Authentication, Identity and Trust · • Protect yourself from thieves posing as pest control...

Hardware SecurityDr Naghmeh Moradpoor

Trimester2: 2017-18

Lecture Overview

• Fundamentals about physical attacks

• Physical attack classifications

• Available countermeasure

• How to build a secure system

• Side channel attacks

Dr Naghmeh Moradpoor

What is a “physical attack”?

• The term “physical attacks” has two meanings in the field of IT security

• One: Mechanisms to physically penetrating a rather large perimeter

• Main door or server rack/cabinet security

• e.g. overcoming an access control system for a server room [server room security]

• Two: Physical means against cryptographic devices or its near-by environment (e.g. a smart card)


Borer Rack Handle solution

Borer Rack Handle solution >>• Secure unlimited number of racks• Provide access to users only with RFID Card• Access control levels of authority allow access to single rack/cabinet or many racks

or cabinets• Provide a full audit trail of all users and activity• Prove compliance with security regulations• Monitor temperature of racks/cabinets

In general, it includes the security vulnerabilities in a given system that are available to an attacker in the same location as the target

Physical attack surface – how physical vulnerabilities can be exploited• They are exploitable through insider/outsider threats

• Insider threats• Rogue/disgruntled employees

• Social engineering

• Intruder posing as service workers

• Outsider threats • Password retrieval from carelessly discarded hardware

• Passwords on sticky notes

• Physical break-ins


• Protect yourself from thieves posing as pest control workers

• Panama Papers leak of stolen electronic files exposed thousands of individual and corporate offshore bank account

• Heathrow security breach as memory stick crammed with sensitive info including QUEEN’S airport route is found in street

security by obscurity

Reducing physical attack surface

• Enforcing secure authentication• e.g. by enabling: re-authentication, disabling accounts, proper access control

• Zeroing hard drives; before throwing out old hardware

• Refraining from leaving exploitable information – such as sticky note password reminders – in the physical environment

• Analyse the vulnerabilities of all attack surfaces

• To set up proper security measures


What are the physical attacks? Con.

• Requirements

• Direct access/contact to the chip

• Connection using wires for measurements (e.g. to measure signals)

• Using wireless connections make physical attacks without physical access to the system possible

• Equipment, tools, skills and knowledge (hardware, cryptographic algorithms, data analysis)


What are the physical attacks? Con.

• Example of physical attack that can be performed close to the device without touching them

• Acoustic attacks (using sounds to attack)

• State Department employees at the US Embassy in Havana

• Mosquito attack

• This produces a very high-pitched sound that can be heard by teenagers only and not audible by adults (to prevent people from loitering)

• RFID and NFC attacks

• DoS on RFID e.g. signal blocking, noise, disabling [viruses in future]

• NFC eavesdropping and NFC data manipulation or corruptionDr Naghmeh Moradpoor

Hardware attack phases

• They all have two phases • Interaction • Exploitation

• Interaction phase• Interact with the device to explore some characteristics and to

possibly collect data

• Exploitation phase • Analysing the gathered information (e.g. data) to reveal the secret

and to break the security of the system


Physical attacks and hardware security

• Compared to the attacks at network levels or software levels• Physical attacks have higher requirements

• Physical access to the system • Specialized equipment, tools and knowledge

• Physical attacks are harder to launch

• Building security at hardware level• Pro: provides a better security compared with network layer and

software layer • Con: add a new attacking surface

• Ensure the HW is designed/implemented securely


With the same costs and efforts, investing on hardware security will most likely make the system more secure than adding security from network and software layers – this is one of the main reasons why hardware security has gained a lot of attention in the recent years

Physical attacks: attackers

• They are not necessarily who launch physical attacks

• Clever outsider

• Very intelligent

• Insufficient knowledge of the system

• Limited access to equipment and tools

• Knowledgeable insider

• Knowledge of the system (ins and outs of the system)

• Access to tools and equipment to analyse and break the system

• Funded organisations

• Have team of experts (skills and knowledge)

• Access to all resources (to even invent new attacks)Dr Naghmeh Moradpoor

Physical attacks: Motivations

•Money; also the motivation for almost all the attacks!

