
Cheap & Cheerful: A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks. Wei He, Jakub Breier, Shivam Bhasin. Slide transcript of the PowerPoint presentation.


  1. Cheap & Cheerful: A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks. Wei He, Jakub Breier, Shivam Bhasin. Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore. SPACE 2016, Hyderabad, India. Dec 16, 2016.

  2. Presentation Outline
  1. Context
  2. Previous Work
  3. Proposed Countermeasure
  4. Experimental Results
  5. Conclusions

  3. CONTEXT

  4. Fault Injection Attacks
  Objectives:
  • Evaluation of the fault tolerance of a critical system (harsh working environment, e.g. high-energy cosmic rays)
  • Aid to reverse engineering
  • Bypassing security checks and countermeasures
  • Inducing errors in sensitive computations of a cryptosystem in order to retrieve the cryptographic key
  A Fault Attack (FA) exploits the intentionally triggered faulty output or faulty behaviour of the target device in order to extract confidential information about its internals (e.g. DFA, algebraic FA, FSA, collision attacks, round reduction, etc.).

  5. FI Attacks on Embedded Systems
  Common fault injection (FI) techniques:
  • Power line: power glitch, under-powering [J. Blömer et al.: Fault based cryptanalysis …, 2003]
  • Clock tree: clock glitch, over-clocking [M. Agoyan et al.: On critical paths and …, 2010]
  • Temperature: slowing down the electron/hole mobility [H. Bar-El et al.: The sorcerer's apprentice …, 2004]
    These three are global (affect the whole chip), low-precision and low-cost.
  • EM disturbance: eddy currents caused by an intense magnetic field from a high transient current pulse in the near field [A. Dehbaoui et al.: Injection of transient faults …, 2012]
  • Laser disturbance, or intense white light [S. P. Skorobogatov et al.: Optical fault induction …, 2003]
    These two are local (targetable to a chip region), high-precision and expensive.

  6. Laser-Induced Fault on a Transistor
  • Laser radiation induces a temporary photocurrent in the silicon.
  • Example: a laser shot into the drain of the transistor that is OFF in a CMOS inverter can temporarily switch that inverter ON.
  • In the real world the laser spot irradiates numerous transistors simultaneously, so the fault mechanism induced in an IC is complicated.
  • The laser also affects signal propagation in the routing, because of its charging and discharging effects on parasitic capacitances.
  [Figure: CMOS inverter with the laser spot at the PMOS drain; NMOS source.]

  7. Fault Protection
  Two approaches: detection and prevention.
  Fault detection (incremental approach):
  • Sensor based (detect the physical stress), or
  • Information based (detect the data modification): parity, error detection, encoding, etc.
  Fault prevention (provable approach):
  • Circuit modification (dual-rail, private circuits)
  • Error correction or infection

  8. Sensor Based Countermeasure
  Monitor the physical conditions: temperature, speed, voltage, laser, EM, etc.
  Features of a strong sensor:
  • Logically independent from the protected algorithm
  • More sensitive than the target circuit
  • Quick reaction
  • Significant power and spatial security margins: the sensor must alarm at a lower laser power than the minimum power that faults the cipher (power margin), and the region in which it detects an injection must cover the cipher's fault-sensitive region (spatial margin).
  [Figure: laser power axis with min. power for a cipher fault vs. min. power for a sensor alarm (power margin); cipher fault-sensitive region vs. detectable region (spatial margin).]

  9. Rationale for Deploying an Injection Detector
  • Fault injection attacks have become a critical threat against prevailing security-critical embedded systems.
  • A security defence can be breached or compromised by a small number of injected computation faults.
  • In massively deployed embedded networks, fortifying the lightweight devices with heavy countermeasures is costly, or even unaffordable.
  • Effective and low-cost countermeasures against fault injection attacks are therefore highly demanded.
  Security vs. efficiency: e.g. a lightweight detector is needed in massively deployed, security-critical end-points in WSNs, IoT, etc.

  10. PREVIOUS WORKS

  11. Previous Work: Glitch Detector
  • The glitch detector proposed in [1] is based on a set-up time violation: the clock CK is passed through a delay element to produce DCK, and a flip-flop (D, Q) samples with it; the alarm is raised when the sampled value changes.
  • Power-line disturbance, under-power (deceleration): the delay increases, DCK arrives late, and the alarm goes to 1.
  [Figure: CK, DCK and alarm timing under normal and under-powered supply.]
  [1] L. Zussa et al. Efficiency of a glitch detector against electromagnetic fault injection.

  12. Previous Work: Glitch Detector (cont.)
  • Power-line disturbance, over-power (acceleration): the delay is reduced and the detector does not trip.
  [Figure: CK, DCK and alarm timing under normal and over-powered supply.]
  So this glitch detector is uni-directional: it detects a change of the delay in one direction only.

  13. Ring Oscillator (RO) Watchdog
  A frequency ripple of an RO [2] can be temporarily incurred by external electrical impacts in its vicinity, such as an intense EM/laser pulse or a power/clock glitch.
  [Figure: RO frequency without laser impact vs. with laser impact; the frequency ripple is observable on a high-frequency RO.]
  [2] N. Miura et al. PLL to the rescue: a novel EM fault countermeasure.

  14. Previous Work: PLL Sensor System
  A Phase-Locked Loop (PLL) is a widely used analog component for providing a stable and precise clock source.
  • Composed of a phase-frequency detector (PFD), a low-pass loop filter (LF) and a voltage-controlled oscillator (VCO).
  • Locks the clock phase using a feedback loop.
  • A disturbance on the PLL clock input may temporarily unlock the PLL, which serves as the alarm.
  • But a PLL is a scarce and expensive resource in an FPGA.
  [Figure: PLL lock status over time: locked, unlock, locked.]

  15. PROPOSED COUNTERMEASURE

  16. Proposed Digital Sensor
  Basic architecture:
  • Watchdog sensor: a ring oscillator (similar to the PLL sensor introduced before), with an enable input.
  • Disturbance capture: all-digital (replacing the heavy PLL). Two flip-flops FF1 and FF2 sample f1 and f2 on ck delayed by a delay factor (ck-delay); alarm = f(Q1, Q2), with 1 = safe and 0 = injection detected.
  Detection principle:
  • Extract three signals of the same frequency from one RO (f1, ck, f2).
  • They have a fixed phase shift (f1 -> ck -> f2).
  • f1 and f2 are sampled at ck-delay to enhance detection.

  17. Detection Mechanism
  • Under stable oscillation, the sampled outputs Q1 and Q2 are constant.
  • With a frequency disturbance in the RO, alarm = f(Q1, Q2) changes.
  Sampling cases (Q1Q2 captured in the sampling window at ck-delay):
  (a) no disturbance, stable f1/f2: Q1Q2 = 10, alarm = 1
  (b) temporarily decreased frequency (increased clock period): Q1Q2 = 11, alarm = 1 -> 0
  (c) temporarily increased frequency (decreased clock period): Q1Q2 = 00, alarm = 1 -> 0

  18. Low-cost Implementation
  Merits: versatile and lightweight
  • All-digital architecture
  • Bi-directional detection (both frequency increase and decrease)
  • Negligible hardware cost: an RO, two flip-flops, a delay element and one gate
  Demerits:
  • Timing constraints are required on the sampling path

  19. EXPERIMENTAL RESULTS

  20. Experimental Setup
  Platform setup details:
  • Delayered Xilinx 65 nm Virtex-5 FPGA on a Genesys commercial board
  • 2-dimensional (X-Y) motorized stepper stage, 0.05 µm minimum step
  • Riscure diode pulse laser (1064 nm wavelength) with a 5x objective lens
  • Synchronized communication with a GUI on the PC for observing computation faults and alarms
  [Figure: PC control interface; Arduino bridge board carrying the digital glitch generator and trigger signal; diode pulse laser driven by the glitch pulse current; target FPGA board with the exposed FPGA die on the motorized 2D stage; plaintexts in, ciphertexts and alarm out.]

  21. Target Block Cipher: PRESENT-80
  • The lightweight symmetric cipher PRESENT-80 is selected as the attacked cipher, implemented on the target Virtex-5 FPGA.
  • The 64-bit round data registers are the target logic for the laser injection of bit flips.
  • The injection timing focuses on the last round's data registers.
  [Figure: PRESENT-80 round datapath: 64-bit plaintext, 64-bit round key addition, sixteen 4-bit S-boxes, pLayer, 64-bit round data registers (D, Q) under round_ctrl, 64-bit ciphertext.]

  22. RO Frequency Ripple under Laser Injection
  • In practice the frequency disturbance is a complex combination spanning a number of RO oscillation cycles, so several alarms are likely to be triggered by a single injection.
  • Therefore only the falling edge of the first alarm is latched as the alarm output.
  [Figure: timeline of the injection trigger signal, the RO frequency (357 MHz) with its ripple, and the alarm; the trigger-to-injection delay and the alarm response time are marked.]
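The following Python model, added here as an illustration and not code from the paper, simulates the sampling mechanism of slides 16 and 17 together with the first-falling-edge latching of slide 22. It assumes a simplified timing model: f1 and f2 are taps of the same ring oscillator whose phase offsets from ck are fixed fractions of the RO period (so they move with the RO frequency), while ck-delay is a fixed-time delay assumed to lie outside the disturbed ring. The tap phases (0.15 and 0.78 of a period), the 3 ns ck-delay, the 10 ns nominal period and the ripple trace are constructed values chosen so that the stable state reproduces the slide's Q1Q2 = 10; they are not the paper's design parameters. The alarm is Q1 XOR Q2, which matches the XOR gate named on slide 23 and the three cases on slide 17.

```python
"""Behavioural model of the all-digital RO watchdog sensor (added example, not the paper's code).

Timing model (assumption): ck-delay is a fixed time; the f1/f2 tap phases are fixed
fractions of the RO period. A laser-induced change of the RO period therefore shifts
the sampling instant relative to f1/f2 and flips the captured values Q1/Q2.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SensorConfig:
    ck_delay: float  # fixed-time delay on the sampling clock, in ns (assumed outside the ring)
    phi_f1: float    # f1 leads ck by this fraction of the RO period (assumed tap placement)
    phi_f2: float    # f2 lags ck by this fraction of the RO period (assumed tap placement)


def ro_level(phase: float) -> int:
    """Logic level of a 50 % duty-cycle RO waveform, `phase` periods after its rising edge."""
    return 1 if (phase % 1.0) < 0.5 else 0


def sample(cfg: SensorConfig, period: float) -> Tuple[int, int, int]:
    """One sampling event of FF1/FF2.

    ck rises at phase 0; the delayed edge lands ck_delay/period periods later and both
    flip-flops capture their inputs there. Returns (Q1, Q2, alarm) with
    alarm = Q1 XOR Q2: 1 = safe, 0 = injection detected (the slides' polarity).
    """
    sampling_phase = cfg.ck_delay / period
    q1 = ro_level(sampling_phase + cfg.phi_f1)  # f1 leads ck
    q2 = ro_level(sampling_phase - cfg.phi_f2)  # f2 lags ck
    return q1, q2, q1 ^ q2


def run(cfg: SensorConfig, periods: Sequence[float]) -> List[Tuple[int, int, int]]:
    """Sample once per RO cycle over a trace of per-cycle periods."""
    return [sample(cfg, t) for t in periods]


def first_alarm_fall(alarms: Sequence[int]) -> Optional[int]:
    """Index of the first 1->0 transition of the alarm: what the output latch captures.
    Later alarms from the same ripple are ignored. None if the alarm never fell."""
    for i in range(1, len(alarms)):
        if alarms[i - 1] == 1 and alarms[i] == 0:
            return i
    return None


def safe_band(cfg: SensorConfig, nominal: float, step: float = 0.01,
              max_steps: int = 1000) -> Tuple[float, float]:
    """Smallest and largest RO period (scanned in `step` increments around `nominal`)
    for which the sensor still reports safe, i.e. the ripple it tolerates."""
    lo = hi = nominal
    for k in range(1, max_steps):
        t = nominal - k * step
        if t <= 0 or sample(cfg, t)[2] == 0:
            break
        lo = t
    for k in range(1, max_steps):
        t = nominal + k * step
        if sample(cfg, t)[2] == 0:
            break
        hi = t
    return lo, hi


# Constructed parameters: 10 ns nominal period, 3 ns ck-delay, taps at 0.15 T lead and
# 0.78 T lag. Chosen so the stable state is Q1Q2 = 10, alarm = 1; not the paper's values.
CFG = SensorConfig(ck_delay=3.0, phi_f1=0.15, phi_f2=0.78)
NOMINAL_PERIOD = 10.0

# Constructed ripple trace (per-cycle periods in ns): stable, a slowdown, recovery,
# a brief speedup, recovery. Not measured data.
RIPPLE_TRACE = [10.0] * 5 + [12.0] * 3 + [10.0] * 4 + [8.0] * 2 + [10.0] * 3


def demo() -> Optional[int]:
    """Print the per-cycle trace and return the cycle at which the alarm is latched."""
    trace = run(CFG, RIPPLE_TRACE)
    alarms = [a for _, _, a in trace]
    for cycle, (t, (q1, q2, a)) in enumerate(zip(RIPPLE_TRACE, trace)):
        print(f"cycle {cycle:2d}  T={t:4.1f} ns  Q1Q2={q1}{q2}  alarm={a}")
    latched = first_alarm_fall(alarms)
    print("latched alarm at cycle:", latched)
    print("safe period band (ns):", safe_band(CFG, NOMINAL_PERIOD))
    return latched


if __name__ == "__main__":
    demo()
```

Running it prints Q1Q2 = 10 for the stable cycles, 11 during the slowdown and 00 during the speedup, the alarm latching on the first falling edge (cycle 5), and the band of RO periods the sensor tolerates before tripping. Where the taps sit relative to ck-delay sets how small a ripple trips the sensor; too tight a margin would also trip on ordinary process, voltage and temperature variation, which is the kind of timing constraint the authors list as the design's demerit.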

  23. Security Evaluation 1: Local Register
  • Only the cipher's round data register in PRESENT-80 is protected.
  • The watchdog RO is deployed covering the 8 CLBs that hold the 64-bit round registers.
  [Figure: ring oscillator loop routed around the 8 CLBs of the 64-bit cipher round registers, with the ck, f1 and f2 taps, the ck-delay element, FF1, FF2 and the XOR gate.]

  24. Security Evaluation 1: Local Register (cont.)
  2D plot of the laser scan over the chip region, comparing the PLL-based detector with the proposed detector.
  • Red dots: only alarm (detection without a fault)
  • Blue dots: alarm + fault (detected fault)
  • Green dots: only fault (undetected fault)
  The proposed detector achieves a higher detection rate than the PLL-based one.
