  • Publication
    Temporary Laser Fault Injection into Flash Memory: Calibration, Enhanced Attacks, and Countermeasures (2020)
    Garb, K.; Obermaier, J.
    There exist different attacks on microcontroller and embedded system security. One of them is laser fault injection (LFI). Laser fault injection into flash memory that has only temporary effects has been observed by several research groups. However, up to this date, the experiments have been conducted under specific conditions which differ from realistic applications and the search for the respective laser position was described as being cumbersome. We present several temporary LFI experiments on flash memory that produce reliable results in real-life conditions and discuss a simple method to calibrate the laser to obtain the desired faults and reproduce them reliably. Furthermore, we discuss countermeasures to the described attack, considering flash-aware error detection that is able to detect the injected faults and data degradation.
  • Publication
    Peak clock: Fault injection into PLL-based systems via clock manipulation (2019)
    Selmke, B.; Hauschild, F.; Obermaier, J.
    Clock glitches are an inexpensive method to attack embedded systems. Usually the intention is to alter the program flow or to extract cryptographic keys. However, the widespread use of Phase Locked Loops (PLLs) prohibits direct reach-through to the internal clock. Hence, the commonly applied procedure of inducing glitches on the external clock does not have any effect on these systems. In this paper, we show by means of two different ARM Cortex-M microcontrollers that, despite the system clock being derived from the external clock signal by a PLL, fault injection by manipulation of the external clock signal is still feasible. Even though the process of fault injection is impeded, our results indicate that the risk from this attack vector cannot be eliminated by the use of PLLs. We demonstrate this in practice by successfully performing a differential fault attack on an AES implementation.
  • Publication
    Secure Physical Enclosures from Covers with Tamper-Resistance (2019)
    Immler, V.; Obermaier, J.; Ng, K.K.; Ke, F.X.; Lee, J.; Lim, Y.P.; Oh, W.K.; Wee, K.H.; Sigl, G.
    Ensuring the physical security of multiple-chip embedded systems on a PCB is challenging, since the attacker can control the device in a hostile environment. To detect physical intruders as part of a layered approach to security, it is common to create a physical security boundary that is difficult to penetrate or remove, e.g., enclosures created from tamper-respondent envelopes or covers. Their physical integrity is usually checked by active sensing, i.e., a battery-backed circuit continuously monitors the enclosure. However, adoption is often hampered by the disadvantages of a battery and by the specialized equipment required to create the enclosure. In contrast, we present a batteryless tamper-resistant cover made from standard flexPCB technology, i.e., a commercially widespread, scalable, and proven technology. The cover comprises a fine mesh of electrodes, and an evaluation unit underneath the cover checks their integrity by detecting short and open circuits. Additionally, it measures the capacitances between the electrodes of the mesh. Once its preliminary integrity is confirmed, a cryptographic key is derived from the capacitive measurements representing a PUF, to decrypt and authenticate sensitive data of the enclosed system. We demonstrate the feasibility of our concept, provide details on the layout and electrical properties of the cover, and explain the underlying security architecture. Practical results including statistics over a set of 115 flexPCB covers, physical attacks, and environmental testing support our design rationale. Hence, our work opens up a new direction of counteracting physical tampering without the need for batteries, while aiming at a physical security level comparable to FIPS 140-2 level 3.
  • Publication
    B-TREPID: Batteryless tamper-resistant envelope with a PUF and integrity detection (2018)
    Immler, V.; Obermaier, J.; König, M.; Hiller, M.; Sigl, G.
    Protecting embedded devices against physical attacks is a challenging task since the attacker has control of the device in a hostile environment. To address this issue, current countermeasures typically use a battery-backed tamper-respondent envelope that encloses the entire device to create a trusted compartment. However, the battery affects the system's robustness and weight, and also leads to difficulties with the security mechanism while shipping the device. In contrast, we present a batteryless tamper-resistant envelope, which contains a fine mesh of electrodes, and its complementary security concept. An evaluation unit checks the integrity of the sensor mesh by detecting short and open circuits. Additionally, it measures the capacitances of the mesh. Once its preliminary integrity is confirmed, a cryptographic key is derived from the capacitive measurements that represent a PUF, to decrypt and authenticate the firmware of the enclosed host system. We demonstrate the feasibility of our concept, provide details on the layout and electrical properties of the batteryless envelope, and explain the underlying security architecture. Practical results from a set of manufactured envelopes facilitate future research.
  • Publication
    An embedded key management system for PUF-based security enclosures (2018)
    Obermaier, J.; Hauschild, F.; Hiller, M.; Sigl, G.
    Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.
