![Page 1: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/1.jpg)
HITB 2010
Side Channel Analysis on
Embedded Systems
Job de Haas Riscure
July 2, 2010
![Page 2: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/2.jpg)
Who the hell is…
Job de Haas
• Electro engineer: 1990
• First exploit: 1991
• ITSX: 1998
• Riscure: 2006
Currently at Riscure
• Director Embedded Technology
• Testing security on: Set-top-boxes, mobile phones, smart cards, payment terminals, ADSL routers, VoIP modems, smart meters, airbag controllers, USB tokens, …
• BTW: Riscure is hiring! HITB 2010
![Page 3: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/3.jpg)
Agenda
What is SCA on embedded?
Scope
How do you test for it in practice?
How to assess the strength of a product?
HITB 2010
![Page 4: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/4.jpg)
Embedded systems to consider
‘Complex’ processor based – Mobile devices
– Game consoles
– Multi-media chipsets for pay-TV
Microcontroller based – USB sticks
– Car locks
– Remote access tokens
HITB 2010
![Page 5: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/5.jpg)
Scope
• Device: embedded systems with security functions
• Focus on passive side channels
• Why? – What is the threat from side channel analysis to embedded
systems?
– How does it compare with attacks on smart cards?
– What are future developments?
– Demonstrate side channel analysis.
HITB 2010
![Page 6: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/6.jpg)
What is SCA on embedded?
HITB 2010
![Page 7: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/7.jpg)
7
Attacking Side Channels
• Time
• Power consumption
• Electro-Magnetic radiation
• Light
• Sound
HITB 2010
![Page 8: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/8.jpg)
Power / EM traces
• Signal leakage from busses, registers, ALUs, etc
PIN verification attempts
HITB 2010
![Page 9: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/9.jpg)
HITB 2010
Statistical data detection
• Where is data processed in presence of noise?
![Page 10: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/10.jpg)
Statistical data detection
• Where is data processed in presence of noise?
• Collect many traces with different data (n > 1000)
• Assume data values are: – known (e.g. algorithm input or output)
– uniformly random (typical for crypto)
• We focus on one bit of one variable in the process
HITB 2010
0 0
0 0
1 1
1 1
Group by known data Average trace
Subtract
Differential trace
![Page 11: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/11.jpg)
HITB 2010
Differential trace
• Input: n traces with known variable (e.g. input or output)
• Output: 1 trace with indication where bit causes trace differences
![Page 12: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/12.jpg)
Purpose of SCA on embedded
Not much changes …
• Key • PIN • Unlock code
• Program flow • Crypto protocol • Algorithm
Retrieve secrets Reverse engineer
HITB 2010
![Page 13: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/13.jpg)
When does SCA become interesting?
If side channel threats apply, depends on
• Physical access?
• Access time window?
• Interfacing and control?
• Exploitation equipment $?
A device becomes interesting when • It contains a secret
• It contains a feature that can be unlocked
• Logical or physical access to internals is hard
HITB 2010
![Page 14: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/14.jpg)
Typical SCA set up
Configure / Retrieve
HITB 2010
Commands / data Signal +
Trigger
![Page 15: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/15.jpg)
Typical prerequisites
Access to side channel
Access to input or output data
Minimize noise in side channel
Time measurement of operation (trigger)
Link data to operation
HITB 2010
![Page 16: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/16.jpg)
Comparing to smart cards
So far SCA testing centered on smart cards
A smart card: • Standardized device
• Focus of SCA since its conception
• The benchmark of how SCA is rated
A smart card is an embedded system ... But a very well defined one
HITB 2010
![Page 17: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/17.jpg)
Processor comparison
Smart card Embedded Processor complexity Simple CPU next to
crypto core Complex processor with lots of peripheral next to crypto core(s)
Crypto core size Significant compared to overall chip
tiny compared to overall chip
No. of crypto engines One core per crypto operation
>10 cores for different purposes
SW or HW engine Few SW implementations Both HW and SW implementations
Countermeasures Hardware and software countermeasures against leaking of both CPU and crypto core
No countermeasures and CPU leaks significantly
HITB 2010
![Page 18: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/18.jpg)
Acquisition comparison
Smart card Embedded Power interface Standard interface Implemented on PCB with
dedicated power supply Triggering of acquisition
Standard interface allows controlled trigger
Trigger may be difficult without control over CPU
Flexibility of interfacing
Interface restricted Control over CPU can often be gained through reverse engineering
Power consumption Low power device (few mA)
Low to High power device (0.5A to 4A)
Clocks Moderate clocks speeds (<50MHz), limited number
Moderate to high clock speeds, single or multiple clock domains
Sample preparation Attacks are often noninvasive
Attacks mostly require invasive action
HITB 2010
![Page 19: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/19.jpg)
How do you test for it in practice?
HITB 2010
![Page 20: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/20.jpg)
Test versus attack
An attacker needs to turn a vulnerability into an exploit
A tester needs to gain insight in attacker cost efficiently
How to create the optimal environment to discover a vulnerability?
