Research Programme in Assuring Hardware Security by Design in Systems on Chip


Research thrusts


Thrust 1 is focused on establishing a solid ground for the architectural investigation in thrust 2, establishing the trusted computing base (TCB) of physically secure primitives and the root of trust, and protection techniques to counteract physical attacks to the TCB and other attacks leveraging hardware vulnerabilities (e.g., Trojans in IPs, side-channel attacks on IPs and memories).

Thrust 1 will leverage the unique expertise and capabilities of the SOCure team, spanning from secure primitives to physical countermeasures. Among the others, our team members lead the current state of the art in lightweight and low-energy crypto-engines (e.g., AES core with sub-pJ/bit and lowest energy reported to date [ZHA15]), and lightweight Physically Unclonable Functions [AZA16], [JYO17], with the recent demonstration of the first PUF that can is designed in a fully automated manner [TAS17].

Team members have also developed interesting internal capabilities that are currently unavailable on the market, such as a Hierarchy Extractor to analyze the functionality from a flattened gate-level and transistor-level netlist of digital ASIC based on simulation traces, including signal monitoring and observation technique, dynamic specification mining technique and result examples [HE17]. Also, the same group has recently developed an approach(Secure-X) to counteract side-channel attacks with low overhead and high security (unpublished, currently under patent filing). An industrial partner is a worldwide leader in chip imaging and probing for failure and reliability analysis purposes [SEM]. Another industrial partner is a leading company in the field of pre- and post-silicon security evaluation [SIC]. Other industrial partners as silicon manufacturers and design companiesare currently on the process of joining our team. Our international partners from Israel are world-renowned experts in SoC design, side-channel attacks and counteraction techniques [FIS], [KER]. 

As fundamental basis for the SOCure architecture, a root of trust is needed for each IP to define a different shared secret to encrypt its incoming and outgoing data, and hence enforce strict isolation between IPs. This requires the local generation of a separate key for each IP, preliminary secure key exchange and IP authentication. In turn, this demands the generation of IP-unique ID that cannot be sniffed or tampered with, which excludes the adoption of conventional memories, as they are well known to be vulnerable to a wide range of attacks [KK99]. For example, ROMs are easily reverse-engineered, as the presence of vias on a bitcell indicates the presence or the absence of a transistor at a given address, or through chemical etching when the ROM is programmed via ion implantation. E-fuses are even easier to reverse-engineer via visual optical/SEM inspection or photoemission imaging [T08]. Antifuses can be reverse-engineered via chemical enhancement and Atomic Force Probing Analysis (although slow), photoemission[MSC06], or SEM voltage contrast [Z09], [R02]. Flash memory is also easily readable with SEM for technologies like 0.18μm or older (and in principle Atomic Force Microscope, although very slowly), or via electrical probing.

A fundamentally more secure approach to generate on-chip ID and enable secure authentication is the adoption of Physically Unclonable Function-based ID. As each IP needs an individual PUF, innovation is required to make PUFs ultra-lightweight and easy to design. The first requirement demands the exploration of novel circuit approaches that drastically mitigate the usage of power/area-hungry Error Correcting Codes (ECC), and hence have an order of magnitude better intrinsic stability compared to the PUF state of the art [AZA16]. The second requirement about PUF ease of design translates into the need for PUF architectures that can be designed automatically, which has been recently demonstrated to be feasible by one of our team members [TAS17]. Unfortunately, PUFs generally lack tamper evidence, as fundamental drawback that limits its applicability to secure key generators [NSH13], [TCS06], [PR02]. Hence, novel PUFs with tamper evidence are neededto raise the PUF to the security standards that are required in secure key generation.

