key extraction using thermal laser stimulation a case
play

Key Extraction Using Thermal Laser Stimulation: A Case Study on - PowerPoint PPT Presentation

Aug 23, 2022 •231 likes •557 views

Key Extraction Using Thermal Laser Stimulation: A Case Study on Xilinx Ultrascale FPGAs Heiko Lohrke 1 , Shahin Tajik 1,2 , Thilo Krachenfels 1 , Christian Boit 1 , and Jean-Pierre Seifert 1 1 Technische Universitt Berlin, 2 University of Florida

  1. Key Extraction Using Thermal Laser Stimulation: A Case Study on Xilinx Ultrascale FPGAs Heiko Lohrke 1 , Shahin Tajik 1,2 , Thilo Krachenfels 1 , Christian Boit 1 , and Jean-Pierre Seifert 1 1 Technische Universität Berlin, 2 University of Florida September 10 th , 2018 CHES 2018 CHES 2018 1

  2. Background CHES 2018 2

  3. Bitstream Encryption FPGA JTAG BBRAM / eFuse AES Decryptor CHES 2018 3

  4. Bitstream Encryption FPGA JTAG BBRAM / eFuse AES Decryptor CHES 2018 3

  5. Bitstream Encryption FPGA Design BBRAM / eFuse … AES AES Encryptor NVM Decryptor CHES 2018 3

  6. Bitstream Encryption FPGA BBRAM / eFuse Encrypted Bitstream bitstream AES NVM 010101… Decryptor 10111001010 CHES 2018 3

  7. Case Study: Key Extraction from BBRAM FPGA BBRAM / eFuse TLS Encrypted Bitstream bitstream AES NVM 010101… Decryptor 10111001010 CHES 2018 4

  8. Thermal Laser Stimulation (TLS) ๏ The chip is scanned with a 1.3 ! m laser beam from the backside Chip ๏ The current changes in response to VDD (+) Laser the local thermal stimulations ๏ Measured current is monitored by a Current current amplifier >> a proportional GND (-) PC Amplifier - + analog voltage is generated Power Supply ๏ Analog voltage is fed into image acquisition hardware while scanning the laser CHES 2018 5

  9. SRAM readout using TLS ๏ Thermal stimulation leads to thermal gradient at the source/drain of the transistors ๏ Different materials lead to Seebeck voltage generation ๏ Seebeck voltage alters gate voltage of Seebeck Generator non-conducting transistor -> increased leakage current IC backside Laser beam ๏ Which parts of the cell are sensitive depends on cell logical state CHES 2018 6

  10. SRAM readout using TLS ๏ Thermal stimulation leads to thermal gradient at the source/drain of the transistors ๏ Different materials lead to Seebeck voltage generation ๏ Seebeck voltage alters gate voltage of non-conducting transistor -> increased leakage current ๏ Which parts of the cell are sensitive depends on cell logical state CHES 2018 6

  11. SRAM readout using TLS ๏ Thermal stimulation leads to thermal gradient at the source/drain of the transistors ๏ Different materials lead to Seebeck voltage generation ๏ Seebeck voltage alters gate voltage of non-conducting transistor -> increased leakage current ๏ Which parts of the cell are sensitive depends on cell logical state CHES 2018 6

  12. Experimental Setup CHES 2018 7

  13. Experimental Setup CHES 2018 8

  14. Experimental Setup ๏ Device under Test (DUT): Avnet Kintex UltraScale Development Board - Chip’s technology: 20 nm - No chip preparation (e.g., depackaging, silicon polishing, etc.) required CHES 2018 8

  15. Experimental Setup ๏ Device under Test (DUT): Avnet Kintex UltraScale Development Board - Chip’s technology: 20 nm - No chip preparation (e.g., depackaging, silicon polishing, etc.) required ๏ Optical Setup: Hamamatsu PHEMOS-1000 - Laser wavelength: 1.3 ! m - Laser spot size: approximately 1 ! m CHES 2018 8

  16. Results CHES 2018 9

  17. Localizing the Configuration Logic Xilinx Kintex UltraScale in flip chip package CHES 2018 10

  18. Localizing the Configuration Logic Xilinx Kintex UltraScale Image acquisition with a laser in flip chip package scanning microscope CHES 2018 10

  19. Localizing the Configuration Logic Configuration Logic CHES 2018 10

  20. Localizing BBRAM using Laser Stimulation CHES 2018 11

  21. Localizing BBRAM using Laser Stimulation Laser Stimulation of configuration area and measuring the current on VBATT when BBRAM key is set FPGA is powered off in all experiments! CHES 2018 11

  22. Localizing BBRAM using Laser Stimulation Laser Stimulation of configuration area and measuring the current on VBATT when BBRAM key is not set FPGA is powered off in all experiments! CHES 2018 11

