Securing the core root of trust (research in secure hardware design and test)
Ramesh Karri (rkarri@duke.poly.edu), ECE Department

Who can attack your system?
• Hobby (class I)
• Obsession (class II)
• Job (class III)
D. Abraham, G. Dolan, G. Double, and J. Stevens. Transaction Security System. IBM Systems Journal 30(2): 206-229, 1991.

How can your system be compromised?
• Application software
• Protocols
• Operating system software

Is the problem worth my time?
Source: http://www.uscc.gov/annual_report/2008/annual_report_full_09.pdf, page 168. US-China Economic and Security Review Commission hearing on China's proliferation practices and the development of its cyber and space warfare capabilities, testimony of Col. Gary McAlum.

How can your system be protected?
• Fix applications
• Fix protocols
• Fix operating systems
This assumes that "the core root of trust" is secure.
But is "the core root of trust" actually secure?

Outline
1. threat models
2. defenses
3. conclusions

Threat models for hardware
• Side channels: power dissipation, timing variation, test infrastructure, faults, interactions between side channels
• Cloning
• Overbuilding
• Reverse engineering
• Trojans

An example: test infrastructure side channel
Data Encryption Standard (DES)
[Figure: DES datapath. Input_Reg → Initial Permutation → MUXes (sel) → L_Reg, R_Reg. Round function f on Ri: Expansion, XOR with round key Ki (Key Reg / round key ROM, addr), S-box, Permutation; Ri+1 = Li xor f(Ri, Ki), Li+1 = Ri. Reverse Permutation → Output_Reg. A Control block drives the MUX select and the register enables.]

DES layout: test infrastructure
• Scan chain signals: test data input (TDI), test data output (TDO), test clock (TCK), test mode select (TMS), test reset
• The chain links all flip-flops in the design, so in test mode the contents of every register can be shifted out on TDO

Attack step 1: identify critical registers
[Figure: the DES datapath with Input_Reg, L_Reg, R_Reg, Key Reg and Output_Reg highlighted; the attacker determines where these flip-flops sit in the scan chain.]

Attack step 2: apply selected inputs
• 3 plaintexts; for each plaintext:
• 2 clock cycles in normal mode (plaintext reaches R, L)
• 198 clock cycles in test mode (R0, L0 scanned out)
• 1 clock cycle in normal mode (one round executes; R1, L1 now sit in the registers)
• 198 clock cycles in test mode (R1, L1 scanned out)
• 399 × 3 = 1197 clock cycles in total
• Can leak secrets from DES, AES etc.
• >80 % of all ASICs use scan chains for test/debug
• Readback/test infrastructure in FPGAs: load configuration stream; read out bitstream for debug

A fix: secure scan
[Figure: mode transition diagrams. Conventional scan: Power off, normal, Insecure test. Secure scan: Power off, Insecure test, normal, Secure normal, Secure scan.]
• Standards compliant
• 3rd Prize, 2008-2009 IEEE TTTC PhD dissertation contest

Hardware threat models (recap): side channels (power dissipation, timing variation, test infrastructure, faults, interactions between side channels), cloning, overbuilding, reverse engineering, Trojans

Background: IC design process
[Figure: IC life cycle with stages D: Design, F: Fabrication, T: Test, U: User.]

Reverse engineering
[Figure: the same life cycle, with the reverse engineering step marked.]
• 3500 counterfeit Cisco networking components recovered
• estimated retail value ~$3.5 million

Cloning
[Figure: the same life cycle, with the cloning step marked.]

Hardware Trojans
[Figure: the same life cycle, with the Trojan insertion step marked.]
• The kill switch? IEEE Spectrum, 2008
• Only 2% of ~$3.5 billion of DoD ICs manufactured in trusted foundries

Taxonomy of Trojans

Trojan challenge
• Leak AES key
• 40 registrations, 10 finalists, 3 winners, 2 honorable mentions
• http://isis.poly.edu/csaw/embedded

Trojans in the development cycle
Trojans at different abstractions
Location of the inserted Trojans
[Figure: where are the Trojans inserted? Four insertion locations numbered 1 to 4 in the design.]

Next steps
• develop defenses
• investigate effectiveness
• developing benchmarks
• metrics?

Physically unclonable functions
• Uses physical structure of a device to give a unique response
• Used as device IDs
• The ring oscillator frequency varies with process variations
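The scan-chain attack from attack steps 1 and 2 above, as an added example that is not part of the slides: a Python model of a scan chain wrapped around a toy 16-bit Feistel cipher that stands in for DES (the DES tables are too long to include here). The 4-bit S-box, the register model, the round keys and the plaintexts are all constructed. The attacker scans out (L0, R0) and then (L1, R1), uses the Feistel relation R1 = L0 xor f(R0, K1) to learn the round-function output, and solves each S-box for its key nibble, intersecting candidate sets across plaintexts; the S-box is deliberately non-bijective so that, as with DES, one plaintext is not enough.

```python
# Added example (not from the slides): scan-based key recovery against a
# toy Feistel cipher standing in for DES. The S-box, block size, register
# model, round keys and plaintexts are constructed assumptions.

from typing import Dict, List, Set, Tuple

# Constructed non-bijective 4->4 S-box. Outputs 0xC and 0xB each have two
# preimages (0 and 14, 3 and 15), so a single plaintext can leave two key
# candidates for a nibble. DES's 6->4 S-boxes leave four candidates per
# plaintext, which is why the slides use three plaintexts.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0xC, 0xB]


def round_f(r: int, k: int) -> int:
    """Round function f(R, K): XOR in the round key, then S-box each nibble."""
    x = (r ^ k) & 0xFF
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


class ScanChainDevice:
    """Feistel core whose L/R registers sit on a scan chain.

    clock_normal() is one functional clock: the first one after a load
    latches Input_Reg into L/R (the slides' "plaintext reaches R, L"), each
    later one runs a round. scan_out() models test mode: shifting the chain
    out on TDO exposes the register contents. Attack step 1 (locating L and
    R inside the chain) is assumed done, so scan_out() returns them by name.
    """

    def __init__(self, round_keys: List[int]) -> None:
        self._round_keys = list(round_keys)  # secret; the attack never reads it
        self.input_reg = 0
        self.L = 0
        self.R = 0
        self.round = -1

    def load_plaintext(self, pt: int) -> None:
        self.input_reg = pt & 0xFFFF
        self.L = self.R = 0
        self.round = -1

    def clock_normal(self) -> None:
        if self.round < 0:
            self.L, self.R = self.input_reg >> 8, self.input_reg & 0xFF
        else:
            k = self._round_keys[self.round]
            self.L, self.R = self.R, self.L ^ round_f(self.R, k)
        self.round += 1

    def scan_out(self) -> Dict[str, int]:
        return {"L": self.L, "R": self.R}


def recover_round_key(dev: ScanChainDevice,
                      plaintexts: List[int]) -> Tuple[Set[int], int]:
    """Attack step 2: per plaintext, scan out (L0, R0) and (L1, R1).

    R1 = L0 xor f(R0, K1), so f(R0, K1) = R1 xor L0 is observed directly.
    Each S-box is solved for its key nibble (k = r xor x for every x with
    SBOX[x] == f_nibble) and candidate sets are intersected across plaintexts
    until every nibble is unique. Returns (candidate keys, plaintexts used).
    """
    cands = [set(range(16)), set(range(16))]  # high nibble, low nibble
    used = 0
    for pt in plaintexts:
        dev.load_plaintext(pt)
        dev.clock_normal()                  # plaintext reaches L, R
        s0 = dev.scan_out()                 # L0, R0 shifted out on TDO
        dev.load_plaintext(pt)              # on silicon the shift is destructive, so reload
        dev.clock_normal()
        dev.clock_normal()                  # one round executes
        s1 = dev.scan_out()                 # L1, R1 shifted out on TDO
        assert s1["L"] == s0["R"]           # Feistel sanity check: L1 == R0
        f_out = s1["R"] ^ s0["L"]
        for i, shift in enumerate((4, 0)):
            r_nib = (s0["R"] >> shift) & 0xF
            f_nib = (f_out >> shift) & 0xF
            cands[i] &= {r_nib ^ x for x in range(16) if SBOX[x] == f_nib}
        used += 1
        if all(len(c) == 1 for c in cands):
            break
    keys = {(hi << 4) | lo for hi in cands[0] for lo in cands[1]}
    return keys, used


if __name__ == "__main__":
    SECRET = [0x5A, 0xA5]                   # constructed round keys
    device = ScanChainDevice(SECRET)
    keys, used = recover_round_key(device, [0x1234, 0xABCD, 0x0F0F])
    print(f"K1 candidates {sorted(hex(k) for k in keys)} after {used} plaintexts")
```

With the constructed key 0x5A, the first plaintext leaves two candidates for the low nibble (0x54 or 0x5A) and the second plaintext settles it. The cost model on the slides follows the same shape: one normal-mode load, a full chain shift, one more normal clock and another full shift per plaintext. Secure scan removes the precondition of the attack, which is that the registers holding round state can be shifted out while they hold a secret-dependent value.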
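A model of the ring-oscillator PUF the slides describe, added here as an example and not taken from the demonstrator design: each oscillator's frequency is a nominal value plus a fixed per-die manufacturing offset plus a small per-measurement noise term, and comparing oscillator pairs yields one ID bit per pair. The oscillator count, the frequencies and both noise levels are constructed assumptions, not measurements. The block shows the two properties an ID needs, reproducibility on the same die (small intra-die Hamming distance) and uniqueness across dies (large inter-die distance), and a matching routine that identifies a die from a fresh noisy reading.

```python
# Added example (not from the slides): ring-oscillator PUF used as a device
# ID. All numbers below are constructed assumptions.

import random
from typing import Dict, List, Optional

N_OSC = 16             # ring oscillators on the die (assumed)
NOMINAL_HZ = 100e6     # design frequency (assumed)
PROCESS_SIGMA = 1e6    # fixed per-die manufacturing deviation (assumed)
NOISE_SIGMA = 5e3      # per-measurement jitter / temperature noise (assumed)
N_BITS = N_OSC * (N_OSC - 1) // 2   # one response bit per oscillator pair


class RingOscillatorPUF:
    """One physical die. The frequency offsets are fixed at 'fabrication'
    (a seeded RNG stands in for process variation) and cannot be chosen by
    anyone, which is what makes the real device's response unclonable."""

    def __init__(self, die_seed: int) -> None:
        rng = random.Random(die_seed)
        self.offsets = [rng.gauss(0.0, PROCESS_SIGMA) for _ in range(N_OSC)]

    def measure(self, noise_seed: int) -> List[float]:
        """Frequency-counter readings of every oscillator, with fresh noise."""
        rng = random.Random(noise_seed)
        return [NOMINAL_HZ + off + rng.gauss(0.0, NOISE_SIGMA)
                for off in self.offsets]


def response(freqs: List[float]) -> List[int]:
    """Raw PUF response: for each pair i<j, 1 if oscillator i is faster."""
    return [1 if freqs[i] > freqs[j] else 0
            for i in range(N_OSC) for j in range(i + 1, N_OSC)]


def hamming(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def enroll(puf: RingOscillatorPUF, readings: int = 5) -> List[int]:
    """Reference response: majority vote over several readings, so pairs whose
    frequencies are nearly equal (the noisy bits) settle on one value."""
    votes = [0] * N_BITS
    for m in range(readings):
        for idx, bit in enumerate(response(puf.measure(noise_seed=1000 + m))):
            votes[idx] += bit
    return [1 if 2 * v > readings else 0 for v in votes]


def identify(enrolled: Dict[str, List[int]], fresh: List[int],
             max_distance: int = N_BITS // 8) -> Optional[str]:
    """Match a fresh response against enrolled IDs; None if none is close.
    The threshold must sit between the intra-die and inter-die distances."""
    name, ref = min(enrolled.items(), key=lambda kv: hamming(kv[1], fresh))
    return name if hamming(ref, fresh) <= max_distance else None


if __name__ == "__main__":
    dies = {f"die{n}": RingOscillatorPUF(die_seed=n) for n in range(3)}
    db = {name: enroll(puf) for name, puf in dies.items()}
    fresh = response(dies["die1"].measure(noise_seed=4242))
    print("intra-die distance:", hamming(db["die1"], fresh))
    print("inter-die distance:", hamming(db["die0"], db["die1"]))
    print("identified as:", identify(db, fresh))
```

Two bits of the response are correlated whenever their pairs share an oscillator, so N_BITS is not the entropy of the ID; a real deployment would pick disjoint pairs or apply a fuzzy extractor before using the response as a key rather than as a label.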
A Trojan defense
[Figure: FPGA demonstrator block diagram. An RS232 UART (RS232_DCE_RXD, RS232_DCE_TXD, Receive Data, Transmit Data, REC_READY) feeds an interpreter; a Trivium stream cipher core; JTAG, CLOCK, RESET and I/O SELECT inputs; a ring oscillator with a frequency counter and output detection.]
• PUF gives a unique ID to hardware
• Can we give a unique ID to a design?

A preliminary defense
[Figure: the same demonstrator block diagram as above.]

Questions?
rkarri@duke.poly.edu, 917 363 9703