Biblio

Hardware security is a critical concern in design and fabrication of integrated circuits (ICs). Contemporary hardware threats comprise tens of advance invasive and non-invasive attacks for compromising security of modern ICs. Numerous attack-specific countermeasures against the individual threats have been proposed, trading power, area, speed, and design complexity of a system for security. These typical overheads combined with strict performance requirements in advanced technology nodes and high complexity of modern ICs often make the codesign of multiple countermeasures impractical. In this paper, on-chip distribution networks are exploited for detecting those hardware security threats that require non-invasive, yet physical interaction with an operating device-under-attack (e.g., measuring equipment for collecting sensitive information in side-channel attacks). With the proposed approach, the effect of the malicious physical interference with the device-under-attack is captured in the form of on-chip voltage variations and utilized for detecting malicious activity in the compromised device. A machine learning (ML) security IC is trained to predict system security based on sensed variations of signals within on-chip distribution networks. The trained ML ICs are distributed on-chip, yielding a robust and high-confidence security network on-chip. To halt an active attack, a variety of desired counteractions can be executed in a cost-effective manner upon the attack detection. The applicability and effectiveness of these security networks is demonstrated in this paper with respect to power, timing, and electromagnetic analysis attacks.

The Internet of Things (IoT) and mobile systems nowadays are required to perform more intensive computation, such as facial detection, image recognition and even remote gaming, etc. Due to the limited computation performance and power budget, it is sometimes impossible to perform these workloads locally. As high-performance GPUs become more common in the cloud, offloading the computation to the cloud becomes a possible choice. However, due to the fact that offloaded workloads from different devices (belonging to different users) are being computed in the same cloud, security concerns arise. Side channel attacks on GPU systems have been widely studied, where the threat model is the attacker and the victim are running on the same operating system. Recently, major GPU vendors have provided hardware and library support to virtualize GPUs for better isolation among users. This work studies the side channel attacks from one virtual machine to another where both share the same physical GPU. We show that it is possible to infer other user's activities in this setup and can further steal others deep learning model.

Side-channel attacks allow an adversary to uncover secret program data by observing the behavior of a program with respect to a resource, such as execution time, consumed memory or response size. Side-channel vulnerabilities are difficult to reason about as they involve analyzing the correlations between resource usage over multiple program paths. We present DifFuzz, a fuzzing-based approach for detecting side-channel vulnerabilities related to time and space. DifFuzz automatically detects these vulnerabilities by analyzing two versions of the program and using resource-guided heuristics to find inputs that maximize the difference in resource consumption between secret-dependent paths. The methodology of DifFuzz is general and can be applied to programs written in any language. For this paper, we present an implementation that targets analysis of Java programs, and uses and extends the Kelinci and AFL fuzzers. We evaluate DifFuzz on a large number of Java programs and demonstrate that it can reveal unknown side-channel vulnerabilities in popular applications. We also show that DifFuzz compares favorably against Blazer and Themis, two state-of-the-art analysis tools for finding side-channels in Java programs.

Protection of secured data content in volatile memories (processor caches, embedded RAMs etc) is essential in networking, wireless, automotive and other embedded secure applications. It is utmost important to protect secret data, like authentication credentials, cryptographic keys etc., stored over volatile memories which can be hacked during normal device operations. Several security attacks like cold boot, disclosure attack, data remanence, physical attack, cache attack etc. can extract the cryptographic keys or secure data from volatile memories of the system. The content protection of memory is typically done by assuring data deletion in minimum possible time to minimize data remanence effects. In today's state-of-the-art SoCs, dedicated hardwares are used to functionally erase the private memory contents in case of security violations. This paper, in general, proposes a novel approach of using existing memory built-in-self-test (MBIST) hardware to zeroize (initialize memory to all zeros) on-chip memory contents before it is being hacked either through different side channels or secuirty attacks. Our results show that the proposed MBIST based content zeroization approach is substantially faster than conventional techniques. By adopting the proposed approach, functional hardware requirement for memory zeroization can be waived.

Correct compilers perform program transformations preserving input/output behaviours of programs. Yet, correctness does not prevent program optimisations from introducing information-flow leaks that would make the target program more vulnerable to side-channel attacks than the source program. To tackle this problem, we propose a notion of Information-Flow Preserving (IFP) program transformation which ensures that a target program is no more vulnerable to passive side-channel attacks than a source program. To protect against a wide range of attacks, we model an attacker who is granted arbitrary memory accesses for a pre-defined set of observation points. We propose a compositional proof principle for proving that a transformation is IFP. Using this principle, we show how a translation validation technique can be used to automatically verify and even close information-flow leaks introduced by standard compiler passes such as dead-store elimination and register allocation. The technique has been experimentally validated on the CompCert C compiler.

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.