  23. Localizing the key bits in BBRAM by TLS (1) 1 bit Set 255 bits to “0” and one bit to “1”. Shifting the bit “1” eight times by one bit CHES 2018 12

  24. Localizing the key bits in BBRAM by TLS (2) Set all 256 bits to “1” and reset all bits to “0” again. CHES 2018 13

  25. Automatic Key Recovery Target image containing the key Reference image of the cleared BBRAM CHES 2018 14

  26. Automatic Key Recovery 0xd781b86f274630b561f39c9736f512eb0adf714f0d5c836c7a76ff627aca4923 CHES 2018 14

  27. Conclusion ๏ The required effort to develop the attack is shown to be less than 7 hours . ๏ The lower cost and higher availability of TLS in comparison to other optical attacks makes this technique even more threatening. ๏ The stored key in the BBRAM of the FPGA can be extracted when the FPGA is disconnected from power >> conventional side-channel countermeasures are incapable of preventing such an attack. CHES 2018 15

  28. Thank you CHES 2018 16

  29. Countermeasure: Adding Noise ๏ Countermeasure Requirements: - Preventing the attack, even when the FPGA is turned o ff - Not draining the backup battery excessively, so that the device can be in its powered-o ff state for a long time. - Realizable by standard processes 17 CHES 2018

  30. Countermeasure: Adding Noise ๏ Countermeasure Requirements: - Preventing the attack, even when the FPGA is turned o ff - Not draining the backup battery excessively, so that the device can be in its powered-o ff state for a long time. - Realizable by standard processes 17 CHES 2018

  31. Countermeasure Results 18 CHES 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Laser-Enabled Directed Nanomanufacturing Costas P. Grigoropoulos Laser Thermal Laboratory

Laser-Enabled Directed Nanomanufacturing Costas P. Grigoropoulos Laser Thermal Laboratory

Laser-Enabled Directed Nanomanufacturing Costas P. Grigoropoulos Laser Thermal Laboratory Department of Mechanical Engineering University of California, Berkeley This image cannot currently be displayed. U.S.-Korea Nanotechnology Forum

685 views • 31 slides
Enhancement of productivity after reservoir stimulation of the hydro- thermal reservoir Gross

Enhancement of productivity after reservoir stimulation of the hydro- thermal reservoir Gross

Enhancement of productivity after reservoir stimulation of the hydro- thermal reservoir Gross Schnebeck with different fracturing concepts Gnter Zimmermann & Geothermics Group GeoForschungsZentrum Potsdam Operations overview open hole

464 views • 31 slides
Laser Cladding 11 Hayden Laser Services Hayden Corporation Background Founded in 1919

Laser Cladding 11 Hayden Laser Services Hayden Corporation Background Founded in 1919

Hayden Laser Services Comparison of Thermal Spray Technology vs. Laser Cladding 11 Hayden Laser Services Hayden Corporation Background Founded in 1919 Experts in industrial wear and corrosion control Providing commercial

687 views • 14 slides
RECONSTRUCTION OF TEMPERATURE FIELDS BY USING 2D THERMAL IMAGING MEASUREMENTS Tatiana L. Travina

RECONSTRUCTION OF TEMPERATURE FIELDS BY USING 2D THERMAL IMAGING MEASUREMENTS Tatiana L. Travina

Saratov State University DEVELOPMENT OF A TECHNIQUE OF 3D RECONSTRUCTION OF TEMPERATURE FIELDS BY USING 2D THERMAL IMAGING MEASUREMENTS Tatiana L. Travina Laser hyperthermia of tumors with nanoparticles in Oncology laser heating Temperature

255 views • 22 slides
TFAWS Active Thermal Paper Session Laser Processed Condensing Heat Exchanger (LP-CHX) Test

TFAWS Active Thermal Paper Session Laser Processed Condensing Heat Exchanger (LP-CHX) Test

TFAWS Active Thermal Paper Session Laser Processed Condensing Heat Exchanger (LP-CHX) Test Article Design, Manufacturing, and Testing Scott Hansen & Sarah Wallace: NASA JSC Tanner Hamilton: JES Tech Dr. Dennis Alexander & Dr. Craig

620 views • 32 slides
Microseismicity & Stimulation the case of Soultz-sous-Forts Jean Charlty, Louis Dorbath,

Microseismicity & Stimulation the case of Soultz-sous-Forts Jean Charlty, Louis Dorbath,

Enhanced Geothermal Innovative Network for Europe 29/06-01/07 2006 Microseismicity & Stimulation the case of Soultz-sous-Forts Jean Charlty, Louis Dorbath, Henri Haessler Strasbourg University, EOST jean.charlety@eost.u-strasbg.fr

