Holistic Security Design for the ThumbPod Embedded System
26
Holistic Security Design for the ThumbPod Embedded System Herwin Chan Doris Chang Yi Fan Alireza Hodjat David Hwang Bo-Cheng Lai Yusuke Matsuoka Patrick Schaumont Kris Tiri Dzi Tran Shenglin Yang Prof. Ingrid Verbauwhede Embedded Security (EmSec) Group http://www.ivgroup.ee.ucla.edu
Transcript of Holistic Security Design for the ThumbPod Embedded System
Holistic Security Design for the ThumbPod Embedded System
Herwin ChanDoris ChangYi FanAlireza HodjatDavid HwangBo-Cheng Lai
Yusuke MatsuokaPatrick Schaumont Kris TiriDzi TranShenglin Yang
Prof. Ingrid VerbauwhedeEmbedded Security (EmSec) Group
http://www.ivgroup.ee.ucla.edu
Outline
• Embedded Security: Research Challenges• Driver application: ThumbPod• Issues we address:
– Protocol– Algorithm– Architecture– Micro-Architecture– Circuit
• Putting it all together…• Conclusions
Research Challenges
• The world is going embedded and wireless!!
• Wireless embedded security is – extremely important…– …yet unsolved!!
EmSec Mission: How to implement robust security on constrained devices?
Solution: Security Pyramid
• Partition security into five abstraction levels– Each level is secure only if lower levels secure
• Our research: design security at ALL LEVELS and ensure secure TRANSITIONS between levels
Protocol
Algorithm
Architecture (Embedded SW)
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Security dependence
Driver Application: ThumbPod• Currently, most biometric
systems perform processing on server side
• Secure keychain device performs all biometrics and cryptography locally
• Components: – Microcontroller and memory– Fingerprint sensor– Biometric and cryptographic
accelerators– IR and USB
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Protocol Level:Biometric Authentication Protocol
Server
WEAK
Device User
STRONG
Server
STRONG
Device User
STRONG
STRONG
• Problem: security is weak between user and credit card
• Solution: biometric authentication protocols using biometrics and cryptography
• Security-energy tradeoffs based on local or server signal processing
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
• Problem: How to fit floating-point fingerprint algorithm on constrained embedded devices
Quality maps
Generate maps (MAPS)
Direction maps
Binarized image
Possible minutiae
Final minutiae set
Binarization (BINAR)
Detection (DETECT)
Remove false minutiae
Fingerprint
Algorithm Level:Embedded Fingerprint Matching
Algorithm Level:Embedded Fingerprint Matching
0
1,000
2,000
3,000
4,000
5,000
6,000
ORG S/W OPT H/W Accel
Ene
rgy
cons
umpt
ion
(mJ)
Reduction of the energy consumption for minutiae detection
• Floating point NIST algorithm – Fixed point code and
memory optimizations– New matching
algorithm
• 50% energy reduction with equal detection accuracy– False Accept Rate =
0.01%– False Reject Rate =
0.5%
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Architecture Level: Embedded Software Design
• Problem: How do you design SW for a secure embedded system?– Secure code: Java with cryptographic libraries
and security functionality
– But constrained embedded devices running Java are slow: require secure SW and HW acceleration
Architecture Level: Embedded Software Design
• Solution: GEZEL environment for design of co-processors and cycle-through accurate simulations
• Each platform corresponds to the addition of an abstraction level• Three simulation platforms of the same system
KVM
Java
KNI
C GEZEL
TSIM EmbeddedInstruction Set Sim. GEZEL
KVMPlatform
Emb. SWPlatform
FPGAPlatform VHDL
LEON IP core AUTOMATICTRANSLATION
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Main Processor Core
Architecture Level: AES Crypto-processor Design
• Advanced Encryption Standard (AES) based on Rijndael Algorithm
• Symmetric key cipher using Galois Field Arithmetic
• First published IC implementation!