The security of current key exchange protocols such as Diffie-Hellman key exchange is based on the hardness of number theoretic problems. However, these key exchange protocols are threatened by weak random number generators, advances to CPU power, a new attack from the eavesdropper, and the emergence of a quantum computer. Quantum Key Distribution (QKD) addresses these challenges by using quantum properties to exchange a secret key without the risk of being intercepted. Recent developments on the QKD system resulted in a stable key generation with fewer errors so that the QKD system is rapidly becoming a solid commercial proposition. However, although the security of the QKD system is guaranteed by quantum physics, its careless implementation could make the system vulnerable. In this paper, we proposed the first side-channel attack on plug-and-play QKD system. Through a single electromagnetic trace obtained from the phase modulator on Alice's side, we were able to classify the electromagnetic trace into four classes, which corresponds to the number of bit and basis combination in the BB84 protocol. We concluded that the plug-and-play QKD system is vulnerable to side-channel attack so that the countermeasure must be considered.

We study side-channel attacks for the Shannon cipher system. To pose side channel-attacks to the Shannon cipher system, we regard them as a signal estimation via encoded data from two distributed sensors. This can be formulated as the one helper source coding problem posed and investigated by Ahlswede, Korner(1975), and Wyner(1975). We further investigate the posed problem to derive new secrecy bounds. Our results are derived by a coupling of the result Watanabe and Oohama(2012) obtained on bounded storage eavesdropper with the exponential strong converse theorem Oohama(2015) established for the one helper source coding problem.

Nowadays public-key cryptography is based on number theory problems, such as computing the discrete logarithm on an elliptic curve or factoring big integers. Even though these problems are considered difficult to solve with the help of a classical computer, they can be solved in polynomial time on a quantum computer. Which is why the research community proposed alternative solutions that are quantum-resistant. The process of finding adequate post-quantum cryptographic schemes has moved to the next level, right after NIST's announcement for post-quantum standardization. One of the oldest quantum-resistant proposition goes back to McEliece in 1978, who proposed a public-key cryptosystem based on coding theory. It benefits of really efficient algorithms as well as a strong mathematical background. Nonetheless, its security has been challenged many times and several variants were cryptanalyzed. However, some versions remain unbroken. In this paper, we propose to give some background on coding theory in order to present some of the main flawless in the protocols. We analyze the existing side-channel attacks and give some recommendations on how to securely implement the most suitable variants. We also detail some structural attacks and potential drawbacks for new variants.

We introduce MobiCeal, the first practical Plausibly Deniable Encryption (PDE) system for mobile devices that can defend against strong coercive multi-snapshot adversaries, who may examine the storage medium of a user's mobile device at different points of time and force the user to decrypt data. MobiCeal relies on "dummy write" to obfuscate the differences between multiple snapshots of storage medium due to existence of hidden data. By incorporating PDE in block layer, MobiCeal supports a broad deployment of any block-based file systems on mobile devices. More importantly, MobiCeal is secure against side channel attacks which pose a serious threat to existing PDE schemes. A proof of concept implementation of MobiCeal is provided on an LG Nexus 4 Android phone using Android 4.2.2. It is shown that the performance of MobiCeal is significantly better than prior PDE systems against multi-snapshot adversaries.

Existing works on Three-dimensional (3D) hardware security focus on leveraging the unique 3D characteristics to address the supply chain attacks that exist in 2D design. However, 3D ICs introduce specific and unexplored challenges as well as new opportunities for managing hardware security. In this paper, we analyze new security threats unique to 3D ICs. The corresponding attack models are summarized for future research. Furthermore, existing representative countermeasures, including split manufacturing, camouflaging, transistor locking, techniques against thermal signal based side-channel attacks, and network-on-chip based shielding plane (NoCSIP) for different hardware threats are reviewed and categorized. Moreover, preliminary countermeasures are proposed to thwart TSV-based hardware Trojan insertion attacks.

Hardware Trojan (HT) is one of the well known hardware security issue in research community in last one decade. HT research is mainly focused on HT detection, HT defense and designing novel HT's. HT's are inserted by an adversary for leaking secret data, denial of service attacks etc. Trojan benchmark circuits for processors, cryptography and communication protocols from Trust-hub are widely used in HT research. And power analysis based side channel attacks and designing countermeasures against side channel attacks is a well established research area. Trust-Hub provides a power based side-channel attack promoting Advanced Encryption Standard (AES) HT benchmarks for research. In this work, we analyze the strength of AES HT benchmarks in the presence well known side-channel attack countermeasures. Masking, Random delay insertion and tweaking the operating frequency of clock used in sensitive operations are applied on AES benchmarks. Simulation and power profiling studies confirm that side-channel promoting HT benchmarks are resilient against these selected countermeasures and even in the presence of these countermeasures; an adversary can get the sensitive data by triggering the HT.

Side-channel collision attacks have been one of the most powerful attack techniques, combining advantages of traditional side-channel attack and mathematical cryptanalysis. In this paper, we propose a novel multiple-bits side-channel collision attack based on double distance voting detection, which can find all 120 relations among 16 key bytes with only 32 averaged power traces when applied to AES (Advanced Encryption Standard) algorithm. Practical attack experiments are performed successfully on a hardware implementation of AES on FPGA board. Results show that the necessary number of traces for our method is about 50% less than correlation-enhanced collision attack and 76% less than binary voting test with 90% success rate.

