Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
Fault Injection Attacks
Mark Tehranipoor
Introduction to Hardware Security & TrustUniversity of Florida
2
What is Fault Injection?
Fault injection attacks intentionally
cause errors in a system in order to
compromise the security of the system
3
Organization of Presentation
n Taxonomy of Attacks, Threats, and Security
n Non-Invasive Attacks
n Semi-Invasive Attacks
n Invasive Attacks
n Countermeasures
n Practical Fault Injection Attacks
4
Taxonomy of Attack Classesn Non-Invasive Attack
q Lowest costq No knowledge of inner workings of targetq No physical tampering
n Semi-Invasive Attackq Intermediate costq Some knowledge of inner workings of targetq Minimal physical tampering required
n Invasive Attackq High costq Full picture of inner workings of targetq Best chance of compromising target
5
Classification of Threatsn Skilled Outsider
q Exploit existing weaknessesq Minimal equipment sophisticationq Black-box understanding of target system
n Knowledgeable Insiderq Advanced education and technical expertiseq Moderate equipment sophisticationq Some functional knowledge of target system
n Funded Organizationq Highest education and technical expertise availableq High equipment sophisticationq High-Complete functional knowledge of target
6
Levels of Securityn Level 1
q Bare minimum required protectionq Minimal defense against glitching and tampering
n Level 2q Some tamper proofingq Some defense against glitch attacks
n Level 3q Passive system lock-outsq Passive tamper proofing
n Level 4q Active system lock-outsq Active tamper detection
7
Cost of Breaking Protectionn None: $N/A Open book to attacker
n Low: $1,000 Security through Obscurity
n Med-Low: $3,000 Regular Microcontroller
n Med: $30,000 Secure Microcontroller
n Med-High:$150,000 ASIC, Secure FPGA, Smartcard
n High: $1,000,000 Secure ASIC
8
Design for Securityn Cost of a security breach
q Loss of customers and reputationq Fines from governmentq Loss of bottom line
n Value of secured data to attackerq Commercial valueq Strategic valueq Profitability
n Cost of security implementationsq Price increaseq Area and complexity increaseq Power consumption increase
9
Overview of Non-Invasive Attacks
n Black Box Attacksq Brute Force Attackq Software Attackq Data Remanence
n Side Channel Attacksq Timing Attackq Power Analysis Attackq Used in conjunction with Fault Injection
n Fault Injection Attacksq Clock Glitchingq Voltage Glitchingq Used to speed up Black Box Attacks
10
Black Box Attacksn Brute Force
q Memory verify guessingq Cryptographic key guessingq Cyphertext-to-Plaintext Guessing
n Software Exploitsq Undocumented functionsq Security function flawsq Test interface flaws
n Data Remanenceq Lower temperature to -20C or lessq Volatile memory retains dataq Read volatile memory contents
11
Side Channel Attacksn Timing Attack
q Number of cycles as a function of subroutineq Number of cycles as a function of subroutine�s outcomeq Number of cycles as a function of secret informationq Can be used to reverse engineer the systemq Can be used to reduce guesses for brute force
n Power Analysis Attackq Current consumption as a function of subroutineq Current consumption as a function of subroutine�s outcomeq Current consumption as a function of secret informationq Can be used to reverse engineer the systemq Can be used to reverse engineer data flowq Can be used to reduce guesses for brute force
13
Fault Injection Attacksn Clock Glitching
q Burst of double clock speed – timing criticalq Requires knowledge gained from side-channel attackq Prevent flip-flops from latching correct dataq Prevent security fuses from setting properlyq Could cause skipping instructions
n Voltage Glitchingq Burst of high or low voltage – timing criticalq Requires knowledge gained from side-channel attackq Force VDD < VTHq Prevent security fuses from setting properlyq Change control logic outputsq Change memory amplifier outputs