• Co-processor design of Rijndael cores
Coprocessor Top Controller
Controller
Datapath
Input Interfacing
Module
Memory Mapped Interface
32Coprocessor
Datapath
Crypto Coprocessor
Controller
Datapath
Output Interfacing
Module
32
Data Bus
Address Bus
324 328 8 4
• Interface overhead for co-processor consumes cycles but still 333X improvement
• Better improvement if separate data and control flow– Currently, data flow and control flow are merged– Co-processors with direct memory access would reduc e interface overhead
Javacycles
Ccycles
AES301,034
Interface367 Interface
892AES44,063
AES11
Co-processorcycles
301, 034 44,430 903Total Cycles
acceleration
6.8X 333XImprovement
Architecture Level: AES Crypto-processor Design
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
• Differential Power Analysis (DPA) exploits power properties of CMOS transitions– 0�0 no power dissipation– 0�1 power dissipation
• Our sense amplifier based logic (SABL) charges constant capacitance – Minimizes transition power
variations
Circuit Level: Combating Power Analysis Attacks
0
50
100
150
200
250
300
350
400
450
scCMOS
min=0.00 Max=10.42m=5.92
m-s=4.19 m+s=7.66
SABL
x5m=11.32Max=11.51
m-s=11.26
min=11.14
m+s=11.38
Number of observations
0 2 4 6 8 10 12Energy per cycle - [pJ]
Circuit Level: Combating Power Analysis Attacks
���� Reduction of power variation by 116x!
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Putting it together…FPGA
Putting it together…FPGA• Xilinx Virtex-II
FPGA– Embedded LEON
32-b Sparc processor
– Memory-mapped co-processors
Xilinx Virtex-II FPGA
DFTCo-Proc.
AMBA AHB
APB Bridge
UARTLEON
32- SparcProc.
AESCo-Proc.
APB
Mem. Controller Boot PROM
32 MB SRAM
KVM
Application
NativeBiometrics
NativeSecurity
JAM
Embedded Software Architecture
Server
AuthentecAF-2
Putting it together…FPGA
• Working demo on an FPGA board (two ThumbPods shown) and PC connected over RS-232
• Demonstration at DAC 2003 and today!!
Protocol
Algorithm
Architecture
Circuit
Micro-Architecture
Cipher Design,Biometrics
DQ
Vcc
CPUCrypto
MEM
JCA
Java
JVM
CLK
Identification
ConfidentialityIntegrity
SIM
DQ
Vcc
CPU
MEM
JCA
Java
KVM
CLK
Identification
ConfidentialityIntegrity
IdentificationIntegrity
SIMSIMSIM
Putting it together…ASIC
Putting it together…ASIC
• Secure ASIC Design• Unprotected
– LEON processor– Memory and buses
• Protected by SABL– AES crypto-processor– Matching oracle for
secure matching decisions
– Secure storage
LEON Processor
AHB/APB Bridge
Boot PROM I/F Boot ROM
Memory Controller
Integer UnitAHB I/F
Cache
D-Cache 2KB
I-Cache2KB
AMBA Peripheral
Bus
AHB Controller
ASIC NON-DPA
Fingerprint Sensor
RS232
2MB SRAM
UART1
UART2
AES Coprocessor
ASIC DPA
Comparator
Template/ HG Storage
32 b Memory Bus
LEON Processor
AHB/APB Bridge
Boot PROM I/F Boot ROM
Memory Controller
Integer UnitAHB I/F
Cache
D-Cache 2KB
I-Cache2KB
AMBA Peripheral
Bus
AHB Controller
ASIC NON-DPA
Fingerprint Sensor
RS232
2MB SRAM
UART1
UART2
AES Coprocessor
ASIC DPA
Comparator
Template/ HG Storage
32 b Memory Bus
Conclusion
• EmSec researches on all levels of the embedded security pyramid– Example driver: ThumbPod
• Other projects: – GEZEL for multi/co-processor simulation
– Optical CDMA cryptography– Wireless sensor network security
Thank You
