  • Publication
    Breaking TrustZone memory isolation and secure boot through malicious hardware on a modern FPGA-SoC (2022)
    Gross, M.; Jacob, N.; Zankl, A.; Sigl, G.
    FPGA-SoCs are heterogeneous embedded computing platforms consisting of reconfigurable hardware and high-performance processing units. This combination offers flexibility and good performance for the design of embedded systems. However, allowing the sharing of resources between an FPGA and an embedded CPU enables possible attacks from one system on the other. This work demonstrates that a malicious hardware block contained inside the reconfigurable logic can manipulate the memory and peripherals of the CPU. Previous works have already considered direct memory access attacks from malicious logic on platforms containing no memory isolation mechanism. In this work, such attacks are investigated on a modern platform which contains state-of-the-art memory and peripherals isolation mechanisms. We demonstrate two attacks capable of compromising a Trusted Execution Environment based on ARM TrustZone and show a new attack capable of bypassing the secure boot configuration set by a device owner via the manipulation of Battery-Backed RAM and eFuses from malicious logic.
  • Publication
    SCA secure and updatable crypto engines for FPGA SoC bitstream decryption: extended version (2021)
    Unterstein, F.; Jacob, N.; Hanley, N.; Gu, C.; Heyszl, J.
    FPGA system on chips (SoCs) are ideal computing platforms for edge devices in applications which require high performance through hardware acceleration and updatability due to long operation in the field. A secure update of hardware functionality can in general be achieved by using built-in cryptographic engines and provided secret key storage. However, reported examples have shown that such cryptographic engines may become insecure against side-channel attacks at any later point in time. This leaves already deployed systems vulnerable without any clear mitigation options. To solve this, we propose a comprehensive concept that uses an alternative and side-channel protected cryptographic engine within the FPGA logic instead of the built-in one for the crucial task of bitstream decryption. Remarkably, this concept even allows updating the cryptographic engine itself. As proof of concept, we describe an application to the Xilinx Zynq-7020 FPGA SoC in detail. We provide two options for a leakage resilient decryption engine which are based on the same primitive, a leakage resilient pseudorandom function (LR-PRF). Depending on a side-channel evaluation of this primitive on the target platform, either a version with additional side-channel countermeasures or a more efficient variant is deployed. The lack of accessible secret key storage poses a significant challenge and requires the use of a physical unclonable function (PUF) to generate a device intrinsic secret within the FPGA logic. At the same time, this means that manufacturer-provided secret key storage or cryptography is no longer required; only a public key for signature verification of the first stage bootloader and initial static bitstream is needed. We provide empirical results proving the side-channel security of the protected cryptographic engine as well as an evaluation of the PUF quality. The full design and source code are made available to encourage further research in this direction.
  • Publication
    FORTRESS: FORtified Tamper-Resistant Envelope with Embedded Security Sensor (2021)
    Garb, Kathrin; Obermaier, Johannes; Ferres, Elischa; Künig, Martin
    Protecting security modules from attacks on the hardware level presents a very challenging endeavor, since the attacker can manipulate the device directly through physical access. To address this issue, different physical security enclosures have been developed with the goal of covering entire hardware modules and, hence, protecting them from external manipulation. Novel concepts are battery-less and based on Physical Unclonable Functions (PUFs), aiming at overcoming the most severe drawbacks of past devices: the need for active monitoring and, thus, limited battery life-time. Although some progress has already been made for certain aspects of PUF-based enclosures, the combination and integration of all required components and the creation of a corresponding architecture for Hardware Security Modules (HSMs) is still an open issue. In this paper, we present FORTRESS, a PUF-based HSM that integrates the tamper-sensitive capacitive PUF-based envelope and its embedded security sensor IC into a secure architecture. Our concept proposes a secure life cycle including shipment aspects, a full key generation scheme with re-enrollment capabilities, and our next generation Embedded Key Management System. With FORTRESS, we take the next step towards the productive operation of PUF-based HSMs.
  • Publication
    Deutsche Normungsroadmap Künstliche Intelligenz
    The German Standardization Roadmap on Artificial Intelligence (AI) aims to give recommendations for action on standardization around AI, since AI is regarded in Germany and Europe, in almost all sectors, as one of the key technologies for future competitiveness. The EU expects the economy to grow strongly in the coming years with the help of AI. This makes the recommendations of the standardization roadmap all the more important: they are intended to strengthen German industry and science in the international AI competition, create innovation-friendly conditions, and build trust in the technology.