14
Overview of Semi-Invasive Attacks
n Backside Decapsulationq Backside Imagingq Laser Scanningq Reverse Engineering
n Fault Injection Attacksq Local Heatingq Flash Glitchingq Laser Glitching
16
Backside Decapsulationn Backside Imaging
q Substrate penetrated by infrared lightq Transistor layout is visible through substrateq Reverse engineering of block-level functionality
n Laser Scanningq Optical Beam Induced Current (Unpowered IC)q Light-Induced Voltage Alteration (Powered IC)q See memory structures and read stored values
n Reverse Engineeringq Determine size of data busq Determine location of control logicq Determine location of security logic
19
Fault Injection Attacksn Local Heating
q High power laser is used to selectively heat small areasq Hot enough to change VTH but not hot enough to damageq Trial and error with location is used to determine glitches
n Flash Glitchingq Magnified camera flash can cause mass glitchingq Tinfoil masks created to cause selective glitchingq Trial and error with location and timing is used to determine glitches
n Laser Glitchingq Infrared laser is used to selectively glitch small areasq Trial and error with location and timing is used to determine glitchesq Process is more precise than Flash Glitching
20
Overview of Invasive Attacksn Reverse Engineering
q Decapsulationq Layout Reconstructionq Memory Extraction
n IC Modificationq Laser Cuttingq Test Point Creationq Wire Bonding
n Micro Probingq Eavesdroppingq Signal Injectionq Fault Injection
Decapsulated IC
21
Source: http://en.wikipedia.org/wiki/File:Yamaha_YM3812_audio_IC_decapsulated.jpg
22
Reverse Engineeringn Decapsulation
q Use of acids to remove layers one by oneq Provide physical access to all sections of ICq Provide knowledge about design of IC
n Layout Reconstructionq Image each layer before removing itq Build netlist from all imagesq Reverse engineer all functions of IC
n Memory Extractionq Read contents of ROM with reconstructionq Scan contents of SRAMq Scan contents of EEPROM/FLASH
23
IC Modificationn Laser Cutting
q Not completely destructiveq Selective exposure of lower layersq Selectively disconnect nets
n Test Point Creationq Cut test points into ICq More spots for micro probing below top layerq See more signals on more nets
n Wire Bondingq Use laser cutting to expose netq Cut test point for bonding targetq Modify circuit paths as needed
Source: Skorobogatov. Semi-Invasive Attacks.
Page 85
25
Micro Probingn Eavesdropping
q Listen to control linesq Listen to data busq Full bypass of all protections
n Signal Injectionq Insert control signalsq Modify memory contentsq Forcefully bypass security controls
n Fault Injectionq High voltage between two probesq Destroy transistorsq Destroy traces
28
Overview of Exploitsn Brute Force Attacksn Software Exploitsn Data Remanencen Timing Attacksn Power Analysis Attacksn Clock Glitchingn Voltage Glitchingn Reverse Engineeringn IC Modificationn Micro Probingn Memory Attacksn Optical Glitching
29
Brute Force Attacks
n Do not return piecemeal Verify results
n Large number of possible combinations
n Encryption
30
Software Exploitsn Software Quality Assurance
n Design for security
n Stay one step ahead of attackers
n Exception handling
n No readbacks on memory
n Destroy programming interface after use
31
Data Remanence
n Erase all volatile memory on power-up
n Temperature sensor monitoring
n Erase all memory on out-of-spec temperature
32
Timing Attacks
n Make all outcomes of subroutine same number of cycles
n Insert noops where needed
n Randomize response times
33
Power Analysis Attacks
n Intentionally noisy power signal
n Make operations consume similar power
n Increase the signal-to-noise ratio
34
Clock Glitching
n Internal oscillator for bootloader code
n Internal oscillator for secure functions
n Make security fuses faster than control logic
n Asynchronous logic
36
