Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Electrical Engineering

to server

advertisement 
Challenges for the
Logic Design of
Secure Embedded Systems
Patrick Schaumont, UCLA
Embedded Security Group (EMSEC) @ UCLA
Schaumont, IWLS 2005, 6/8/05
Acknowledgements
•
ThumbPod2 Design Team:
• Kris Tiri, David Hwang, Alireza Hodjat, Bo-Cheng Lai,
Shenglin Yang, Patrick Schaumont,
Ingrid Verbauwhede
•
Research Support:
•
•
•
•
•
•
NSF CCR 0310527, CCR 0098361
UC Micro
SRC 2003-HJ-1116
SUN
Panasonic
Atmel
Schaumont, IWLS 2005, 6/8/05
2
Secure Embedded Systems
Driver License
Access Control
Vehicle ID
Smart Card
Biometrics
Authentication
Electronic
Purse
Identification
e-Passport
Health Care
Electronic
Ticketing
Secure embedded systems face
specific risks. They are
1. more accessible
2. more resource-constrained
Schaumont, IWLS 2005, 6/8/05
Inventory
Keys
RFID
Tagging
3
Protecting the weakest link
1 proton torpedo in vent
Schaumont, IWLS 2005, 6/8/05
4
[http://www.obh.snafu.de/~madley/starwars/]
On a smaller scale: The X-Box case
To FPGA Board
Sniffer board
Northbridge
(with CPU)
Differential
HyperTransport Bus
Southbridge
(with secret boot rom)
Schaumont, IWLS 2005, 6/8/05
[by A. Huang, http://hackingthexbox.com/]
5
DPA Attack on ThumbPod
Current Probe
ThumbPod Chip
(with 128-bit AES
encryption unit)
WDDL
No full key
disclosure under
similar attack
Schaumont, IWLS 2005, 6/8/05
plain
Under DPA attack,
key disclosure
in 3 minutes
6
Overview
•
The ThumbPod
• Embedded Biometrics Authentication
•
•
Side-channel attacks on embedded systems
Systematic Design Methods for Security
• System Design Methods
• Logic Design Methods
•
Design Challenges for Secure Embedded
Systems
Schaumont, IWLS 2005, 6/8/05
7
The ThumbPod Project
ThumbPod
authenticated
communications
embedded
electronics
bank
fingerprint sensor
Schaumont, IWLS 2005, 6/8/05
8
ThumbPod Operation
1. Enrollment
template
(~30 minutia)
(x, y, angle)
minutia
extraction
2. Normal Use
rand
template
send rand
E
reply token'
User matches
stored template ?
token
=?
Schaumont, IWLS 2005, 6/8/05
9
Securing Thumbpod
Security
Abstraction Level
Security
Objective
Side-channel
attack
Protocol
Authenticated
communications
Man-in-the-middle,
Traffic analysis
Algorithm
Encryption/hashing
Known-plaintext,
Known-cryptext
Architecture
Functional integration
(SW)
Stack smashing
Micro-Architecture
Architecture integration
(HW)
Bus probing
Circuit
Implementation
Differential
Power Analysis
Schaumont, IWLS 2005, 6/8/05
10
Systematic Design Methods
•
System Level
• Partition for security: protect Root of Trust
–Root of Trust = A component that must behave as
expected, because misbehavior cannot be
detected (Trusted Computing Group)
–Root of Trust = The part of the design that can hurt
you ! (D. Gollmann)
• Example to discuss - Secure biometrics in TP2
•
Logic Level
• How to create protection at the lowest abstraction
level ?
