Cheap & Cheerful: A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks
Wei He, Jakub Breier, Shivam Bhasin
Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore
SPACE 2016, Hyderabad, India. Dec 16, 2016.
Presentation Outline
1. Context
2. Previous Work
3. Proposed Countermeasure
4. Experimental Results
5. Conclusions
CONTEXT
Fault Injection Attacks: Objectives
• Evaluation of the fault tolerance of critical systems (harsh working environments, e.g., high-energy cosmic rays)
• An aid to reverse engineering
• Bypassing security-check countermeasures
• Inducing sensitive computation errors in a cryptosystem in order to retrieve cryptographic keys
A Fault Attack (FA) exploits intentionally triggered faulty outputs or faulty behaviour of the target device in order to extract confidential information about its internals (e.g., DFA, algebraic FA, FSA, collision, round reduction, etc.).
FI Attacks on Embedded Systems
Common Fault Injection (FI) techniques:
• Power line: power glitch, under-powering [J. Blömer et al., Fault based cryptanalysis ..., 2003]
• Clock tree: clock glitch, over-clocking [M. Agoyan et al., On critical paths and ..., 2010]
• Temperature: slowing down electron/hole mobility [Hamid, H.B.E., et al., The sorcerer's apprentice ..., 2004]
• EM disturbance: eddy current caused by an intense magnetic field from a high transient current pulse in the near field [A. Dehbaoui et al., Injection of transient faults ..., 2012]
• Laser disturbance, or intense white light [S.P. Skorobogatov et al., Optical fault induction ..., 2003]
The power-line and clock-tree techniques are global, low-precision and low-cost; the EM and laser techniques are local, high-precision and expensive.
Laser-Induced Fault on a Transistor
A temporary photocurrent is induced by laser radiation.
• Example: a laser injection into the drain of an "OFF" CMOS inverter can temporarily turn the inverter ON.
[Figure: CMOS inverter cross-section with the PMOS (drain) and NMOS (source) regions.]
• In the real world the laser irradiates numerous transistors simultaneously, hence the fault mechanism induced in the IC is complicated.
• The laser also affects signal propagation in the routing because of its charging and discharging effects on parasitic capacitance.
Fault Protection
Two approaches: detection and prevention.
Fault detection (incremental approach): sensor based (detects physical stress) or information based (detects data modification): parity, error detection, encoding, etc.
Fault prevention (provable approach): circuit modification (dual-rail, private circuits), error correction or infection.
Sensor-Based Countermeasure
Monitor physical conditions: temperature, speed, voltage, laser, EM, etc.
Features of a strong sensor:
• Logically independent from the protected algorithm
• More sensitive than the target circuit
• Quick reaction
• Significant power/spatial security margin
[Figure: laser power vs. injection position. The minimum power for a sensor alarm lies below the minimum power for a cipher fault (power margin), and the detectable region extends beyond the cipher's fault-sensitive region (spatial margin).]
Rationale for Deploying an Injection Detector
• Fault injection attacks have become a critical threat against prevailing security-critical embedded systems.
• A security defence can be breached or compromised by a number of injected computation faults.
• In massively deployed embedded networks, fortifying lightweight devices with heavy countermeasures is costly, or even unaffordable.
• Effective and low-cost countermeasures against fault injection attacks are therefore highly demanded.
Security vs. efficiency: e.g., a lightweight detector is demanded in massively deployed, security-critical end-points in WSNs, IoT, etc.
PREVIOUS WORKS
Previous Work: Glitch Detector
The glitch detector proposed in [1] is based on set-up time violation.
[Figure: a D flip-flop whose D input is CK passed through a delay element and whose clock is DCK; its Q output is the alarm.]
Power-line disturbance, under-power (deceleration): the delay is increased.
[Waveforms: CK, DCK and alarm under normal power supply and under under-power; the alarm goes to 1 under under-power.]
[1] Loïc Zussa et al., Efficiency of a glitch detector against electromagnetic fault injection.
Previous Work: Glitch Detector
The glitch detector proposed in [1] is based on set-up time violation.
Power-line disturbance, over-power (acceleration): the delay is reduced.
[Waveforms: CK, DCK and alarm under normal power supply and under over-power; no alarm is raised.]
So this glitch detector only detects in one direction (uni-directional detection).
Ring Oscillator (RO) Watchdog
A frequency ripple of an RO [2] can be temporarily incurred by external electrical impacts in its vicinity, such as an intense EM/laser pulse or a power/clock glitch.
[Figure: RO frequency without laser impact vs. RO frequency with laser impact; an observable frequency ripple appears on the high-frequency RO.]
[2] N. Miura et al., PLL to the Rescue: A novel EM fault countermeasure.
Previous Work: PLL Sensor System
A Phase-Locked Loop (PLL) is a widely used analog component in circuitry for providing a stable and precise clock source.
• Composed of a Phase-Frequency Detector (PFD), a Low Pass Filter (LF) and a Voltage-Controlled Oscillator (VCO).
• Locks the clock phase using a feedback loop.
• A disturbance on the PLL clock input may temporarily unlock the PLL.
• But a PLL is a scarce and expensive resource on an FPGA.
[Figure: PLL lock status over time: locked, then unlocked during the disturbance, then locked again.]
PROPOSED COUNTERMEASURE
Proposal: Digital Sensor
Basic architecture
• Ring oscillator (similar to the PLL sensor introduced before)
• All-digital disturbance capture (replacing the heavy PLL)
[Figure: the watchdog sensor (an RO with an enable input) feeds the disturbance-capture stage: taps f1 and f2 drive the D inputs of FF1 and FF2, both clocked by the ck tap through a delay element (ck-delay, with a delay factor); the alarm is derived from Q1 and Q2 (labelled Q1&Q2 in the figure): 1 = safe, 0 = injection detected.]
Detection principle
• Extract three frequencies from one RO (f1, ck, f2).
• They have a fixed phase shift (f1 -> ck -> f2).
• f1 and f2 are sampled at ck-delay to enhance detection.
Detection Mechanism
Under stable oscillation the sampled outputs Q1 and Q2 are constant. With a frequency disturbance in the RO, Alarm = f(Q1, Q2) changes.
[Waveforms of f1, ck-delay and f2 with the time window for sampling marked:
(a) no disturbance, stable frequency: Q1Q2 = 10, Alarm = 1
(b) temporarily decreased frequency (increased clock period): Q1Q2 = 11, Alarm = 1 -> 0
(c) temporarily increased frequency (decreased clock period): Q1Q2 = 00, Alarm = 1 -> 0]
Low-cost Implementation
Merits: versatile and lightweight
• All-digital architecture
• Bi-directional detection
• Negligible hardware cost
Demerits:
• Timing constraints required
[Figure: the sensor block diagram from the previous slide (RO watchdog, FF1/FF2 sampling f1 and f2 on the delayed ck, alarm from Q1 and Q2).]
EXPERIMENTAL RESULTS
Experimental Setup
Platform setup details
• Delayered Xilinx 65 nm Virtex-5 FPGA on a Genesys commercial board
• 2-dimensional (X-Y) stepper stage, 0.05 um minimum step
• Riscure diode pulse laser (1064 nm wavelength), with x5 objective lens
• Synchronized communication with a GUI on the PC, for observing computation faults and alarms
[Figure: the PC control interface drives a digital glitch generator (glitch pulse) and the diode pulse laser (current pulse), and exchanges trigger signal, plaintexts, ciphertexts and alarm with the target FPGA board via an Arduino bridge board; the target FPGA die sits on a motorized 2D stage.]
Target Block Cipher: PRESENT-80
The lightweight symmetric cipher PRESENT-80 is selected as the attacked cipher, implemented on the target Virtex-5 FPGA.
• The 64-bit round data registers are the target logic for laser injection attacks (bit flips).
• The timing of the injection focuses on the last-round data registers.
[Figure: PRESENT-80 round datapath: 64-bit plaintext XORed with the 64-bit round key, a layer of 4-bit S-boxes, the pLayer, and the 64-bit round data registers (D/Q) controlled by round_ctrl; the output is the 64-bit ciphertext.]
RO Frequency Ripple under Laser Injection
In practice the frequency disturbance is a complex combination spanning a number of RO oscillation cycles, so several alarms are likely to be triggered by a single injection. Therefore only the falling edge of the first alarm is latched as the alarm output.
[Waveforms: injection trigger signal, RO frequency (357 MHz) and alarm on a time line; the trigger-to-injection delay, the RO frequency ripple and the alarm response time are marked.]
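As an added illustration (not the authors' HDL or any code from the talk), the following Python behavioural model covers the detection mechanism of the "Proposal" and "Detection Mechanism" slides together with the first-alarm latch described on this slide. The tap phases, the fixed absolute ck-delay, the 50% duty cycle and alarm = Q1 XOR Q2 (the XOR gate named on the local-register evaluation slide) are assumptions chosen to reproduce the 10 / 11 / 00 cases; the disturbance sequence is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# 357 MHz RO as on the slide -> ~2.8 ns period (assumed nominal period)
T0_NS = 1e9 / 357e6

@dataclass(frozen=True)
class RoSensor:
    """Behavioural model: three taps of one RO (f1 -> ck -> f2 with a fixed
    phase shift); f1 and f2 are sampled by FF1/FF2 on the delayed ck edge.
    Tap phases are assumed fractions of the RO period; the ck-delay is an
    assumed fixed absolute delay, so its fraction of a period moves when
    the RO frequency is disturbed, which is what shifts the samples."""
    f1_phase: float = 0.00          # fraction of the period at which f1 rises
    ck_phase: float = 0.05          # ck rises shortly after f1
    f2_phase: float = 0.90          # f2 rises late in the period
    ck_delay_ns: float = 0.40 * T0_NS  # assumed fixed delay on the ck tap

    @staticmethod
    def _high(rise: float, at: float) -> int:
        """Level of a 50%-duty square wave rising at fraction `rise`."""
        return int((at - rise) % 1.0 < 0.5)

    def sample(self, period_ns: float) -> tuple[int, int, int]:
        """One RO cycle of the given period -> (Q1, Q2, alarm);
        alarm = Q1 XOR Q2, so '10' -> 1 (safe), '11' or '00' -> 0."""
        s = (self.ck_phase + self.ck_delay_ns / period_ns) % 1.0
        q1 = self._high(self.f1_phase, s)
        q2 = self._high(self.f2_phase, s)
        return q1, q2, q1 ^ q2

    def run(self, periods_ns: list[float]) -> tuple[Optional[int], list[str]]:
        """Feed one period per RO cycle; latch only the falling edge of the
        first alarm and return (cycle of detection, Q1Q2 pattern per cycle)."""
        latched, patterns, prev = None, [], 1
        for i, t in enumerate(periods_ns):
            q1, q2, alarm = self.sample(t)
            patterns.append(f"{q1}{q2}")
            if latched is None and prev == 1 and alarm == 0:
                latched = i
            prev = alarm
        return latched, patterns

# Constructed disturbance: the RO slows for three cycles (period up 20%),
# then overshoots (period down 12%) before settling back to nominal.
DISTURBED = [T0_NS] * 4 + [1.2 * T0_NS] * 3 + [0.88 * T0_NS] * 2 + [T0_NS] * 4

if __name__ == "__main__":
    s = RoSensor()
    print("nominal Q1,Q2,alarm:", s.sample(T0_NS))          # (1, 0, 1)
    print("slower  Q1,Q2,alarm:", s.sample(1.2 * T0_NS))    # (1, 1, 0)
    print("faster  Q1,Q2,alarm:", s.sample(0.88 * T0_NS))   # (0, 0, 0)
    print("latched at cycle, patterns:", s.run(DISTURBED))
```

Both directions of the ripple drive the alarm low, which is the bi-directional detection the glitch detector of [1] lacks; the latch fires once, at the first falling edge, even though the later overshoot cycles would alarm again.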
Security Evaluation-1: Local Register
Only the cipher's round data registers in PRESENT-80 are protected.
• The watchdog RO is deployed covering 8 CLBs (the 64-bit registers).
[Figure: FPGA floorplan with the ring-oscillator loop, its taps f1, ck and f2 and the ck-delay surrounding the 8 CLBs holding the 64-bit cipher round registers; FF1, FF2 and the XOR gate sit beside them.]
Security Evaluation-1: Local Register
2D plot of the laser scan over the chip region, compared to the PLL-based sensor.
• Red dots: alarm only
• Blue dots: alarm + fault
• Green dots: fault only
[Figure: scan maps for the PLL-based detector and the proposed detector; the proposed detector shows a higher detection rate.]