ENICS -Emerging Nanoscaled Integrated Circuits and Systems Labs Security oriented codes: What we know and what we don’t Osnat Keren Bar-Ilan University
On security oriented codes Outline Fault injection attacks & HW countermeasures Security oriented error detecting codes Codes in practice * Open problems/design challenges are written in red Bottom line: codes are worth using/paying for
Fault injection attacks The attacker injects faults Variations in supply voltage, variations in the external clock, temperature, white light, laser, .. The faults induce errors that modify the behavior of the device The attacker’s goal: Use the information obtained from the incorrectly-functioning hardware to retrieve classified information, or, substitute correct information by a wrong one
Hardware Countermeasures Algorithm/SW level Hardware level Architecture level - hiding and masking (e.g., dummy cycles) Chip level - shielding, sensors and filters (e.g., temperature sensors) Logic block level - hardware redundancy • Parallel computation • Security oriented codes
Codes as a countermeasure Example: A state machine with six states States @ after-office hours A-1000 B-1001 C-1010 States @ working hours D-1100 E-1101 F-1110 1) What is the worst way for an attacker to manipulate the FSM? 2) What is the best way for an attacker to manipulate the FSM? 3) Is there a better code?
Reliability versus security Our goal: provide reliable and secure communication over a noisy channel with minimal cost Encoder – maps an information word into a codeword Channel – distorts the codeword Decoder – recover the information from the distorted word
Reliability versus security • A code is a subset of legal words (codewords) • In reliability-oriented codes the error correcting capability depends on the minimum distance between the codewords (d) The error is detected & The error is masked The error is detected corrected Challenge: capacity achieving codes (solved)
Reliability versus security - the channel Reliability Security Type of channel communication/ memory computation/memory Source of error mother nature (p<0.5) fault injection Error model additive errors (bit-flips) additive errors Error multiplicity small arbitrary Errors correlated with data no sometimes c e Question: is it the worst case scenario? Challenge: find a realistic error model
Reliability versus security - the information Reliability Security Data compression allowed not allowed Entropy high (k) all range (e.g, in FSM) Why to use codes? correct errors detect errors (correct?) Separability not mandatory mandatory Challenge: codes with robust correction capability
Reliability versus security - the codes Reliability Security Linear codes (parity,BCH,etc.) preferable “disaster” Random encoding? no-need better without What is random? error codeword What is fixed? codeword error Analyze average case worst case Performance criterion decoding error error masking probability q r Q Bounds 1 d r Challenge: random encoding MUST have a local, small, secured, TRNG Challenge: for a given r design codes with minimal Q
The attack model An adversary can induce any error he chooses at any part of the circuit An adversary can jam the content of memory or replace it The attacker knows the codewords and their probability distribution Challenge: find a realistic model for the error Challenge: what to do after an attack is detected
For the ease of drawing….. Detailed sketch codewords Group all codewords Red=codewords and their neighbors and their neighbors Blue= non codewords
Security oriented codes Efficiency criterion - Maximal error masking probability max ( ) e C C 0 e Q | | C Q Robust code : 1 Linear codes cannot provide security Challenge: construct high rate, low HW overhead codes
Types of security oriented codes • Deterministic encoding - partially robust codes for uniform distribution Generalized Vasil’ev code(1962), Generalized Phelps code(1983), One Switching code (Etzion-Vardy 1994), Cubic code (Karpovsky-Taubin 2004) • Deterministic encoding - robust codes for uniform distribution Quadratic systematic code (Karpovsky et al 2007) Generalized punctured quadratic/cubic (Adamaty et al 2012, Neumeier-Keren 2013) Challenge: there are only two deterministic encoding high rate robust codes Challenge: design q-ary codes for multi-level memories
Types of security oriented codes Deterministic encoding - robust t-error correcting codes • An attacker can use the decoder to conceal the attack Challenge: concatenation is not good enough, it results in low rate codes
Types of security oriented codes (cont.) • Randomized encoding AMD code (Cramer-Dodis 2008) Generalized Reed-Muller (Karpovsky-Wang 2014), Non-malleable codes (Dziembowski et al 2010) Hardening FSMs (Kahraman et al (2010) Strong attack detecting codes Non-malleable codes Challenge: non perfect RNG
Codes in practice . Non-Uniform Distribution – some errors will be detected with a low probability or in the worst case, will never be detected Challenge: deterministic encoding for non-uniformly distributed codewords
Summary Security oriented codes differ from reliability oriented codes Reliability oriented codes have a long history (since 1949) Security oriented codes are newborns – there are more problems than solutions: Error model Not many deterministic-encoding high rate robust codes Error correction may conceal the attack (no good solutions) The code’s efficiency degrades when codewords are not equally likely to occur …….
Thank you
How to measure non-linearity? • Linear logic function • First order polynomial ( ,... , ) l x x x a x a x a x 2 1 2 2 1 1 n n n • Non-linear function • Correlation attack – entropy loss ( ) 0 , ( ) W HW m f 1 • Algebraic attack - distance from linear func. n 1 2 | ( ) | Max W 0 f 2 • Fault attack – autocorrelation 1 2 ( ( )) Max W W 0 f
Recommend
More recommend