• But, how money can be made from successful physical attacks?• Direct stealing (money or service)

• Smart cards, breaking TV set up box or game console

• Sell/re-sell of products illegally

• IP piracy (theft of material, theft of trade secrets, and trademark violations), cloning, counterfeiting

• Interrupt/damaging the service provided by the competitors (DoS)

• Competitor’s device (e.g. inserting malicious patches, updates, hardware trojan)

• This gives their own product a boost in sell (unfair competition)


Physical attacks: goal

• Goal: “Breaking”- not physically destroying the system but breaking the crypto system• Learn information without authorisation

• Example: secret key/data (cryptosystem), detailed design info (system/chip/IP)

• Physical attack vs. cryptoanalysis • Both: the goal is to break the crypto system but using different ways

• Cryptoanalysis: mathematical analysis to find the theoretical weakness • Birthday attack (to find collisions in a cryptographic hash function)

• But this become harder and harder

• Physical attacks: exploit weakness/flaws in the implementation of the cryptographic algorithms


Physical attacks: classification

• Based on whether the targeted system or device will be damaged during or after the attack• Invasive attacks

• Non- invasive attacks

• Semi-invasive attacks

• Based on ways to perform the attacks• Reverse engineering (invasive)

• Micro-probing (invasive)

• Fault generation (can be semi or non-invasive)

• Side-channel attacks (non-invasive)

• Software attacks (non-invasive)Dr Naghmeh Moradpoor

Physical attacks: classification – damaged or not damaged that is the question• This classification is based on whether the targeted system or

device will be damaged during or after the attack

• Invasive attacks• Non- invasive attacks • Semi-invasive attacks


Physical attacks: classification Con.

• Invasive attacks

• e.g. physical tampering

• Require direct access to inside of the chip/device

• Normally device damaged after attack

• Tamper evidence left

• Costly (actual cost and skills)

• The required cost and skills are normally high but based on

• How the attack perform

• What system they target

• They can be repeated/non repeatedDr Naghmeh Moradpoor


• Non-invasive attacks

• e.g. side channel attack

• The attacker will interact with the device via its interface (voltage, current, clock, I/O interface)

• Generally no damage on the device

• Depends: if the attack just monitors the device or injects inputs to cause system malfunction

• No tamper evidence will be left after the attack

• Mostly low cost

• Mostly repeatable

• It can be passive or active Dr Naghmeh Moradpoor


• Semi-invasive attacks

• e.g. fault injection attack

• It is in the middle, between invasive attack and non-invasive attack

• Requires an access to the surface of the chip, but will not create contacts with internal wires

• Normally does not damage the system

• May or may not leave tamper evidence

• Depends on how the attacks are performed

• Moderate cost and some special skills

• Lower than very expensive invasive attacks

• Repeatable Dr Naghmeh Moradpoor

Meltdown, Spectre computer bugs

• It is different to other viruses

• Malicious actors can read system memory that should have been inaccessible

• Sensitive data stored on the system (e.g. passwords and secret keys)

• Probably your devices have been affected

• We shouldn’t panic yet

• Work being done about it:

• ARM said: patches have been already shared

• AMD said: near zero risk to AMD products at this time

• Intel working on the patches released security fixes

• OSs have already

• Keep updating to protect your devices

• In theory it is possible that hackers already have your data but no way of tracing

• More affect on the companies to go forward but little affect on home users

• Requires the redesign of chip architecture and operating system software

• Could have effect on performance and efficiency


-The "serious security flaws" in the design of Intel, AMD and ARM processors-The security flaw could allow hackers to take control of your device even when it’s switched off

Physical attacks: classification – based on ways to perform the attacks • Reverse engineering (invasive)


• Fault generation (can be semi or non-invasive)

• Side-channel attacks (non-invasive)

• Software attacks (non-invasive)


Physical attacks: classification – based on ways to perform the attacks – Con.• Reverse engineering (invasive)

• Study the chip’s inner structure to determine the functionality

• High cost

• Required similar capabilities of the designer/manufacturing


• Directly accesses the chip surface

• Observe, manipulate, and interact with the chip


Physical attacks: classification – based on ways to perform the attacks – Con.• Fault generation (can be semi or non-invasive)