• Example to discuss - Protection of digital logic
against Differential-Power Analysis
Schaumont, IWLS 2005, 6/8/05
11
Partitioning the ThumbPod
(insecure) ThumbPod-2 Client
Minutiae
Extraction
Matching
Algorithm
Template
Accept
Root-of-Trust
Master
Key
Server
(considered secure)
rand
Reject
Load
Master
Load
Bogus
Master
Key
key
Crypto
plain
plain
Crypto
Session Key Sk
payload
Schaumont, IWLS 2005, 6/8/05
Crypto
crypt
Crypto
payload
12
Partitioning the ThumbPod
ThumbPod-2 Client
Architecture-Level
Secure Partition
Minutiae
Extraction
Accept
Master
Key
Server
Matching
Algorithm
Template
rand
Reject
Load
Master
Load
Bogus
Master
Key
key
plain
Crypto
plain
Crypto
Session Key Sk
payload
Schaumont, IWLS 2005, 6/8/05
Crypto
crypt
Crypto
payload
13
UART
to server
UART
ThumbPod-2 Client Microarchitecture
to sensor
Secure Circuit Style
AMBA
RAM/
FLASH
Bridge
LEON-2
Processor
Crypto Module
In
Port
Chip
Command
Interface
Out
Port
Master Key
Oracle
Template
Matching
Algorithm
Schaumont, IWLS 2005, 6/8/05
14
Secure matching of Minutiae
Input
Template
(secure)
not ok
ok
Untrusted Software
for each input minutia pair I:
for each template minutia pair T:
if (I ~ T)
matching_count++;
Secure Circuit Style
if (matching_count > N) then match = true;
else match = false;
Schaumont, IWLS 2005, 6/8/05
15
HW/SW Partitions for secure matching
main
oracle
secure_initialize( );
extract I
for each input minutia pair I:
for each template pair T
secure_compare( I );
secure
instruction
set
if (secure_match( ))
then match = true;
else match = false;
secure_initialize( ) {
matching_count = 0;
}
secure_compare( I ) {
if (I == T)
matching_count++;
}
secure_match( ) {
if (matching_count > N)
then return true;
else return false;
}
Template
C
secure_initialize( )
secure_compare( )
secure_match( )
software
driver
Schaumont, IWLS 2005, 6/8/05
Template
hardware
oracle
16
System-level Security Partitioning
root-of-trust
Client
Server
Architecture-level
attacks
Protocol/Algorithm-level
validation
Matching &
Crypto
SW
Noncritical
software
Architecture-level
validation
Software
driver
Microarchitecture-level
attacks
Matching &
Crypto
HW
Microarchitecture-level
validation
How to protect circuits from side-channels ?
Schaumont, IWLS 2005, 6/8/05
Circuit-level
attacks
DPA-resistant
HW
17
IBM 4758 Secure Coprocessor
backup
batteries
shield with
tamper-sensors
Schaumont, IWLS 2005, 6/8/05
18
Differential Power Analysis Attacks
Icc(t)
KEY
Vcc
DIN
DOUT
AES
Vdd
Round 11
(1/16 datapath)
• Use DOUT and measured Icc(t) to find KEY
• Attack by correlating measurement and estimate
KEY
DIN
K11
SUB
RB
D11
SHIFT
ROW
MIX
COLUMN
XOR
RC
DOUT
(8 bits)
RC
DOUT
(8 bits)
C11
Predict transition RB
D11 to C11
Round 11+1
KEY
DIN
SUB
RB
C11
Schaumont, IWLS 2005, 6/8/05
SHIFT
ROW
MIX
COLUMN
XOR
C11
19
Example Power Measurement
Start Signal
11 clock cycles
Current Probe
Output
Start Encryption
Schaumont, IWLS 2005, 6/8/05
Store
Peak Value
of last cycle
20
Differential Analysis Phase
Actual
Measurement P
1
2
3
4
5
N
P1
P2
P3
P4
P5
...
C
•
•
•
Est.
P KEY=Ki
E1
E2
E3
E4
E5
...
= S Pi Ei
Ki N
Standard-cell AES is attacked in 3 minutes
• 2128 problem converted into 16 * 28 problem
Attack strength increases with number of measurements
Measurement timing requires a priori knowledge on
•
•
crypto algorithm: cipher operation mode
crypto architecture: operation mapping & scheduling
Schaumont, IWLS 2005, 6/8/05
21
Fighting DPA with constant-power circuits
The problem:
Dynamic power consumption is asymmetrical and dependent on data
Vcc
Vdd
Vcc
Vdd
Vdd
Vdd
The solution:
•
Consume the same current for all input patterns
•
Differential Logic:
•
•
•
Use dual rail logic implementation
Makes '0' the same as '1' (hamming-weight independent)
Dynamic Logic:
•
•
Use pre-charge phase and evaluate phase
Makes '0->0' the same as '0->1', '1->1', '1->0'
(hamming-distance independent)
Schaumont, IWLS 2005, 6/8/05
22
Wave Dynamic Differential Logic
pre
WDDL INPUT
eval
pre
eval
A
WDDL AND
B
A
B
A
B
Q
A
B
Q
Q
Q
clk
pre-charge
clk
A=1
B=0
A=1
B=1
Always a single output transition
evaluate
Schaumont, IWLS 2005, 6/8/05
23
WDDL Library of 128 cells
WDDL AND
WDDL AOI221X2
AOI221X1 INVX2
WDDL OR
OAI221X1
WDDL register
INVX2
clk
Schaumont, IWLS 2005, 6/8/05
24
Matching interconnect capacitance
WDDL AND
WDDL OR
A
B
A
B
Total
capacitance
Output
capacitance
Wiring
capacitance
Input
capacitance
(Cell design)
(Cell design)
Routing
Parallel tracks
for constants
mutual C
Schaumont, IWLS 2005, 6/8/05
Identical
crosstalk cap
Equal via's,
segment lengths, ..
for constant R
Mismatch causes
2nd order effects !