In SOCure, innovative lightweight, natively stable and automatically designed PUFswill be investigated to enable their seamless integration as root of trust in the architecture described in thrust 2. Although often ignored in the literature, there is actually a direct relationship between the area/energy penalty of PUFs and their native stability, since the PUF invariably needs to be followed by an Error Correction Code (ECC) block that fixes its unstable bits. The area and the energy is always dominated by the ECC (instead of the PUF), hence lightweight PUFs (inclusive of ECC) need to have adequate native stability, so that the ECC needs to correct only a few bits, and it can hence be made lightweight. As an example, a PUF as in [TAS17] with 256-bit wordlength and a BCH module as ECC adds an area and energy of 350-500 equivalent PUF bitcells, every time an additional unstable bit is added. In other words, the area/energy ECC cost of each additional unstable bit is enormous compared to the PUF itself. Also, the absolute area (energy) cost of a BCH ECC for a typical 10% instability is in the order of 10-20kgates (20 pJ/bit), which is clearly unaffordable when a separate PUF is needed for each IP (its complexity is comparable to a complete ARM Cortex-M0 microcontroller). For this reason, novel PUFs with strong native stability (deep sub-1%) are investigated in SOCure to enable lightweight root of trust. This objective will be pursued by eliminating the large worst-case design margin that is adopted in conventional PUF designs, which covers the worst case process corner, voltage, temperature, on-chip noise and aging factor (see Fig. 9). Actually, it is extremely unlikely that all such worst-case corners will take place at the same time in the same chip, hence the actual instability is much smaller than the worst-case value. Accordingly, novel PUFs able to quantify the design margin and the actual instability at run timewill be explored. The margin and instability will be quantified by measuring the process, voltage and temperature corner with circuits that can sense the corresponding corner. The impact of noise on run-time instability will be instead quantified by embedding low-cost in-situ instability monitors within the PUF bitcells (e.g., current-mode transition detectors). These pieces of information represent features associated with the actual margin and instability, which are inputted to a machine learning engine (e.g., simple decision tree) that estimates the correct number of bits to be stabilized, instead of over-designing the ECC for the worst case.

In SOCure, several uncommon properties of PUFs will be explored to enable unprecedented capabilities that are prohibited by other more conventional ways to store keys (e.g., Flash memory). In particular, in secure SoCs the Flash memory can be erased if chip intrusion is sensed, by simply overwriting the confidential data stored in the memory.However, the attacker can always tamper the chip and promptly disable the supply (or the charge pump employed for write) to preserve the memory contents even if the anti-tampering sensors capture the intrusion, to successfully complete the attack. The attacker can easily stop the erasure since Flash memories require write energy in the order of 1 nJ/bit, which is too large to be stored on chip, and hence needs to come from the external supply. On the other hand, the content of a PUF can be erased or destroyed with an energy in the order of fJ/bit (e.g., developing an on-chip over-voltage through a simple voltage doubler that destroys the oxide of the PUF transistors). Since this energy is about one million times smaller than Flash, it can be stored on chip with small on-chip capacitors with a size in the order of a few μm. This suggests that PUFs can be enhanced with the self-erasure capability by simply storing energy in on-chip capacitors before operating the PUF(see Fig. 10). Then, if an intrusion is sensed, the voltage across on-chip capacitors is used to destroy PUF transistors locally, and complete the erasure even if the attacker disconnects the supply meanwhile (since the energy is pre-acquired on chip). This novel self-erasure property has interesting implications at the application level, as it enables both tamper evidence and remote attestation, as the key integrity provides a proof to a trusted entity of physical integrity of an SoC. These properties are generally prohibited in conventional PUFs, and extend their usage for key generation.

The same above principle to erase PUFs will also be explored to create the novel class of one-time readable PUFs, whose content can be read from the outside only once. This capability solves another limitation of existing PUFs, whose keys need to be read through the chip test port and stored in a secure server before being deployed. The problem lies in the fact that the key can be actually read multiple times by all the players from manufacturing to distribution, which makes PUF keys potentially known to several parties (e.g., assembly, testing house). In other words, conventional PUFs are not able to certify whether they have been illegitimately read previously. In SOCure, the connection of the PUF bitcells to the test port will be automatically blown up after the first PUF read, using circuit techniques that are similar to the above self-erasing PUFs. The self-erasure of the connection to the test port permits to avoid PUF key sniffing during the lifetime of the devices, and to interestingly add read evidence to verify that other players in the supply chain have not tried to maliciously access the PUF. Distributed connections to the test port will be considered to multiply the number of access points that are blown up, in order to make FIB circuit edit unfeasible even if the attacker aims to bypass the disconnection.