• Attacker generates fault (e.g. faulty input) and runs in normal environmental condition with the hope that the chip will malfunction

• The attacker goal is to cause chip to malfunction, leak information or give additional access to the system

• They can be semi invasive or non-invasive depends on how the fault is generated


Physical attacks: classification – based on ways to perform the attacks – Con.• Side-channel attacks (non-invasive)

• Has two phases

• Attacker monitors the chip to measure chip’s physical characteristics (power, current, timing, EM radiation) during it’s normal operation mode and then collect data

• Perform data analysis to learn hidden information/pattern


Physical attacks: classification – based on ways to perform the attacks – Con.• Software attacks (non-invasive)

• Use normal I/O interface

• The goal is to explore known security vulnerabilities in

• Protocols, algorithms, and the software implementation

• They are repeatable


Physical Attacks and Countermeasures -Invasive attacks • So far we learn about: physical attackers, their motivations, and physical

attack classification (x2). For attack countermeasures, we start from invasive attacks

• Invasive attacks and countermeasures

• The attack starts with de-capsulation and de-packaging (e.g. chip or device)

• Remove the package (de-packaging) to expose the silicon die

• For complicated chips this happens layer by layer

• Reverse engineering

• Reveal chip inner structure and functionality after de-packaging (e.g. using an optical microscope with digital camera)


Physical Attacks and Countermeasures -Invasive attacks Con. • Invasive attacks and countermeasures

• De-passivation and micro-probing

• To get more detailed information about a chip

• Probe signal bus activity without damaging them

• Inject test signals and observe the chip's response (e.g. to extract secret keys from memory)

• Required the most expensive equipment


Physical Attacks and Countermeasures -Invasive attacks Con. • Invasive attacks and countermeasures

• Chip modification (rebuild or modify)

• For example by disabling a chip component by cute wire (e.g. encryption blocks)

• Cost varies (e.g. low for old smart cards)

• The cost is increasing very fast for modern chips where the size keeps on shrinking and design complexity keeps increasing


Invasive attacks: tools

• IC soldering/de-soldering station

• Simple chemical lab

• High-resolution optical microscope

• Oscilloscope, logic analyser, signal generator

• Wire bonding machine, laser cutting system, micro-probing station

• Scanning electron microscope

• Focused ion beam (FIB) station


Laser cutter can be used to remove passivation and cut metal wires

Semi- invasive attacks

• Decapsulation and de-processing (de-packaging)

• Remove the package to expose the chip

• But will not contact internal bus lines

• Therefor, the expensive equipment (e.g. micro-probing) may not be required

• Attackers needs to use other equipment to launch semi-invasive attacks


Semi- invasive attacks Con-

• Launching semi-invasive attacks • Imaging attack

• Using special/modern cameras to read layout of the chip• Fault injection attack

• Local heating to change some memory cells • Laser attacks to write into SRAM • Laser attacks to disable the write operation in the embedded

flash memory (memory masking)• Laser attack to point to a particular transistor (collect the

power trace before and after laser attack and compare)


Non-invasive attacks: types (x4 types)

• Side channel analysis (passive- doesn’t need interaction with the chip)

• Brute force (active- need interaction with the chip)

• Data remanence (active- need interaction with the chip)

• Fault injection (active- need interaction with the chip)


Non-invasive attacks: types (x4 types) Con.

• Side channel analysis (passive)

• Monitors chip’s execution and collects some measurements

• Timing, power, acoustics

• Brute force (active)

• Search for sensitive information (e.g. secret keys, passwords)

• For example, when the memory address is limited it can be predicted

• Rebuilding the truth table of input and output pairs (restricted to small design)

• Find backdoors - access to factory test or programming mode by applying high voltage (just about twice as the normal voltage)


Data remanence

• Data remanence allows recovery of erased data

• Data remanence in SRAM

• Retaining data after power down

• Retrieve data short time after power down (stealing data)

• Data “frozen” at low temperature (-20’C)

• Freeze data and read it

• Data “burned-in” after long time storage

• Retrieve data right after power up

• Data remanence in EEPROM and Flash

• Extract data after multiple write/erase cycles Dr Naghmeh Moradpoor

Fault injection attacks

• The idea is

• Have the chip/system execute with faulty or unexpected input/command/instruction

