Tamper-Resistant Platforms for Secure Computing
G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Charles W. O'Donnell, Srinivas Devadas
Computer Science & Artificial Intelligence Lab
MIT
Security Goal
Ensure integrity and privacy of programs and data on computing systems in untrusted environments.
Mobile devices, sensor networks, distributed computation on the Internet
Attacks in Untrusted Environments
• Physical Attacks
  • Invasive probing
  • Non-invasive measurement
  • Environmental attacks
• Traditional Attacks:
  • Break into application on device exploiting security holes
  • Expand into other applications
• Malicious Software including OS
Conventional Tamper-Resistant Platforms
Entire system with digital secrets in a tamper-resistant package: difficult, closed, and expensive
IBM 4758: tamper-proof package containing a processor which has a secret key and memory
• Tens of sensors: resistance, temperature, voltage, etc.
• Continually battery-powered
• ~ $3000 for a 99 MHz processor and 128MB of memory
AEGIS Secure Processor: Architectural EnGine for Information Security
[Diagram: AEGIS secure processor. Inside the Trusted Environment on the chip: Integrity Verification, Encryption, Secure Context Manager. Off-chip Memory and I/O are exposed to Physical Attacks; the Untrusted OS is exposed to Software and Physical Attacks. The processor identifies or protects against these by checking integrity and encrypting.]
Challenges
• How to store a secret in the processor?
• How to deal with untrusted software (OS)?
• How to protect contents in off-chip memory?
Definition
A Physical Random Function or Physical Unclonable Function (PUF) is a function that is:
• Based on a physical system
• Easy to evaluate (using the physical system)
• Its output looks like a random function
• Unpredictable even for an attacker with physical access
Silicon PUF – Proof of Concept
• Because of process variations, no two Integrated Circuits are identical
• Experiments in which identical circuits with identical layouts were placed on different ICs show that path delays vary enough across ICs to use them for identification.
[Diagram: Challenge → Combinatorial Circuit → Response]
A Candidate Silicon PUF
Each challenge creates two paths through the circuit that are excited simultaneously. The digital response is based on a (timing) comparison of the path delays.
[Diagram: arbiter-based PUF. A Rising Edge is launched into two paths selected by the Challenge bits; the ARBITER at the end outputs R = 1 if the top path is faster, else 0.]
Path delays in an IC are statistically distributed due to random manufacturing variations.
Experiments
• Fabricated candidate PUF on multiple ICs
• Apply 100 random challenges and observe response
[Plot: 100 bits of response per chip. Distance between Chip X and Y responses = 23 bits. Measurement noise for Chip X = 0.5; at 70C, measurement noise for Chip X = 2. Can identify individual ICs.]
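The identification experiment above, as an added simulation that is not part of the slides: a constructed additive-delay model of an arbiter PUF (64 switch stages, delays drawn around a nominal value so two chips with the same layout get different delay tables, per-stage Gaussian noise standing in for temperature/voltage drift). It enrols chips X and Y with 100 random challenges, re-measures X under noise, and reports the inter-chip and intra-chip Hamming distances. The model is not calibrated to the slide's measured 23-bit distance: with independent per-chip delays it separates chips by roughly half the response bits, while the intra-chip noise stays at a few bits.

```python
import random

N_STAGES = 64       # assumed number of delay stages in the arbiter chain
N_CHALLENGES = 100  # the slide applies 100 random challenges per chip


def make_chip(seed, n_stages=N_STAGES):
    """Constructed model of one fabricated IC.

    Each stage holds four path delays drawn around a nominal value; the
    spread models random manufacturing (process) variation, so two chips
    built from the same layout get different delay tables."""
    rng = random.Random(seed)
    return [[rng.gauss(10.0, 1.0) for _ in range(4)] for _ in range(n_stages)]


def puf_response(chip, challenge, noise_std=0.0, rng=None):
    """Race a rising edge through the top and bottom paths.

    Challenge bit 0 routes each signal straight through the stage, bit 1
    swaps top and bottom (a switch box). The arbiter returns 1 if the top
    path arrives first, else 0. noise_std adds per-stage measurement noise
    (temperature/voltage drift) to every delay."""
    top = bottom = 0.0
    for stage, bit in zip(chip, challenge):
        d = [x + rng.gauss(0.0, noise_std) for x in stage] if noise_std else stage
        if bit == 0:
            top, bottom = top + d[0], bottom + d[1]
        else:
            top, bottom = bottom + d[2], top + d[3]
    return 1 if top < bottom else 0


def response_vector(chip, challenges, noise_std=0.0, seed=0):
    rng = random.Random(seed)
    return [puf_response(chip, c, noise_std, rng) for c in challenges]


def hamming(a, b):
    """Number of differing bits between two response vectors."""
    return sum(x != y for x, y in zip(a, b))


def identification_experiment(noise_std=0.1, seed=2004):
    """Enrol chips X and Y with noise-free responses, then re-measure X under
    noise. The inter-chip distance should dwarf the intra-chip noise."""
    rng = random.Random(seed)
    challenges = [[rng.randint(0, 1) for _ in range(N_STAGES)]
                  for _ in range(N_CHALLENGES)]
    chip_x, chip_y = make_chip(seed=1), make_chip(seed=2)
    ref_x = response_vector(chip_x, challenges)
    ref_y = response_vector(chip_y, challenges)
    remeasured_x = response_vector(chip_x, challenges, noise_std, seed=7)
    return {
        "inter_chip_distance": hamming(ref_x, ref_y),
        "intra_chip_noise": hamming(ref_x, remeasured_x),
    }


if __name__ == "__main__":
    print(identification_experiment())
```

Raising noise_std in identification_experiment shows the failure mode the next slide addresses: once the intra-chip distance approaches the inter-chip distance, a threshold can no longer tell a noisy reading of X from a reading of Y.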
A Reliable PUF
• PUF responses can have up to a few percent errors with significant temperature/voltage variations
Error correction based on fuzzy extractors
[Diagram: PUF (given a Challenge) → Responses w/ errors → Error Correction, using Redundant bits → Reliable responses → Hash → Secret (160 bits). Needs 1800 redundant bits to handle the 4.5% PUF error rate.]
Physically Obfuscated Keys (POKs)
• PUF secrets can be used to store a digital key such as a private key
  • Encrypt (XOR) the digital key with a PUF secret
  • No static information needs to be protected
• If a remote chip stores a private key, Alice can share a secret with the chip since she knows the public key corresponding to the stored private key
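The fuzzy-extractor pipeline of the previous slide and the POK construction of this one, as one added example that is not from the slides or the AEGIS project: a code-offset fuzzy extractor over a constructed 1760-bit PUF response, with an 11-fold repetition code standing in for the real error-correcting code (the slide's 1800 redundant bits imply a far more efficient code; repetition is used here only because it is short and obviously correct), the corrected response hashed to a 160-bit secret, and a constructed 20-byte private key stored as key XOR secret. The 4.5% error rate, the response length and the code parameters are assumptions of the example.

```python
import hashlib
import random

REPETITION = 11        # assumed code: each bit repeated 11 times, corrects up to 5 flips per group
RESPONSE_BITS = 1760   # 160 groups of 11; also a multiple of 8 for byte packing


def encode_repetition(word, r=REPETITION):
    return [b for b in word for _ in range(r)]


def decode_repetition(bits, r=REPETITION):
    """Majority vote inside each group of r bits."""
    return [1 if sum(bits[i:i + r]) * 2 > r else 0 for i in range(0, len(bits), r)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def derive_secret(reliable_response):
    """Hash the corrected response down to a 160-bit secret (SHA-1 is used here
    only because its output length matches the slide's 160 bits)."""
    return hashlib.sha1(bits_to_bytes(reliable_response)).digest()


def enroll(response, rng):
    """Generation phase, run once in a trusted setting.

    Code-offset construction: pick a random codeword and publish
    helper = response XOR codeword. The helper (the 'redundant bits') can sit
    in untrusted non-volatile memory: the codeword is uniformly random, so the
    helper alone reveals nothing about the response."""
    word = [rng.randint(0, 1) for _ in range(len(response) // REPETITION)]
    helper = xor_bits(response, encode_repetition(word))
    return helper, derive_secret(response)


def reproduce(noisy_response, helper):
    """Reproduction phase, run at every boot from a fresh, noisy PUF reading."""
    noisy_codeword = xor_bits(noisy_response, helper)     # codeword XOR error pattern
    word = decode_repetition(noisy_codeword)              # error correction
    reliable_response = xor_bits(helper, encode_repetition(word))
    return derive_secret(reliable_response)


def flip_fraction(bits, error_rate, rng):
    """Constructed noise: flip exactly round(error_rate * n) bit positions."""
    positions = rng.sample(range(len(bits)), round(error_rate * len(bits)))
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def pok_wrap(digital_key, puf_secret):
    """Physically Obfuscated Key: the stored value is key XOR PUF secret, so the
    non-volatile copy is useless without the chip that produced the secret.
    XOR is its own inverse, so the same function unwraps."""
    return bytes(k ^ s for k, s in zip(digital_key, puf_secret))


def demo(error_rate=0.045, seed=1):
    rng = random.Random(seed)
    response = [rng.randint(0, 1) for _ in range(RESPONSE_BITS)]    # constructed enrolment reading
    helper, secret_enrolled = enroll(response, rng)
    noisy = flip_fraction(response, error_rate, rng)                # later reading, 4.5% errors
    secret_booted = reproduce(noisy, helper)
    other_chip = [rng.randint(0, 1) for _ in range(RESPONSE_BITS)]  # a different IC's reading
    private_key = bytes(rng.getrandbits(8) for _ in range(20))      # constructed 160-bit digital key
    stored = pok_wrap(private_key, secret_enrolled)
    return {
        "bits_flipped": sum(xor_bits(response, noisy)),
        "secrets_match": secret_booted == secret_enrolled,
        "other_chip_matches": reproduce(other_chip, helper) == secret_enrolled,
        "key_recovered": pok_wrap(stored, secret_booted) == private_key,
        "helper_bits": len(helper),
    }
```

Only helper and stored ever leave the chip; both are safe to keep in plain non-volatile memory, which is the "no static information needs to be protected" point of the slide.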
Single-Chip Secure Processor
[Diagram: PUF integrated on the same chip as the Processor (CPU).]
PUF provides tamper-resistance
What about external memory and operating systems?
Computer Systems
[Diagram: CPU running an Untrusted Operating System; primary memory and secondary memory form Untrusted Storage.]
Hardware support in CPU for program identification and management
Hardware support in CPU for encryption and integrity verification of untrusted storage
Program Hashes
• Attackers may alter the program on a device
  • Use the program hash to identify the program and restrict the use of the secret key
• Signature: a program asks the processor to sign M
  • Always include the program hash in the signature: {H(prog), M}SKproc
• Decryption: a program asks the processor to decrypt {H(prog), M}
  • Verify the program hash
Integrity Verification
[Diagram: the Processor (Trusted State, Program) writes E(124), MAC(0x45, 124) to Address 0x45 in Untrusted RAM. On a later read the adversary can return the earlier E(120), MAC(0x45, 120); the stale value should be IGNOREd, but a per-address MAC check still VERIFYs it.]
• Cannot simply MAC on writes and check the MAC on reads: replay attacks
• Hash trees for integrity verification
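The replay attack on the slide and the hash-tree fix, as an added example that is not AEGIS code: a plain Python list stands for untrusted RAM, and two processor models are run through the same scenario. MacOnlyProcessor stores MAC(addr, data) beside each block, exactly the scheme the slide rules out; HashTreeProcessor keeps a binary hash tree whose nodes also live off-chip and holds only the root hash as trusted state. The adversary snapshots the block and all off-chip metadata after the write of 120 and restores them after the write of 124. Block size, key, and tree layout are constructed for the example.

```python
import hashlib
import hmac

BLOCK_SIZE = 4   # bytes per memory block (constructed, tiny)

class IntegrityError(Exception): pass

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class MacOnlyProcessor:
    """The scheme the slide rules out: MAC(addr, data) stored next to each block.
    ram is a plain list standing for untrusted off-chip memory; self.meta (the
    MACs) lives off-chip too, so an old (data, MAC) pair can be replayed."""
    def __init__(self, ram, key=b"constructed-mac-key"):
        self.ram, self.key = ram, key
        self.meta = [self._mac(i, b) for i, b in enumerate(ram)]

    def _mac(self, addr, data):
        return hmac.new(self.key, addr.to_bytes(4, "big") + data, "sha256").digest()

    def write(self, addr, data):
        self.ram[addr] = data
        self.meta[addr] = self._mac(addr, data)

    def read(self, addr):
        data = self.ram[addr]
        if not hmac.compare_digest(self.meta[addr], self._mac(addr, data)):
            raise IntegrityError("bad MAC")
        return data

class HashTreeProcessor:
    """Hash tree over memory; only the root hash is trusted on-chip state.
    Tree nodes (self.meta) live off-chip: node i has children 2i and 2i+1,
    leaves occupy indices n..2n-1 and bind the address to the data."""
    def __init__(self, ram):
        n = len(ram)
        assert n & (n - 1) == 0, "block count must be a power of two"
        self.ram, self.n = ram, n
        self.meta = [None] * (2 * n)
        for i in range(n):
            self.meta[n + i] = h(i.to_bytes(4, "big"), ram[i])
        for i in range(n - 1, 0, -1):
            self.meta[i] = h(self.meta[2 * i], self.meta[2 * i + 1])
        self.root = self.meta[1]          # the only trusted state

    def _root_from_path(self, addr, leaf):
        i, cur = self.n + addr, leaf
        while i > 1:
            sib = self.meta[i ^ 1]
            cur = h(cur, sib) if i % 2 == 0 else h(sib, cur)
            i //= 2
        return cur

    def read(self, addr):
        data = self.ram[addr]
        leaf = h(addr.to_bytes(4, "big"), data)
        if self._root_from_path(addr, leaf) != self.root:
            raise IntegrityError("path does not hash to the trusted root")
        return data

    def write(self, addr, data):
        self.read(addr)                   # the siblings reused below must be genuine
        i = self.n + addr
        self.ram[addr] = data
        self.meta[i] = h(addr.to_bytes(4, "big"), data)
        while i > 1:
            i //= 2
            self.meta[i] = h(self.meta[2 * i], self.meta[2 * i + 1])
        self.root = self.meta[1]

def read_or_detect(proc, addr):
    try:
        return int.from_bytes(proc.read(addr), "big")
    except IntegrityError:
        return "detected"

def replay_scenario(processor_cls, addr=0x45):
    """Write 120 then 124 to addr. The adversary snapshots the block and all
    off-chip metadata after the first write and restores both before the read."""
    ram = [bytes(BLOCK_SIZE)] * 128
    proc = processor_cls(ram)
    proc.write(addr, (120).to_bytes(BLOCK_SIZE, "big"))
    old_block, old_meta = ram[addr], list(proc.meta)
    proc.write(addr, (124).to_bytes(BLOCK_SIZE, "big"))
    ram[addr] = old_block
    proc.meta[:] = old_meta
    return read_or_detect(proc, addr)

def overwrite_scenario(addr=3):
    """Adversary writes a value the processor never stored (no replay)."""
    ram = [bytes(BLOCK_SIZE)] * 8
    proc = HashTreeProcessor(ram)
    proc.write(addr, (7).to_bytes(BLOCK_SIZE, "big"))
    honest = read_or_detect(proc, addr)
    ram[addr] = (8).to_bytes(BLOCK_SIZE, "big")
    return honest, read_or_detect(proc, addr)
```

Restoring the whole off-chip tree does not help the adversary because the root changed inside the chip on the second write; the real design caches tree nodes on-chip so that only the path from leaf to root is hashed per access rather than rebuilding the tree.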
Memory Encryption
[Diagram: the Processor (Trusted State) ENCRYPTs on write to Untrusted RAM and DECRYPTs and VERIFYs on read.]
• Encrypt private program/data off-chip
• Fast hardware encryption based on one-time-pads
  • Hides encryption and decryption latency
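The one-time-pad idea above, as an added example that is not AEGIS code: a counter-mode pad generator where the pad for a block depends only on (address, counter), so the processor can compute it before the data arrives from memory and the data path sees a single XOR. HMAC-SHA256 stands in for the hardware PRF, the per-block counters are kept in a dict (assumed; a real design stores them in memory under the integrity tree), and the key, block size and address are constructed. pad_reuse_leak shows why the counter must be fresh on every write.

```python
import hashlib
import hmac


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class OtpMemoryEncryptor:
    """Counter-mode one-time-pad encryption for off-chip memory.

    pad(addr, counter) is independent of the data, so on a read it can be
    generated while the fetch is in flight; decryption is then one XOR.
    Assumption: counters live in a dict here; HMAC-SHA256 models the PRF."""

    def __init__(self, key, block_size=32):
        self.key, self.block_size = key, block_size
        self.counters = {}               # addr -> last counter used for that block

    def pad(self, addr, counter):
        msg = addr.to_bytes(8, "big") + counter.to_bytes(8, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[: self.block_size]

    def encrypt_block(self, addr, plaintext):
        """On write: bump the counter so an (addr, counter) pad is never reused."""
        if len(plaintext) != self.block_size:
            raise ValueError("plaintext must be exactly one block")
        ctr = self.counters.get(addr, 0) + 1
        self.counters[addr] = ctr
        return xor(plaintext, self.pad(addr, ctr)), ctr

    def decrypt_block(self, addr, ciphertext, ctr):
        """On read: recompute the pad from (addr, ctr) and XOR."""
        return xor(ciphertext, self.pad(addr, ctr))


def fetch_and_decrypt(enc, addr, ctr, dram_fetch):
    """Order of operations that hides latency: start pad generation before the
    ciphertext arrives, finish with one XOR. dram_fetch() models the slow read."""
    pad = enc.pad(addr, ctr)                 # overlaps the DRAM access
    ciphertext = dram_fetch()                # arrives later
    return xor(ciphertext, pad)


def pad_reuse_leak(enc, addr, p1, p2):
    """Why the counter exists: if one pad protected two blocks, the XOR of the
    two ciphertexts would equal the XOR of the two plaintexts."""
    pad = enc.pad(addr, 1)
    return xor(xor(p1, pad), xor(p2, pad)) == xor(p1, p2)


def demo():
    enc = OtpMemoryEncryptor(key=bytes(range(32)))       # constructed key; the PUF secret in practice
    block = b"AEGIS block".ljust(32, b".")                # constructed 32-byte plaintext
    ct1, ctr1 = enc.encrypt_block(0x45, block)
    ct2, ctr2 = enc.encrypt_block(0x45, block)            # same data written again
    return {
        "roundtrip": enc.decrypt_block(0x45, ct1, ctr1) == block,
        "prefetched_roundtrip": fetch_and_decrypt(enc, 0x45, ctr2, lambda: ct2) == block,
        "ciphertext_hides_data": ct1 != block,
        "fresh_pad_per_write": ct1 != ct2 and ctr2 == ctr1 + 1,
        "pad_reuse_leaks": pad_reuse_leak(enc, 0x45, block, bytes(32)),
    }
```

The counter is what turns a one-time pad into something usable for memory that is rewritten constantly: the pad changes on every write to the same address, and the counters themselves must be integrity-protected, which is why encryption and the hash tree belong together.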
Supported Environments
The computing system provides a multiplicity of:
• Tamper-Evident Environments: Authenticated environments such that any physical or software tampering by the adversary is guaranteed to be detected.
  • 5-20% performance overhead
• Private Tamper-Resistant Environments: Additionally, the adversary is unable to obtain any information about software or data by tampering with, or otherwise observing, system operation.
  • 20-50% performance overhead
Certified Computation
• Certified Computation (Grid Computing): Alice wants to run computations on Bob’s remote computer, and wants to make sure that she is getting correct results. A certificate is returned with her results to show that her program was correctly executed, i.e., without tampering.
[Diagram: the Job Dispatcher (holding the Processor’s Public Key) sends Program, Data to the Secure Processor (holding the Processor’s Private Key), which runs enter_aegis, executes, and returns the RESULT with H(Prog) and a signature; the dispatcher gets the results and verifies them.]
Secure Environmental Monitoring
• Sign all data produced by device with a secret key stored in the device
• Communicate data in a robust manner to receiver
• Detect corrupted data, devices, sensors and environments
Secure Terminals
• Access sensitive information using a public terminal, and make sure the content is protected
[Diagram: the Secure Server (holding the Processor’s Public Key and the Sensitive Data) and the Secure Processor (holding the Processor’s Private Key) talk over an Authenticated & Encrypted Channel (SSL). The server sends a random nonce; the processor runs the Client (enter_aegis, enter PTR) and returns the signed nonce; the server verifies H(Client), the nonce and the signature before releasing the Secret to the Client.]
Software IP Protection
• Encrypt software so that attackers cannot use it on other devices or reverse engineer it
[Diagram: the IP owner (holding the Processor’s Public Key) ships the IP encrypted with K together with EPK{H(prog), K}: K encrypted with the Processor’s public key and bound to the program hash. The Secure Processor (holding the Processor’s Private Key) recovers K only for that program.]
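The program-hash binding introduced on the Program Hashes slide, and its three uses above (certified computation, secure terminals, software IP protection), as one added example that is not AEGIS code. Assumptions: a single HMAC key models SKproc and the remote party holds that same key in place of the processor's public key (a real deployment uses an asymmetric signature and public-key encryption); the "programs" are byte strings whose opcode selects a constructed job; the IP key, nonce and data are constructed. In every scenario the second argument pair separates what the remote party expects to be running from what is actually loaded, so a patched program is refused.

```python
import hashlib
import hmac
import os


def H(prog):
    """Program hash H(prog): the identity the processor binds into every
    signature and decryption."""
    return hashlib.sha256(prog).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, n):
    """Toy PRF keystream for the symmetric stand-in (HMAC-SHA256 in counter mode)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


class SecureProcessor:
    """Assumption: one HMAC key models SKproc, and the remote party holds the
    same key in place of the processor's public key. The binding rule is what
    matters: nothing is signed or released without the running program's hash."""

    def __init__(self, sk_proc):
        self._sk = sk_proc
        self.running = None

    def enter_aegis(self, prog):
        """Start executing prog in the secure environment; its hash is now fixed."""
        self.running = prog

    def sign(self, message):
        """{H(prog), M}_SKproc: the program cannot omit its own hash."""
        return hmac.new(self._sk, H(self.running) + message, "sha256").digest()

    def decrypt(self, blob):
        """Decrypt {H(prog), M}; release M only if the bound hash is ours."""
        nonce, ct = blob[:16], blob[16:]
        plain = xor(ct, keystream(self._sk, nonce, len(ct)))
        bound_hash, m = plain[:32], plain[32:]
        if not hmac.compare_digest(bound_hash, H(self.running)):
            return None                      # wrong program: M stays inside the chip
        return m


def encrypt_for_processor(proc_key, prog, message, nonce=None):
    """What Alice or the IP owner does: E_PK{H(prog), M} (symmetric stand-in)."""
    nonce = nonce if nonce is not None else os.urandom(16)
    plain = H(prog) + message
    return nonce + xor(plain, keystream(proc_key, nonce, len(plain)))


def verify_signature(proc_key, expected_prog, message, sig):
    """Remote check: accepted only if the signer was running expected_prog."""
    expected = hmac.new(proc_key, H(expected_prog) + message, "sha256").digest()
    return hmac.compare_digest(sig, expected)


def execute(prog, data):
    """Constructed 'programs': the opcode before the first space selects the job."""
    ops = {b"SUM": lambda d: sum(d), b"MAX": lambda d: max(d)}
    return ops[prog.split(b" ")[0]](data).to_bytes(4, "big")


def certified_computation(proc, proc_key, dispatched_prog, running_prog, data):
    """Grid computing: Alice dispatches a program; Bob's processor runs whatever
    is actually loaded and returns RESULT plus {H(running), RESULT}_SKproc."""
    proc.enter_aegis(running_prog)
    result = execute(running_prog, data)
    sig = proc.sign(result)
    return int.from_bytes(result, "big"), verify_signature(proc_key, dispatched_prog, result, sig)


def secure_terminal_attest(proc, proc_key, expected_client, running_client, nonce):
    """Secure terminal: the server sends a random nonce, the client running under
    enter_aegis returns {H(client), nonce}_SKproc, and the server checks both."""
    proc.enter_aegis(running_client)
    return verify_signature(proc_key, expected_client, nonce, proc.sign(nonce))


def software_ip_unlock(proc, proc_key, licensed_prog, running_prog, k):
    """IP protection: the owner sends E_PK{H(prog), K}; K is released only inside
    the licensed program, so a patched copy cannot decrypt the software."""
    blob = encrypt_for_processor(proc_key, licensed_prog, k)
    proc.enter_aegis(running_prog)
    return proc.decrypt(blob)
```

The patched program in the certified-computation scenario still computes the right answer; what fails is the certificate, because H(running) no longer matches the hash the dispatcher expects. The same single rule, hash first, then sign or release, covers all three applications.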
Summary
• Combinations of physical and software (computational) attacks are becoming more prevalent
  • Smart cards, X-box, etc.
• Described primitives that protect against physical and computational attacks
  • PUFs (PUFs with control)
  • Integrity verification, secure context manager
• Significant hardware development effort underway
  • FPGA implementation of AEGIS - 12/04
  • Custom silicon implementation circa 2005 summer