  • Publication
    Tapeout of a RISC-V crypto chip with hardware trojans: A case-study on trojan design and pre-silicon detectability (2021)
    Hepp, A.; Sigl, G.
    This paper presents design and integration of four hardware Trojans (HTs) into a post-quantum-crypto-enhanced RISC-V micro-controller, which was taped-out in September 2020. We cover multiple HTs ranging from a simple denial-of-service HT to a side-channel HT transmitting arbitrary information to external observers. For each HT, we give estimations of the detectability by the microcontroller-integration team using design tools or by simulation. We conclude that some HTs are easily detected by design-tool warnings. Other powerful HTs, modifying software control flow, cause little disturbance, but require covert executable code modifications. With this work, we strengthen awareness for HT risks and present a realistic testing device for HT detection tools.
  • Publication
    The Cost of OSCORE and EDHOC for Constrained Devices (2021)
    Hristozov, S.; Huber, M.; Xu, L.; Fietz, J.; Liess, M.; Sigl, G.
    Many modern IoT applications rely on the Constrained Application Protocol (CoAP). Recently, the Internet Engineering Task Force (IETF) proposed two novel protocols for securing it. These are: 1) Object Security for Constrained RESTful Environments (OSCORE), providing authenticated encryption for the CoAP's payload data, and 2) Ephemeral Diffie-Hellman Over COSE (EDHOC), providing the symmetric session keys required for OSCORE. In this paper, we present the design of four firmware libraries for these protocols which are especially targeted for constrained microcontrollers and their detailed evaluation. More precisely, we present the design of uOSCORE and mEDHOC libraries for regular microcontrollers and mOSCORE-TEE and mEDHOC-TEE libraries for microcontrollers with a Trusted Execution Environment (TEE), such as microcontrollers featuring ARM TrustZone-M. Our firmware design for the latter class of devices concerns the fact that attackers may exploit common software vulnerabilities, e.g., buffer overflows in the protocol logic, OS or application, to compromise the protocol security. We present an evaluation of our implementations in terms of RAM/FLASH requirements and execution speed on a broad range of microcontrollers. Our implementations are available as open-source software.
  • Publication
    Protecting RESTful IoT Devices from Battery Exhaustion DoS Attacks (2020)
    Hristozov, S.; Huber, M.; Sigl, G.
    Many IoT use cases involve constrained battery-powered devices offering services in a RESTful manner to their communication partners. Such services may involve, e.g., costly computations or actuator/sensor usage, which may have significant influence on the power consumption of the service Providers. Remote attackers may excessively use those services in order to exhaust the Providers' batteries, which is a form of a Denial of Service (DoS) attack. Previous work proposed solutions based on lightweight symmetric authentication. These solutions scale poorly due to requiring pre-shared keys and do not provide protection against compromised service Requesters. In contrast, we consider more powerful attackers even capable of compromising legitimate Requesters. We propose a method that combines attacker detection and throttling, conducted by a third trusted Backend, with a lightweight authentication protocol. For attacker detection and throttling, we propose a novel approach using rate limitation algorithms. In addition, we propose and formally verify two authentication protocols suitable for different, widely used IoT network topologies. Our protocols ensure service availability for benign Requesters even if Providers are under a battery exhaustion attack. The protocols require neither pre-shared keys between Requesters and Providers, nor the usage of asymmetric cryptography and public key infrastructures on the Provider. This makes our protocols suitable for a variety of IoT deployments involving constrained devices and constrained networks. We demonstrate the feasibility of our method through a simulation and a proof of concept implementation.
  • Publication
    Secure and user-friendly over-the-air firmware distribution in a portable faraday cage (2020)
    Striegel, M.; Heyszl, J.; Jakobsmeier, F.; Matveev, Y.; Sigl, G.