• Observe chip/system execution

• To gain unauthorized access to systems or learn secret data (e.g. passwords, secret keys)

• But secure systems can easily detect such faulty input before the execution starts

• So how can attackers inject faults? There are many ways to do so…


Fault injection attacks

• Fault generation techniques

• Glitches (clock, power)

• Changing the temperature

• Expose the chip to white light or laser

• X-ray and ion beams

• Electromagnetic radiation


Fault injection attacks: glitch

• Glitch is a fast change in chip’s supply signals (e.g. supplying power, clock signals)

• Affect some transistors or flip-flops

• The attackers may not have control on which transistor or flip-flop will change, but the can do a systematic search to find some security holes

• Examples

• A shorter clock pulse cause incorrect instruction fetch in Motorola controllers

• Power supply glitches can break 128 bit AES key in 2 to the power 12 attempts


Non-invasive attacks: tools

• IC soldering/de-soldering station

• Oscilloscope, logic analyser, signal generator

• PC with data acquisition board, FPGA boards, prototyping boards

• Digital multi-meter

• Universal programmer and IC tester

• Programmer power supplies


Non-invasive attacks: tools – Con.

• Optical fault injection attack (optical microscope and laser)• Using laser attached to optical microscope to inject fault into chip operation

• Chip is decapsulated and placed on a test board under optical microscope

• Red laser (635nm) for front approach and IR (1065nm) for backside

• Control board is used to operate the chip and trigger the laser pulse


Countermeasures for fault injection – fault tolerant techniques • Fault-tolerant techniques can be used to defend both at software and

hardware level

• Software approach• Checksum on data transfers • Randomized execution • Produce some overhead and can drop the performance

• Hardware approach • Fault detector • Produce some overhead and can drop the performance


Sometimes, detecting fault injection attacksafter the attack might be too late

Some countermeasures for invasive attacks

• Bus scrambling (to confuse the attacker)

• Change the order/connection of data bus

• Data encryption

• Encrypt data and decrypt in a trusted zone

• Hiding the design

• Hide the data bus (standard building blocks such as register files, instruction decoders, arithmetic and logical units, and input/output circuits)

• Implement sensor mesh at top of metal layer (in most of smart cards)

• Continues monitor of all paths in the mesh

• Triggers and alarm and resets memory to protect sensitive data

• Micro-probing will cause short circuits


Building Secure Systems

• So far, we learn about physical attacks and some countermeasures

• Now it is time to understand how to build a secure system we start with tamper resistance of a system


Tamper protection levels –x5 levels

• Zero

• No security features (all the components are open to access)

• Example

• Microcontroller and FPGA chips with external memory

• No special equipment/tools

• Takes minutes to hours to break


Tamper protection levels –x5 levels Con.

• Low

• Basic security features, but the system is easy to break

• Example

• Microcontroller with internal memory and proprietary programming algorithms, but no security mechanisms to protect the memory

• Required low cost tools and they even keeps dropping

• Takes hours to days to break


Tamper protection levels – x5 levels Con.

• Moderate Low (MODL) level

• Security features against low cost attacks

• Example

• Micro-controller with protection against common attacks, but sensitive to power analysis or power glitches

• More expensive tools and more skills are required

• They take days to weeks to break



• Moderate (MOD) level

• Example

• Microcontroller with protection against UV light attacks, secure memory chips, smart cards

• Special tools/equipment/skills/knowledge

• More expensive tools and more skills are required

• They take weeks to months to break a system



• Moderate High (MODH) level

• Application specific security features

• Example

• Military chips, banking systems

• Supposed to be secure against all the known attacks

• Group of attackers (team of specialists)

• Sometimes they need new attacks/tools to be created

• Way more expensive

• Needs months to break a system


The classification of these levels are relative

New materials/design process will increase the tamper resistance level of certain devices

Federal Information Processing Standard (FIPS) - security levels • Level 1: (the lowest level)

• Specifies basic security requirements for a cryptographic module

• Level 2: (improved level 1)

• Adds physical security

• Tamper evident, coating or seals, pick-resistant locks

• Level 3:

• Enhances physical security to prevent unauthorised access to critical data

• Level 4: (the highest level)

