Tamper-Resistant Platforms for Secure Computing

G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Charles W. O'Donnell, Srinivas Devadas
Computer Science & Artificial Intelligence Lab, MIT



Security Goal

Ensure integrity and privacy of programs and data on computing systems in untrusted environments.

Mobile devices, sensor networks, distributed computation on the Internet

Attacks in Untrusted Environments

• Physical Attacks
  • Invasive probing
  • Non-invasive measurement
  • Environmental attacks

• Traditional Attacks:
  • Break into application on device exploiting security holes
  • Expand into other applications

• Malicious Software including OS

Conventional Tamper-Resistant Platforms

Entire system with digital secrets in a tamper-resistant package: difficult, closed, and expensive

IBM 4758: tamper-proof package containing a processor which has a secret key and memory

Tens of sensors: resistance, temperature, voltage, etc.

Continually battery-powered

~ $3000 for a 99 MHz processor and 128MB of memory

AEGIS Secure Processor: Architectural EnGine for Information Security

[Figure: AEGIS processor block diagram. The trusted environment is the processor, containing Integrity Verification, Encryption, and a Secure Context Manager; it identifies or protects against software and physical attacks. Off-chip memory and I/O are exposed to physical attacks, so their contents are integrity-checked and encrypted. The OS is untrusted.]

Challenges

• How to store a secret in the processor?

• How to deal with untrusted software (OS)?

• How to protect contents in off-chip memory?

Physical Random Functions (PUFs)

Extract secret key information from a complex physical system.

Definition

A Physical Random Function or Physical Unclonable Function (PUF) is a function that is:

• Based on a physical system
• Easy to evaluate (using the physical system)
• Its output looks like a random function
• Unpredictable even for an attacker with physical access

Silicon PUF – Proof of Concept

• Because of process variations, no two Integrated Circuits are identical

• Experiments in which identical circuits with identical layouts were placed on different ICs show that path delays vary enough across ICs to use them for identification.

[Figure: a challenge is applied to a combinatorial circuit, which produces a response.]

A Candidate Silicon PUF

Each challenge creates two paths through the circuit that are excited simultaneously. The digital response is based on a (timing) comparison of the path delays.

[Figure: arbiter-based candidate silicon PUF. A rising edge is launched along two paths selected by the challenge bits; an arbiter at the end outputs R = 1 if the top path is faster, else 0.]

Path delays in an IC are statistically distributed due to random manufacturing variations.

Experiments

• Fabricated candidate PUF on multiple ICs
• Apply 100 random challenges and observe response

[Figure: 100 bits of response per chip. Distance between Chip X and Chip Y responses = 23 bits; measurement noise for Chip X = 0.5; at 70C, measurement noise for Chip X = 2. Individual ICs can be identified.]

A Reliable PUF

• PUF responses can have up to a few percent errors with significant temperature/voltage variations

Error correction based on fuzzy extractors

[Figure: a PUF challenge yields responses with errors; error correction using stored redundant bits turns them into reliable responses, which are hashed into a 160-bit secret.]

Needs 1800 redundant bits to handle the 4.5% PUF error rate

Physically Obfuscated Keys (POKs)

• PUF secrets can be used to store a digital key such as a private key
  • Encrypt (XOR) the digital key with a PUF secret
  • No static information needs to be protected

• If a remote chip stores a private key, Alice can share a secret with the chip since she knows the public key corresponding to the stored private key
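The fuzzy-extractor and POK steps from the two slides above, as an added Python example (not code from the slides or the AEGIS project): it uses a constructed code-offset construction with a 5x repetition code, SHA-1 for the 160-bit hash, and a deterministic noise model. All parameters and function names are assumptions; the slides' own code with 1800 redundant bits is not reproduced, and the toy repetition code is weaker than it.

```python
import hashlib
import random

# Constructed parameters: a 160-bit secret protected by a 5x repetition code, so each
# PUF evaluation supplies 800 raw response bits (the slides' code needs 1800 redundant bits).
SECRET_BITS = 160
REPEAT = 5
RESPONSE_BITS = SECRET_BITS * REPEAT

def sample_response(seed):
    """Constructed stand-in for one chip's raw PUF responses to a fixed challenge set."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(RESPONSE_BITS)]

def derive_secret(bits):
    """Hash the reliable bits into a 160-bit secret (SHA-1 output is 160 bits)."""
    return hashlib.sha1(bytes(bits)).digest()

def enroll(response, digital_key, seed=0):
    """One-time provisioning (code-offset construction): random secret bits are expanded into a
    repetition codeword and helper = response XOR codeword is published; the POK step XORs the
    digital key with the derived secret. Only helper and wrapped_key are stored, both public."""
    rng = random.Random(seed)
    secret_bits = [rng.randrange(2) for _ in range(SECRET_BITS)]
    codeword = [b for b in secret_bits for _ in range(REPEAT)]
    helper = [r ^ c for r, c in zip(response, codeword)]
    secret = derive_secret(secret_bits)
    wrapped_key = bytes(k ^ s for k, s in zip(digital_key, secret))
    return helper, wrapped_key

def recover(noisy_response, helper):
    """Re-evaluate the PUF, strip the helper data, and majority-decode each block."""
    noisy_codeword = [r ^ h for r, h in zip(noisy_response, helper)]
    bits = []
    for i in range(0, RESPONSE_BITS, REPEAT):
        bits.append(1 if 2 * sum(noisy_codeword[i:i + REPEAT]) > REPEAT else 0)
    return derive_secret(bits)

def unwrap_key(noisy_response, helper, wrapped_key):
    """POK: recover the PUF secret from a noisy reading and XOR it back off the wrapped key."""
    secret = recover(noisy_response, helper)
    return bytes(w ^ s for w, s in zip(wrapped_key, secret))

def flip_every(bits, n):
    """Deterministic noise model: flip every n-th bit (n=22 is about 4.5%, at most one per block)."""
    return [b ^ 1 if i % n == 0 else b for i, b in enumerate(bits)]

def flip_positions(bits, positions):
    """Burst noise: flip the given bit positions (three in one block defeats 5x repetition)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]
```

A second chip (a different seed) fed the same helper data decodes to a different secret, which is why the helper can be stored in the clear.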

Single-Chip Secure Processor

[Figure: single-chip secure processor containing a PUF and a CPU.]

PUF provides tamper-resistance

What about external memory and operating systems?

Computer Systems

[Figure: CPU with an untrusted operating system, primary memory, and secondary memory; memory and storage outside the CPU are untrusted.]

Hardware support in CPU for program identification and management

Hardware support in CPU for encryption and integrity verification of untrusted storage

Program Hashes

• Attackers may alter the program on a device
  • Use the program hash to identify the program and restrict the use of the secret key

• Signature: a program asks the processor to sign M
  • Always include the program hash in the signature: {H(prog), M}_SKproc

• Decryption: a program asks the processor to decrypt {H(prog), M}
  • Verify the program hash

Integrity Verification

[Figure: processor (trusted state) running a program, with untrusted RAM. The program writes E(124) with MAC(0x45, 124) to address 0x45; the adversary ignores the write and on a later read returns the older E(120) with MAC(0x45, 120), which still verifies.]

Cannot simply MAC on writes and check the MAC on reads: replay attacks

Hash trees for integrity verification
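The replay on a MAC-per-block scheme from the figure above, and its detection by a hash tree whose root stays on-chip, as an added Python example (not the AEGIS implementation): the RAM size, the MAC key, and the SHA-256-based tree layout are constructed assumptions.

```python
import copy, hashlib, hmac
N_BLOCKS = 128            # constructed tiny untrusted RAM, large enough to hold address 0x45
KEY = b"on-chip-mac-key"  # constructed; a real MAC key never leaves the chip

def H(data):
    return hashlib.sha256(data).digest()

class MacOnlyMemory:  # MAC(addr, value) on write, check on read: the scheme the slide shows replayed
    def __init__(self):
        self.ram = {a: (0, self.mac(a, 0)) for a in range(N_BLOCKS)}  # untrusted RAM
    def mac(self, addr, value):
        return hmac.new(KEY, f"{addr}:{value}".encode(), "sha256").digest()
    def write(self, addr, value):
        self.ram[addr] = (value, self.mac(addr, value))
    def read(self, addr):
        value, tag = self.ram[addr]
        return value if hmac.compare_digest(tag, self.mac(addr, value)) else None

class HashTreeMemory:  # data blocks and tree nodes sit in untrusted RAM; only the root is on-chip
    def __init__(self):
        nodes = [b""] * (2 * N_BLOCKS)  # nodes[1] is the root; leaf for addr a is nodes[N_BLOCKS + a]
        for i in range(2 * N_BLOCKS - 1, 0, -1):
            nodes[i] = H(b"0") if i >= N_BLOCKS else H(nodes[2 * i] + nodes[2 * i + 1])
        self.ram = ([0] * N_BLOCKS, nodes)  # untrusted RAM: (data blocks, tree nodes)
        self.root = nodes[1]                # trusted on-chip state
    def read(self, addr):
        data, nodes = self.ram
        i, h = N_BLOCKS + addr, H(str(data[addr]).encode())
        while i > 1:  # hash upward, taking sibling hashes from untrusted RAM
            h = H(h + nodes[i ^ 1]) if i % 2 == 0 else H(nodes[i ^ 1] + h)
            i //= 2
        return data[addr] if h == self.root else None
    def write(self, addr, value):
        data, nodes = self.ram
        data[addr], i = value, N_BLOCKS + addr
        nodes[i] = H(str(value).encode())
        while i > 1:  # refresh the path to the root; the new root replaces the on-chip copy
            i //= 2
            nodes[i] = H(nodes[2 * i] + nodes[2 * i + 1])
        self.root = nodes[1]

def replay_attack(memory_cls):
    """Write 120 then 124 to 0x45, then restore the RAM image captured after the first write.
    Returns the value read back: 120 if the stale value passed the check, None if detected."""
    mem = memory_cls()
    mem.write(0x45, 120)
    stale = copy.deepcopy(mem.ram)
    mem.write(0x45, 124)
    mem.ram = stale  # the adversary controls RAM only; on-chip key and root are untouched
    return mem.read(0x45)
```

The hash tree pays for this with a read path of log2(N_BLOCKS) hashes, which is the overhead the later slides quantify.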

Memory Encryption

[Figure: processor (trusted state) encrypts data on writes to untrusted RAM, and decrypts and verifies it on reads.]

• Encrypt private program/data off-chip
• Fast hardware encryption based on one-time-pads
  • Hides encryption and decryption latency

Supported Environments

The computing system provides a multiplicity of:

• Tamper-Evident Environments: Authenticated environments such that any physical or software tampering by the adversary is guaranteed to be detected.
  • 5-20% performance overhead

• Private Tamper-Resistant Environments: Additionally, the adversary is unable to obtain any information about software or data by tampering with, or otherwise observing, system operation.
  • 20-50% performance overhead

Certified Computation

• Certified Computation (Grid Computing)
  • Alice wants to run computations on Bob's remote computer, and wants to make sure that she is getting correct results. A certificate is returned with her results to show that her program was correctly executed, i.e., without tampering

[Figure: a job dispatcher sends the program and data to a secure processor holding the processor's private key. The program calls enter_aegis, executes, and returns the result together with H(Prog) and a signature; the dispatcher verifies the result using the processor's public key.]

Secure Environmental Monitoring

• Sign all data produced by device with a secret key stored in the device

• Communicate data in a robust manner to receiver

• Detect corrupted data, devices, sensors and environments

Secure Terminals

• Access sensitive information using a public terminal, and make sure the content is protected

[Figure: a secure server holding the sensitive data and the processor's public key talks to a secure processor holding the processor's private key over an authenticated and encrypted channel (SSL). The server sends a random nonce; the processor runs the client (enter_aegis, enter PTR) and returns the signed nonce; the server verifies H(Client), the nonce, and the signature, and only then sends the secret to the client.]

Software IP Protection

• Encrypt software so that attackers cannot use it on other devices or reverse engineer it

[Figure: the IP owner encrypts the IP with a key K and sends it, together with E_PK{H(prog), K} (K encrypted with the processor's public key), to the secure processor, which holds the processor's private key.]

Summary

• Combinations of physical and software (computational) attacks are becoming more prevalent
  • Smart cards, X-box, etc.

• Described primitives that protect against physical and computational attacks
  • PUFs (PUFs with control)
  • Integrity verification, secure context manager

• Significant hardware development effort underway
  • FPGA implementation of AEGIS - 12/04
  • Custom silicon implementation circa 2005 summer