Research Programme in Assuring Hardware Security by Design in Systems on Chip


Research thrusts


Thrust 3 is focused on the analysis and the evaluation of the security achieved with the countermeasures investigated in thrust 1 and the architecture in thrust 2. As previously mentioned, the security evaluation will be pursued through an adversarial team organization, with a red team carrying out the security offense and challenging the protection mechanisms explored and demonstrated by the blue team (see details in the “Team and governance” section). After every cycle of attacks, the two teams are blended into a “purple team” to close the loop between threat modeling and attack potential evaluation, and to gain a deep understanding of both threats and countermeasures across the SoC lifecycle.

On the one hand, security evaluation is performed to quantify the security improvement enabled by each proposed technique and combination on a relative scale (e.g., the factor by which the attack effort increases). On the other hand, security evaluation is performed to quantify the level of protection achieved by the proposed approaches on an absolute and standardized scale, based on the Common Criteria security metrics of elapsed time, expertise, knowledge of the Target of Evaluation (TOE), access to the TOE, and equipment [EAL].

At the beginning of the program, the existing body of knowledge on threats and vulnerabilities of state-of-the-art SoCs will be expanded by soliciting the discovery of new hardware threats and latent vulnerabilities through an open-call mechanism, in which experts in the field compete for the funding of the effort required by the vulnerability analysis and demonstration. This will make it possible to involve universities, research institutes and companies in Singapore, and to open further opportunities arising from the uncovered threats. The duration of each proposal is one year, with a typical budget of 100,000 S$ each and up to 200,000 S$. The open call will focus on hardware and physical threats and related countermeasures. The proposals will be evaluated based on criteria including quality, relevance, potential impact, alignment with the program, and leadership.

In the security evaluation, we will leverage the unique expertise and capabilities in our team, whose members have proven expertise and instrumentation to perform invasive and semi-invasive attacks [PAC], and best-in-the-world equipment to perform such attacks [SEM] (e.g., the finest laser beam for chip probing). Regarding non-invasive attacks, we have more than a decade of experience with side-channel attacks, with one team member being the first proponent of the well-known Leakage Power Analysis attacks [AGS10]. Some of the technologies for side-channel counteraction recently developed by our team are now being pushed to commercialization by a startup in Singapore [CHL17]. Some of our industrial partners are also worldwide leaders in pre-silicon security evaluation [SIC].

Leveraging our unique capabilities, our team will pursue a unique agile security evaluation framework for fast assessment and iterative fine-tuning of novel countermeasures and architectures, shortening the R&D cycle. As shown in Fig. 6, this will be done by combining pre- and post-silicon security evaluation, using the former to accelerate the weakness identification and simulate attacks for preliminary assessment, and the latter as ultimate validation and reference to keep refining the pre-silicon methods.

The security evaluation will be performed against a wide range of attacks that the countermeasures in thrust 1 and the architecture in thrust 2 aim to counter:
• INVASIVE: die modification (FIB circuit edit), reverse engineering, microprobing, countermeasure bypass
• SEMI-INVASIVE: photoemission, voltage contrast, laser probing, laser fault injection
• NON-INVASIVE: side-channel (DPA, EM), fault attacks (VDD/CLK glitching, EM pulse injection, heating fault attacks)
• ARCHITECTURE-ENABLED ATTACKS: Trojans, IP eavesdropping/man-in-the-middle/replay, DoS, traffic diversion, exploitation of test features, editing commands, direct protocol attacks, buffer overflow, privilege escalation, resource management, code injection, information leakage (side-channel on cache), crypto and numeric errors [CWE].

Overall, the design methodology that will be developed in the SoCure project follows the principles of “Design for Security”. The methodology is based on the fundamental principle that the System-on-Chip (SoC) design flow and the hardware security assessment workflow are tightly linked to each other, and are executed simultaneously at every step of conventional SoC design flows. This enables true end-to-end security assessment of an SoC design, from IP design to production. Its execution at every step makes it possible to catch vulnerabilities early in the design cycle, and hence to correct designs whose vulnerabilities would otherwise remain undiscovered, thus avoiding costly and time-consuming redesign iterations. This approach addresses the fundamental limitations of conventional design flows, which decouple SoC design and security assessment, and test security only after tapeout (post-silicon testing). As main benefits, the adopted methodology allows cost reduction and faster time-to-market, which are both key goals in the design of SoCs.

As shown in Fig. 17, the security design flow follows the same steps as the SoC design flow:
1. High-Level Design Step (Register Transfer Level, RTL)
2. Synthesis Step (Post-Synthesis, PS)
3. Back-end Step (Place&Route, PR)
4. Tapeout

At every step, the system is realized in a bottom-up fashion, starting from the individual IPs, to functional blocks of IP, up to the full SoC. Security conformance is verified at every stage along with functional and timing verification, introducing security checkpoints at every design step before moving to the next one. In other words, in SOCure the SoC design flow steps and the security workflow steps are interleaved, in order to minimize the extension of each design loop and hence minimize the cost and time needed to identify and correct hardware vulnerabilities. With reference to Fig. 6, pre-silicon security evaluation identifies vulnerabilities that can be exploited in non-invasive and invasive attacks upstream, from the source code to the placed-and-routed design. As a further benefit, such an interleaved bottom-up design flow also makes it possible to extend the understanding of individual blocks to the full SoC.

In the development of the above security-aware design flow, the expertise of our team members will be leveraged. In particular, Secure-IC is currently a worldwide leader in the development of design flows for security, and its methodologies and software tools are a solid starting point to develop comprehensive workflows that incorporate the wide experience of our academic team members in sub-system security modelling [ABD14], [APR10], [APR10b], [AGS10] and design methodologies [HCZ18], [KAG18], [PCG17], [CHL17], [ZCG14], [MOP09]. The refinement of the security-aware design methodology in SOCure will also leverage the adversarial structure of its team (see Sections 2 and 4), where the design methodology developed by the blue team will also be tested by the red team to identify vulnerabilities that are less likely to be caught, and hence to correct the methodology accordingly.

As a further distinctive element of thrust 3, innovation will be introduced at the attack level, exploring and modeling new hardware security threats that widen the attack surface. As highly representative examples, the recently introduced class of combined attacks (in which a member of our team has proven expertise [PMB17]) and attacks on the root of trust (i.e., PUFs and PUF-based protocols as in thrust 1) will be explored in this thrust. In regard to the former type of attacks, side-channel analysis (SCA) and fault injection analysis (FIA) are well known to be powerful attacks on their own. Recent literature has also explored means to enhance the attack potency via a combination of these attack techniques. Traditionally, SCA has been viewed as employing non-invasive techniques such as power measurement, while FIA is expected to be the semi-invasive/invasive counterpart in implementation attacks. The foremost instance of combined SCA and FIA on block ciphers is the Differential Behavioral Analysis (DBA) [RM07], which combines SCA with safe-error attacks. Assuming a stuck-at fault model, it observes whether the fault alters the side-channel behavior of the computation in order to derive the key. A combined SCA and FIA on AES was proposed in [CFG10]. It targets the first key addition in AES and is based on an instruction-skip/change fault model that preferably forces the XOR output to 0. Under this fault model, the faulty ciphertext is compared with the original ciphertext, and the XOR output is inferred to be 1 or 0 depending on whether the ciphertext changes or not. The attack was further enhanced using correlation power analysis (CPA) to break a masked AES implementation. Roche et al. proposed a DFA on the AES key schedule in [RLK11] by injecting faults in the penultimate round key computation. They further extended this attack to a combined setting, where SCA measurements are used to aid DFA on the key schedule of a masked AES.
This attack was subsequently improved in [DV12], where the authors relax the strict restrictions on fault repeatability, model and location that were imposed by the original attack. All these attacks were demonstrated in simulated settings. A different family of fault attacks, i.e. Fault Sensitivity Analysis (FSA), was also combined with side-channel analysis. Moradi et al. [MMP11] combined the Collision Correlation Attack (CCA) with FSA. The combined attack exploits either the non-uniform fault distribution or the data-dependent timing of faults, and was successfully demonstrated on several unprotected and protected AES cores on SASEBO LSI chips. In another work [LED13], the authors use FSA to develop a leakage model which is then used to launch a power-based key recovery attack. Both of these attacks were demonstrated with real measurements.

The first work demonstrating a practical attack combining Differential Fault Analysis (DFA) with SCA was recently presented by a SOCure team member [PMB17]. It exploits properties of the bit-permutation diffusion function in lightweight block ciphers, where side-channel leakage can efficiently reveal the value of the fault that was injected into the cipher state. Combined attacks in hardware security are challenging for various reasons. Firstly, they require a deep knowledge of both SCA and FIA attacks. Secondly, exploiting combined attacks requires finding new attack vectors that deviate from the existing ones associated with each technique. Thirdly, combined attacks need to be made synergistic to offer an attack efficiency and effectiveness that is superior to SCA or FIA alone. Based on the above recent findings, thrust 4 will investigate new combined attacks. Two representative examples of promising directions that will be explored in thrust 4 are:
• exploiting state-wise diffusion functions that are different from bit permutations, e.g. the MDS matrices used in AES, or the bit shifts used in SIMON and SPECK
• devising attacks that defeat combined SCA/FIA countermeasures

As a second representative example of new threat development, new attacks on Physically Unclonable Functions (PUFs) will be explored. PUFs have emerged as a chip-specific digital fingerprint that exploits manufacturing imperfections, which cause physical differences from one sample to another [SD07]. The quality of a PUF is evaluated on three key metrics: uniformity, reliability and uniqueness [HYK10], [MGS11]. Several efficient PUF designs have been proposed which evaluate well on these metrics [SD07], [SV12], [KGM08], [MTV08], [SVV12], [YSI11], [TKX15], [XSA16], [KMY15], [SJ14]. However, as a building block of hardware intrinsic security, the security of PUFs has become a concern [RSS13], [GTS15], [GTS15b], [GTF16], [MKP08]. The two key security requirements are unpredictability and unclonability. Statistical and modeling attacks try to undermine these security metrics. Recent PUF designs have exploited internal non-linearity in the PUF structure to resist such attacks [HMV12]. However, these only apply when the modeling is performed directly on challenge-response pairs. When modeling attacks are assisted by extra information, for instance from side-channel or fault injection, they were shown to be feasible [XB14], [DV14]. Although most assisted modeling has been performed only in simulation, a few experimental attacks have recently been shown [SPN17a]. Moreover, this practical application was only scratching the surface of a heap of exploits that could be possible with the latest attack techniques available. As an interesting implication, it was also recently shown that there is a strong link between reliability and the feasibility of modeling attacks [B15]. In fact, the most reliable PUFs have proved to be easy to model and break, thus challenging the fundamental definition and properties of PUFs in the context of hardware security.
Exploring the resistance of state-of-the-art PUF designs [AZA15], [SSS16] and the PUFs investigated in thrust 1 against modeling under side-channel and fault attacks is an open challenge, and will be pursued accordingly in thrust 4. In particular, the security analysis of existing and new PUFs against statistical and modeling attacks will be performed using new machine learning approaches that target side-channel and fault attacks, as well as their combinations discussed above. In particular, novel methods for profiling SCAs by adopting machine learning techniques to learn the dependency and the correlation between PLI and the processed data will be explored. The related research will have a double-sided impact: on the one hand, it permits a better understanding of the information leakage and the side-channel attack potential, whereas on the other hand it also provides valuable information on how to increase the level of protection (e.g., by using the machine-learning power leveling approach discussed in thrust 1).
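The three PUF quality metrics named above (uniformity, uniqueness, reliability) are usually computed from Hamming distances over response bits. The following Python is an added illustration, not part of the programme text: it implements the standard fractional-Hamming-distance definitions of the three metrics and applies them to constructed (made-up) 8-bit responses from three hypothetical chips.

```python
"""PUF quality metrics from response bits (added example, constructed data).

uniformity  : fraction of 1s in one response            (ideal 0.5)
uniqueness  : mean inter-chip fractional Hamming distance (ideal 0.5)
reliability : 1 - mean intra-chip fractional Hamming distance
              between enrolment and re-measurement         (ideal 1.0)
"""
from itertools import combinations
from typing import Dict, Sequence

Response = Sequence[int]  # 0/1 bits returned by one PUF instance for one challenge


def hamming_distance(a: Response, b: Response) -> int:
    """Count the bit positions in which two equal-length responses differ."""
    if len(a) != len(b):
        raise ValueError("responses must have equal length")
    return sum(x != y for x, y in zip(a, b))


def uniformity(r: Response) -> float:
    """Fraction of 1s in a single response; 0.5 means unbiased bits."""
    return sum(r) / len(r)


def uniqueness(responses: Sequence[Response]) -> float:
    """Mean fractional inter-chip Hamming distance over all chip pairs
    answering the same challenge; 0.5 means chips are well separated."""
    n_bits = len(responses[0])
    pairs = list(combinations(responses, 2))
    total = sum(hamming_distance(a, b) for a, b in pairs)
    return total / (len(pairs) * n_bits)


def reliability(reference: Response, remeasured: Sequence[Response]) -> float:
    """1 minus the mean fractional intra-chip Hamming distance between the
    enrolment response and later re-measurements of the same chip."""
    n_bits = len(reference)
    total = sum(hamming_distance(reference, m) for m in remeasured)
    return 1.0 - total / (len(remeasured) * n_bits)


def evaluate_puf(responses: Sequence[Response],
                 remeasured_chip0: Sequence[Response]) -> Dict[str, float]:
    """Collect the three metrics for one challenge across a chip population."""
    return {
        "uniformity": uniformity(responses[0]),
        "uniqueness": uniqueness(responses),
        "reliability": reliability(responses[0], remeasured_chip0),
    }


# Constructed responses to a single challenge from three hypothetical chips.
CHIP_RESPONSES = [
    [1, 0, 1, 1, 0, 0, 1, 0],
    [0, 1, 1, 0, 0, 1, 1, 0],
    [1, 1, 0, 0, 1, 0, 0, 1],
]
# Constructed re-measurements of chip 0 (e.g. at another temperature);
# the second one flips bit 4, modelling a noisy response bit.
CHIP0_REMEASURED = [
    [1, 0, 1, 1, 0, 0, 1, 0],
    [1, 0, 1, 1, 1, 0, 1, 0],
]
```

With the constructed data, uniqueness is 16/24 (a bit above the 0.5 ideal) and reliability is 0.9375, i.e. one flipped bit in sixteen re-measured bits.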

Based on preliminary results, the three main objectives of machine learning-based side-channel attacks are as follows:
i. shorten the attack to break the secret key embedded in a smartphone by 5-10X
ii. eliminate the time-consuming pre-processing phase of power traces (i.e., trace filtering and alignment) of PLI before performing SCAs
iii. predict the future secret key by learning the pseudo-random generation patterns.

Since the SOCure architecture is based on PUFs as a hardware root of trust, it introduces intra-chip protocols to assure secure intra-chip communications and IP authentication (see thrust 2). Various PUF-based authentication protocols have been proposed to date [DSV14], [DPG15]. Recent studies have shown that almost all security protocols based on PUFs have evident vulnerabilities [B15a], [DV14a], [DV14b]. Accordingly, thrust 4 will also evaluate the security of PUFs as well as of the protocols based on them, to assure end-to-end security from primitives to systems.

Finally, security evaluation will also involve attacks leveraging chip reverse engineering, and the specific capabilities of our team. Conventionally, reverse engineering consists of delayering a chip and capturing images at every single layer. Our team already has an in-house developed complete set of software tools to convert images into a detailed circuit netlist to facilitate attacks. Recently, new non-invasive technology for IC chip imaging using 3D X-rays has been developed that requires much less invasive procedures, preserves the chip and is much faster compared to the conventional 2D approach. Leveraging the wide experience with 2D imaging, novel 3D image processing and analysis methodologies will be explored to study and interpret the 3D images captured through non-invasive techniques.

The detailed objectives of this research direction are as follows:
i. re-construct the IC layout from 3D images
ii. identify the chip schematic from layout
iii. extract the chip functionality from the schematic

Regarding the deliverables (see details in Section 5), thrust 3 pursues the analysis and the evaluation of the proposed techniques in both relative and absolute terms through a unitary framework. As a distinctive element, thrust 3 includes a preliminary security evaluation survey through an open call for proposals scheme, where proposals aim to identify and uncover new hardware-level vulnerabilities, threats and types of attacks, through demonstration on state-of-the-art commercial chips. The call will be open to IHLs, RIs and companies in Singapore, and it will serve as a further source of valuable information on vulnerabilities and attacks that will be explicitly taken into account in the execution of the SOCure program, and hence incorporated in the framework developed in thrust 3. The security evaluation framework and capabilities developed in thrust 3 also leverage the unique software tools for pre-silicon evaluation shared by one of the industrial partners of SOCure [SIC], the post-silicon techniques offered by another industrial partner [SEM], and the attack setups and techniques available in three of the research groups led by the team members. These capabilities will be coordinated and further developed to perform the targeted attacks on the two stand-alone silicon demonstrators from thrust 1, the architectural attacks counteracted through architectural countermeasures in thrust 2, and the system demonstrator in thrust 4 focusing on their interaction. The output of all these activities will be a set of reports that present an extensive relative comparison of the proposed techniques and approaches, as well as a comparison with the state of the art. In absolute terms, the attack potential, the increase in attack time/cost/resources, residual potential weaknesses and the tradeoff with power/performance/area will be quantified and publicly disseminated whenever appropriate.

In regard to the collaboration with RISE, the research relevant to thrust 3 will be devoted to a systematic analysis of
a) what energy-aware computing approaches are currently being deployed,
b) if/how they influence the leakage characteristics of a target device, and
c) whether their behavior can be adversarially controlled.
This analysis will be translated into concrete attacks on one or more exemplar targets.

For each target, a set of necessary and sufficient conditions that can inform energy- and security-aware co-design will be derived. This will include:
a) design rules that facilitate secure execution, and
b) techniques to implement (generic) countermeasures that are energy-aware.