As discussed in thrust 2, PUFs will be embedded as building block of trusted routers in the NoC. From a design perspective, this translates into the requirement of low design effort and easy embed-ability of PUFs into digital designs, which can be achieved by enabling fully automated design of PUFs by means of standard cell-based digital design flows. Our team has recently shown the feasibility of automatic design of a specific PUF for the first time [TAS17]. In SOCure, this capability will be systematically explored to design, place and route PUFs along with other digital blocks, achieving immersed-in-logic key generation (see Fig. 11). Among the various advantages, this enables PUF obfuscation within standard-cell designs, as opposed to conventional PUFs that are physically separate on-chip entities, and are hence an easy target for attackers. At further benefit, their design is sped up from months (typical of conventional PUFs) to a day, as was observed in [TAS17].

From the point of view of physical chip security, SOCure aims to introduce innovation to counteract physical attacks, from non-invasive, to semi-invasive and invasive attacks. A wide range of novel techniques will be introduced for truly dense on-chip sensorizationof SoCs, as opposed to conventional approaches that introduce sparse light and laser sensors and can be easily circumvented through imaging or floorplan knowledge. In particular, lightweight laser sensors will be investigated for integration within each standard cell, for ubiquitous detection of laser probing and fault injection attempts. In detail, each standard cell will be equipped with a few properly connected additional sensing transistors that share their diffusions with the transistors implementing the cell, and generate a current when exposed to laser. The output currents of several cells are aggregated hierarchically in current-merging cells that are placed and routed in a fully automated manner, to generate signals that detect intrusion. Interestingly, such hierarchical sensor organization permits to detect both the intrusion and its spatial location, which allows focused and prioritized response depending on which modules are being attacked. Being a largely unaddressed threat, other strategies to counteract laser probing will be explored to achieve a different tradeoff between physical security and area/energy overhead. In particular, in-situ gate-level clock jittering will be explored for the first time to degrade the signal-to-noise ratio of laser probing techniques, and hence quadratically increase the number of averaged acquisitions needed to detect a targeted signal [R11]. Preliminary estimates indicate that 10% jitter (and hence 10% performance degradation) degrades the SNR by 10X, which hence increases the attack effort by two orders of magnitude. In-situ gate-level clock jittering will be introduced with fully automated methodologies that can be integrated in digital design flows, based on the insertion of special standard cells with adjustable pseudo-random delay

In addition to dense sensorization, invasive and semi-invasive physical attacks will be counteracted by introducing true spatial randomizationof critical functions, introducing a new level of obfuscation beyond the traditional concept of (deterministic) scrambling. This is achieved by using the above immersed-in-logic PUFs to randomly steer and reorder randomized signals (e.g., through PUF bitcell-based multiplexing). This drastically increases the physical attack complexity, as the localization of a targeted signal requires the physical attack of a large number of spatial location. As representative example of spatial randomization, we will explore the concept of PUF-decoded PUF, where the data PUF address is in turn generated by a content addressable memory (CAM) coupled with another address-associative PUF. This permits to associate an input address to an unpredictable intermediate address that then drives the data PUF, thus making the location of each bitcell unpredictable. The attacker needs to attack a large portion of the PUF (on average half of it), before being able to read a single PUF word, increasing the attack effort and cost substantially compared to the attack of a single well-localized word.

