Securing Low-cost RFID Systems: an Unconditionally Secure ...
Securing the core root of trust ( research in secure hardware design and test )
description
Transcript of Securing the core root of trust ( research in secure hardware design and test )
![Page 1: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/1.jpg)
Securing the core root of trust(research in secure hardware design and test)
Ramesh Karri ([email protected])ECE Department
![Page 2: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/2.jpg)
Who can attack your system?
Hobby (class I) Obsession (class II) Job (class III)
D. Abraham, G. Dolan, G. Double, and J. Stevens. Transaction Security System. IBM Systems Journal 30(2): 206-229, 1991.
![Page 3: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/3.jpg)
How can your system be compromised?
Application software Protocols Operating system software
![Page 4: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/4.jpg)
Is the problem worth my time?
Source: http://www.uscc.gov/annual_report/2008/annual_report_full_09.pdf, , page 168US-China economic and security review commission hearing on China's proliferation practices and the development of its cyber and space warfare capabilities, testimony of Col. Gary McAlum.
![Page 5: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/5.jpg)
How can your system be protected?
Fix applications Fix protocols Fix operating systems
![Page 6: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/6.jpg)
“the core root of trust” is secure
This assumes that…
![Page 7: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/7.jpg)
“the core root of trust” is secure
But…
![Page 8: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/8.jpg)
Outline
1. threat models2. defenses3. conclusions
![Page 9: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/9.jpg)
Threat models for hardware Side channels
Power dissipation Timing variation Test infrastructure Faults interactions between side channels
Cloning Overbuilding Reverse Engineering Trojans
![Page 10: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/10.jpg)
An example: test infrastructure side channel
![Page 11: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/11.jpg)
Data Encryption Standard (DES)Li
RiRound Key Ki
+
Li+1Ri+1
r
Expansion
+
S-box S-box
Permutation
ab
c
d
Initial Permutation
Input_Reg
+ f
Reverse Permutation
Output_Reg
MUXMUX
R_RegKey Reg
Control
Round key ROM
4
L_Reg
en
en
sel
addr
![Page 12: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/12.jpg)
DES layout
![Page 13: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/13.jpg)
scan chain test data input, TDI test data output, TDO test clock, TCK test mode select, TMS test reset
chain all flip flops in a design
test infrastructure
![Page 14: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/14.jpg)
identify critical registers
attack step 1
Initial Permutation
Input_Reg
+ f
Reverse Permutation
Output_Reg
MUXMUX
R_RegKey Reg
Control
Round key ROM
4
L_Reg
en
en
sel
addr
![Page 15: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/15.jpg)
apply selected inputs
attack step 2
3 plain texts 2 clock cycles in normal mode (plaintext reaches R,L) 198 clock cycles in test mode (R0, L0 scanned out) 1 clock cycle in normal mode (plaintext reaches R, L) 198 clock cycles in test mode (R1, L1 scanned out)
399×3=1197 clock cycles
![Page 16: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/16.jpg)
• Can leak secrets from DES, AES etc • >80 % of all ASICs use scan chains for test/debug • Readback/test infrastructure in FPGAs
• Load configuration stream• Read-out bitstream for debug
![Page 17: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/17.jpg)
test
normal
Secure normal
Insecure
Power off
A fix: secure scan
![Page 18: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/18.jpg)
test
normal
Secure normal
Insecure
Power offSecure scan
Standards compliant3rd Prize, 2008-2009 IEEE TTTC PhD dissertation contest
![Page 19: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/19.jpg)
Hardware threat models Side channels
Power dissipation Timing variation Test infrastructure Faults interactions between side channels
Cloning Overbuilding Reverse Engineering Trojans
![Page 20: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/20.jpg)
T
DD
F
UU
U
Background: IC design process
D: Design, F: FabricationT: Test, U: User
![Page 21: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/21.jpg)
Rev. engineering
T
DD
F
UU
U
Reverse engineering
D: Design, F: FabricationT: Test, U: User
![Page 22: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/22.jpg)
3500 counterfeit Cisco networking components recovered • estimated retail value ~ $3.5 million
![Page 23: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/23.jpg)
cloningT
DD
F
UU
U
Cloning
D: Design, F: FabricationT: Test, U: User
![Page 24: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/24.jpg)
Trojans
T
DD
F
UU
U
Hardware Trojans
D: Design, F: FabricationT: Test, U: User
![Page 25: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/25.jpg)
The kill switch ?
IEEE Spectrum, 2008
![Page 26: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/26.jpg)
Only 2% of ~$3.5 billion of DoD ICs manufactured intrusted foundries !!!
![Page 27: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/27.jpg)
Taxonomy of trojans
![Page 28: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/28.jpg)
Leak AES key 40 registrations, 10 finalists, 3 winners, 2 honorable mentionshttp://isis.poly.edu/csaw/embedded
Trojan challenge
![Page 29: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/29.jpg)
![Page 30: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/30.jpg)
Trojans in the development cycle
![Page 31: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/31.jpg)
Trojans at different abstractions
![Page 32: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/32.jpg)
Location of the inserted trojans
![Page 33: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/33.jpg)
Where are the trojans inserted?
2 1 3 4
![Page 34: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/34.jpg)
Next steps
develop defenses investigate effectiveness developing benchmarks metrics?
![Page 35: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/35.jpg)
Physically unclonable functions
• Uses physical structure of a device to give a unique response
• Used as device IDs• The ring oscillator frequency varies with process variations.
![Page 36: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/36.jpg)
A trojan defense
Trivium
JTAG
Interpreter
Transmit DataRS232 UARTReceive Data
I/O SELECT
CLOCK
RS232-DCE_RXD
RESET
REC_READY
RS232_DCE_TXDUART CLK
FREQUENCYCOUNTER
![Page 37: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/37.jpg)
C0
A1
B1
A2
B2
S1
S2
C1
C2
DETECTIONRING
OSCILLATOR OUTPUT
PUF gives unique ID to hardwareCan we give a unique ID to a design?
![Page 38: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/38.jpg)
A preliminary defense
Trivium
JTAG
Interpreter
Transmit DataRS232 UARTReceive Data
I/O SELECT
CLOCK
RS232-DCE_RXD
RESET
REC_READY
RS232_DCE_TXDUART CLK
FREQUENCYCOUNTER
![Page 39: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/39.jpg)
Next steps
develop defenses investigate effectiveness developing benchmarks metrics?
![Page 40: Securing the core root of trust ( research in secure hardware design and test )](https://reader036.fdocuments.in/reader036/viewer/2022062410/5681594b550346895dc688e4/html5/thumbnails/40.jpg)
Questions? [email protected], 917 363 9703