25
Differential Routing Technique
•
•
•
Gridless routers do no scale well to complex netlists
Gridded routers avoid parallel routing
Enhanced gridded router with 'fat-wire' transformation
technique produces accurate matching
Schaumont, IWLS 2005, 6/8/05
26
UART
LEON-2
Processor
AMBA
In
Port
RAM/
FLASH
Schaumont, IWLS 2005, 6/8/05
Bridge
to server
UART
ThumbPod-2 Secure Coprocessor
Out
Port
to sensor
WDDL
oracle
+ AES
+ template
direct
27
UART
LEON-2
Processor
AMBA
In
Port
RAM/
FLASH
Bridge
to server
UART
DPA on ThumbPod-2
Out
Port
to sensor
Measurements to
disclosure
WDDL
direct
min
21,185
320
mean 255,391
2,133
max 1,276,186
8,168
(11 key bytes from 16
are disclosed)
Schaumont, IWLS 2005, 6/8/05
28
UART
LEON-2
Processor
AMBA
In
Port
RAM/
FLASH
Bridge
to server
UART
DPA on ThumbPod-2
Out
Port
to sensor
Cost
Area 3X
Power 4X
6 sq.mm
600 Kgate
Schaumont, IWLS 2005, 6/8/05
2 sq.mm
200 Kgate
29
Challenges for secure system design
•
System level:
•
•
•
Trusted computing aims to support protected capabilities,
integrity measurement, integrity reporting.
http://www.trustedcomputinggroup.org
'Trusted computing' covers only the general case,
application-specific solutions are still needed
Tool support (for Thumbpod-type of designs)
– Make security and trust 'measurable' as a quality of
individual bits & operations on these bits (modeling issue)
– Partition algorithms in secure/non-secure parts: measure
information spread in the algorithm
– Transform secure part to minimize complexity
– Validate & verify security protocol and protocol faults
Schaumont, IWLS 2005, 6/8/05
30
Challenges for secure system design
•
Logic level:
•
•
•
•
Two approaches to make DPA hard:
– Make measurements harder (random power variations etc):
risky .. better to remove a side channel instead of
obfuscating it
– Make estimates harder: has algorithmic impact
Key issue in WDDL is to maintain symmetry.
– Other technologies (e.g. FPGA) ? Other concepts (RAM) ?
Masking requires glitch-free implementation and is expensive:
how to solve this ? (Mangard et al, RSA 2004)
qa
a
Tools:
q
b
– Accurate estimation (Power, Cap)
qb
qq
WDDL is 'perfect' according to tools,
but imperfect in real life ...
Corollary: Measurement is the best estimation
Schaumont, IWLS 2005, 6/8/05
31
Challenges for secure system design
•
Circuit level:
•
•
•
•
Reduce area/power overhead of secure implementation
Differential routing techniques for DPA resistance
Uniqueness (cfr Physically Unclonable Functions, PUF)
for key-pair generation, tagging applications
Additional notes
•
Embedded Security is a big opportunity for hardware and logic
•
Hardware offers qualities that software has lost (viruses etc)
– Besides performance, offers assured and constant-time behavior
– Recent attack on hyper-threaded processors clarifies the issue for
software
•
But for Big Time Secure Hardware
– need modeling & design support for the complete security pyramid
(protocol, algorithm, ..., circuit)
– need to recognize the weakest link principle:
look at the complete system and at multiple abstraction levels
Schaumont, IWLS 2005, 6/8/05
32
References
•
ThumbPod Project
•
•
Security Partitioning
•
•
P. Schaumont, I. Verbauwhede, "Domain specific codesign for
embedded security," IEEE Computer, April 2003.
WDDL
•
•
D. Hwang, I. Verbauwhede, "Design of Portable Biometric
Authenticators—Energy, Performance, and Security Tradeoffs", IEEE
Trans. Consumer Electronics, November 2004.
Embedded Security & Codesign
•
•
http://www.emsec.ee.ucla.edu/thumbpod
K. Tiri and I. Verbauwhede, "A logic level design methodology for a
secure DPA resistant ASIC or FPGA implementation," DATE 2004.
Measurement is the best estimation
•
K. Tiri and I. Verbauwhede, "Simulation Models for Side-Channel
Information Leaks", DAC 2005 (Session 14.2)
Schaumont, IWLS 2005, 6/8/05
33
Related documents
Project Analysis Form
Project Analysis Form
Sample PPT Template
Sample PPT Template
Week Seven Assignment Three: Cost Benefit Analysis (Due on Day
Week Seven Assignment Three: Cost Benefit Analysis (Due on Day
Download
advertisement