• Detects penetrations to the cryptographic module/device from all directions (all kind of security attacks)


This is published by the US Department of Commerce to identify how secure a crypto module is implemented

Known security failures

• Hitachi smartcard

• Information leakage on a product CD

• Full data sheet about the smartcard is accidentally included in the product CD

• Actel secure FPGA chip

• Programming software bug

• Devices were always programmed with a specific passkey

• Dallas SHA-1 secure memory

• Factory initialisation bug

• Some security features were not activated and it failed to provide the required protection


Understanding the attacks - before building your secured system • Understand the attackers

• Outsiders, insiders, funded organisations

• Understand the attacker’s motivations

• Theft, access, DoS, IP piracy

• Attacking categories

• Invasive, semi-invasive, non-invasive

• Attacking methods

• Reverse engineering, probing, fault injection, side channel, software


Securing your system

• Threat estimation

• System security evaluation

• In many cases, there's no security benchmark

• Locating weak points

• Enhancing system security • Choose/upgrade secure components • Redesign for security

• System engineering approach • Security has to be built into the system, not onto a given system


Side Channel Attacks

• This is the most successful attacks to modern cryptographic systems• Use the signals leaked from side channels during system's normal

execution• They target the weakness of the implementation of the crypto-

algorithms, not the algorithms themselves• The purpose is to reveal the secret information• They are non invasive

• They are passive (use signal leaks from side channels during system's normal execution) so they don’t leave any trace of attack • It is hard to detect and catch such attacks


Side Channel Attacks – Con.

• Side channel attacks, normally have two phases• Monitoring phase

• Measuring and monitoring the system’s physical characteristics on normal mode operation (power consumption, current, timing, delay, acoustic information, optical information)

• Data analysis phase• Performing data analysis on the collected side channel data to

determine the on-chip secret information of interest

• Normally further measurements will be collected to confirm the reveled secret information


Side Channel Attacks – characteristics

• They are non invasive

• Not required to open up the chip

• Some of the attacks do not need to have physical access to the chip either

• EM attacks and acoustic attacks

• They are passive

• Attacker will be monitoring the normal operation of the chip

• Many set channels to be used by attackers

• Power consumption, execution time, electromagnetic information, the optical, and acoustic emission and the system's output signals


Side Channel Attacks – Con.

• Power analysis

• Timing attacks

• Cache attacks

• Acoustic information


Power & the current side channel

• Chips power consumption mainly comes from two sources

• Dynamic power • Power that is needed to charge and discharge the capacitors

• Information may leak from dynamic power consumption when switching happens (when a logical 0 changed to a logical 1 or vice versa)

• Leakage current • This may leak information about the system because the leakage current of a logical

device is related to the input value to this device• Example: leakage current when the input is 11: x12 higher than the leakage when the input is

00

• Leakage current will occur even when the system is idle


Timing & delay (control flow) side channel

• They are related to the execution time of an operation

• Different operations may have different execution time

• Same operation but different operands under different conditions may have different execution time

• This will give attackers some insight, about the system's internal information

• Example: false branch takes longer here


Attacker can manage to measure the execution of this portion of the code, whether a and b have the same value can be releveled

Timing & delay (data dependency) side channel • The data dependency nature of many operations can also leak

information

• Example

• A simple multiplication operation of (x = x * y) and the product to x

• The execution time is longer when the y is a bigger number (e.g. y=190 compare to y=0 or y=1)

• y=190 compare to y = 64 (64 is equal to: 2 power 6)

• y=64 is implemented by a logical shift which takes much shorter time


Timing & delay (cache miss, pipeline stall) side channel • In addition monitoring execution time can also reveal whether cache

misses and pipeline stores have happened

• Cache hit is faster than cache miss

• Pipeline stall is slower than pipeline


Side channel: acoustic information

• Acoustic information has been used to attack hardware systems for several decades

• Examples by using a microphone• Phone numbers leaked from the dial tone

• Sounds from key entered to the system from keyboard

• Sounds from the running system component

• Tell when the RSA encryption algorithm is running

• The runs of the RSA with different key values give different acoustic traces


Date post:	17-Jul-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Authentication, Identity and Trust · • Protect yourself from thieves posing as pest control...

Documents