  • Publication
    Breaking TrustZone memory isolation and secure boot through malicious hardware on a modern FPGA-SoC
    (2022)
    Gross, M.; Jacob, N.; Zankl, A.; Sigl, G.
    FPGA-SoCs are heterogeneous embedded computing platforms consisting of reconfigurable hardware and high-performance processing units. This combination offers flexibility and good performance for the design of embedded systems. However, allowing the sharing of resources between an FPGA and an embedded CPU enables possible attacks from one system on the other. This work demonstrates that a malicious hardware block contained inside the reconfigurable logic can manipulate the memory and peripherals of the CPU. Previous works have already considered direct memory access attacks from malicious logic on platforms containing no memory isolation mechanism. In this work, such attacks are investigated on a modern platform which contains state-of-the-art memory and peripheral isolation mechanisms. We demonstrate two attacks capable of compromising a Trusted Execution Environment based on ARM TrustZone and show a new attack capable of bypassing the secure boot configuration set by a device owner via the manipulation of Battery-Backed RAM and eFuses from malicious logic.
  • Publication
    Finding the Needle in the Haystack: Metrics for Best Trace Selection in Unsupervised Side-Channel Attacks on Blinded RSA
    (2021)
    Kulow, A.; Schamberger, T.; Tebelmann, L.; Sigl, G.
    For asymmetric ciphers, such as RSA and ECC, side-channel attacks on the underlying exponentiation are mitigated by countermeasures like constant-time implementation and blinding. This restricts an attacker to a single side-channel trace for an attack, as a different representation of the private key is used for each exponentiation. In this work, we propose an unsupervised machine learning framework for side-channel attacks on asymmetric cryptography that analyzes leakage in multiple side-channel traces, identifying the best trace for key retrieval. We apply Principal Component Analysis (PCA) preprocessing followed by a classification step that assigns segments of traces to elementary operations of the Square-and-Multiply exponentiation of RSA. In order to estimate the attack complexity for each trace in terms of key enumeration effort, we introduce two new metrics: the Entropy-based Cost Function (EBCF) is used to select a trace for the attack as well as the bits which have to be brute-forced if not all bits can be determined correctly from this single trace. To reduce brute-force complexity further, we introduce Illegal Sequence Detection (ISD) to remove brute-force candidates which do not fit the Square-and-Multiply scheme. We first provide a proof of concept for 320-bit key length traces and, moving towards a more realistic scenario, retrieve the key from a 1024-bit RSA implementation protected by message and exponent blinding. We are able to select the trace with the least remaining brute-force complexity from 1000 power measurements of the signature generation with randomized inputs and blinding values on a 32-bit ARM Cortex-M4 microcontroller.
  • Publication
    DOMREP-An Orthogonal Countermeasure for Arbitrary Order Side-Channel and Fault Attack Protection
    (2021)
    Gruber, M.; Probst, M.; Karl, P.; Schamberger, T.; Tebelmann, L.; Tempelmeier, M.; Sigl, G.
    Protection against physical attacks is a major requirement for cryptographic implementations on devices which can be accessed by attackers. Side-channel and fault injection attacks are the most common types of physical attacks. In this work we present a novel generic solution for simultaneous protection against side-channel and fault attacks with arbitrary order. We combine domain oriented masking and repetition codes in an orthogonal way and call this approach DOMREP. The resistance against side-channel attacks and fault attacks can be scaled independently of each other, for the protection against higher-order side-channel analysis and the injection of multiple faults including SIFA. We develop the generic concept of orthogonal protection, and implement the DOMREP concept on GIMLI, a round two NIST LWC competition candidate, on a Xilinx Artix-7 FPGA. Our implementation of GIMLI is verified to be resistant against univariate first-order side-channel attacks by TVLA. The resistance against SIFA is verified by means of fault emulation of single as well as multiple bit faults. Our implementation of GIMLI achieves the expected security level according to these measurements. We also provide numbers for the area overhead for our protected implementation of GIMLI.
  • Publication
    Beyond Cache Attacks: Exploiting the Bus-based Communication Structure for Powerful On-Chip Microarchitectural Attacks
    (2021)
    Sepulveda, J.; Gross, M.; Zankl, A.; Sigl, G.
