixed-Signal Systems and Its Implications to Property

An Event-Driven Simulation of Analog/Mixed-Signal Systems and Its Implications to Property

An Event-Driven Simulation of Analog/Mixed-Signal Systems and Its Implications to Property Assertions Prof. Jaeha Kim Mixed-Signal IC and System Group Seoul National University XMODEL and Property Assertions XMODEL is a SystemVerilog-based

426 views • 30 slides
BK2540C series Digital Storage and Mixed Signal Oscilloscopes BK2540C series Digital Storage and

BK2540C series Digital Storage and Mixed Signal Oscilloscopes BK2540C series Digital Storage and

BK2540C series Digital Storage and Mixed Signal Oscilloscopes BK2540C series Digital Storage and Mixed Signal Oscilloscopes Overview Large 8 widescreen display with 256-level color gradient Bandwidth up to 200 MHz 1 GSa/s sample

519 views • 14 slides
BK2560 series Digital Storage and Mixed Signal Oscilloscopes BK2560 series Digital Storage and

BK2560 series Digital Storage and Mixed Signal Oscilloscopes BK2560 series Digital Storage and

BK2560 series Digital Storage and Mixed Signal Oscilloscopes BK2560 series Digital Storage and Mixed Signal Oscilloscopes Overview Large 8 widescreen display Bandwidth up to 300 MHz 2 GSa/s maximum sample rate 140 Mpts

434 views • 15 slides
Mastering Complex Complex Analogue Analogue Mixed Signal Mixed Signal Mastering Systems with

Mastering Complex Complex Analogue Analogue Mixed Signal Mixed Signal Mastering Systems with

Mastering Complex Complex Analogue Analogue Mixed Signal Mixed Signal Mastering Systems with with SystemC SystemC- -AMS AMS Systems Karsten Einwich Fraunhofer IIS EAS Dresden karsten.einwich@eas.iis.fraunhofer.de Thomas Arndt, Uwe

410 views • 22 slides
Challenges and Opportunities April 5, 2010 Boris Murmann murmann@stanford.edu Murmann Murmann

Challenges and Opportunities April 5, 2010 Boris Murmann murmann@stanford.edu Murmann Murmann

Digitizing the Analog World: Challenges and Opportunities April 5, 2010 Boris Murmann murmann@stanford.edu Murmann Murmann Mixed-Signal Group Mixed-Signal Group Murmann Mixed-Signal Group 2 Research Overview Digital enhancement MEMS

836 views • 45 slides
Challenges and Opportunities April 12, 2010 Boris Murmann murmann@stanford.edu Murmann Murmann

Challenges and Opportunities April 12, 2010 Boris Murmann murmann@stanford.edu Murmann Murmann

Digitizing the Analog World: Challenges and Opportunities April 12, 2010 Boris Murmann murmann@stanford.edu Murmann Murmann Mixed-Signal Group Mixed-Signal Group Murmann Mixed-Signal Group 2 Research Overview Digital enhancement MEMS

518 views • 49 slides
PROMISE An End-To-End Design of a PROgrammable MIxed-Signal AccElerator for Machine Learning

PROMISE An End-To-End Design of a PROgrammable MIxed-Signal AccElerator for Machine Learning

PROMISE An End-To-End Design of a PROgrammable MIxed-Signal AccElerator for Machine Learning Algorithms Prakalp Srivastava *, Mingu Kang *, Sujan K. Gonugondla, Sungmin Lim, Jungwook Choi, Vikram Adve, Nam S. Kim, Naresh Shanbhag

659 views • 30 slides
ABCD: Booleanizing Continuous Systems for Analog/Mixed-Signal Design, Simulation, and

ABCD: Booleanizing Continuous Systems for Analog/Mixed-Signal Design, Simulation, and

ABCD: Booleanizing Continuous Systems for Analog/Mixed-Signal Design, Simulation, and Verification Aadithya V. Karthik, Sayak Ray, Pierluigi Nuzzo, Alan Mishchenko, Robert Brayton, and Jaijeet Roychowdhury EECS Dept., The University of

635 views • 19 slides
Assertions and Measurements for Mixed-Signal Simulation PhD Thesis Thomas Ferr` ere VERIMAG,

Assertions and Measurements for Mixed-Signal Simulation PhD Thesis Thomas Ferr` ere VERIMAG,

Assertions and Measurements for Mixed-Signal Simulation PhD Thesis Thomas Ferr` ere VERIMAG, University of Grenoble (directeur: Oded Maler) Mentor Graphics Corporation (co-encadrant: Ernst Christen) October 28, 2016 Cyber-Physical Systems

1.43k views • 92 slides
ESA-ESTEC GSTP - Analog Silicon Compiler for Mixed Signal ASICs Irradiation of CSA-PSA &

ESA-ESTEC GSTP - Analog Silicon Compiler for Mixed Signal ASICs Irradiation of CSA-PSA &

ESA-ESTEC GSTP - Analog Silicon Compiler for Mixed Signal ASICs Irradiation of CSA-PSA & Design of a CMOS High-Speed 8-bit 100MS/S ADC core Outline ! Irradiation of CSA-PSA chip [designed and fabricated in ASTP4 project] " Objectives

531 views • 52 slides
Analog/Mixed-Signal Design Challenges in 7-nm CMOS and Beyond A.L.S. Loke, D. Yang, T.T. Wee,

Analog/Mixed-Signal Design Challenges in 7-nm CMOS and Beyond A.L.S. Loke, D. Yang, T.T. Wee,

Session 15 Design Foundations for Advanced Technologies Analog/Mixed-Signal Design Challenges in 7-nm CMOS and Beyond A.L.S. Loke, D. Yang, T.T. Wee, J.L. Holland, P. Isakanian, K. Rim, S. Yang, J.S. Schneider, G. Nallapati, S. Dundigal, H.

558 views • 39 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 2:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 2:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 2: January 14, 2019 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 1 Sampling Concept and Bandwidth Limitation

300 views • 29 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 5:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 5:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 5: January 15, 2018 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 7 Speed and Accuracy Considerations of Analog

322 views • 11 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 14:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 14:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 14: February 05, 2018 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 18 Sample & Hold Circuit with Buffer

733 views • 12 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 19:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 19:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 19: February 15, 2018 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 24 Performance Parameters of Data Converters -

349 views • 15 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 18:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 18:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 18: February 13, 2018 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 23 Performance Parameters of Data Converters

344 views • 11 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 10:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 10:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 10: February 03, 2020 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 10 Precision and Speed Considerations Unity

114 views • 9 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 4:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 4:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 4: January 19, 2020 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 3 Coherent Sampling and FFT Simulation

119 views • 11 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 14:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 14:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 14: February 11, 2020 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 15 Introduction to Quantization (Analog to

341 views • 19 slides
Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 11:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 11:

Mixed-Signal VLSI Design Course Code: EE719 Department: Electrical Engineering Lecture 11: February 04, 2020 Instructor Name: M. Shojaei Baghini E-Mail ID: mshojaei@ee.iitb.ac.in 1 2 2 Module 11 Introduction to the Comparators References

516 views • 17 slides

More recommend