  • Publication
    Review of error correction for PUFs and evaluation on state-of-the-art FPGAs (2020)
    Kürzinger, Ludwig
    Efficient error correction and key derivation is a prerequisite to generate secure and reliable keys from PUFs. The most common methods can be divided into linear schemes and pointer-based schemes. This work compares the performance of several previous designs on an algorithmic level concerning the required number of PUF response bits, helper data bits, number of clock cycles, and FPGA slices for two scenarios. One targets the widely used key error probability of 10^-6, while the other one requires a key error probability of 10^-9. In addition, we provide a wide span of new implementation results on state-of-the-art Xilinx FPGAs and set them in context to old synthesis results on legacy FPGAs.
  • Publication
    A Security Architecture for RISC-V based IoT Devices
    New IoT applications demand more and more performance from embedded devices, while their deployment and operation pose strict power constraints. We present the security concept for a customizable Internet of Things (IoT) platform based on the RISC-V ISA and developed by several Fraunhofer Institutes. It integrates a range of peripherals with a scalable computing subsystem as a three-dimensional System-in-Package (3D-SiP). The security features aim for a medium security level and target the requirements of the IoT market. Our security architecture extends given implementations to enable secure deployment, operation, and update. Core security features are secure boot, an authenticated watchdog timer, and key management. The Universal Sensor Platform (USeP) SoC is developed for GLOBALFOUNDRIES' 22FDX technology and aims to provide a platform for Small and Medium-sized Enterprises (SMEs) that typically do not have access to advanced microelectronics and integration know-how, and are therefore limited to Commercial Off-The-Shelf (COTS) products.
  • Publication
    Your rails cannot hide from localized EM (2018)
    Immler, V.; Specht, R.; Unterstein, F.
    Protecting cryptographic implementations against side-channel attacks is a must to prevent leakage of processed secrets. As a cell-level countermeasure, so-called DPA-resistant logic styles have been proposed to prevent a data-dependent power consumption. As most of the DPA-resistant logic is based on dual rails, properly implementing them is a challenging task on FPGAs due to their fixed architecture and missing freedom in the design tools. While previous works show a significant security gain when using such logic on FPGAs, we demonstrate that this only holds for power analysis. In contrast, our attack using high-resolution electromagnetic analysis is able to exploit local characteristics of the placement and routing such that only a marginal security gain remains, therefore creating a severe threat. To further analyze the properties of both attack and implementation, we develop a custom placer to improve the default placement of the analyzed AES S-box. Different cost functions for the placement are tested and evaluated w.r.t. the resulting side-channel resistance on a Spartan-6 FPGA. As a result, we are able to more than double the resistance of the design compared to cases not benefiting from the custom placement.
  • Publication
    Capacitive multi-channel security sensor IC for tamper-resistant enclosures (2018)
    Ferres, Elischa; Immler, Vincent
    Physical attacks are a serious threat for embedded devices. Since these attacks are based on physical interaction, sensing technology is a key aspect in detecting them. For the highest security levels, devices in need of protection are placed into tamper-resistant enclosures. In this paper, we present a capacitive multi-channel security sensor IC in a 350 nm CMOS technology. This IC measures more than 128 capacitive sensor nodes of such an enclosure with an SNR of 94.6 dB across a 16×16 electrode matrix in just 19.7 ms. The theoretical sensitivity is 35 aF, which is practically limited by noise to 460 aF. While this is similar to capacitive touch technology, it outperforms available solutions of this domain with respect to precision and speed.
  • Publication
    A Highly Time Sensitive XOR Gate for Probe Attempt Detectors (2013)
    Manich, Salvador; Strasser, Martin
    Probe attempt detectors are sensors designed to protect buses of secure chips against the physical contact of probes. The operation principle of these detectors relies on the comparison of the delay propagation times between lines. CMOS XOR gates are very well suited for this comparison since they are small, fast, and compatible with the technology used in secure chips. However, the lack of activity while comparing matched lines and the limited reaction time pose a risk for tampering and decrease the sensitivity of the sensor, respectively. In this brief, a modification of a CMOS XOR gate is presented, which solves both the aforementioned problems.