Once laser probing is counteracted, the next most immediate physical threat becomes electrical probing and FIB circuit edit. Traditionally, electrical probing is counteracted by introducing passive and active shielding on top of the chip, using the top metal layers to detect intrusion [LT03], [CDG14], [BCC12]. Passive shielding is well known to be easy to circumvent through FIB circuit edit, as long as the wire replacement has physical properties (e.g., resistance, capacitance) that are not too far from the original properties [CDG14], [SHL], [BCD12]. Active shielding based on the chip side-to-side transmission of encrypted data currently offers the highest degree of security against intrusion from the chip frontside[BR05], [INV], [JE10]. However, a given area can always be penetrated by bypassing the shield wire(s) running onto it by creating a wire detour on top of the external passivation layer (e.g., with RDL layer), so that no interruption is experienced by the shield and hence no intrusion is detected. As innovative research direction, SOCure will investigate the new class of proactive shields, where the top metal layers are used to generate chip-specific keys that are defined by the manufacturing tolerances of these layers (essentially, another PUF). Then, this key is mixed (e.g., XORed) with the keys generated by the more conventional transistor-based PUFs to create the root of trust. In other words, the random variations of shield parasitics are exploited as unique signature of the chip, and they are used as information to be checked at every chip boot to detect circuit edits and intrusions, instead of using other information (e.g., encrypted data) that can always be recreated in a deterministic manner. As interesting implication, the co-generation of keys through the proactive shield and the underlying PUFs leads to a permanent corruption of the keyswhen intrusion form the frontside takes place. This makes the attack pointless, and can also be used as tamper evidence and for remote attestation (i.e., the user can remotely check if the chip has been intruded). Among the other routing options, MOM capacitors will be considered as intrusion sensors, as they are generally laid out automatically in most of commercial design kits. As another interesting implication and advantage over state-of-the-art active shields, the proposed proactive shields do not transmit any ciphertext or plaintext, hence side-channel attacks are completely ineffective and no protection is needed against them.

As opposed to frontside probing, backside electrical probing through FIB circuit edit is broadly acknowledged to be a largely unaddressed threat[CDG14], [HNT13], even when the chip is not thinned down [RHS08]. Accordingly, novel approaches will be introduced in SOCure to counteract backside electrical probing. As first research direction, some unexplored properties of FDSOI will be investigated to create a backside shield. In particular, the FDSOI technology (also manufactured by one of the industrial partners of SOCure) has the unique feature that the diffusion of transistors are not directly accessible from the bulk, due to the presence of the buried oxide layer [PWB12]. In other words, transistors cannot be contacted through backside FIB, leaving the lower metal layers as only option for electrical probing. As unique approach in SOCure, probing of lower metal layers will be prevented by using lower metal layers (e.g., metal 1) as a shield, whereas every transistor is vertically connected to the upper metal layers for routing. This permits to shield the chip from the backside, apply all existing types of frontside protection techniques, and ultimately providing a cohesive solution to the problem of protecting the back side from electrical probing. 

Regarding non-invasive attacks, novel solutions will be explored to counteract side-channel attacks at low area/energy overhead, in line with the general goal of SOCure. Indeed, typical solutions to counteract side-channel attacks introduce at least 3X penalty in terms of area and power consumption. Side Channel Attacks (SCA) have been widely employed to expose confidential information (i.e., secret keys) of cryptographic algorithm implementations by correlating the Physical Leakage Information (PLI) and the data processed on chip (e.g., correlation-based attacks). Examples of PLIs are the power consumption, Electromagnetic (EM) emissions, timing and sound generated during the encryption process. Several correlation-based attacks have been demonstrated in the last two decades, including Correlation Power Analysis (CPA) and Correlation Electromagnetic Analysis (CEMA). To protect against SCA, different countermeasure techniques have been proposed to break the dependency between PLI and processed data and hence prevent SCAs. The countermeasure techniques are usually based on software and/or hardware approaches, which are generally known as masking and hiding. Hiding countermeasure techniques are either vertical (V-hiding) or horizontal hiding (H-hiding). In SOCure, dual-hiding countermeasures (V-hiding in amplitude domain and H-hiding in time domain) will be introduced to achieve higher level of security chip against SCAs. The two main objectives of the proposed countermeasures are:
i. to equalize the power dissipation and randomize the time occurrences of information-sensitive events, protecting the secret key against power and EM attacks up to 10M measurements traces
ii. to demonstrate reconfigurable mode in such a way that the V-hiding and H-hiding can be activated either individually to reduce overhead, or simultaneously to protect against multi-channels attacks (e.g., power and EM).

As second novel research direction to counteract side-channel attacks at low overhead,on-chip machine-learning power modelling approaches will be investigated to estimate the power consumption of information-sensitive parts of the chip at run time, and compensate its variations to again prohibit the malicious key extraction from power measurements. The proposed machine-learning based power flattening has various interesting intrinsic properties that differentiate it from existing hiding and masking techniques. 