  • Publication
    A measurement system for capacitive PUF-based security enclosures (2018)
    Obermaier, J.; Immler, V.; Hiller, M.; Sigl, G.
    Battery-backed security enclosures that are permanently monitored for penetration and tampering are common solutions for providing physical integrity to multi-chip embedded systems. This paper presents a well-tailored measurement system for a batteryless PUF-based capacitive enclosure. The key is derived from the PUF and encrypts the underlying system. We present a system concept for combined enclosure integrity verification and PUF evaluation. The system performs differential capacitive measurements inside the enclosure by applying stimulus signals with a 180° phase shift that isolate the local variation in the femtofarad range. The analog circuitry and corresponding digital signal processing chain perform precise PUF digitization, using a microcontroller-based digital lock-in amplifier. The system's measurement range is approximately ±73 fF, the conversion time per PUF node is less than 0.6 ms, and the raw data shows a measurement noise of 0.3 fF. This is the base for a high-entropy key generation while enabling a short system startup time. The system is scalable to the enclosure size and has been experimentally verified to extract information from 128 PUF nodes, using a system prototype. The results show that our concept forms a cornerstone of a novel batteryless PUF-based security enclosure.
  • Publication
    The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond (2018)
    Obermaier, J.; Immler, V.
    Withstanding physical attacks in a hostile environment is of utmost importance for today's electronics. However, due to the long and costly development of integrated circuits (ICs), IC-level countermeasures are typically only included to varying degrees and not in every chip of a device. Therefore, multiple-chip modules requiring higher levels of security are additionally protected against tampering by a physical security enclosure, e.g., by an envelope that completely encloses the device. For decades, these device-level physical boundaries were monitored using battery-backed mechanisms to enable detection of an attempted physical intrusion even if the underlying system is powered off. However, the battery affects the system's robustness and weight, prevents extended storage, and also leads to difficulties with the security mechanism while shipping the device. In this position paper, we present our assessment of various battery-backed tamper-respondent solutions and argue that, while offering the intriguing benefit of instantaneous detection and response, the low-power nature of battery backup contradicts a tamper-sensitive measurement, among other problems. We are therefore of the opinion that more effort should be spent on enclosures that are based on tamper-evident physical unclonable functions (PUFs), as they are designed to provide a high level of security on the one hand and do not require a battery on the other hand. To further substantiate our argument, we summarize the work in this domain to also facilitate future research.
  • Publication
    Fuzzy-glitch: A practical ring oscillator based clock glitch attack (2017)
    Obermaier, J.; Specht, R.; Sigl, G.
    Clock glitches are useful in hardware security applications, where systems are tested for vulnerabilities emerging from fault attacks. Usually a precisely timed and controlled glitch signal is employed. However, this requires complex generators and deep knowledge about the system under attack. Therefore, we present a novel approach to clock glitch fault attacks that replaces the single precise glitch by a fuzzy glitch signal. We propose a compact FPGA design for fuzzy clock glitch generation that is based on mixing two adjustable ring oscillators of different frequencies. The combination of these oscillators creates a glitch containing random and high-frequency signal components. We show, on the basis of a practical implementation on a Spartan-3E, that the proposed method is able to generate the desired fuzzy clock glitch. We verified experimentally that the fuzzy clock glitch succeeds in error injection on an STM32F030, an ARM Cortex-M0 based microcontroller. Our results demonstrate that the fuzzy glitch is an adequate solution for fault injection.
  • Publication
    Take a moment and have some t: Hypothesis testing on raw PUF data (2017)
    Immler, V.; Hiller, M.; Obermaier, J.; Sigl, G.
    Systems based on PUFs derive secrets from physical variation, and it is difficult to measure the security level of the obtained PUF response bits in practice. We evaluate raw PUF data to assess the quality of the physical source, to detect undesired imperfections in the circuit, to provide feedback for the PUF designer, and to improve the achieved security level. Complementing previous work on correlations across a PUF structure, we apply Welch's t-test to quantify the indistinguishability between distributions of different PUF responses, i.e., the values from on-chip locations measured across multiple devices. The threshold levels of the t-test depend on the number of evaluated PUF cells and the desired confidence of the hypothesis test. These t-values are computed from the statistical moments, such as mean and variance, of the tested distributions and indicate if they were not drawn from the same source. We identify that the quantization of the raw PUF data evaluates different statistical moments. Therefore, it is important to evaluate the indistinguishability of the raw PUF data concerning the critical moment which is used by the quantizer. To demonstrate the benefits of the presented evaluation method, we apply this test to public, real-world RO PUF data. As a result, the designer is given specific information to optimize later processing steps or the underlying PUF structure. Complementing tests from the NIST 800-90b test suite further substantiate the chosen approach.