482 views • 29 slides
HIGH VACUUM MULTI-PHASE EXTRACTION CASE STUDIES MWCC CONFERENCE JULY 2019 High Vacuum

HIGH VACUUM MULTI-PHASE EXTRACTION CASE STUDIES MWCC CONFERENCE JULY 2019 High Vacuum

HIGH VACUUM MULTI-PHASE EXTRACTION CASE STUDIES MWCC CONFERENCE JULY 2019 High Vacuum Multi-Phase Extraction Soil vapor and groundwater extraction and treatment system Truck Mounted 450 CFM Air Flow 29 Inches Hg Max Vacuum

307 views • 28 slides
INVESTOR PRESENTATION OCTOBER 24, 2019 Continuous InkJet Printer Thermal Inkjet Printer

INVESTOR PRESENTATION OCTOBER 24, 2019 Continuous InkJet Printer Thermal Inkjet Printer

INVESTOR PRESENTATION OCTOBER 24, 2019 Continuous InkJet Printer Thermal Inkjet Printer High-Resolution Printer Thermal Transfer Overprinter Hot Roll Coder Laser Printer Large Character Printer Consumables An ISO 9001:2008 Company | +91 22

316 views • 12 slides
Management Issues in Hypoglossal Stimulation for OSA Kingman P Strohl M.D. Professor of

Management Issues in Hypoglossal Stimulation for OSA Kingman P Strohl M.D. Professor of

2/13/2018 Management Issues in Hypoglossal Stimulation for OSA Kingman P Strohl M.D. Professor of Medicine, Physiology & Biophysicis, and Oncology Center for sleep Disorders Reseach Case Western Reserve University, Cleveland OH, USA

408 views • 9 slides
Laser Technology of the future OUR TECHNOLOGIES laser WELDING 2d laser CUTTING 3d laser

Laser Technology of the future OUR TECHNOLOGIES laser WELDING 2d laser CUTTING 3d laser

Who we are? Prepared with the most advanced technological background and unique machines coupled with the work done by our experts and senior engineers Our aim is to achieve the highest quality from custom-made prototypes to high-volume complex

597 views • 21 slides
Y P O DIY and Regulatory Aspects of Transcranial Stimulation C T O N O D E S A Anthony

Y P O DIY and Regulatory Aspects of Transcranial Stimulation C T O N O D E S A Anthony

Y P O DIY and Regulatory Aspects of Transcranial Stimulation C T O N O D E S A Anthony Lee; Photo credit, David Yellen (IEEE Spectrum, 3/14/14) Introduction to Transcranial Electrical Stimulation in Neuropsychiatric Research E June

880 views • 48 slides
INVESTOR PRESENTATION JULY 29, 2019 Continuous InkJet Printer Thermal Inkjet Printer

INVESTOR PRESENTATION JULY 29, 2019 Continuous InkJet Printer Thermal Inkjet Printer

INVESTOR PRESENTATION JULY 29, 2019 Continuous InkJet Printer Thermal Inkjet Printer High-Resolution Printer Thermal Transfer Overprinter Hot Roll Coder Laser Printer Large Character Printer Consumables Investor Presentation | Private

472 views • 11 slides
Y P O C T Neurological Applications of O N Transcranial Magnetic Stimulation O D Mouhsin

Y P O C T Neurological Applications of O N Transcranial Magnetic Stimulation O D Mouhsin

Y P O C T Neurological Applications of O N Transcranial Magnetic Stimulation O D Mouhsin Shafi, MD/PhD E Berenson-Allen Center for Noninvasive S Brain Stimulation A E BIDMC, Harvard Medical School L P Y Overview of Talk P O

840 views • 59 slides
Y P O C T O Neurological Applications of N Transcranial Magnetic Stimulation O D Mouhsin

Y P O C T O Neurological Applications of N Transcranial Magnetic Stimulation O D Mouhsin

Y P O C T O Neurological Applications of N Transcranial Magnetic Stimulation O D Mouhsin Shafi, MD/PhD E Berenson-Allen Center for Noninvasive S Brain Stimulation A BIDMC, Harvard Medical School E L P Y P Overview of Talk O

1.22k views • 62 slides
Y P O C T O Neurological Applications of N Transcranial Magnetic Stimulation O D Mouhsin

Y P O C T O Neurological Applications of N Transcranial Magnetic Stimulation O D Mouhsin

Y P O C T O Neurological Applications of N Transcranial Magnetic Stimulation O D Mouhsin Shafi, MD/PhD E Berenson-Allen Center for Noninvasive S Brain Stimulation A BIDMC, Harvard Medical School E L P Y P Overview of Talk O

