Cheap & Cheerful: A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks (Wei He, Jakub Breier, Shivam Bhasin; SPACE 2016 presentation slides)


SLIDE 1

Cheap & Cheerful A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks

Wei He, Jakub Breier, Shivam Bhasin

Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore

SPACE 2016, Hyderabad, India.

Dec 16, 2016.

SLIDE 2

SPACE 2016, Hyderabad India

Presentation Outline

  • 1. Context
  • 2. Previous Work
  • 3. Proposed Countermeasure
  • 4. Experimental Results
  • 5. Conclusions

SLIDE 3

CONTEXT

SLIDE 4

Fault Injection Attacks

  • Objectives:
  • Evaluating the fault tolerance of critical systems (harsh working environments, e.g., high-energy cosmic rays)
  • An assisting means for reverse engineering
  • Bypassing security checks and countermeasures
  • Inducing errors in the sensitive computations of a cryptosystem in order to retrieve cryptographic keys
  • A Fault Attack (FA) exploits the intentionally triggered faulty outputs or faulty behaviours of the target device in order to extract confidential information about its internals (e.g., DFA, algebraic FA, FSA, collision, round reduction, etc.)

SLIDE 5

FI Attacks on Embedded Systems

  • Common Fault Injection (FI) techniques:
  • Power line: power glitch, under-powering [J. Blömer et al.: Fault based cryptanalysis ..., 2003]
  • Clock tree: clock glitch, over-clocking [M. Agoyan et al.: On critical paths and ..., 2010]
  • Temperature: slowing down the electron/hole mobility [H. Bar-El et al.: The sorcerer's apprentice ..., 2004]
  • EM disturbance: eddy currents caused by the intense magnetic field of a high transient current pulse in the near field [A. Dehbaoui et al.: Injection of transient faults ..., 2012]
  • Laser disturbance, or intense white light [S.P. Skorobogatov et al.: Optical fault induction ..., 2003]

The techniques are listed from global, low-precision and low-cost to local, high-precision and expensive.

SLIDE 6

Laser-Induced Fault on a Transistor

  • A temporary photocurrent is induced by the laser radiation.
  • Example: a laser pulse into the drain of the "OFF" transistor of a CMOS inverter can temporarily turn that transistor ON.
  • In the real world the laser irradiates numerous transistors simultaneously, hence the fault mechanism induced in the IC is complicated.
  • The laser also affects signal propagation in the routing because of its charging and discharging effects on parasitic capacitances.

(Figure: CMOS inverter with the PMOS and NMOS transistors and their source and drain terminals marked.)

SLIDE 7

Fault Protection

  • Two approaches: detection and prevention
  • Fault detection (incremental approach):
    • Sensor based (detect the physical stress), or
    • Information based (detect data modification): parity, error detection, encoding, etc.
  • Fault prevention (provable approach):
    • Circuit modification (dual-rail, private circuits)
    • Error correction or infection
SLIDE 8

Sensor Based Countermeasure

  • Monitor physical conditions: temperature, speed, voltage, laser, EM, etc.

Features of a strong sensor:

  • Logically independent from the protected algorithm.
  • More sensitive than the target circuit.
  • Quick reaction.
  • Significant power and spatial security margins.

(Figure: laser power on the horizontal axis; the minimum power that raises the sensor alarm lies below the minimum power that faults the cipher, giving a power margin, and the injection-detectable region extends beyond the cipher's fault-sensitive region, giving a spatial margin.)

SLIDE 9

Rationale for Deploying an Injection Detector

  • Fault injection based attacks have become a critical threat against prevailing security-critical embedded systems.
  • Security defenses can be breached or compromised by a number of injected computation faults.
  • In massively deployed embedded networks, fortifying the lightweight devices with heavy countermeasures is costly, or even unaffordable.
  • Developing effective and low-cost countermeasures against fault injection attacks is in high demand.

Security vs. efficiency: e.g., a lightweight detector is demanded in massively deployed, security-critical end-points in WSNs, IoT, etc.

SLIDE 10

PREVIOUS WORKS

SLIDE 11

Previous Work: Glitch Detector

  • Glitch detector proposed in [1], based on a "set-up time violation".
  • Power line disturbance: under-power (deceleration).

(Figure: a D flip-flop compares CK with DCK, a copy of CK passed through a delay element, and its output is the alarm; under normal supply the sampled value is constant, while under-power increases the delay so the sampled value changes and the alarm is raised.)

[1] Loïc Zussa et al., Efficiency of a glitch detector against electromagnetic fault injection.

SLIDE 12

Previous Work: Glitch Detector

  • Glitch detector proposed in [1], based on a "set-up time violation".
  • Power line disturbance: over-power (acceleration).

(Figure: the same detector under over-power; the delay through the delay element is reduced rather than increased, and the alarm responds to only one direction of change.)

So the glitch detector here offers only uni-directional detection.

SLIDE 13

Ring Oscillator (RO) Watchdog

  • A frequency ripple in a RO [2] can be temporarily incurred by external electrical impacts in its vicinity, such as an intense EM/laser pulse or a power/clock glitch.

(Figure: observable frequency ripple on a high-frequency RO, comparing the RO frequency without and with the laser impact.)

[2] N. Miura et al., PLL to the Rescue: A novel EM fault countermeasure.

SLIDE 14

Previous Work: PLL Sensor System

  • A Phase-Locked Loop (PLL) is a widely used analog component in circuits for providing a stable and precise clock source.
  • Composed of: (1) Phase-Frequency Detector (PFD), (2) Low-Pass Filter (LF), (3) Voltage-Controlled Oscillator (VCO).
  • Locks the clock phase using a feedback loop.
  • A disturbance on the PLL clock input may temporarily unlock the PLL.
  • But a PLL is a scarce and expensive resource on an FPGA.

(Figure: the PLL lock indicator on the FPGA toggling between locked and unlocked around the disturbance.)

SLIDE 15

PROPOSED COUNTERMEASURE

SLIDE 16

Proposed Digital Sensor

  • Basic architecture:
    • Ring oscillator (similar to the PLL sensor introduced before)
    • All-digital disturbance capture (replacing the heavy PLL)
  • Detection principle:
    • Extract three signals from one RO (f1, ck, f2)
    • They have a fixed phase shift (f1 -> ck -> f2)
    • f1 and f2 are sampled at ck-delay to enhance detection.

(Figure: watchdog sensor and disturbance capture. The RO, gated by an enable signal, provides the taps f1, ck and f2; ck passes through a delay factor to form ck-delay, which clocks FF1 (D = f1, output Q1) and FF2 (D = f2, output Q2); alarm = Q1 & Q2, with 1 meaning safe and 0 meaning injection detected.)
SLIDE 17

Detection Mechanism

  • Under stable oscillation, the sampled outputs Q1 and Q2 are constant.
  • With a frequency disturbance in the RO, Alarm = f(Q1, Q2) changes.

(Figure: waveforms of f1, ck-delay and f2 with the time window for sampling, for (a) no disturbance, (b) a temporarily decreased frequency (increased clock period) and (c) a temporarily increased frequency (decreased clock period); the sampled pairs shown are 11, 10 and 00.)

Stable frequency: Alarm = 1. Decreased frequency: Alarm = 1 -> 0. Increased frequency: Alarm = 1 -> 0.

SLIDE 18

Low-cost Implementation

  • Merits: versatile and lightweight
    • All-digital architecture
    • Bi-directional detection
    • Negligible hardware cost
  • Demerits:
    • Timing constraints required

(Figure: the same sensor schematic as on slide 16.)
SLIDE 19

EXPERIMENTAL RESULTS

SLIDE 20

Experimental Setup

  • Platform setup details:
    • Delayered Xilinx 65 nm Virtex-5 FPGA on a Genesys commercial board
    • 2-dimensional (X-Y) stepper stage, 0.05 um minimum step
    • Riscure pulsed diode laser (1064 nm wavelength), with a x5 objective lens
    • Synchronized communication with a GUI on the PC, for observing computation faults and the alarm

(Figure: block diagram of the setup: the PC control interface exchanges plaintexts, ciphertexts and the alarm with the target FPGA board through an Arduino bridge board; a trigger signal and a glitch generator producing a digital glitch control the pulse current of the diode pulse laser aimed at the FPGA die on the motorized 2D stage.)

SLIDE 21

Target Block Cipher – PRESENT-80

  • The lightweight symmetric cipher PRESENT-80 is selected as the attacked cipher, implemented on the target Virtex-5 FPGA.
  • The 64 round data registers are the target logic for laser injection attacks aiming at bit flips.
  • The timing of the injection focuses on the last-round data registers.

(Figure: round-based PRESENT datapath: the 64-bit plaintext and the 64-bit round keys are XORed into the state, which passes through sixteen 4-bit S-boxes and the pLayer into the round data registers (D/Q, driven by round_ctrl) that feed back to the next round; the 64-bit ciphertext is the output.)
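The following is an added example written for this page, not code from the slides or from the authors' experiments. It implements PRESENT-80 per the public specification (checked against the published test vector in the `__main__` block) and shows what a single bit flip in the round data register at the start of the last round gives an attacker: a differential fault analysis that recovers the last round key K32 nibble by nibble, which is the "retrieving crypto keys" objective from slide 4. The fault model (one bit of the register flipped before round 31), the attacker-side functions `gather`, `dfa_candidates` and `recover_k32`, and the demo key are assumptions of the example.

```python
"""Constructed example: single-bit fault in PRESENT-80's last-round data register
and the DFA that recovers K32 candidates from correct/faulty ciphertext pairs.
PRESENT-80 follows the public specification; the fault model and the attacker
side are assumptions of this example, not the authors' code."""
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
MASK64, MASK80 = (1 << 64) - 1, (1 << 80) - 1


def sbox_layer(state):
    return sum(SBOX[(state >> (4 * i)) & 0xF] << (4 * i) for i in range(16))


def p_layer(state):
    # pLayer: bit i moves to position 16*(i mod 4) + i//4
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << (16 * (i % 4) + i // 4)
    return out


def round_keys(key80):
    """32 round keys K1..K32 from the 80-bit key (rotate left 61, S-box on the
    top nibble, round counter XORed into bits 19..15)."""
    keys, k = [], key80 & MASK80
    for rnd in range(1, 32):
        keys.append(k >> 16)
        k = ((k << 61) | (k >> 19)) & MASK80
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))
        k ^= rnd << 15
    keys.append(k >> 16)
    return keys


def present_encrypt(pt, key80, fault_bit=None):
    """Round-based PRESENT-80. If fault_bit is given, that bit of the round data
    register is flipped at the start of round 31 (assumed fault model, matching
    the 'last round data registers' target named on slide 21)."""
    rk = round_keys(key80)
    state = pt & MASK64
    for rnd in range(1, 32):
        if fault_bit is not None and rnd == 31:
            state ^= 1 << fault_bit
        state = p_layer(sbox_layer(state ^ rk[rnd - 1]))
    return state ^ rk[31]


def gather(word, j):
    """The 4 output bits of S-box j land on bit positions j, 16+j, 32+j, 48+j
    after the pLayer; collect them (from a ciphertext or from K32) as a nibble."""
    return sum(((word >> (16 * b + j)) & 1) << b for b in range(4))


def dfa_candidates(ct, ct_faulty):
    """Attacker side: from one correct/faulty pair, locate the faulted nibble j
    and keep only the K32 nibble guesses for which the two S-box inputs differ
    in exactly one bit. Returns (j, candidate set)."""
    diff = ct ^ ct_faulty
    columns = {i % 16 for i in range(64) if (diff >> i) & 1}
    if len(columns) != 1:
        raise ValueError("difference does not look like a single-nibble fault")
    j = columns.pop()
    y, y_f = gather(ct, j), gather(ct_faulty, j)
    cands = set()
    for kg in range(16):
        x, x_f = SBOX_INV[y ^ kg], SBOX_INV[y_f ^ kg]
        if bin(x ^ x_f).count("1") == 1:
            cands.add(kg)
    return j, cands


def recover_k32(key80, faults_per_nibble=24, seed=1):
    """Repeat random-plaintext faults on every nibble and intersect the candidate
    sets. Returns {j: candidates} in gather() bit order."""
    rng = random.Random(seed)
    result = {}
    for j in range(16):
        cands = set(range(16))
        for _ in range(faults_per_nibble):
            pt = rng.getrandbits(64)
            ct = present_encrypt(pt, key80)
            ct_f = present_encrypt(pt, key80, fault_bit=4 * j + rng.randrange(4))
            found, c = dfa_candidates(ct, ct_f)
            assert found == j
            cands &= c
            if len(cands) == 1:
                break
        result[j] = cands
    return result


def true_k32_nibbles(key80):
    """Oracle used only to check the attack: the real K32 in gather() order."""
    k32 = round_keys(key80)[31]
    return {j: gather(k32, j) for j in range(16)}


if __name__ == "__main__":
    KEY = 0x0123456789ABCDEF0123                          # assumed 80-bit demo key
    assert present_encrypt(0, 0) == 0x5579C1387B228445   # PRESENT-80 test vector
    cands, truth = recover_k32(KEY), true_k32_nibbles(KEY)
    for j in range(16):
        print(f"nibble {j:2d}: candidates {sorted(cands[j])}  true {truth[j]}")
```

A single pair leaves 4 or 8 of the 16 guesses per nibble (the PRESENT S-box never maps a one-bit input difference to a one-bit output difference, so a pair never keeps all 16), and intersecting over further pairs narrows the set. This is exactly the kind of fault the watchdog is meant to flag before the faulty ciphertext leaves the device.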

SLIDE 22

RO Frequency Ripple under Laser Injection

  • In practice the frequency disturbance is a complex combination spanning a number of RO oscillation cycles, so several alarms are likely to be triggered by a single injection.
  • So, only the falling edge of the first alarm is latched as the alarm output.

(Figure: time line of the signal response: injection trigger, trigger delay to the injection action, RO frequency (357 MHz) with its ripple, and the alarm; the alarm response time is marked.)
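The following is an added behavioural model, written for this page, of the detection principle on slides 16 and 17 together with the latching rule on this slide; it is not the authors' RTL. It models the three RO taps as square waves with fixed phase offsets, delays ck by an absolute delay factor, samples f1 and f2 at that delayed edge, and derives the alarm window in terms of the RO period, which makes the bi-directional detection and the delay-factor tunability from slide 25 explicit. The tap offsets (`phi1`, `phi2`), the delay value, the 50% duty cycle and the shape of the ripple are assumptions of the model.

```python
"""Constructed behavioural model of the all-digital RO watchdog sensor: three
taps f1 -> ck -> f2 with fixed phase offsets, ck delayed by an absolute delay
factor, f1/f2 sampled at the delayed edge, alarm = Q1 & Q2. Tap offsets, delay
value and the ripple shape are assumptions of this example, not the authors'
design values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ROSensor:
    phi1: float   # f1 leads ck by phi1 RO periods (assumed tap spacing)
    phi2: float   # f2 lags ck by phi2 RO periods (assumed tap spacing)
    delay: float  # absolute ck -> ck-delay delay in ns (the "delay factor")

    @staticmethod
    def _level(rise: float, period: float, t: float) -> int:
        # 50% duty square wave with a rising edge at `rise`, evaluated at time t
        return int(((t - rise) % period) < period / 2)

    def sample(self, period: float) -> Tuple[int, int]:
        """Q1, Q2 captured by FF1/FF2 at the ck-delay rising edge.
        ck rises at t = 0, so the sampling edge sits at t = delay."""
        q1 = self._level(-self.phi1 * period, period, self.delay)
        q2 = self._level(self.phi2 * period, period, self.delay)
        return q1, q2

    def alarm(self, period: float) -> int:
        q1, q2 = self.sample(period)
        return q1 & q2            # 1: safe, 0: injection detected

    def window(self) -> Tuple[float, float]:
        """(T_min, T_max): the alarm stays 1 only while T_min < period <= T_max.
        From sample(): Q1 drops once delay + phi1*T >= T/2 (period too short,
        i.e. frequency up) and Q2 drops once delay < phi2*T (period too long,
        i.e. frequency down). Both bounds scale with the delay factor, which is
        why the threshold is tunable at the back end. Valid while the delay is
        shorter than (1 - phi1) periods; beyond that the sampling aliases, which
        is the timing constraint the design has to meet."""
        return self.delay / (0.5 - self.phi1), self.delay / self.phi2


def alarm_trace(sensor: ROSensor, periods: List[float]) -> List[int]:
    """One sample per RO cycle, since ck-delay is derived from the RO itself."""
    return [sensor.alarm(p) for p in periods]


def falling_edges(trace: List[int]) -> List[int]:
    return [i for i in range(1, len(trace)) if trace[i - 1] == 1 and trace[i] == 0]


def latch_first_alarm(trace: List[int]) -> Optional[int]:
    """Slide 22 rule: a ripple spans several RO cycles and can raise the alarm
    more than once, so only the first falling edge is latched as the output."""
    edges = falling_edges(trace)
    return edges[0] if edges else None


# Constructed ripple (assumed shape): a 357 MHz RO (2.8 ns period) first speeds
# up and then slows down over a few cycles after the laser pulse, then settles.
RIPPLE_NS = [2.8] * 5 + [2.3, 1.9, 1.7, 2.2, 3.1, 4.3, 3.6, 2.9] + [2.8] * 5

if __name__ == "__main__":
    s = ROSensor(phi1=0.1, phi2=0.2, delay=0.8)
    print("alarm window (ns):", s.window())
    trace = alarm_trace(s, RIPPLE_NS)
    print("alarm per cycle:", trace)
    print("latched at cycle:", latch_first_alarm(trace))
```

With `phi1 = 0.1`, `phi2 = 0.2` and `delay = 0.8 ns` the alarm holds for periods between 2.0 ns and 4.0 ns; a shorter delay factor (for example 0.6 ns) pulls both bounds in, and the constructed ripple produces two separate alarm dips of which only the first is latched.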

SLIDE 23

Security Evaluation-1: Local Register

  • Only the cipher's round data registers in PRESENT-80 are protected.
  • The watchdog RO is deployed covering 8 CLBs (the 64-bit registers).

(Figure: floorplan: the ring oscillator loop, with taps f1, f2, ck and ck-delay, surrounds the 8 CLBs holding the 64-bit cipher round registers; FF1, FF2 and the XOR gate sit beside it.)

SLIDE 24

Security Evaluation-1: Local Register

  • 2D plot of the laser scan over the chip region.
  • Comparison to the PLL based sensor.
  • Red dots: only alarm; blue dots: alarm + fault; green dots: only fault.

(Figure: scan maps for the PLL-based detector and the proposed detector; the proposed detector shows the higher detection rate.)

SLIDE 25

Security Evaluation-1: Local Register

  • Fine-grained scan of a single CLB.
  • Also compared to the PLL based sensor.
  • A higher detection rate is also observed with the digital sensor.
  • The PLL has a fixed, minimum frequency threshold at which it unlocks.
  • The digital sensor depends on the timing setup of the delay factor, so its alarm threshold can be precisely controlled.

(Figure: single-CLB scan maps for the PLL-based detector and the proposed detector.)

SLIDE 26

Security Evaluation-1: Local Register

  • Security elevation: detection rate / alarm rate

Region scan:

  • Detection rate: digital sensor = PLL sensor
  • Alarm rate: digital sensor >> PLL sensor

CLB scan:

  • Detection rate: digital sensor ≈ PLL sensor
  • Alarm rate: digital sensor >> PLL sensor
SLIDE 27

Security Evaluation-2: Full Cipher Protection

  • A bigger watchdog RO is embedded within two complete PRESENT-80 cipher instances.
  • Scan matrix: 300x300, random laser power: 40%-100%
  • Scan the cipher region
  • Observe the induced faults and the triggered alarms

(Figure: floorplan with PRESENT 1, PRESENT 2, the watchdog RO and the disturbance capture.)

SLIDE 28

Security Evaluation-2: Full Cipher Protection

  • Lower fault/alarm density, due to the bigger scan step compared to the previous single-CLB scan.
  • Detection rate: 94.20%
  • Alarm rate: 2.63:1

(Figure: X-Y scan map over PRESENT 1 and PRESENT 2, with legend: only alarm, alarm + fault (cipher 1), alarm + fault (cipher 2), only fault (cipher 1), only fault (cipher 2); one point is marked as exceptional.)

SLIDE 29

CONCLUSIONS

SLIDE 30

Work Summary

  • A low-cost, all-digital sensor for detecting laser fault injection is presented.
  • The system evolves from the previously proposed PLL-based sensor by replacing the analog PLL with lightweight digital logic.
  • The sensor has bi-directional detection capability with sensitivity tunable at the back-end stage.
  • Experiments on FPGAs show a superior detection rate and alarm rate compared to the PLL counterpart.
  • The proposal is suitable for any digital/hybrid IC application, with very limited power/area overhead.

SLIDE 31

Thanks for your attention! Questions?