  • Publication
    Breaking TrustZone memory isolation and secure boot through malicious hardware on a modern FPGA-SoC (2022)
    Gross, M.; Jacob, N.; Zankl, A.; Sigl, G.
    FPGA-SoCs are heterogeneous embedded computing platforms consisting of reconfigurable hardware and high-performance processing units. This combination offers flexibility and good performance for the design of embedded systems. However, allowing the sharing of resources between an FPGA and an embedded CPU enables possible attacks from one system on the other. This work demonstrates that a malicious hardware block contained inside the reconfigurable logic can manipulate the memory and peripherals of the CPU. Previous works have already considered direct memory access attacks from malicious logic on platforms containing no memory isolation mechanism. In this work, such attacks are investigated on a modern platform which contains state-of-the-art memory and peripherals isolation mechanisms. We demonstrate two attacks capable of compromising a Trusted Execution Environment based on ARM TrustZone and show a new attack capable of bypassing the secure boot configuration set by a device owner via the manipulation of Battery-Backed RAM and eFuses from malicious logic.
  • Publication
    SCA secure and updatable crypto engines for FPGA SoC bitstream decryption: extended version (2021)
    Unterstein, F.; Jacob, N.; Hanley, N.; Gu, C.; Heyszl, J.
    FPGA system on chips (SoCs) are ideal computing platforms for edge devices in applications which require high performance through hardware acceleration and updatability due to long operation in the field. A secure update of hardware functionality can in general be achieved by using built-in cryptographic engines and provided secret key storage. However, reported examples have shown that such cryptographic engines may become insecure against side-channel attacks at any later point in time. This leaves already deployed systems vulnerable without any clear mitigation options. To solve this, we propose a comprehensive concept that uses an alternative and side-channel protected cryptographic engine within the FPGA logic instead of the built-in one for the crucial task of bitstream decryption. Remarkably, this concept even allows updating the cryptographic engine itself. As proof of concept, we describe an application to the Xilinx Zynq-7020 FPGA SoC in detail. We provide two options for a leakage resilient decryption engine which are based on the same primitive, a leakage resilient pseudorandom function (LR-PRF). Depending on a side-channel evaluation of this primitive on the target platform, either a version with additional side-channel countermeasures or a more efficient variant is deployed. The lack of accessible secret key storage poses a significant challenge and requires the use of a physical unclonable function (PUF) to generate a device intrinsic secret within the FPGA logic. At the same time this means that manufacturer-provided secret key storage or cryptography is no longer required; only a public key for signature verification of the first stage bootloader and initial static bitstream is needed. We provide empirical results proving the side-channel security of the protected cryptographic engine as well as an evaluation of the PUF quality. The full design and source code are made available to encourage further research in this direction.
  • Publication
    Review of error correction for PUFs and evaluation on state-of-the-art FPGAs (2020)
    Kürzinger, Ludwig
    Efficient error correction and key derivation is a prerequisite to generate secure and reliable keys from PUFs. The most common methods can be divided into linear schemes and pointer-based schemes. This work compares the performance of several previous designs on an algorithmic level concerning the required number of PUF response bits, helper data bits, number of clock cycles, and FPGA slices for two scenarios. One targets the widely used key error probability of 10^-6, while the other one requires a key error probability of 10^-9. In addition, we provide a wide span of new implementation results on state-of-the-art Xilinx FPGAs and set them in context to old synthesis results on legacy FPGAs.
  • Publication
    Your rails cannot hide from localized EM (2018)
    Immler, V.; Specht, R.; Unterstein, F.
    Protecting cryptographic implementations against side-channel attacks is a must to prevent leakage of processed secrets. As a cell-level countermeasure, so-called DPA-resistant logic styles have been proposed to prevent a data-dependent power consumption. As most of the DPA-resistant logic is based on dual rails, properly implementing them is a challenging task on FPGAs which is due to their fixed architecture and missing freedom in the design tools. While previous works show a significant security gain when using such logic on FPGAs, we demonstrate this only holds for power analysis. In contrast, our attack using high-resolution electromagnetic analysis is able to exploit local characteristics of the placement and routing such that only a marginal security gain remains, therefore creating a severe threat. To further analyze the properties of both attack and implementation, we develop a custom placer to improve the default placement of the analyzed AES S-box. Different cost functions for the placement are tested and evaluated w.r.t. the resulting side-channel resistance on a Spartan-6 FPGA. As a result, we are able to more than double the resistance of the design compared to cases not benefiting from the custom placement.
  • Publication
    A Highly Time Sensitive XOR Gate for Probe Attempt Detectors (2013)
    Manich, Salvador; Strasser, Martin
    Probe attempt detectors are sensors designed to protect buses of secure chips against the physical contact of probes. The operation principle of these detectors relies on the comparison of the delay propagation times between lines. CMOS XOR gates are very well suited for this comparison since they are small, fast, and compatible with the technology used in secure chips. However, the lack of activity while comparing matched lines and the limited reaction time pose a risk for tampering and decrease the sensitivity of the sensor, respectively. In this brief, a modification of a CMOS XOR gate is presented, which solves both the aforementioned problems.