Firstly, the proposed approach aims to flatten only the (generally small) power contribution that is related to the information under attack, while preserving the variations of the remaining (dominant) power. In other words, the additional power required to flatten the sensitive part is typically only a small fraction of the overall power, thus keeping the power overhead at a minimum compared to existing hiding techniques that indiscriminately flatten and increase all power contributions. Secondly, the on-chip power flattener can be reconfigured to protect different parts of the chip, depending on which block is processing the sensitive data (in neural networks, reconfiguration translates into changing only the network weights, not the network itself). This enables the reuse of the same power flattening circuit to protect several areas of the chip, thus reducing the area overhead. Thirdly, the on-chip machine learning algorithm for power flattening can be dynamically changed to achieve different accuracies at different power penalty, depending on the targeted level of security. In other words, this approach enables the unprecedented property of having dynamically scalable security-power tradeoff. As further novel approach to counteract power analysis attacks, "intra-cycle power encryption" will be explored. In this approach, the randomization of the power profile is achieve through data-dependent delays. This approach is also expected to be effective against EM attacks, which will be investigated in this thrust. 

As another fundamental threat associated with earlier phases in the lifecycle of chips, vulnerabilities can be created if hardware Trojans are inserted during design or fabrication.In SOCure, Trojan detection will be pursued through novel techniques to extract fine-graintiming signatures at run time, to increase the sensitivity to Trojans by orders of magnitude compared to conventional path delay fingerprinting and other coarse-grain approaches [JM08], [ZHT12], [BT18], [TK10]. This will be enabled by exploring for the first time the adoption of in-situ timing sensors to detect the presence of unintended and malicious logic, leveraging on the fact that additional circuitry invariably modifies timing. Interestingly, timing sensors are traditionally used to enhance the robustness against process/voltage/temperature variations, and are here retooled in a completely different context, to enable Trojan detection. The above mentioned timing sensors also introduce a new lever to counteract fault attacks and FIB circuit edit (especially from the chip back side). Indeed, timing sensors interestingly enable the locationing of timing violations at run- time (as opposed to prior techniques), hence identifying where timing faults are occurring due to VDD/clock pulsing and heating, and enabling more focused reaction.

Regarding the deliverables (see details in Section 5), thrust 1 will be validated through the experimental characterization of two testchips that include the fundamental blocks described above (i.e., PUFs with lightweight ECC/automated design/single-read/tamper evidence/margin-aware/self-erasing, dense intrusion sensors, core with in-situ gate-level clock jittering and spatial randomization, proactive shields, back-side shielding, core with side-channel counteraction at gate level and power flattening). The first testchip (1st silicon round) will allow a first-cut analysis and validation of the proposed techniques, the quantification of the overheads and the benefits, and the identification of the residual vulnerabilities and weaknesses. The second testchip (2nd silicon round) will allow the demonstration of stand-alone techniques in their refined version, based on the results obtained from the first testchip and the outcome of the related hardware attacks. The results obtained in these two testchips will serve as an invaluable feedback in the final demonstrator, which is delivered in thrust 4.

Regarding the collaboration with RISE, the research relevant to this thrust will be focused on intrinsic processor-based PUF design (“software PUFs”). Novel software PUF designs will be investigated and will focus initially on three main areas: timing (in the context of Frequency Failure Point analysis and phase locked loop (PLL)/clock units to over-clock dedicated multiplier or divider circuits to generate an incorrect response; analog to digital converters (ADCs), as these have been explored for MCU-based RNGs; and interrupts (the asynchronous nature of the interrupt pathway means it may also be suited to the generation of a PUF response. The potential benefit of multi-cycle PUF designs to consider whether entropy can be accumulated to generate a PUF response will also be investigated.

In regard to the collaboration with Technion, the scope of the joint research is centered around memristors for hardware security. Two different lines of research will be jointly undertaken in this collaboration. The first line of research will be focused on the design of security primitive using ReRAM, such as authentication primitives (Hash functions), encryption primitives (block/stream ciphers), Physically Unclonable Functions (PUFs), True Random Number Generator (TRNG), general-purpose in-memory computing blocks and benchmarking for the improvement of memory bandwidth. The second line of research will be devoted to the study of vulnerabilities of ReRAM-based circuits, including the identification of classical information leakage sources, study of lightweight countermeasures for the side-channels, analysis of Hardware Trojan Horse (HTH) based on ReRAM.