Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC

Filters
68
Reset filters

Settings
Now showing 1 - 10 of 68
  • Publication
    Breaking TrustZone memory isolation and secure boot through malicious hardware on a modern FPGA-SoC
    ( 2022)
    Gross, M.
    ;
    Jacob, N.
    ;
    Zankl, A.
    ;
    Sigl, G.
    FPGA-SoCs are heterogeneous embedded computing platforms consisting of reconfigurable hardware and high-performance processing units. This combination offers flexibility and good performance for the design of embedded systems. However, allowing the sharing of resources between an FPGA and an embedded CPU enables possible attacks from one system on the other. This work demonstrates that a malicious hardware block contained inside the reconfigurable logic can manipulate the memory and peripherals of the CPU. Previous works have already considered direct memory access attacks from malicious logic on platforms containing no memory isolation mechanism. In this work, such attacks are investigated on a modern platform which contains state-of-the-art memory and peripherals isolation mechanisms. We demonstrate two attacks capable of compromising a Trusted Execution Environment based on ARM TrustZone and show a new attack capable of bypassing the secure boot configuration set by a device owner via the manipulation of Battery-Backed RAM and eFuses from malicious logic.
  • Publication
    Tapeout of a RISC-V crypto chip with hardware trojans: A case-study on trojan design and pre-silicon detectability
    ( 2021)
    Hepp, A.
    ;
    Sigl, G.
    This paper presents design and integration of four hardware Trojans (HTs) into a post-quantum-crypto-enhanced RISC-V micro-controller, which was taped-out in September 2020. We cover multiple HTs ranging from a simple denial-of-service HT to a side-channel HT transmitting arbitrary information to external observers. For each HT, we give estimations of the detectability by the microcontroller-integration team using design tools or by simulation. We conclude that some HTs are easily detected by design-tool warnings. Other powerful HTs, modifying software control flow, cause little disturbance, but require covert executable code modifications. With this work, we strengthen awareness for HT risks and present a realistic testing device for HT detection tools.
  • Publication
    Finding the Needle in the Haystack: Metrics for Best Trace Selection in Unsupervised Side-Channel Attacks on Blinded RSA
    ( 2021)
    Kulow, A.
    ;
    Schamberger, T.
    ;
    Tebelmann, L.
    ;
    Sigl, G.
    For asymmetric ciphers, such as RSA and ECC, side-channel attacks on the underlying exponentiation are mitigated by countermeasures like constant-time implementation and blinding. This restricts an attacker to a single side-channel trace for an attack as a different representation of the private key is used for each exponentiation. In this work, we propose an unsupervised machine learning framework for side-channel attacks on asymmetric cryptography that analyzes leakage in multiple side-channel traces, identifying the best trace for key retrieval. We apply Principal Component Analysis (PCA) preprocessing followed by a classification step that assigns segments of traces to elementary operations of the Square and Multiply exponentiation of RSA. In order to estimate the attack complexity for each trace in terms of key enumeration effort, we introduce two new metrics: The Entropy-based Cost Function (EBCF) is used to select a trace for the attack as well as bits which have to be brute-forced if not all bits can be determined correctly from this single trace. To reduce brute-force complexity further, we introduce Illegal Sequence Detection (ISD) to remove brute-force candidates which do not fit to the Square-and-Multiply scheme. We first provide a proof of concept for 320-bit key length traces and, moving towards a more realistic scenario, retrieve the key from a 1024-bit RSA implementation protected by message and exponent blinding. We are able to select the trace with the least remaining brute-force complexity from 1000 power measurements of the signature generation with randomized inputs and blinding values on a 32-bit ARM Cortex-M4 microcontroller.
  • Publication
    DOMREP-An Orthogonal Countermeasure for Arbitrary Order Side-Channel and Fault Attack Protection
    ( 2021)
    Gruber, M.
    ;
    Probst, M.
    ;
    Karl, P.
    ;
    Schamberger, T.
    ;
    Tebelmann, L.
    ;
    Tempelmeier, M.
    ;
    Sigl, G.
    Protection against physical attacks is a major requirement for cryptographic implementations on devices which can be accessed by attackers. Side-channel and fault injection attacks are the most common types of physical attacks. In this work we present a novel generic solution for simultaneous protection against side-channel and fault attacks with arbitrary order. We combine domain oriented masking and repetition codes in an orthogonal way and call this approach DOMREP. The resistance against side-channel attacks and fault attacks can be scaled independently of each other, for the protection against higher-order side-channel analysis and the injection of multiple faults including SIFA. We develop the generic concept of orthogonal protection, and implement the DOMREP concept on GIMLI, a round two NIST LWC competition candidate, on a Xilinx Artix-7 FPGA. Our implementation of GIMLI is verified to be resistant against univariate first-order side-channel attacks by TVLA. The resistance against SIFA is verified by means of fault emulation of single as well as multiple bit faults. Our implementation of GIMLI achieves the expected security level according to these measurements. We also provide numbers for the area overhead for our protected implementation of GIMLI.