    Setting up large-scale wireless sensor networks (WSNs) is challenging, as firmware must be distributed and trust between sensor nodes and a backend needs to be established. To perform this task efficiently, we propose an approach named Box, which utilizes an intelligent Faraday Cage (FC). The FC acquires firmware images and secret keys from a backend, patches the firmware with the keys and deploys those customized images over-the-air (OTA) to sensor nodes placed in the FC. Electromagnetic (EM) shielding protects this exchange against passive attackers. We place few demands on the sensor node, not requiring additional hardware components or firmware customized by the manufacturer. We describe this novel workflow, implement the Box and a backend system and demonstrate the feasibility of our approach by batch-deploying firmware to multiple commercial off-the-shelf (COTS) sensor nodes. We conduct a user study with 31 participants with diverse backgrounds and find that our approach is both faster and more user-friendly than firmware distribution over a wired connection.
  • Publication
    EyeSec: A Retrofittable Augmented Reality Tool for Troubleshooting Wireless Sensor Networks in the Field (2019)
    Striegel, M.; Rolfes, C.; Heyszl, J.; Helfert, F.; Hornung, M.; Sigl, G.
    Wireless Sensor Networks (WSNs) often lack interfaces for remote debugging. Thus, fault diagnosis and troubleshooting are conducted at the deployment site. Currently, WSN operators lack dedicated tools that aid them in this process. Therefore, we introduce EyeSec, a tool for WSN monitoring and maintenance in the field. An Augmented Reality Device (AR Device) identifies sensor nodes using optical markers. Portable Sniffer Units capture network traffic and extract information. With those data, the AR Device visualizes the network topology and the data flows between sensor nodes. Unlike previous tools, EyeSec is fully portable, independent of any given infrastructure and does not require dedicated and expensive AR hardware. Using passive inspection only, it can be retrofitted to already deployed WSNs. We implemented a proof of concept on low-cost embedded hardware and commodity smartphones and demonstrate the usage of EyeSec within a WSN test bed using the 6LoWPAN transmission protocol.
  • Publication
    Locked out by Latch-up? An Empirical Study on Laser Fault Injection into Arm Cortex-M Processors (2018)
    Selmke, B.; Zinnecker, K.; Koppermann, P.; Miller, K.; Heyszl, J.; Sigl, G.
    Laser-based fault injection (LFI) is considered one of the most powerful tools for active attacks against integrated circuits. However, only a few empirical results are published for LFI into modern low-power microcontrollers with current process technologies. To fill this gap, we investigate LFI in four Cortex-M microcontrollers from different manufacturers: ST Microelectronics, NXP and Infineon. We note that those controllers differ from the ones used in high-security smartcard devices but argue that they are possibly built in similar process technologies, making our results relevant for security evaluations. We were able to successfully inject precise faults into either the SRAM or the register file in all tested devices. We report our settings and fault maps in order to facilitate further fault attack investigations on these microcontrollers. As another contribution, we would like to emphasize the significant difficulties we encountered in some measurements due to the occurrence of latch-up effects. In many cases, the latch-up behavior of the integrated circuit prevented successful fault injections. This observation is largely underrepresented in scientific publications, which leads to an overestimation of the effectiveness of laser-based fault injection attacks under realistic circumstances.
  • Publication
    An embedded key management system for PUF-based security enclosures (2018)
    Obermaier, J.; Hauschild, F.; Hiller, M.; Sigl, G.
    Hardware Security Modules (HSMs) are embedded systems which provide a physically secured environment for data storage and handling. The device is protected by an enclosure against adversaries. A supervisor circuit monitors the enclosure's integrity and deletes all Critical Security Parameters (CSPs), such as keys, upon a tamper event. While current solutions store CSPs in battery-backed memory, our novel batteryless solution exploits the Physical Unclonable Function (PUF) of the enclosure to derive a key encryption key (KEK). However, such a PUF-based solution requires a more complex Embedded Key Management System (EKMS) for integrity verification, PUF usage, and key management. In this paper, we address this issue by discussing an adversary model, deriving design requirements, and presenting a hardened firmware architecture for PUF-based security enclosures. We present the complementing security extensions for FreeRTOS that enhance the operating system's security. To verify the concept's feasibility, we implement the proposed system and evaluate its performance. Our results show that this security architecture for an EKMS can serve as a firmware basis for novel PUF-based HSMs.
  • Publication
    Where Technology Meets Security: Key Storage and Data Separation for System-on-Chips (2018)
    Sigl, G.; Gross, M.; Pehl, M.
