Week 10


11/08/19

Course Name: Ethical Hacking


Faculty Name: Prof. Indranil Sen Gupta
Department : Computer Science and Engineering

Topic
Lecture 46: Elements of Hardware Security

• Attacks on hardware

• Typical countermeasures

Introduction

• How do we characterize hardware in the present context?
  • Computer hardware, which includes processors, firmware and memory.
  • Mobile hardware:
    - SIM Card
    - RFID
    - Smart Card
    - PUF

Attacks on Hardware

• Physical Attacks
  • Carried out on the actual device using hardware tools.

• Planned Attacks
  • Some vulnerability can be deliberately included in the hardware.

• Stealing Secret Data
  • Many hardware devices carry confidential data.
  • International mobile subscriber identity and contact details in a SIM card.
  • Unique identification codes in RFID tags.
  • Secret key and other confidential information in a Smart Card.

Types of Attacks

a) Black Box Testing
  • The attacker sends an input to the circuit and receives an output.
  • Based on the input/output behavior, the attacker decides what kind of algorithm is used.
  • This is a non-invasive type of attack.

b) Physical Probing
  • The attacker plants a probe into the chip itself and reads data off the chip.
  • This is an invasive attack, and requires sophisticated instrumentation.

Types of Attacks

• Reverse Engineering
  • The attacker acquires the device (say, smart card) and physically exposes the circuit.
  • Each layer of the circuit is removed and high resolution photographs are taken.
  • Invasive approach, and also requires very sophisticated instrumentation.

• Side Channel Analysis
  • The attacker measures sensitive parameters during normal operation of the circuit.
  • Based on the measurements, some secret values can be inferred.
  • This is a non-invasive kind of attack, and is the subject of intense research.

Typical Countermeasures to Prevent Hardware Attacks

a) Obfuscate data in registers and buses
  • Scramble, encrypt, etc.
b) Obfuscate the IC layout
  • Use 3D stacking, dummy circuitry, etc.
c) Add metal mesh on top of the circuit.
  • If the circuit is probed, it will cause a short and the stored data resets.
d) Countermeasures against side channel attacks.
  • Random noise generator, secret hiding, etc.
e) Physical unclonable function (PUF)
  • Can be used to design low-overhead security protocols.


Hardware Trojan

• Malicious logic inserted into a circuit without the knowledge of the designer / user.
  • Carries a trigger condition and a payload (may be malicious).
  • Very difficult to detect.

• Trojans can also be used for defensive purposes.
  • Any unauthorized change in the circuit will be detected.
  • Can be used for copyright protection (IC fingerprinting).

To Summarize …

• A hardware implementation of a security device may be based on well-known secure algorithms.
  • The implementation of the hardware may be faulty, resulting in vulnerabilities.
  • The attacker tries to exploit the vulnerabilities.

• Next generation security chips will include countermeasures to protect against such attacks.


Course Name: Ethical Hacking


Faculty Name: Prof. Indranil Sen Gupta
Department : Computer Science and Engineering

Topic
Lecture 47: Side Channel Attacks (Part I)

• Side channel attack

• Timing analysis attack

Side Channel Attacks

• Side channel attack / cryptanalysis:
  • New research area of applied cryptography.
  • Gained momentum since mid nineties.
  • Basic idea:
    - Capture unintended leakage of information during operation.
    - Can be exploited to extract key with relatively low effort.

Why Important?

• A developer of a secure product has to defend it against all possible attack paths.
• In side channel attack:
  • The mathematical security of the cryptographic algorithms is not being questioned.
  • It is the implementation of these algorithms that is at risk to be broken.

Typical Side Channels

[Figure: a cryptographic device surrounded by its typical side channels: power consumption, faulty outputs, EM emissions, timing, heat, scan data during test, data coupling.]

Timing Analysis Attack

Introduction

• Basic concept
  • The first side-channel based attack to be published [Paul Kocher, 1995].
  • Attacker tries to break a cryptosystem by analyzing the execution time for the overall cryptographic operation.

• What does it try to exploit?
  • Computation time for a private key operation is dependent on the key in some way.
  • Particularly true for asymmetric key algorithms.

An Example

• Square-and-multiply algorithm for modular exponentiation (used in RSA, Diffie-Hellman).
  • Execution time depends linearly on the number of ‘1’ bits of the key.
  • Repeated executions with the same key and different inputs can be used.
    - To perform statistical correlation analysis of timing information.
    - The key can be recovered completely.

• Square-and-add exponentiation.
• How to calculate x^n ?
    Power (x, n) = x,                          if n = 1
                 = Power (x^2, n/2),           if n is even
                 = x · Power (x^2, (n-1)/2),   if n > 2 is odd

• Advantage:
  • Simple implementation requires (n-1) multiplications.
  • This algorithm uses only O(log2 n) multiplications.

• Illustration:
    x^13 = x^(1101 in binary)
         = x^(1*2^3 + 1*2^2 + 0*2^1 + 1*2^0)
         = x^(2^3) * x^(2^2) * 1 * x^(2^0)
         = x^8 * x^4 * x^1
         = (x^4)^2 * (x^2)^2 * x
         = (x^4 * x^2)^2 * x
         = ((x^2)^2 * x^2)^2 * x
         = ((x^2 * x)^2)^2 * x

• Requires only 3 squarings and 2 multiplications rather than 12 multiplications.
• Number of squarings and multiplications can directly give the number of 1’s in the key.

• Pseudo-code to compute b^e (mod m)

    Bignum modpow (Bignum b, Bignum e, Bignum m) {
        Bignum result = 1;
        while (e > 0) {
            /* multiply only when the current key bit is 1 */
            if ((e & 1) != 0) result = (result * b) % m;
            e = e >> 1;          /* move to the next key bit */
            b = (b * b) % m;     /* square on every iteration */
        }
        return result;
    }

[Flowchart: test next bit of key. Bit = 1? Yes: multiply, then squaring. No: squaring only.]

• Modified algorithm -- make branches symmetric:

    Bignum modpow (Bignum b, Bignum e, Bignum m) {
        Bignum result = 1;
        Bignum dummy;            /* holds the discarded balancing product */
        while (e > 0) {
            if ((e & 1) != 0) result = (result * b) % m;
            else dummy = (result * b) % m;   /* same work when the bit is 0 */
            e = e >> 1;
            b = (b * b) % m;
        }
        return result;
    }

• Timing analysis can reveal the number of 1’s in the secret key.
    Time = n * t_square + k * t_mul
      n : number of bits in the key
      k : number of one bits in the key
      t_square : time to compute square
      t_mul : time to compute multiplication
• The suggested countermeasure can make the time independent of the key.
    Time = n * (t_square + t_mul)
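
The two timing formulas above can be checked by counting operations. The following is an added example, not code from the lecture; the unit costs T_SQUARE and T_MUL, the base, the modulus and the sample keys are assumptions chosen for illustration.

```python
# Added example: counts squarings and multiplications for both modpow variants
# and evaluates the slide's timing model with assumed unit costs.
T_SQUARE = 1.0   # assumed cost of one modular squaring
T_MUL = 1.0      # assumed cost of one modular multiplication

def modpow_leaky(b, e, m):
    """First pseudo-code variant: multiply only when the key bit is 1."""
    result, squarings, multiplies = 1, 0, 0
    while e > 0:
        if e & 1:
            result = (result * b) % m
            multiplies += 1
        e >>= 1
        b = (b * b) % m
        squarings += 1
    return result, squarings, multiplies

def modpow_balanced(b, e, m):
    """Symmetric-branch variant: a dummy multiply runs when the key bit is 0."""
    result, squarings, multiplies = 1, 0, 0
    while e > 0:
        if e & 1:
            result = (result * b) % m
        else:
            _dummy = (result * b) % m   # result discarded, work is the same
        multiplies += 1
        e >>= 1
        b = (b * b) % m
        squarings += 1
    return result, squarings, multiplies

def modelled_time(squarings, multiplies):
    """Time = squarings * t_square + multiplies * t_mul."""
    return squarings * T_SQUARE + multiplies * T_MUL

def compare(keys, base=0x1234567, modulus=(1 << 61) - 1):
    """Return (number of 1 bits, leaky time, balanced time) for each key."""
    rows = []
    for key in keys:
        r1, s1, m1 = modpow_leaky(base, key, modulus)
        r2, s2, m2 = modpow_balanced(base, key, modulus)
        assert r1 == r2 == pow(base, key, modulus)   # both variants are correct
        rows.append((bin(key).count("1"),
                     modelled_time(s1, m1), modelled_time(s2, m2)))
    return rows

# Constructed 16-bit exponents with 2, 8 and 16 one bits.
SAMPLE_KEYS = [0x8001, 0xA5A5, 0xFFFF]

if __name__ == "__main__":
    for ones, t_leaky, t_balanced in compare(SAMPLE_KEYS):
        print(f"k={ones:2d}  leaky={t_leaky:5.1f}  balanced={t_balanced:5.1f}")
```

The leaky time grows with k, while the balanced time stays at n * (t_square + t_mul) for every key. Python's own big-integer arithmetic is not constant time, so this models operation counts only.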

What it means?

• If the device carrying out the cryptographic operation is available for analysis …
  • We can gain valuable insight into the internal execution.
  • For RSA, the complexity of brute-force attack can be drastically reduced.

• Security implications:
  • We use various sorts of smart cards in our daily life.
  • Side-channel attack can pose a serious threat.
  • Secure side-channel attack resistant implementations are necessary.

• An algorithm may be mathematically very secure.
  • But weaknesses in hardware or software implementations may make it vulnerable against side-channel attacks.
  • Secure implementation is very important in this context.


Course Name: Ethical Hacking


Faculty Name: Prof. Indranil Sen Gupta
Department : Computer Science and Engineering

Topic
Lecture 48: Side Channel Attacks (Part II)

• Power analysis attack

• Simple and differential power analysis

• Countermeasures

Power Analysis Attack

Introduction

• Basic concept:
  • A much more effective form of side channel attack [Paul Kocher et al, 1998].
  • Analyzes the power consumed by a device during the processing of some cryptographic operation.

• What it can yield?
  • Information about what the device is doing.
    - Can extract the key information.

Data Acquisition Setup

[Figure: data acquisition setup: power supply, resistor R, and cryptographic device; the attacker's current or power measurement point is marked at R.]

Simple Power Analysis (SPA)

• Attacker directly uses power consumption to learn bits of secret key.
  – Waveforms visually examined.

• Can identify:
  – Big features like rounds of DES/AES, square vs. multiply in RSA exponentiation.
  – Small features, like bit value.

• Relatively easy to defend against.

How SPA Works?

[Figure: power traces for Key = 101011, annotated with key bits 0 1 0 1 1: one trace for the square-and-multiply algorithm and one with “dummy” operations.]

Differential Power Analysis

• More complex.
• Partition the data and related curves into two sets according to selected bits.
• Take the difference, and look for peaks or differences.

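DPA Process Schematic

[Figure: DPA process schematic: the recorded data and power curves are split into two sets by the selection bit (0 or 1), each set is averaged, and the difference of the two averages gives the DPA curve.]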

DPA Result Example

[Figure: four curves: average power consumption; power consumption differential curve with correct key guess; and two power consumption differential curves with incorrect key guesses.]

Countermeasures

Introduction

• Relatively easy to implement for timing analysis.
  • Make the execution time data independent.

• Power analysis attacks that look at specific intermediate values of the implementation are much harder to defeat.
• Two broad approaches practiced:
  a) Hardware-based
  b) Software-based

a) Hardware-based countermeasures:
  • Special logic styles that minimize data-dependent leakage.
  • Implementation of masking schemes.
  • Addition of noise with noise-generators.
  • Random process interrupts that provide for an internal timing de-synchronization.

b) Software-based countermeasures:
  • Aim to avoid the occurrence of predictable intermediate results.
  • Introduce redundant computations.
  • Internal randomization used to mask the data representation used.
    - A random value, not known to the attacker, is added or multiplied with intermediate values.
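
The effect of internal randomization on the DPA difference-of-means can be seen on simulated traces. This is an added example, not part of the lecture; the S-box (a random permutation, not DES or AES), the key byte, the Hamming-weight leakage model and the noise level are all constructed assumptions.

```python
import random

# Added example: everything below is constructed for illustration.
rng = random.Random(2019)
SBOX = list(range(256))
rng.shuffle(SBOX)                       # constructed S-box, a random permutation
KEY = 0x3C                              # constructed secret key byte
HW = [bin(v).count("1") for v in range(256)]

def simulate_traces(n, masked, noise=0.5):
    """Return (plaintext, power sample) pairs; power follows Hamming weight."""
    traces = []
    for _ in range(n):
        p = rng.randrange(256)
        v = SBOX[p ^ KEY]               # key-dependent intermediate value
        if masked:
            v ^= rng.randrange(256)     # fresh random mask on the intermediate
        traces.append((p, HW[v] + rng.gauss(0.0, noise)))
    return traces

def dpa_peaks(traces):
    """Difference of means for each key guess, partitioned on a selection bit."""
    peaks = []
    for guess in range(256):
        sums, counts = [0.0, 0.0], [0, 0]
        for p, power in traces:
            bit = SBOX[p ^ guess] & 1   # selection bit predicted from the guess
            sums[bit] += power
            counts[bit] += 1
        peaks.append(abs(sums[1] / counts[1] - sums[0] / counts[0]))
    return peaks

def evaluate(n=2000):
    """Compare the largest differential peak with and without masking."""
    plain = dpa_peaks(simulate_traces(n, masked=False))
    masked = dpa_peaks(simulate_traces(n, masked=True))
    return {
        "unmasked_best_guess": max(range(256), key=plain.__getitem__),
        "unmasked_peak": max(plain),
        "masked_peak": max(masked),
    }

if __name__ == "__main__":
    print(evaluate())
```

Without the mask the differential peak sits at the correct key byte; with the mask every guess gives only a noise-level difference. The model leaks the masked value alone, which is a simplification of a real masked implementation.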

Conclusion

• Side channel attacks
  • Powerful technique but specific.
    - Targets a particular implementation rather than a generic algorithm.
    - Most devices as well as software implementations on embedded platforms can be targeted.
    - Hard to evaluate and prevent.
  • Possible loophole:
    - Resisting one kind of attack may introduce weaknesses with respect to another one.
  • An active area of research.


Course Name: Ethical Hacking


Faculty Name: Prof. Indranil Sen Gupta
Department : Computer Science and Engineering

Topic
Lecture 49: Physical Unclonable Functions

• Physical Unclonable Function (PUF)

• Applications of PUF

• PUF implementation

What is a PUF?

• Fingerprint of some device.
  • A challenge-response mechanism in which the mapping between an applied input (“challenge”) and the corresponding observed output (“response”) is dependent on the complex and variable nature of a physical material.
  • The challenge-response mapping is unclonable (ideally) and instance-specific (depends on manufacturing process variations evident in ASICs).

[Figure: n-bit Challenge (C) → PUF → n-bit Response (R)]

Some Desirable Properties

• Evaluatable:
  • Given PUF and x, it is easy to evaluate y = PUF(x).
• Unique:
  • The PUF(x) contains some information about the identity of the physical entity embedding the PUF.
• Unclonable:
  • Given PUF, it is hard to construct a procedure PUF’, where PUF ≠ PUF’, and PUF’(x) = PUF(x) for all x.
• One-way:
  • Given only y and the corresponding PUF instance, it is hard to find x such that PUF(x) = y.

An Example with a Simple S-R Latch

• Make the input in=1.
  • We shall get y=1, y’=1.
• Now make the input in=0, both of the following states are possible:
  a) y=1, y’=0
  b) y=0, y’=1
Source of randomness in

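From Theory to Practice

• FPGAs are ideal for security implementations.
  • In-house and high-performance.
  • Programmability is an added feature.
  • But careful implementation is needed.

    module SR (in, Q, Qbar);
      input in;
      output Q, Qbar;

      // cross-coupled NAND gates fed back directly from the outputs
      nand N1(Q, ~in, Qbar);
      nand N2(Qbar, ~in, Q);
    endmodule

[Figure: the circuit as mapped onto the FPGA, with input in, lookup tables LUT1 and LUT2 (shown as OR and AND gates) and outputs Q and Qbar. Callout: "The non-determinism and hence the randomness is gone!"]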

Another Attempt

• This design has the non-determinism as expected!
• We can also design using NAND primitives.

    module SR (in, Q, Qbar);
      input in;
      output Q, Qbar;
      wire w1, w2;

      // feedback is routed through the explicit wires w1 and w2
      nand N1(Q, ~in, w1);
      nand N2(Qbar, ~in, w2);
      assign w1 = Qbar;
      assign w2 = Q;
    endmodule

[Figure: the resulting circuit, with input in, two OR gates, feedback wires w1 and w2, and outputs Q and Qbar.]

The Silicon Space

• Mismatch in driving capabilities of the gates.
• Difference in routing delays of the feedback path.
• A latch cell will give either 0 or 1 as output.
• Depends on the (x,y) position of the silicon area.

[Figure: 5 × 5 grid of latch cells at silicon positions (x1,y1) to (x25,y25), with example values of Q (0 or 1) marked on some cells.]

PUF as Security Primitive

Advantages of PUF: Reduce Cost, Increase Security

World without PUF
  • Trusted party embeds and tests secret keys in a secure non-volatile memory (NVM).
  • EEPROM adds additional complexity to manufacturing.
  • Adversaries may physically extract secret key from non-volatile memory.

World with PUF
  • Intrinsic properties of the device are used to generate secret key.
  • Key never leaves the IC’s cryptographic boundary, nor is it stored in a non-volatile memory.
  • Key is deleted after usage in encryption or decryption process.

PUFs for Identification

• Protects against ASIC substitution and counterfeits without using cryptographic operations.

[Figure: the PUF of authentic Device A is enrolled by recording challenge-response pairs in a database. After the device passes through an untrusted supply chain / environments, the question is "Is this the authentic Device A?": a recorded challenge is applied to the PUF and the Response’ obtained is compared (=?) with the enrolled Response.]

Database for Device A:
    Challenge    Response
    1001010      010101
    1011000      101101
    0111001      000110

IC rejected if Response’ does not match the enrolled Response

PUFs for Private/Public Key Pair Generation

• PUF response is used as random seed to a private/public key generation algorithm.
  • No secret needs to be handled by a manufacturer.
• A device generates a key pair on-chip, and outputs a public key.
  • The public key can be endorsed at any time.

[Figure: ECC + PUF → Seed → Key Generation → Private key, Public key]

Practical Designs of PUF

• We are interested in Silicon-PUF circuits
  • Utilize the unavoidable and unpredictable process variation effects of modern deep-submicron MOSFET devices.
  • From circuit design perspective, process variation is a challenge, but is useful for PUF design.

• Various designs of PUFs have been explored.

(a) Arbiter PUF

• Composed of n two-port switching stages, for an n-bit challenge size.
  • Number of possible paths is 2^n.
  • A challenge selects a unique path.
  • Accumulated delay at the end of the path is compared by an arbiter circuit, which gives a 1-bit decision.
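
The identification scheme and the arbiter PUF described above can be simulated together. This is an added example, not the lecture's code; the additive delay model, the stage count, the noise level and the mismatch tolerance are assumptions (the slide states an exact match, the tolerance here allows for measurement noise).

```python
import random

# Added example: all parameters below are assumed values for illustration.
N_STAGES = 64          # challenge length n
N_CRPS = 128           # challenge-response pairs enrolled per device
MAX_MISMATCH = 0.20    # tolerated fraction of differing response bits

class ArbiterPUF:
    """Simplified additive delay model of an n-stage arbiter PUF."""
    def __init__(self, seed, noise=0.5):
        rng = random.Random(seed)                  # seed stands in for process variation
        self.weights = [rng.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]
        self.noise = noise
        self.env = random.Random(seed ^ 0xA5A5)    # measurement noise source

    def response(self, challenge):
        delta = 0.0
        for c, w in zip(challenge, self.weights):
            # A challenge bit of 1 swaps the two paths, flipping the sign of
            # the delay difference accumulated so far; the stage then adds its own.
            delta = (-delta if c else delta) + w
        delta += self.weights[-1] + self.env.gauss(0.0, self.noise)  # arbiter bias + noise
        return 1 if delta > 0 else 0               # 1-bit arbiter decision

def random_challenges(count, seed):
    rng = random.Random(seed)
    return [tuple(rng.randrange(2) for _ in range(N_STAGES)) for _ in range(count)]

def enroll(device, challenges):
    """Record challenge-response pairs in a trusted environment."""
    return [(ch, device.response(ch)) for ch in challenges]

def mismatch_rate(database, device):
    wrong = sum(device.response(ch) != enrolled for ch, enrolled in database)
    return wrong / len(database)

def is_authentic(database, device):
    """Reject the IC when too many Response' bits differ from the enrolled ones."""
    return mismatch_rate(database, device) <= MAX_MISMATCH

def demo():
    device_a = ArbiterPUF(seed=1)                  # authentic Device A
    substitute = ArbiterPUF(seed=2)                # different silicon, same design
    database = enroll(device_a, random_challenges(N_CRPS, seed=99))
    return is_authentic(database, device_a), is_authentic(database, substitute)

if __name__ == "__main__":
    print(demo())
```

Device A is accepted despite noisy re-measurement, while a second chip of the same design disagrees on roughly half of the recorded challenges and is rejected.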

(b) Ring Oscillator PUF (ROPUF)

• An n-bit challenge selects two different ROs from a bank of 2n ROs.
• Process variation causes the ROs to have different oscillation frequencies.
• Compare frequencies of two oscillators using counters.
• A comparator generates the final decision.

(c) SRAM PUF

• Power-up initial value of SRAM cell can be used as response; cell address is the challenge.
• SRAM fabrication compatible with digital logic process in regular ICs.
• FPGA implementation of SRAM PUF is very difficult.
  • Since SRAM modules are cleared by default on power-up.

Summary

• PUFs are not very expensive to realize.
  • Many recent security protocols are based on PUFs.
  • Makes it difficult to mount hardware-based attacks.


Course Name: Ethical Hacking


Faculty Name: Prof. Indranil Sen Gupta
Department : Computer Science and Engineering

Topic
Lecture 50: Hardware Trojan

• What is hardware trojan?

• Types of trojans

• Trojan detection

What is Hardware Trojan (HT)?

• It is a malicious modification of the circuitry of an IC chip.
  • During design or fabrication.
• A HT is completely characterized by its physical representation and its behavior.
• The payload of a HT is the entire activity that the trojan executes when it is triggered.

Effects of Prevalent Practices

• Prevalence of IP based design.
• Routine use of CAD tools from EDA vendors.
• Fabless manufacturing model (trend on the rise).
• Outsourcing of manufacturing to offshore fabs.
• Loss of control over design and manufacture.
• Potentially untrusted parties getting involved.

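Modern IC Design and Manufacturing

[Figure: IC design and manufacturing flow with stages Specifications, Design, Fab Interface, Mask, Fab, Wafer Probe, Dice and Package, Package Test, Deploy and Monitor. Third-party IP, tools, standard cells and models feed the design; fabrication is offshore. Stages are marked as Trusted, Either, or Untrusted.]

Not really Trusted!!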

Hardware Trojans really are …

• Malicious modifications to design
  • Can take place pre or post manufacturing.
  • Inserted by intelligent adversary.
  • Extremely small hardware overhead.
  • Stealthy => difficult to detect.
  • Causes IC to malfunction in-field.
• Results:
  • Potentially disastrous consequences.
  • Loss of human life and property.

How Realistic are Hardware Trojans?

• Do hardware trojans really exist?
  • No concrete proof obtained as yet.
  • Tampering masks in fab is not easy (highly complex).
  • Reverse-engineering a single IC can take months.

• But there is strong evidence they do….
  • Numerous suspected military / commercial cases (as early as 1976!!).
  • Reverse-engineering of ICs is widely believed to be performed by reputed companies (IBM has patents).
  • Highly sophisticated commercial software tools for reverse-engineering are available (Chipworks, etc.), and academic efforts (Cambridge University).

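Trojan Taxonomy

[Figure: taxonomy of hardware Trojans with the labels Combinational, Sequential, Trigger, Payload (Banga and Hsiao [HOST’08]) and Physical attribute, Activation attribute, Action attribute.]

Digital Trojans

[Figure: Combinational Trojan (simplest): a trigger on signals A and B drives a payload that changes C into Cmodified.]

[Figure: Sequential (Synchronous) Trojan (“Time Bomb”): a trigger clocked by CLK steps through states 0, 1, 2, …, k-1 and drives a payload that changes ER into ER*.]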

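[Figure: Sequential (Asynchronous) Trojan: a trigger driven by signals p and q steps through states 0, 1, 2, …, k-1 and drives a payload that changes ER into ER*.]

Hybrid Trojans

[Figure: Hybrid Trojan: a k1-bit counter and a k2-bit counter, with CLK inputs, form the trigger for a payload that changes ER into ER*.]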

Analog Trojans

[Figure: two circuits: an analog Trojan (activity-triggered) and an analog payload Trojan.]

Information Leakage Trojans

[Figure: two examples: logic-value based leakage and side-channel leakage based.]

Approaches to Trojan Detection

[Figure: tree of Trojan detection approaches with the node labels Mainstream, Non-mainstream, Non-destructive, Destructive, Invasive, Non-invasive, Preventive, Assistive, Run-time, Test-time, Logic Test, Side-channel.]

Why is Trojan detection difficult?

• High overhead.
• Trojans are stealthy.
• Trigger nodes have very low observability.
• Extremely large number of Trojan types possible.
• No single method can detect all types of Trojans.

Multi-Level Attack

• Uses nexus between multiple parties.
  • Only parties which are part of the nexus can benefit.
  • The nexus eases the burden on individual parties.
  • Additional challenges to detect.

Conclusion
• IC design/manufacturing practices are insecure.
  • Third-party IPs and off-shore manufacturing.
  • Potentially untrusted parties play a major role.
• Hardware Trojans are malicious circuit modifications.
  • Small overhead, hugely destructive impact.
  • Difficult to detect by traditional testing means.
• State-of-the-art:
  • Both design and test techniques have been proposed.
  • Effectiveness of the proposed techniques limited to the particular types of Trojans.