    System-on-Chips (SoCs) are a key enabling technology for the Internet-of-Things (IoT), a hyper-connected world where on- and inter-chip communication is ubiquitous. SoCs usually integrate cryptographic hardware cores for confidentiality and authentication services. However, these components are prone to implementation attacks. During the operation of a cryptographic core, the secret key may passively be inferred through cache observations. Access-driven attacks exploiting these observations are therefore a vital threat to SoCs operating in IoT environments. Previous works have shown the feasibility of these attacks in the SoC context. Yet, the SoC communication structure can be used to further improve access-based cache attacks. These communication attacks are not as well understood as other microarchitectural attacks, and it is important to raise the awareness of SoC designers of such a threat. To this end, we present four contributions. First, we demonstrate an improved Prime+Probe attack on four different AES-128 implementations (original transformation tables, T0-Only, T2KB, and S-Box). As a novelty, this attack exploits the collisions of the bus-based SoC communication to further increase its efficiency. Second, we explore the impact of preloading on the efficiency of our communication-optimized attack. Third, we integrate three countermeasures (shuffling, mini-tables, and Time-Division Multiple Access (TDMA) bus arbitration) and evaluate their impact on the attack. Although the shuffling and mini-tables countermeasures were proposed in previous work, their application as countermeasures against the bus-based attack was not studied before. In addition, TDMA as a countermeasure for bus-based attacks is an original contribution of this work. Fourth, we further discuss the implications of our work for SoC design and its perspective with the new cryptographic primitives proposed in the ongoing National Institute of Standards and Technology Lightweight Cryptography competition. The results show that our improved communication-optimized attack is efficient, speeding up full key recovery by up to 400 times when compared to the traditional Prime+Probe technique. Moreover, the protection techniques are feasible and effectively mitigate the proposed improved attack.
  • Publication
    A calibratable detector for invasive attacks
    (2019)
    Weiner, M.; Wieser, W.; Lupon, E.; Sigl, G.; Manich, S.
    Microprobing is commonly used by adversaries to extract firmware or cryptographic keys from microcontrollers. We introduce the calibratable lightweight invasive attack detector (CaLIAD) to detect microprobing attacks. The CaLIAD measures timing imbalances between lines that are caused by the capacitive load of a probe. Compared to protection mechanisms from industry, it does not require an additional protection layer such as meshes do; in contrast to bus encryption, it does not introduce delay cycles. Compared to state-of-the-art low area probing detectors, it can be calibrated and, thus, allows compensating manufacturing variations as well as small layout imbalances. This capability allows us to significantly reduce the detection margin compared to the prior art while maintaining the low rate of false positives. We can finally show that capacitive loads of 23 fF or less can be detected, depending on how the CaLIAD is used. This includes all state-of-the-art commercial microprobes we are aware of.
  • Publication
    Secure Physical Enclosures from Covers with Tamper-Resistance
    (2019)
    Immler, V.; Obermaier, J.; Ng, K.K.; Ke, F.X.; Lee, J.; Lim, Y.P.; Oh, W.K.; Wee, K.H.; Sigl, G.
    Ensuring the physical security of multiple-chip embedded systems on a PCB is challenging, since the attacker can control the device in a hostile environment. To detect physical intruders as part of a layered approach to security, it is common to create a physical security boundary that is difficult to penetrate or remove, e.g., enclosures created from tamper-respondent envelopes or covers. Their physical integrity is usually checked by active sensing, i.e., a battery-backed circuit continuously monitors the enclosure. However, adoption is often hampered by the disadvantages of a battery and by the specialized equipment required to create the enclosure. In contrast, we present a batteryless tamper-resistant cover made from standard flexPCB technology, i.e., a commercially widespread, scalable, and proven technology. The cover comprises a fine mesh of electrodes, and an evaluation unit underneath the cover checks their integrity by detecting short and open circuits. Additionally, it measures the capacitances between the electrodes of the mesh. Once its preliminary integrity is confirmed, a cryptographic key is derived from the capacitive measurements representing a PUF, to decrypt and authenticate sensitive data of the enclosed system. We demonstrate the feasibility of our concept, provide details on the layout and electrical properties of the cover, and explain the underlying security architecture. Practical results including statistics over a set of 115 flexPCB covers, physical attacks, and environmental testing support our design rationale. Hence, our work opens up a new direction for counteracting physical tampering without the need for batteries, while aiming at a physical security level comparable to FIPS 140-2 level 3.
