Credentials & Capabilities

Securing the core root of trust
(research in secure hardware design and test)
Ramesh Karri (rkarri@duke.poly.edu)
ECE Department
Who can attack your system?
• Hobby (class I)
• Obsession (class II)
• Job (class III)
D. Abraham, G. Dolan, G. Double, and J. Stevens. Transaction Security System. IBM
Systems Journal 30(2): 206-229, 1991.
How can your system be compromised?
• Application software
• Protocols
• Operating system software
Is the problem worth my time?
Source: http://www.uscc.gov/annual_report/2008/annual_report_full_09.pdf, page 168
US-China economic and security review commission hearing on China's proliferation practices and
the development of its cyber and space warfare capabilities, testimony of Col. Gary McAlum.
How can your system be protected?
• Fix applications
• Fix protocols
• Fix operating systems
This assumes that…
“the core root of trust” is secure
But…
“the core root of trust” is secure
Outline
1. threat models
2. defenses
3. conclusions
Threat models for hardware
• Side channels
• Power dissipation
• Timing variation
• Test infrastructure
• Faults
• interactions between side channels
• Cloning
• Overbuilding
• Reverse Engineering
• Trojans
An example: test infrastructure side channel
Data Encryption Standard (DES)
[Figure: DES datapath block diagram. Blocks: Input_Reg, Initial Permutation, MUX (×2), L_Reg, R_Reg, Expansion, S-box, Permutation, Key Reg, Round key ROM, Control, Reverse Permutation, Output_Reg. Signals: Li, Ri, Li+1, Ri+1, round key Ki, sel, en, addr.]
DES layout
test infrastructure
• scan chain
• test data input, TDI
• test data output, TDO
• test clock, TCK
• test mode select, TMS
• test reset
chain all flip flops in a design
attack step 1
identify critical registers
[Figure: DES datapath block diagram. Blocks: Input_Reg, Initial Permutation, MUX (×2), L_Reg, R_Reg, Key Reg, Round key ROM, Control, Reverse Permutation, Output_Reg.]
attack step 2
apply selected inputs
• 3 plain texts
• 2 clock cycles in normal mode (plaintext reaches R, L)
• 198 clock cycles in test mode (R0, L0 scanned out)
• 1 clock cycle in normal mode (plaintext reaches R, L)
• 198 clock cycles in test mode (R1, L1 scanned out)
• 399×3=1197 clock cycles
• Can leak secrets from DES, AES etc
• >80 % of all ASICs use scan chains for test/debug
• Readback/test infrastructure in FPGAs
• Load configuration stream
• Read-out bitstream for debug
A fix: secure scan
[Figure: secure scan state diagram. Labels: Power off, Insecure, Secure, test, normal.]
Secure scan
[Figure: secure scan state diagram. Labels: Power off, Insecure, Secure, test, normal.]
Standards compliant
3rd Prize, 2008-2009 IEEE TTTC PhD dissertation contest
Hardware threat models
• Side channels
• Power dissipation
• Timing variation
• Test infrastructure
• Faults
• interactions between side channels
• Cloning
• Overbuilding
• Reverse Engineering
• Trojans
Background: IC design process
[Figure: IC design flow diagram.]
D: Design, F: Fabrication, T: Test, U: User
Reverse engineering
[Figure: IC design flow diagram, annotated "Rev. engineering".]
D: Design, F: Fabrication, T: Test, U: User
3500 counterfeit Cisco networking components recovered
• estimated retail value ~ $3.5 million
Cloning
[Figure: IC design flow diagram, annotated "cloning".]
D: Design, F: Fabrication, T: Test, U: User
Hardware Trojans
[Figure: IC design flow diagram, annotated "Trojans".]
D: Design, F: Fabrication, T: Test, U: User
The kill switch?
IEEE Spectrum, 2008
Only 2% of ~$3.5 billion of DoD ICs manufactured in trusted foundries!!!
Taxonomy of trojans
Trojan challenge
Leak AES key
40 registrations, 10 finalists, 3 winners, 2 honorable mentions
http://isis.poly.edu/csaw/embedded
Trojans in the development cycle
Trojans at different abstractions
Location of the inserted trojans
Where are the trojans inserted?
Next steps
• develop defenses
• investigate effectiveness
• developing benchmarks
• metrics?
Physically unclonable functions
• Uses physical structure of a device to give a unique response
• Used as device IDs
• The ring oscillator frequency varies with process variations.
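A simulated ring-oscillator PUF illustrating the bullets above, as an added example that is not from the original slides. It assumes the ID is derived by comparing frequency-counter readings of disjoint oscillator pairs; the oscillator count, nominal frequency, variation and noise figures are constructed values.

```python
import random

N_RO = 128             # ring oscillators per chip -> 64 ID bits (assumed)
NOMINAL_HZ = 200e6     # nominal oscillator frequency (assumed)
PROCESS_SIGMA = 0.01   # chip-specific spread fixed at fabrication (assumed 1%)
NOISE_SIGMA = 0.0002   # per-measurement jitter/temperature noise (assumed 0.02%)
GATE_S = 1e-3          # frequency-counter gate window in seconds (assumed)


def fabricate(seed):
    """Process variation: each oscillator gets its own fixed frequency."""
    rng = random.Random(seed)
    return [NOMINAL_HZ * (1 + rng.gauss(0, PROCESS_SIGMA)) for _ in range(N_RO)]


def measure(chip, rng):
    """Frequency counter: cycles counted per oscillator in one gate window."""
    return [int(f * (1 + rng.gauss(0, NOISE_SIGMA)) * GATE_S) for f in chip]


def device_id(counts):
    """One bit per disjoint oscillator pair: 1 if the first ran faster."""
    return [int(counts[i] > counts[i + 1]) for i in range(0, len(counts) - 1, 2)]


def hamming(a, b):
    """Number of bit positions in which two IDs differ."""
    return sum(x != y for x, y in zip(a, b))


def evaluate(n_chips=8, n_reads=5, seed=2008):
    """Return (worst same-chip distance, closest different-chip distance)."""
    rng = random.Random(seed)
    chips = [fabricate(seed + 1 + k) for k in range(n_chips)]
    enrolled = [device_id(measure(c, rng)) for c in chips]
    # Re-read every chip several times and compare with its enrolled ID.
    intra = max(hamming(enrolled[k], device_id(measure(chips[k], rng)))
                for k in range(n_chips) for _ in range(n_reads))
    # Compare the enrolled IDs of every pair of distinct chips.
    inter = min(hamming(enrolled[i], enrolled[j])
                for i in range(n_chips) for j in range(i + 1, n_chips))
    return intra, inter


if __name__ == "__main__":
    intra, inter = evaluate()
    print(f"worst re-read: {intra} bits, closest other chip: {inter} bits of {N_RO // 2}")
```

A verifier accepts a device when its re-read ID falls within a distance threshold of the enrolled ID; the gap between the two returned numbers is the margin available for that threshold.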
A trojan defense
[Figure: block diagram. Blocks: JTAG, I/O select, RS232 UART (receive data, transmit data), interpreter, Trivium, ring oscillator, frequency counter, output detection. Signals: REC_READY, CLOCK, RESET, UART CLK, RS232-DCE_RXD, RS232_DCE_TXD.]
PUF gives unique ID to hardware
Can we give a unique ID to a design?
A preliminary defense
[Figure: block diagram. Blocks: JTAG, I/O select, RS232 UART (receive data, transmit data), interpreter, Trivium, frequency counter. Signals: REC_READY, CLOCK, RESET, UART CLK, RS232-DCE_RXD, RS232_DCE_TXD.]
Next steps
• develop defenses
• investigate effectiveness
• developing benchmarks
• metrics?
Questions?
rkarri@duke.poly.edu, 917 363 9703