THRUST 3. SECURITY ANALYSIS AND EVALUATION
Thrust 3 is focused on the analysis and evaluation of the security achieved with the countermeasures investigated in thrust 1 and the architecture in thrust 2. As previously mentioned, the security evaluation will be pursued through an adversarial team organization, with a red team carrying out the security offense and challenging the protection mechanisms explored and demonstrated by the blue team (see details in the “Team and governance” section). After every cycle of attacks, the two teams are blended into a “purple team” to close the loop between threat modeling and attack potential evaluation, and to gain a deep understanding of both threats and countermeasures across the SoC lifecycle.
On one hand, security evaluation is performed to quantify the security improvements enabled by each proposed technique and combination on a relative scale (e.g., the factor by which the attack effort increases). On the other hand, security evaluation is performed to quantify the level of protection achieved by the proposed approaches on an absolute and standardized scale, based on the Common Criteria security metrics of elapsed time, expertise, knowledge of the Target of Evaluation (TOE), access to the TOE, and equipment [EAL].
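As an added illustration (not part of the proposal), the script below rates a constructed attack scenario on the Common Criteria attack potential scale named above, and derives the relative effort factor of the first scale; the point values are assumed to follow CEM v3.1 Annex B, and the scenarios and hour counts are constructed.

```python
# Added example (not from the proposal): rating one attack scenario on the
# Common Criteria "attack potential" scale (absolute scale) and computing the
# factor by which a countermeasure raises the attack effort (relative scale).
# Point tables are assumed to follow CEM v3.1 Annex B (tables B.4 and B.5);
# the scenarios and effort figures at the bottom are constructed, not measured.

# Points per factor (assumed CEM v3.1 table B.4 values). The proposal calls the
# fourth factor "access to TOE"; CEM names it "window of opportunity".
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
                "<=2 months": 7, "<=3 months": 10, "<=4 months": 13,
                "<=5 months": 15, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE_OF_TOE = {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11}
ACCESS_TO_TOE = {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9}

# Point total -> (attack potential needed to exploit, resistance the TOE can claim).
RATING = [(0, 9, "Basic", "No rating"), (10, 13, "Enhanced-Basic", "Basic"),
          (14, 19, "Moderate", "Enhanced-Basic"), (20, 24, "High", "Moderate"),
          (25, 10**9, "Beyond High", "High")]

def attack_potential_points(time, expertise, knowledge, access, equipment):
    """Sum the five Common Criteria factors for one attack scenario."""
    return (ELAPSED_TIME[time] + EXPERTISE[expertise] + KNOWLEDGE_OF_TOE[knowledge]
            + ACCESS_TO_TOE[access] + EQUIPMENT[equipment])

def resistance(points):
    """Map a point total to (attack potential needed, resistance claimed)."""
    for lo, hi, needed, resists in RATING:
        if lo <= points <= hi:
            return needed, resists
    raise ValueError(f"negative point total: {points}")

def effort_factor(before_hours, after_hours):
    """Relative scale of thrust 3: factor by which the attack effort increases."""
    return after_hours / before_hours

# Constructed scenarios: the same laser fault-injection attack against an
# unprotected SoC and against one carrying a fault-detection countermeasure.
UNPROTECTED = dict(time="<=1 week", expertise="expert", knowledge="restricted",
                   access="easy", equipment="specialised")
PROTECTED = dict(time="<=3 months", expertise="multiple experts",
                 knowledge="sensitive", access="moderate", equipment="bespoke")

if __name__ == "__main__":
    for name, scenario in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        pts = attack_potential_points(**scenario)
        print(name, pts, resistance(pts))
    # constructed effort figures: 40 h before, 400 h after the countermeasure
    print("effort factor:", effort_factor(40, 400))
```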
At the beginning of the program, the existing body of knowledge on threats and vulnerabilities of state-of-the-art SoCs will be expanded by soliciting the discovery of new hardware threats and latent vulnerabilities through an open-call mechanism, where experts in the field compete for the funding of the effort required by the vulnerability analysis and demonstration. This will make it possible to involve universities, research institutes and companies in Singapore, and open further opportunities arising from the uncovered threats. The duration of each proposal is one year, with a typical budget of 100,000 S$ each and up to 200,000 S$. The open call will focus on hardware and physical threats and related countermeasures. The proposals will be evaluated based on criteria including quality, relevance, potential impact, alignment with the program, and leadership.
In the security evaluation, we will leverage the unique expertise and capabilities in our team, whose members have proven expertise and instrumentation to perform invasive and semi-invasive attacks [PAC], and best-in-the-world equipment to perform such attacks [SEM] (e.g., the finest laser beam for chip probing). Regarding non-invasive attacks, we have more than a decade of experience with side-channel attacks, with one team member being the first proponent of the well-known Leakage Power Analysis attacks [AGS10]. Some of the technologies for side-channel counteraction recently developed by our team are now being pushed to commercialization by a startup in Singapore [CHL17]. Some of our industrial partners are also worldwide leaders in pre-silicon security evaluation [SIC].
Leveraging our unique capabilities, our team will pursue a unique agile security evaluation framework for fast assessment and iterative fine-tuning of novel countermeasures and architectures, shortening the R&D cycle. As shown in Fig. 6, this will be done by combining pre- and post-silicon security evaluation, using the former to accelerate weakness identification and to simulate attacks for preliminary assessment, and the latter as the ultimate validation and as a reference to keep refining the pre-silicon methods.
The security evaluation will be performed against a wide range of attacks that the countermeasures in thrust 1 and the architecture in thrust 2 aim to counter:
• INVASIVE: die modification (FIB circuit edit), reverse engineering, microprobing, countermeasure bypass
• SEMI-INVASIVE: photoemission, voltage contrast, laser probing, laser fault injection
• NON-INVASIVE: side-channel (DPA, EM), fault attacks (VDD/CLK glitching, EM pulse injection, heating fault attacks)
• ARCHITECTURE-ENABLED ATTACKS: Trojans, IP eavesdropping/man-in-the-middle/replay, DoS, traffic diversion, exploitation of test features, editing commands, direct protocol attacks, buffer overflow, privilege escalation, resource management, code injection, information leakage (side-channel on cache), crypto and numeric errors [CWE].
Overall, the design methodology that will be developed in the SOCure project follows the principles of “Design for Security”. The methodology is based on the fundamental principle that the System-on-Chip (SoC) design flow and the hardware security assessment workflow are tightly linked to each other, and are executed simultaneously at every step of conventional SoC design flows. This enables true end-to-end security assessment of an SoC design, from IP design to production. Its execution at every step makes it possible to catch vulnerabilities early in the design cycle, and hence to correct designs that would otherwise carry undiscovered vulnerabilities, thus avoiding costly and time-consuming redesign iterations. This approach addresses the fundamental limitations of conventional design flows, which decouple SoC design and security assessment, and test security only after tapeout (post-silicon testing). As main benefits, the adopted methodology allows cost reduction and faster time-to-market, which are both key goals in the design of SoCs.
As shown in Fig. 17, the security design flow follows the same steps that SoC design consists of:
1. High-Level Design Step (Register Transfer Level, RTL)
2. Synthesis Step (Post-Synthesis, PS)
3. Back-end Step (Place&Route, PR)
4. Tapeout
At every step, the system is realized in a bottom-up fashion, starting from the individual IPs, to functional blocks of IPs, up to the full SoC. Security conformance is verified at every stage along with functional and timing verification, introducing security checkpoints at every design step before moving to the next step. In other words, in SOCure the SoC design flow steps and the security workflow steps are interleaved, in order to minimize the length of each design loop and hence minimize the cost and time to identify and correct hardware vulnerabilities. With reference to Fig. 6, pre-silicon security evaluation identifies vulnerabilities that can be exploited in non-invasive and invasive attacks upstream, from the source code to the placed-and-routed design. As a further benefit, such an interleaved bottom-up design flow also makes it possible to extend the understanding of individual blocks to the full SoC.
In the development of the above security-aware design flow, the expertise of our team members will be leveraged. In particular, Secure-IC is currently a worldwide leader in the development of design flows for security, and its methodologies and software tools are a solid starting point to develop comprehensive workflows that incorporate the wide experience of our academic team members in sub-system security modelling [ABD14], [APR10], [APR10b], [AGS10], and design methodologies [HCZ18], [KAG18], [PCG17], [CHL17], [ZCG14], [MOP09]. The refinement of the security-aware design methodology in SOCure will also leverage the adversarial structure of its team (see Sections 2 and 4), where the design methodology developed by the blue team will also be tested by the red team to identify vulnerabilities that are less likely to be caught, and hence to correct the methodology accordingly.
As a further unique element of thrust 3, innovation will be introduced at the attack level, exploring and modeling new hardware security threats that widen the attack surface. As highly representative examples, the recently introduced class of combined attacks (in which a member of our team has proven expertise [PMB17]) and attacks on the root of trust (i.e., PUFs and PUF-based protocols as in thrust 1) will be explored in this thrust. In regard to the former type of attacks, side-channel analysis (SCA) and fault injection analysis (FIA) are well known to be powerful attacks on their own. Recent literature has also explored means to enhance the attack potency via a combination of these attack techniques. Traditionally, SCA has been viewed as employing non-invasive techniques such as power measurement, while FIA is expected to be the semi-invasive/invasive counterpart in implementation attacks. The foremost instance of combined SCA and FIA on block ciphers is the Differential Behavioral Analysis (DBA) [RM07], which combines SCA with safe-error attacks. Assuming a stuck-at fault model, it observes whether the fault alters the side-channel behavior of the computation to derive the key. A combined SCA and FIA on AES was proposed in [CFG10]. It targets the first key addition in AES and is based on an instruction-skip/change fault model that preferably forces the XOR output to 0. Under this fault model, the faulty ciphertext is compared with the original ciphertext, and the XOR output is inferred to be 1 or 0 depending on whether the ciphertext changes or not. The attack was further enhanced using correlation power analysis (CPA) to break a masked AES implementation. Roche et al. proposed a DFA on the AES key schedule in [RLK11] by injecting faults in the penultimate round key computation. They further extend this attack to a combined setting, where SCA measurements are used to aid DFA on the key schedule of a masked AES. This attack was subsequently improved in [DV12], where the authors relax the strict restrictions on fault repeatability, model and location that were imposed by the original attack. All these attacks were demonstrated in simulated settings. A different family of fault attacks, i.e. Fault Sensitivity Analysis (FSA), was also combined with side-channel analysis. Moradi et al. [MMP11] combined Collision Correlation Attack (CCA) and FSA. The combined attack exploits either a non-uniform fault distribution or data-dependent timing of faults, and was successfully demonstrated on several unprotected and protected AES cores on SASEBO LSI chips. In another work [LED13], the authors use FSA to develop a leakage model which is then used to launch a power-based key recovery attack. Both these attacks were demonstrated with real measurements.
The first work demonstrating a practical attack combining Differential Fault Analysis (DFA) with SCA was recently presented by a SOCure team member [PMB17]. It exploits properties of the bit permutation diffusion function in lightweight block ciphers, where side-channel leakage can efficiently reveal the value of the fault that was injected in the cipher state.
Combined attacks in hardware security are challenging for various reasons. Firstly, they require a deep knowledge of both SCA and FIA attacks. Secondly, exploiting combined attacks requires finding new attack vectors that deviate from the existing ones associated with each technique. Thirdly, combined attacks need to be made synergistic to offer an attack efficiency and effectiveness that is superior to SCA/FIA alone. Based on the above recent findings, thrust 4 will investigate new combined attacks. Two representative examples of promising directions that will be explored in thrust 4 are:
• exploiting state-wise diffusion functions that are different from bit permutations, e.g. MDS matrices used in AES, or bit shifts used in SIMON and SPECK
• devising attacks that defeat combined SCA/FIA countermeasures
As a second representative example of new threat development, new attacks on Physically Unclonable Functions (PUFs) will be explored. PUFs have emerged as chip-specific digital fingerprints that exploit manufacturing imperfections, which cause physical differences from one sample to another [SD07]. The quality of a PUF is evaluated on three key metrics: uniformity, reliability and uniqueness [HYK10], [MGS11]. Several efficient PUF designs have been proposed which evaluate well on these metrics [SD07], [SV12], [KGM08], [MTV08], [SVV12], [YSI11], [TKX15], [XSA16], [KMY15], [SJ14]. However, as a building block of hardware intrinsic security, the security of PUFs has become a concern [RSS13], [GTS15], [GTS15b], [GTF16], [MKP08]. The two key security requirements are unpredictability and unclonability. Statistical and modeling attacks try to undermine these security properties. Recent PUF designs have exploited internal non-linearity in the PUF structure to resist such attacks [HMV12]. However, these only apply when the modeling is performed directly on challenge-response pairs. When modeling attacks are assisted by extra information, for instance from side-channel or fault injection, they were shown to be feasible [XB14], [DV14]. Although most assisted modeling has been performed only in simulation, a few experimental attacks have recently been shown [SPN17a]. Moreover, the practical application was just scratching the surface of a heap of exploits that could be possible with the latest attack techniques available. As an interesting implication, it was also recently shown that there is a strong link between reliability and the feasibility of modeling attacks [B15]. In fact, the most reliable PUFs have proved to be easy to model and break, thus challenging the fundamental definition and properties of PUFs in the context of hardware security. Exploring the resistance of state-of-the-art PUF designs [AZA15], [SSS16] and of the PUFs investigated in thrust 1 against modeling under side-channel and fault attacks is an open challenge, and will be pursued accordingly in thrust 4. In particular, security analysis of existing and new PUFs against statistical and modeling attacks will be performed with new machine learning approaches that target side-channel and fault attacks, as well as their combinations discussed above.
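As an added illustration (not part of the proposal), the script below computes the three PUF quality metrics named above, uniformity, reliability and uniqueness, on constructed response bits from three hypothetical chips; the metric definitions follow the usual Hamming-distance formulations and are an assumption of this example.

```python
# Added example (not from the proposal): computing the three PUF quality
# metrics, uniformity, reliability and uniqueness, from raw response bits.
# All responses below are constructed, not measured data.

def hamming_distance(a, b):
    """Number of bit positions in which two equal-length responses differ."""
    return sum(x != y for x, y in zip(a, b))

def uniformity(response):
    """Fraction of 1s in a single response; the ideal value is 0.5."""
    return response.count(1) / len(response)

def reliability(reference, reevaluations):
    """Reliability in %: 100 minus the average intra-chip Hamming distance
    (as a % of the response length) between the enrolled reference response
    and later re-evaluations of the same chip; the ideal value is 100."""
    n = len(reference)
    avg_hd = sum(hamming_distance(reference, r) for r in reevaluations) / len(reevaluations)
    return 100.0 * (1.0 - avg_hd / n)

def uniqueness(responses):
    """Uniqueness in %: average pairwise inter-chip Hamming distance between
    the responses of different chips to the same challenge; the ideal is 50."""
    n, k = len(responses[0]), len(responses)
    total = sum(hamming_distance(responses[i], responses[j])
                for i in range(k) for j in range(i + 1, k))
    return 100.0 * total / ((k * (k - 1) // 2) * n)

# Constructed 8-bit responses to one challenge from three chips; chip A was
# re-evaluated twice and one re-evaluation flips bit 5 (an unstable cell).
CHIP_A_REF = [1, 0, 1, 1, 0, 0, 1, 0]
CHIP_A_REEVAL = [[1, 0, 1, 1, 0, 0, 1, 0], [1, 0, 1, 1, 0, 1, 1, 0]]
CHIP_B = [0, 1, 1, 0, 1, 0, 0, 1]
CHIP_C = [0, 0, 1, 1, 1, 1, 0, 0]

def evaluate_puf():
    """Return (uniformity of chip A, reliability of chip A, uniqueness)."""
    return (uniformity(CHIP_A_REF),
            reliability(CHIP_A_REF, CHIP_A_REEVAL),
            uniqueness([CHIP_A_REF, CHIP_B, CHIP_C]))

if __name__ == "__main__":
    u, r, q = evaluate_puf()
    print(f"uniformity {u:.3f}, reliability {r:.2f}%, uniqueness {q:.2f}%")
```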
In particular, novel methods for profiling SCAs by adopting machine learning techniques to learn the dependency and the correlation between PLI and the processed data will be explored. The related research will have a double-sided impact: on one hand, it permits a better understanding of the information leakage and the side-channel attack potential, whereas on the other hand it also provides valuable information on how to increase the level of protection (e.g., by using the machine-learning power leveling approach discussed in thrust 1). Based on preliminary results, the three main objectives of machine learning-based side-channel attacks are as follows:
i. shorten the attack to break the secret key embedded in a smartphone by 5-10X
ii. eliminate the time-consuming pre-processing phase of power traces (i.e., trace filtering and alignment) of PLI before performing SCAs
iii. predict the future secret key by learning the pseudo-random generation patterns.
Since the SOCure architecture is based on PUFs as a hardware root of trust, it introduces intra-chip protocols to assure secure intra-chip communications and IP authentication (see thrust 2). Various PUF-based authentication protocols have been proposed to date [DSV14], [DPG15]. Recent studies have shown that almost all security protocols based on PUFs have evident vulnerabilities [B15a], [DV14a], [DV14b]. Accordingly, thrust 4 will also evaluate the security of PUFs as well as of the protocols based on them, to assure end-to-end security from primitives to systems.
Finally, security evaluation will also involve attacks leveraging chip reverse engineering and the specific capabilities of our team. Conventionally, reverse engineering consists of delayering a chip and capturing images at every single layer. Our team already has an in-house developed complete set of software tools to convert images into a detailed circuit netlist to facilitate attacks. Recently, new non-invasive technology for IC chip imaging using 3D X-ray has been developed, which requires much less invasive procedures, preserves the chip and is much faster compared to the conventional 2D approach. Leveraging the wide experience with 2D imaging, novel 3D image processing and analysis methodologies will be explored to study and interpret the 3D images captured through non-invasive techniques. The detailed objectives of this research direction are as follows:
i. re-construct the IC layout from 3D images
ii. identify the chip schematic from the layout
iii. extract the chip functionality from the schematic
Regarding the deliverables (see details in Section 5), thrust 3 pursues the analysis and the evaluation of the proposed techniques in both relative and absolute terms through a unitary framework. As a distinctive element, thrust 3 includes a preliminary security evaluation survey through an open call for proposals scheme, where proposals aim to identify and uncover new hardware-level vulnerabilities, threats and types of attacks through demonstration on state-of-the-art commercial chips. The call will be open to IHLs, RIs and companies in Singapore, and it will serve as a further source of valuable information on vulnerabilities and attacks that will be explicitly taken into account in the execution of the SOCure program, and hence incorporated in the framework developed in thrust 3. The security evaluation framework and capabilities developed in thrust 3 also leverage the unique software tools for pre-silicon evaluation shared by one of the industrial partners of SOCure [SIC], the post-silicon techniques offered by another industrial partner [SEM], and the attack setups and techniques available in three of the research groups led by the team members. These capabilities will be coordinated and further developed to perform the targeted attacks on the two stand-alone silicon demonstrators from thrust 1, the architectural attacks counteracted through architectural countermeasures in thrust 2, and the system demonstrator in thrust 4 focusing on their interaction. The output of all these activities will be a set of reports that present an extensive relative comparison of the proposed techniques and approaches, as well as a comparison with the state of the art. In absolute terms, the attack potential, the attack time/cost/resource increase, residual potential weaknesses and the tradeoff with power/performance/area will be quantified and publicly disseminated whenever appropriate.
In regard to the collaboration with RISE, the research relevant to thrust 3 will be devoted to a systematic analysis of
a) what energy-aware computing approaches are currently being deployed,
b) if/how they influence the leakage characteristics of a target device,
c) whether their behavior can be adversarially controlled.
This analysis will be translated into concrete attacks on one or more exemplar targets. For each target, a set of necessary and sufficient conditions that can inform energy- and security-aware co-design will be derived. This will include:
a) design rules that facilitate secure execution, and
b) techniques to implement (generic) countermeasures that are energy-aware.