  • Publication
    The low area probing detector as a countermeasure against invasive attacks
    (2018)
    Weiner, M.; Manich, S.; Rodriguez-Montanes, R.; Sigl, G.
    Microprobing allows intercepting data from on-chip wires as well as injecting faults into data or control lines. This makes it a commonly used attack technique against security-related semiconductors, such as smart card controllers. We present the low area probing detector (LAPD) as an efficient approach to detect microprobing. It compares delay differences between symmetric lines such as bus lines to detect timing asymmetries introduced by the capacitive load of a probe. Compared with state-of-the-art microprobing countermeasures from industry, such as shields or bus encryption, the area overhead is minimal and no delays are introduced; in contrast to probing detection schemes from academia, such as the probe attempt detector, no analog circuitry is needed. We show the Monte Carlo simulation results of mismatch variations as well as process, voltage, and temperature corners on a 65-nm technology and present a simple reliability optimization. Eventually, we show that the detection of state-of-the-art commercial microprobes is possible even under extreme conditions and the margin with respect to false positives is sufficient.
  • Publication
    Fast FPGA Implementations of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve
    (2018)
    Koppermann, P.; Santis, F. De; Heyszl, J.; Sigl, G.
    We present the first hardware implementations of Diffie-Hellman key exchange based on the Kummer surface of Gaudry and Schost's genus-2 curve targeting a 128-bit security level. We describe a single-core architecture for low-latency applications and a multi-core architecture for high-throughput applications. Synthesized on a Xilinx Zynq-7020 FPGA, our architectures perform a key exchange with lower latency and higher throughput than any other reported implementation using prime-field elliptic curves at the same security level. Our single-core architecture performs a scalar multiplication with a latency of 82 microseconds, while our multi-core architecture achieves a throughput of 91,226 scalar multiplications per second. When compared to similar implementations of Microsoft's Fourℚ on the same FPGA, this translates to an improvement of 48% in latency and 40% in throughput for the single-core and multi-core architecture, respectively. Both our designs exhibit constant-time execution to thwart timing attacks, use the Montgomery ladder for improved resistance against SPA, and support a countermeasure against fault attacks.
  • Publication
    Low-latency X25519 hardware implementation
    (2017)
    Koppermann, P.; Santis, F. de; Heyszl, J.; Sigl, G.
    In the past few years, there has been a growing interest in Curve25519 due to its elegant design aimed at both high security and high performance, making it one of the most promising candidates to secure IoT applications. Until now, Curve25519 hardware implementations were mainly optimized for high-throughput applications, while no special care was given to low-latency designs. In this work, we close this gap and provide a Curve25519 hardware design targeting low-latency applications. We present a fast constant-time variable-base-point elliptic curve scalar multiplication using Curve25519 that computes a session key in less than 100 µs. This is achieved by using a high-speed prime field multiplier that smartly combines the reduction procedure with the summation of the digit-products. As a result, our presented implementation requires only 10465 cycles for one session key computation. Synthesized on a Zynq-7030 and operating with a clock frequency of 115 MHz, this translates to a latency of 92 µs, which represents an improvement of factor 3.2 compared to other Curve25519 implementations. Our implementation uses the Montgomery ladder as the scalar multiplication algorithm and includes randomized projective coordinates to thwart side-channel attacks.
  • Publication
    Fast and reliable PUF response evaluation from unsettled bistable rings
    (2017)
    Hesselbarth, R.; Heyszl, J.; Sigl, G.
    Bistable ring (BR) based strong PUFs are promising candidates for lightweight authentication applications. It has been observed that a good '0'/'1'-balance of their responses correlates with longer settling times. This is problematic, since the state-of-the-art evaluation method requires the BR to be settled in order to generate a reliable PUF response. We show that settling times can easily extend beyond 100 ms for 70 percent of the responses in the TBR PUF, which is a BR-based PUF with good '0'/'1'-balance characteristics. Hence, it is practically impossible to wait for all BRs to settle, which results in a reliability penalty. In order to solve this problem, we present three new methods, which allow the evaluation of unsettled BRs with increased reliability compared to the state-of-the-art method. We were able to improve response reliability from 81 percent to up to 98.5 percent and achieve response reliabilities of 97 percent at an evaluation time of 320 ns. This enables the fast and reliable use of BR-based PUFs in strong PUF applications.