Securing the core root of trust (research in secure hardware design and test)
Ramesh Karri ([email protected]), ECE Department
Who can attack your system?
Hobby (class I), Obsession (class II), Job (class III)
D. Abraham, G. Dolan, G. Double, and J. Stevens. Transaction Security System. IBM Systems Journal 30(2): 206-229, 1991.
Is the problem worth my time?
Source: http://www.uscc.gov/annual_report/2008/annual_report_full_09.pdf, page 168. US-China Economic and Security Review Commission hearing on China's proliferation practices and the development of its cyber and space warfare capabilities, testimony of Col. Gary McAlum.
Threat models for hardware
Side channels: power dissipation, timing variation, test infrastructure, faults, interactions between side channels
Cloning, overbuilding, reverse engineering, Trojans
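Data Encryption Standard (DES)
[Figure: one DES round. L_i, R_i and round key K_i produce L_{i+1}, R_{i+1}; the round function applies expansion, XOR with the round key, S-boxes and permutation.]
[Figure: DES hardware datapath. Labels: Input_Reg, Initial Permutation, MUX, L_Reg, R_Reg, Key Reg, Round key ROM, Control (en, sel, addr), f, Reverse Permutation, Output_Reg.]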
Test infrastructure
Scan chain: chain all flip-flops in a design
Signals: test data input (TDI), test data output (TDO), test clock (TCK), test mode select (TMS), test reset
Attack step 1: identify critical registers
Attack step 2: apply selected inputs
3 plaintexts; per plaintext:
• 2 clock cycles in normal mode (plaintext reaches R, L)
• 198 clock cycles in test mode (R0, L0 scanned out)
• 1 clock cycle in normal mode (plaintext reaches R, L)
• 198 clock cycles in test mode (R1, L1 scanned out)
399 × 3 = 1197 clock cycles
• Can leak secrets from DES, AES, etc.
• >80% of all ASICs use scan chains for test/debug
• Readback/test infrastructure in FPGAs
• Load configuration stream
• Read out bitstream for debug
Secure scan
[Figure: secure scan mode diagram. Labels: power off, insecure, test, normal, secure normal.]
• Standards compliant
• 3rd Prize, 2008-2009 IEEE TTTC PhD dissertation contest
Hardware threat models
Side channels: power dissipation, timing variation, test infrastructure, faults, interactions between side channels
Cloning, overbuilding, reverse engineering, Trojans
Trojan challenge
Leak AES key
40 registrations, 10 finalists, 3 winners, 2 honorable mentions
http://isis.poly.edu/csaw/embedded
Physically unclonable functions
• Uses physical structure of a device to give a unique response
• Used as device IDs
• The ring oscillator frequency varies with process variations.
A trojan defense
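[Figure: block diagram. Labels: Trivium, JTAG, Interpreter, RS232 UART (Transmit Data, Receive Data), I/O SELECT, CLOCK, RESET, REC_READY, RS232-DCE_RXD, RS232_DCE_TXD, UART CLK, FREQUENCY COUNTER.]
[Figure: ring oscillator circuit. Labels: C0, A1, B1, A2, B2, S1, S2, C1, C2, DETECTION, RING OSCILLATOR OUTPUT.]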
PUF gives unique ID to hardware
Can we give a unique ID to a design?
A preliminary defense
[Figure: block diagram. Labels: Trivium, JTAG, Interpreter, RS232 UART (Transmit Data, Receive Data), I/O SELECT, CLOCK, RESET, REC_READY, RS232-DCE_RXD, RS232_DCE_TXD, UART CLK, FREQUENCY COUNTER.]
Questions? [email protected], 917 363 9703