HITB 2010
![Page 21: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/21.jpg)
General aspects
Controlling the crypto
Linking data with measurements
Efficiency of acquisition
Increased speed versus increased complexity
HITB 2010
![Page 22: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/22.jpg)
Timing analysis
Peripheral outputs assist (example XBOX 360)
Exploiting runtime access (cache)
Increasing accuracy with EM and power
Timing is a risk in many software implementations: both crypto and comparisons
HITB 2010
![Page 23: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/23.jpg)
XBOX 360 with Infectus board
HITB 2010
source: http://beta.ivancover.com
![Page 24: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/24.jpg)
XBOX 360 timing attack
• XBOX 360 has a secure boot chain
• First boot loader security implemented with a HMAC-SHA1
• Sequence: – Hash secret key + boot loader with SHA1
– Compare 16 bytes result with stored 16 bytes
• Comparison is per byte timing attack
• Implementation in Infectus board: – It can modify stored HMAC-SHA1 value in NAND flash
– Observes timing of diagnostic POST byte on PCB
– Reset CPU with nTRST
• Brute forcing 16*128 = 2048 values on average takes about 2 hrs
HITB 2010
source: http://www.xboxhacker.net
![Page 25: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/25.jpg)
Power analysis
Tapping power or supplying it
Reaching rails
Identifying the correct supply rail
Disabling power domains
Disabling peripherals
All require (more detailed) knowledge on target
http://www.phonewreck.com
HITB 2010
![Page 26: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/26.jpg)
EM Analysis
EM signal adds dimension
How to locate?
When can EM be better?
EMA is an active research topic
EM seems to add most when target operation is small relative to overall chip
HITB 2010
![Page 27: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/27.jpg)
EM probe
• Probe is a coil for magnetic field
• Generally the near field (distance << λ) is most suitable
HITB 2010
![Page 28: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/28.jpg)
EM scanning DEMO
HITB 2010
![Page 29: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/29.jpg)
XY scan examples
HITB 2010
Full spectrum Around 40MHz
Scans above same chip running at 20MHz
Clock pin! (20MHz)
![Page 30: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/30.jpg)
Bonding wire effects
HITB 2010
Full spectrum Full spectrum logarithmic
![Page 31: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/31.jpg)
Hotspot is clock line
HITB 2010
Corresponding trace shows no pattern: base clock
![Page 32: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/32.jpg)
Hotspot after resampling
XY plot full spectrum (left); selected higher harmonic (right)
Trace shows pattern
HITB 2010
![Page 33: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/33.jpg)
Practical encounters (1)
CPU
Power
HITB 2010
![Page 34: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/34.jpg)
Practical encounters (2) Package-on-package Main power rails
HITB 2010
![Page 35: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/35.jpg)
How to assess the security strength of a product?
HITB 2010
![Page 36: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/36.jpg)
Threat and impact
SCA can break security functions, because:
– Few countermeasures
– Significant leakage
– Fast acquisition
– Examples in the field: Keeloq, …
However…
HITB 2010
![Page 37: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/37.jpg)
Effort can be considerable
Required level of control
Attacks needed to achieve control
High noise level, increased acquisition times
Even without countermeasures, but countermeasures do improve this!
HITB 2010
![Page 38: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/38.jpg)
Countermeasures
Patented by Cryptography Research Inc (CRI) Licenses required and taken by major vendors
(Infineon, NXP, Renesas, Samsung, …) Check with CRI
• Random Interrupts • Data / key masking • Shielding • Balancing
• Randomizing flow • Blinding / masking • Algorithm • Protocol design
Hardware Software
HITB 2010
![Page 39: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/39.jpg)
Side channel resistance
CPU type Counter-measure
Effort (inc setup)
Skills Strength
Basic microcontroller
No 1-2 weeks SPA/DPA 0
Basic microcontroller
Basic 2-6 weeks + Adv sig proc 1
Complex processor
No 2-6 weeks + Adv sig proc 1
Complex processor
Basic 1-3 months + Adv sig proc 2
Both Strong >3 months + High order DPA
3
Note: A complex processor with a bad RSA can still break in less than a week! These are only indicators.
![Page 40: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/40.jpg)
Developments
Side channel analysis related – Increasingly high speed acquisition
– Combined analysis of EM and power
– SCA becomes more mainstream
• Tools
• Techniques
Processor related – More security features everywhere
– Basic countermeasure introduced
HITB 2010
http://opensca.sf.net http://www.dpacontest.org
![Page 41: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/41.jpg)
Side Channel on RSA - DEMO
Key bits revealed signal processing to high-light dips
variation of interval between dips
HITB 2010
![Page 42: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/42.jpg)
HITB 2010
RSA implementation
• Algorithm for M=cd, with di is exponent bits (0≤i≤t) – M := 1
– For i from t down to 0 do:
• M := M * M
• If di = 1, then M := M*C
![Page 43: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/43.jpg)
Demo Target
• Dev board with LPC2468
• ISP + JTAG can be locked
• Internal Flash for boot and storage
• Internal SRAM
• Can be moderately secured
• Running RSA with internal key
HITB 2010
![Page 44: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/44.jpg)
Conclusion
HITB 2010
![Page 45: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/45.jpg)
Findings
Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering
– Potential exposure due to: limited/no countermeasures, speed of acquisition, software implementations
Side channel is primarily a threat to – Devices with basic microcontrollers
– High security devices that protect something very valuable
HITB 2010
![Page 46: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/46.jpg)
Recommendations
• To achieve strong protection against SCA, strong countermeasures must be added
• Demand countermeasures from manufacturers if you need the security level
• Do not rely solely on the hardware for protection
• Verify SCA protection if you need that security level
HITB 2010
![Page 47: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/47.jpg)
Looking for a job?
HITB 2010
Riscure is Hiring!
![Page 48: Side Channel Analysis of Embedded Systems - Job de... · Embedded systems provide a different environment for SCA – New obstacles for attackers: interfacing, noise, triggering –](https://reader033.vdocuments.site/reader033/viewer/2022042216/5ebeeee4bb2a210f8533741b/html5/thumbnails/48.jpg)
HITB 2010
Discussion
Thank you
Job de Haas
Director Embedded Technology
Riscure B.V. Frontier Building Delftechpark 49 2628 XJ Delft The Netherlands
Phone: +31 (0)15 251 4090 www.riscure.com