Reverse Engineeringn Security through Obscurity
n Additional metal layers to cover design
n Re-mark or un-mark all ICs on PCB
n Glue logic
n Small transistor size
n Use of ASICs to replace glue logic on PCB
37
IC Modification
n Metal protection layers on top
n Critical signals routed on top of important targets
n Tamper sensors in metal layers
38
Micro Probingn Tamper sensors in metal layers
n Small transistor size
n Internal shielding
n Top level shielding
n Security through obscurity
n Glue Logic
39
Memory Attacks
n UV Protection
n Temperature lockout sensors
n Tamper sensors to detect decapsulation
n Close proximity between security fuses and memory
40
Optical Glitching
n Protective metal layers to block optical penetration
n Tamper sensors in metal layers
n UV Protection
n IR Protection
n Proximity of security fuses and control logic to memory
42
Overiew of Attacksn Bumping: Extract contents of protected memory with
Verifyq Step 1: Backside Decapsulationq Step 2: Backside Imagingq Step 3: Side Channel Attackq Step 4: Laser Glitching Locationq Step 5: Laser Glitching Timingq Step 6: Brute Force Attack
n Attacks on Cryptographic Algorithmsq Attack RSA Repeated Squaring – Retrieve Secret Keyq Bellcore Attack – Find Prime Factorq Sign Change Fault – Elliptic Curve System Attackq Directly attack cryptoprocessor
43
Step 1: Backside Decapsulationn Use dremel tool to remove backside of outer casingn Clean surface of exposed substrate materialn Install the IC upside-down to a test interface board
Source: Skorobogatov. Semi-Invasive Attacks. Page 75
44
Step 2: Backside Imagingn Use 1000nm infrared light and an optical microscopen Identify the location of the EEPROM/FLASH memoryn Identify the locations of the memory control logicn Determine memory bus width
Source: Skorobogatov. Optical Fault Masking Attacks. Page 4
45
Step 3: Side Channel Attackn Set up a power analysis attack using a 10ohm sense resistorn Perform a Verify function on a dummy inputn Monitor transient current to reverse engineer the processn Determine packet size of Verify function
Source: Skorobogatov. Flash Memory Bump Attacks. Page 7
46
Step 4: Laser Glitching Locationn Set Verify to a pattern of all �1� or all �0�n Find a location in the memory control logic to attackn Keep trying until your verify pattern succeeds
Source: Skorobogatov. Flash Memory Bump Attacks. Page 5
47
Step 5: Laser Glitching Timingn Configure Laser timing to attack all but one blockn Verify that your timing delivers repeatable resultsn Maximum unmasked length is the data bus widthn The fewer bits you can unmask at a time the better
Source: Skorobogatov. Flash Memory Bump Attacks. Page 12
48
Step 6: Brute Force Attackn Perform a brute force attack on the first unmasked segmentn Unmask the next segment and repeatn Repeat until all segments are determined
n Example: Verification of a 1024 bit memory on an 8-bit busn Traditional Brute Force = 2^1024 Combinationsn Bump Attack = 128*2^8 = 2^15 Combinations
n Example: Verification of a 16384 bit memory on a 16-bit busn Traditional Brute Force = 2^16384 Combinationsn Bump Attack = 1024*2^16 = 2^26 Combinations
49
To the Victor go the Spoils:
n Commercial IP theft
n Recovery of cryptographic keys
n Modify software to insert exploits
n See plaintext messages
n Use stolen keys to extract encrypted data
Works Citedn Otto, Martin. 2004. Dissertation, Fault Attacks and Countermeasures.n Skorobogatov, Sergei. Flash Memory �Bumping� Attacks.n Skorobogatov, Sergei. 2009. Local Heating Attacks on Flash Memory Devices.n Skorobogatov, Sergei. Optical Fault Masking Attacks.n Skorobogatov, Sergei. 2005. Technical Report, Semi-invaseive Attacks – A new Approach
to Hardware Security Analysis.n Giraud and Thiebeauld. 2004. Basics of Fault Attacks.n Skorobogatov, Sergei. 2011. Fault Attacks on Secure Chips: From Glitch to Flash. Design
and Security of Cryptographic Algorithms and Devices (ECRYPT II).
12 March 2018 51