The globalization of integrated circuit (IC) supply chain and the emergence of threats, such as intellectual property (IP) piracy, reverse engineering, and hardware Trojans, have forced semiconductor companies to revisit the trust in the supply chain. Logic locking is emerging as a popular and effective countermeasure against these threats. Over the years, multiple logic techniques have been developed. Moreover, a number of attacks have been proposed that expose the security vulnerabilities of these techniques. This paper highlights the key developments in the logic locking research and presents a comprehensive literature review of logic locking.

We propose to use a genetic algorithm to evolve novel reconfigurable hardware to implement elliptic curve cryptographic combinational logic circuits. Elliptic curve cryptography offers high security-level with a short key length making it one of the most popular public-key cryptosystems. Furthermore, there are no known sub-exponential algorithms for solving the elliptic curve discrete logarithm problem. These advantages render elliptic curve cryptography attractive for incorporating in many future cryptographic applications and protocols. However, elliptic curve cryptography has proven to be vulnerable to non-invasive side-channel analysis attacks such as timing, power, visible light, electromagnetic, and acoustic analysis attacks. In this paper, we use a genetic algorithm to address this vulnerability by evolving combinational logic circuits that correctly implement elliptic curve cryptographic hardware that is also resistant to simple timing and power analysis attacks. Using a fitness function composed of multiple objectives - maximizing correctness, minimizing propagation delays and minimizing circuit size, we can generate correct combinational logic circuits resistant to non-invasive, side channel attacks. To the best of our knowledge, this is the first work to evolve a cryptography circuit using a genetic algorithm. We implement evolved circuits in hardware on a Xilinx Kintex-7 FPGA. Results reveal that the evolutionary algorithm can successfully generate correct, and side-channel resistant combinational circuits with negligible propagation delay.

Two recent proposals by Bernstein and Pornin emphasize the use of deterministic signatures in DSA and its elliptic curve-based variants. Deterministic signatures derive the required ephemeral key value in a deterministic manner from the message to be signed and the secret key instead of using random number generators. The goal is to prevent severe security issues, such as the straight-forward secret key recovery from low quality random numbers. Recent developments have raised skepticism whether e.g. embedded or pervasive devices are able to generate randomness of sufficient quality. The main concerns stem from individual implementations lacking sufficient entropy source and standardized methods for random number generation with suspected back doors. While we support the goal of deterministic signatures, we are concerned about the fact that this has a significant influence on side-channel security of implementations. Specifically, attackers will be able to mount differential side-channel attacks on the additional use of the secret key in a cryptographic hash function to derive the deterministic ephemeral key. Previously, only a simple integer arithmetic function to generate the second signature parameter had to be protected, which is rather straight-forward. Hash functions are significantly more difficult to protect. In this contribution, we systematically explain how deterministic signatures introduce this new side-channel vulnerability.

This paper presents a new type of online password guessing attack called "WiPING" (Wi-Fi signal-based PIN Guessing attack) to guess a victim's PIN (Personal Identification Number) within a small number of unlock attempts. WiPING uses wireless signal patterns identified from observing sequential finger movements involved in typing a PIN to unlock a mobile device. A list of possible PIN candidates is generated from the wireless signal patterns, and is used to improve performance of PIN guessing attacks. We implemented a proof-of-concept attack to demonstrate the feasibility of WiPING. Our results showed that WiPING could be practically effective: while pure guessing attacks failed to guess all 20 PINs, WiPING successfully guessed two PINs.

Robust and stringent fault detection and correction techniques in executing Advanced Encryption Standard (AES) are still interesting issues for many critical applications. The purpose of fault detection and correction techniques is not only to ensure the reliability of a cryptosystem, but also protect the system against side channel attacks. Such errors could result due to a fault injection attack, production faults, noise or radiation effects in deep space. Devising a proper error control mechanisms for AES cipher during execution would improve both system reliability and security. In this work a novel fault detection and correction algorithm is proposed. The proposed mechanism is making use of the linear mappings of AES round structure to detect errors in the ShiftRow (SR) and MixColumn (MC) transformations. The error correction is achieved by creating temporary redundant check words through the combined SR and MC mapping to create in case of errors an error syndrome leading to error correction with relatively minor additional complexity. The proposed technique is making use of an error detecting and correcting capability in the combined mapping of SR and MC rather than detecting and/or correcting errors in each transformation separately. The proposed technique is making use especially of the MC mapping exhibiting efficient ECC properties, which can be deployed to simplify the design of a fault-tolerance technique. The performance of the algorithm proposed is evaluated by a simulated system model in FPGA technology. The simulation results demonstrate the ability to reach relatively high fault coverage with error correction up to four bytes of execution errors in the merged transformation SR-MC. The overall gate complexity overhead of the resulting system is estimated for proposed technique in FPGA technology.