  • Publication
    Beyond Cache Attacks: Exploiting the Bus-based Communication Structure for Powerful On-Chip Microarchitectural Attacks
    ( 2021)
    Sepulveda, J.
    ;
    Gross, M.
    ;
    Zankl, A.
    ;
    Sigl, G.
    System-on-Chips (SoCs) are a key enabling technology for the Internet-of-Things (IoT), a hyper-connected world where on- and inter-chip communication is ubiquitous. SoCs usually integrate cryptographic hardware cores for confidentiality and authentication services. However, these components are prone to implementation attacks. During the operation of a cryptographic core, the secret key may passively be inferred through cache observations. Access-driven attacks exploiting these observations are therefore a vital threat to SoCs operating in IoT environments. Previous works have shown the feasibility of these attacks in the SoC context. Yet, the SoC communication structure can be used to further improve access-based cache attacks. The communication attacks are not as well-understood as other micro-architectural attacks. It is important to raise the awareness of SoC designers of such a threat. To this end, we present four contributions. First, we demonstrate an improved Prime+Probe attack on four different AES-128 implementations (original transformation tables, T0-Only, T2KB, and S-Box). As a novelty, this attack exploits the collisions of the bus-based SoC communication to further increase its efficiency. Second, we explore the impact of preloading on the efficiency of our communication-optimized attack. Third, we integrate three countermeasures (shuffling, mini-tables, and Time-Division Multiple Access (TDMA) bus arbitration) and evaluate their impact on the attack. Although shuffling and mini-tables countermeasures were proposed in previous work, their application as countermeasures against the bus-based attack was not studied before. In addition, TDMA as a countermeasure for bus-based attacks is an original contribution of this work. Fourth, we further discuss the implications of our work in the SoC design and its perspective with the new cryptographic primitives proposed in the ongoing National Institute of Standard and Technology Lightweight Cryptography competition. The results show that our improved communication-optimized attack is efficient, speeding up full key recovery by up to 400 times when compared to the traditional Prime+Probe technique. Moreover, the protection techniques are feasible and effectively mitigate the proposed improved attack.
  • Publication
    The Cost of OSCORE and EDHOC for Constrained Devices
    ( 2021)
    Hristozov, S.
    ;
    Huber, M.
    ;
    Xu, L.
    ;
    Fietz, J.
    ;
    Liess, M.
    ;
    Sigl, G.
    Many modern IoT applications rely on the Constrained Application Protocol (CoAP). Recently, the Internet Engineering Task Force (IETF) proposed two novel protocols for securing it. These are: 1) Object Security for Constrained RESTful Environments (OSCORE) providing authenticated encryption for the CoAP's payload data and 2) Ephemeral Diffie-Hellman Over COSE (EDHOC) providing the symmetric session keys required for OSCORE. In this paper, we present the design of four firmware libraries for these protocols which are especially targeted for constrained microcontrollers and their detailed evaluation. More precisely, we present the design of uOSCORE and mEDHOC libraries for regular microcontrollers and mOSCORE-TEE and mEDHOC-TEE libraries for microcontrollers with a Trusted Execution Environment (TEE), such as microcontrollers featuring ARM TrustZone-M. Our firmware design for the latter class of devices concerns the fact that attackers may exploit common software vulnerabilities, e.g., buffer overflows in the protocol logic, OS or application to compromise the protocol security. We present an evaluation of our implementations in terms of RAM/FLASH requirements and execution speed on a broad range of microcontrollers. Our implementations are available as open-source software.
  • Publication
    Protecting RESTful IoT Devices from Battery Exhaustion DoS Attacks
    ( 2020)
    Hristozov, S.
    ;
    Huber, M.
    ;
    Sigl, G.