877 views • 56 slides
Single Event Laser Fusion with 10-MJ Laser Pulses H. Hora, G.H. Miley, and F. Osman Laser ICF

Single Event Laser Fusion with 10-MJ Laser Pulses H. Hora, G.H. Miley, and F. Osman Laser ICF

Single Event Laser Fusion with 10-MJ Laser Pulses H. Hora, G.H. Miley, and F. Osman Laser ICF in physics solved with todays technology by - using NIF-like lasers producing ns-10MJ pulses (red!) - direct drive - adiabatic self similarity

516 views • 18 slides
GAC Underserved Regions Working Group Meeting 2 November 2019 13:30 - 14:30 Pua Hunter

GAC Underserved Regions Working Group Meeting 2 November 2019 13:30 - 14:30 Pua Hunter

GAC Underserved Regions Working Group Meeting 2 November 2019 13:30 - 14:30 Pua Hunter (Co-Chair) Luisa Paez (Canada) ICANN66 GAC USR WG Meeting Agenda Item 3.0 Agenda 1. FY20 GAC Capacity Building Workshops 2. Work plan actions

436 views • 14 slides
Feedback-controlled Random Test Generation Kohsuke Yatoh 1* , Kazunori Sakamoto 2 , Fuyuki

Feedback-controlled Random Test Generation Kohsuke Yatoh 1* , Kazunori Sakamoto 2 , Fuyuki

Feedback-controlled Random Test Generation Kohsuke Yatoh 1* , Kazunori Sakamoto 2 , Fuyuki Ishikawa 2 , Shinichi Honiden 12 1:University of Tokyo, 2:National Institute of Informatics 1 * He is currently affiliated with Google Inc., Japan. All

659 views • 31 slides
Multiclass Neural Network Minimization via Tropical Newton Polytope Approximation Georgios

Multiclass Neural Network Minimization via Tropical Newton Polytope Approximation Georgios

Multiclass Neural Network Minimization via Tropical Newton Polytope Approximation Georgios Smyrnis & Petros Maragos S c h o o l o f EC E , N at i o n a l Te c h n i c a l U n i ve r s i t y o f A t h e n s , A t h e n s , G r e e c e

575 views • 33 slides
Darrell Bethea May 13, 2011 1 3 Review of String methods Keyboard and Screen

Darrell Bethea May 13, 2011 1 3 Review of String methods Keyboard and Screen

Darrell Bethea May 13, 2011 1 3 Review of String methods Keyboard and Screen Input/Output Introduction to Java Swing See May13.java, StringsAndChars.java, and TypeCasting.java on the Course Website for more details Screen

417 views • 23 slides
harmonius Concept Noise-reducing technology for loud, unbearable environments Helps relieve

harmonius Concept Noise-reducing technology for loud, unbearable environments Helps relieve

Red A harmonius Concept Noise-reducing technology for loud, unbearable environments Helps relieve anxiety from over-stimulation Kid-friendly, easy to use and remove Questions 1. How do we integrate noise reduction and audio inputs? 2.

325 views • 9 slides
NATx4 Port Allocation and Logging [Cheng] draft-cheng-behave-nat44-pre-allocated-ports-01 [Tsou]

NATx4 Port Allocation and Logging [Cheng] draft-cheng-behave-nat44-pre-allocated-ports-01 [Tsou]

NATx4 Port Allocation and Logging [Cheng] draft-cheng-behave-nat44-pre-allocated-ports-01 [Tsou] draft-tsou-behave-natx4-log-reduction-02 [Durand] draft-durand-server-logging-recommendations-00 Note Nokia-Siemens IPR declaration on [Tsou]

234 views • 11 slides
THE FUTURE OF UNIFIED MEMORY Nikolay Sakharnykh, 4/5/2016 Logistics Havent graded midterm

THE FUTURE OF UNIFIED MEMORY Nikolay Sakharnykh, 4/5/2016 Logistics Havent graded midterm

April 4-7, 2016 | Silicon Valley THE FUTURE OF UNIFIED MEMORY Nikolay Sakharnykh, 4/5/2016 Logistics Havent graded midterm yet, will be finished on Wednesday May 22 nd last day to drop without a W or change to S/NS with no fee or

572 views • 46 slides
Working with time series data in pandas CUS TOMER AN ALYTICS AN D A/B TES TIN G IN P YTH ON

Working with time series data in pandas CUS TOMER AN ALYTICS AN D A/B TES TIN G IN P YTH ON

Working with time series data in pandas CUS TOMER AN ALYTICS AN D A/B TES TIN G IN P YTH ON Ryan Grossman Data Scientist, EDO Exploratory Data Analysis Exploratory Data Analysis (EDA) Working with time series data Uncovering trends in KPIs

770 views • 49 slides

More recommend