    This article investigates the dependency between advances in chip technology, architectures, and security. Two major properties of secure systems are analyzed in this context: data separation of different applications and secure storage of cryptographic keys. We discuss first examples for compromising data separation, e.g. the Rowhammer attack on modern DRAMs, enabled by the sensitivity of shrunk DRAM cells to crosstalk effects, or Meltdown and Spectre attacks using cache side channels. These attacks show the dependency between data separation and advances in technology and architecture. Even more powerful attacks exploiting bus and network-on-chip traffic are possible. Another area where technology meets security is the storage of cryptographic keys. New technologies offer new ways to realize non-volatile memory (NVM) for secret data storage and to implement physical unclonable functions (PUFs), which generate the key during system start and do not store it permanently in NVM. To enable good PUFs, technology and security people should work together as early as possible in the development phase, since PUFs must be characterized carefully. Ideally, a PUF module is provided as a characterized and reliable security primitive in the design library. If we manage to take security into account already in early technology development phases and during architecture definition, we will get more secure systems-on-chip in the future.
  • Publication
    DATA - Differential address trace analysis: Finding address-based side-channels in binaries (2018)
    Weiser, S.; Zankl, A.; Spreitzer, R.; Miller, K.; Mangard, S.; Sigl, G.
    Cryptographic implementations are a valuable target for address-based side-channel attacks and should, thus, be protected against them. Countermeasures, however, are often incorrectly deployed or completely omitted in practice. Moreover, existing tools that identify information leaks in programs either suffer from imprecise abstraction or only cover a subset of possible leaks. We systematically address these limitations and propose a new methodology to test software for information leaks. In this work, we present DATA, a differential address trace analysis framework that detects address-based side-channel leaks in program binaries. This accounts for attacks exploiting caches, DRAM, branch prediction, controlled channels, and the like. DATA works in three phases. First, the program under test is executed to record several address traces. These traces are analyzed using a novel algorithm that dynamically re-aligns traces to increase detection accuracy. Second, a generic leakage test filters differences caused by statistically independent program behavior, e.g., randomization, and reveals true information leaks. The third phase classifies these leaks according to the information that can be obtained from them. This provides further insight to security analysts about the risk they pose in practice. We use DATA to analyze OpenSSL and PyCrypto in a fully automated way. Among several expected leaks in symmetric ciphers, DATA also reveals known and previously unknown leaks in asymmetric primitives (RSA, DSA, ECDSA), and DATA identifies erroneous bug fixes of supposedly fixed constant-time vulnerabilities.
  • Publication
    High-resolution EM attacks against leakage-resilient PRFs Explained (2018)
    Unterstein, F.; Heyszl, J.; Santis, F. de; Specht, R.; Sigl, G.
    Achieving side-channel resistance through Leakage Resilience (LR) is highly relevant for embedded devices where requirements of other countermeasures, such as high-quality random numbers, are hard to guarantee. The main challenge of LR lies in the initialization of a secret pseudorandom state from a long-term key and public input. Leakage-Resilient Pseudo-Random Functions (LR-PRFs) aim at solving this by bounding side-channel leakage to non-exploitable levels through frequent re-keying. Medwed et al. recently presented an improved construction at ASIACRYPT 2016 which uses "unknown-inputs" in addition to limited data complexity and correlated algorithmic noise from parallel S-boxes. However, a subsequent investigation uncovered a vulnerability to high-precision EM analysis on FPGA. In this paper, we follow up on the reasons why such attacks succeed on FPGAs. We find that in addition to the high spatial resolution, it is mainly the high temporal resolution which leads to the reduction of algorithmic noise from parallel S-boxes. While spatial resolution is less threatening for smaller technologies than the used FPGA, temporal resolution will likely remain an issue since balancing the timing behavior of signals in the nanosecond range seems infeasible today. Nonetheless, we present an improvement of the ASIACRYPT 2016 construction to effectively protect against EM attacks with such high spatial and high temporal resolution. We carefully introduce additional key entropy into the LR-PRF construction to achieve a high remaining security level even when implemented on FPGAs. With this improvement, we finally achieve side-channel secure LR-PRFs in a practical and simple way under verifiable empirical assumptions.