    Many IoT use cases involve constrained battery powered devices offering services in a RESTful manner to their communication partners. Such services may involve, e.g., costly computations or actuator/sensor usage, which may have significant influence on the power consumption of the service Providers. Remote attackers may excessively use those services in order to exhaust the Providers' batteries, which is a form of a Denial of Service (DoS) attack. Previous work proposed solutions based on lightweight symmetric authentication. These solutions scale poorly due to requiring pre-shared keys and do not provide protection against compromised service Requesters. In contrast, we consider more powerful attackers even capable of compromising legit Requesters. We propose a method that combines attacker detection and throttling, conducted by a third trusted Backend, with a lightweight authentication protocol. For attacker detection and throttling, we propose a novel approach using rate limitation algorithms. In addition, we propose and formally verify two authentication protocols suitable for different, widely used IoT network topologies. Our protocols ensure service availability for benign Requesters even if Providers are under a battery exhaustion attack. The protocols do neither require pre-shared keys between Requesters and Providers, nor the usage of asymmetric cryptography and public key infrastructures on the Provider. This makes our protocols suitable for a variety of IoT deployments involving constrained devices and constrained networks. We demonstrate the feasibility of our method through a simulation and a proof of concept implementation.
  • Publication
    Secure and user-friendly over-the-air firmware distribution in a portable faraday cage
    ( 2020)
    Striegel, M.
    ;
    Heyszl, J.
    ;
    Jakobsmeier, F.
    ;
    Matveev, Y.
    ;
    Sigl, G.
    Setting up a large-scale wireless sensor networks (WSNs) is challenging, as firmware must be distributed and trust between sensor nodes and a backend needs to be established. To perform this task efficiently, we propose an approach named Box, which utilizes an intelligent Faraday Cage (FC). The FC acquires firmware images and secret keys from a backend, patches the firmware with the keys and deploys those customized images over-the-air (OTA) to sensor nodes placed in the FC. Electromagnetic (EM) shielding protects this exchange against passive attackers. We place few demands on the sensor node, not requiring additional hardware components or firmware customized by the manufacturer. We describe this novel workflow, implement the Box and a backend system and demonstrate the feasibility of our approach by batch-deploying firmware to multiple commercial off-the-shelf (COTS) sensor nodes. We conduct a user-study with 31 participants with diverse backgrounds and find, that our approach is both faster and more user-friendly than firmware distribution over a wired connection.
  • Publication
    Breaking TrustZone memory isolation through malicious hardware on a modern FPGA-SoC
    ( 2019)
    Gross, M.
    ;
    Jacob, N.
    ;
    Zankl, A.
    ;
    Sigl, G.
    FPGA-SoCs are heterogeneous computing systems consisting of reconfigurable hardware and high performance processing units. This combination enables a flexible design methodology for embedded systems. However, the sharing of resources between these heterogeneous systems opens the door to attacks from one system on the other. This work considers Direct Memory Access attacks from a malicious hardware block inside the reconfigurable logic on the CPU. Previous works have shown similar attacks on FPGA-SoCs containing no memory isolation between the FPGA and the CPU. Our work studies the same idea on a system based on the Xilinx Zynq Ultrascale+ architecture. This platform contains memory isolation mechanisms such as a system memory management unit, memory protection units and supports ARM TrustZone technology. Despite the existence of these protection mechanisms, the two attacks presented in this work show that a malicious hardware block can still interfere with a security critical task executed on the CPU inside ARM TrustZone.
  • Publication
    Secure Physical Enclosures from Coverswith Tamper-Resistance
    ( 2019)
    Immler, V.
    ;
    Obermaier, J.
    ;
    Ng, K.K.
    ;
    Ke, F.X.
    ;
    Lee, J.
    ;
    Lim, Y.P.
    ;
    Oh, W.K.
    ;
    Wee, K.H.
    ;
    Sigl, G.
    Ensuring physical security of multiple-chip embedded systems on a PCB is challenging, since the attacker can control the device in a hostile environment. To detect physical intruders as part of a layered approach to security, it is common to create a physical security boundary that is difficult to penetrate or remove, e.g., enclosures created from tamper-respondent envelopes or covers. Their physical integrity is usually checked by active sensing, i.e., a battery-backed circuit continuously monitors the enclosure. However, adoption is often hampered by the disadvantages of a battery and due to specialized equipment which is required to create the enclosure. In contrast, we present a batteryless tamper-resistant cover made from standard flexPCB technology, i.e., a commercially widespread, scalable, and proven technology. The cover comprises a fine mesh of electrodes and an evaluation unit underneath the cover checks their integrity by detecting short and open circuits. Additionally, it measures the capacitances between the electrodes of the mesh. Once its preliminary integrity is confirmed, a cryptographic key is derived from the capacitive measurements representing a PUF, to decrypt and authenticate sensitive data of the enclosed system. We demonstrate the feasibility of our concept, provide details on the layout, electrical properties of the cover, and explain the underlying security architecture. Practical results including statistics over a set of 115 flexPCB covers, physical attacks, and environmental testing support our design rationale. Hence, our work opens up a new direction of counteracting physical tampering without the need of batteries, while aiming at a physical security level comparable to FIPS 140-2 level 3.