multi level formal analysis
play

Multi-Level Formal Analysis A New Direction for Fault Injection - PowerPoint PPT Presentation

Nov 13, 2022 •212 likes •485 views

Institut Mines-Tlcom Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T. Porteboeuf PROOFS September 17, 2015 Presentation Outline Introduction, Motivation Multi-level Formal Verification

  1. Institut Mines-Télécom Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T. Porteboeuf PROOFS – September 17, 2015

  2. Presentation Outline Introduction, Motivation Multi-level Formal Verification by Example Challenge Regarding EMI Modeling Conclusion & Perspectives 2/24 L. Sauvage et al. PROOFS – September 17, 2015

  3. Presentation Outline Introduction, Motivation Multi-level Formal Verification by Example Challenge Regarding EMI Modeling Conclusion & Perspectives 3/24 L. Sauvage et al. PROOFS – September 17, 2015

  4. Simple & Differential Fault Analyses Are Powerful! ′ ) to disclose the key Number of faulted ciphertexts ( C ′ Algorithm Key space # C Fault model RSA (CRT) [BDL97] 1 Any @ S p (or S q ) 2 1024 RSA (L2R) [BDH + 97] 3083 Bit error @ each S&M 7 Bit error @ 12th round 2 56 DES [BS97, Riv09] 9 Byte error @ 12th round 2 256 AES [PQ03] 4 Byte error @ 8th round ECDSA/P-192 [BBB + 11] 2 192 36 Any in key d @ MULT 4/24 L. Sauvage et al. PROOFS – September 17, 2015

  5. Protections Against FIA: a Classification FIA countermeasures Fault analysis Fault Prevention resilience Analog sensors Protocol Fault detection Package Dual-rail Shield Infective computation PUF Informational Digital sensors redundancy Digest Dual modular • CRC redundancy • Parity Temporal • � / Π of w i x p i i Spatial Linear/non-linear codes Ring Embedding Most countermeasures use fault detection with redundancy/check 5/24 L. Sauvage et al. PROOFS – September 17, 2015

  6. A (Short) History of Shamir’s Trick � S p = m d p � � mod p , � � S = CRT ( S p , S q ) = S q + q I q S p − S q mod p with S q = m d q mod q . [Sha99] Redundancy/check on S p and S q [ABF + 02] Redundancy/check on CRT [YJ00] Infective computation (no decisional test) [YKM06] Broken! [KQ07] 2O-FIA attack and countermeasure [DGRS09] Broken! Counter-countermeasure ? ? Attacker underestimated: she can target operations, not only data. Highly time-consuming verification • All values ( C 1 n , C 2 n , etc. ) • All clock cycles • All order ? 6/24 L. Sauvage et al. PROOFS – September 17, 2015

  7. Overhead of Some Countermeasures Attacker overestimated: she can fault any bit (with SR = 1). Countermeasures designed to detect fault on 1+ bit All bits are considered, hence a high overhead Reference Algorithm Countermeasure Overhead Non-detection [BBK + 03] AES-128 Multiple parity bits 20 % 0.12 2 − 32 [KKT04] AES-128 Partially robust code 80 % 2 − 128 [AKS12] ECC/P-192 Nonlinear robust code 114 % 7/24 L. Sauvage et al. PROOFS – September 17, 2015

  8. Actual Strategy DFA Secret extraction Source (HDL/Soft) Countermeasure ← 01001101 Netlist/Inst. seq. Platform (FPGA/SoC) Disturbance 8/24 L. Sauvage et al. PROOFS – September 17, 2015

  9. Proposal: Multi-Level Formal Analysis DFA Secret extraction Faults properties Source (HDL/Soft) Countermeasure ← 01001101 Netlist/Inst. seq. Delays/placement Platform Sensitivity (FPGA/SoC) Disturbance Accuracy Principle: take into account characteristics of each level 9/24 L. Sauvage et al. PROOFS – September 17, 2015

  10. Presentation Outline Introduction, Motivation Multi-level Formal Verification by Example Challenge Regarding EMI Modeling Conclusion & Perspectives 10/24 L. Sauvage et al. PROOFS – September 17, 2015

  11. Hardware Implementation of AES-128 Probability to be faulted of each SBox Tc = 10 . 64 ns: 1 bit of SBox7 is faulted Tc = 10 . 56 ns: SBox6&7 are faulted 11/24 L. Sauvage et al. PROOFS – September 17, 2015

  12. Hardware Implementation of AES-128 Probability to be faulted of slowest bits of SBox7 and SBox6 Bit b faulted if it has to be updated and t b < Tc Model complexity for verification: 16 × 2 2 × 8 × 128 only Countermeasure design: SBox6-bit7 faulted highly implies SBox6-bit7 is also faulted. Possibility to use this information? 12/24 L. Sauvage et al. PROOFS – September 17, 2015

  13. Hardware Implementation of AES-128 Probability of key space. Sufficient to protect only some SBoxes (instead of 16)? 13/24 L. Sauvage et al. PROOFS – September 17, 2015

  14. Presentation Outline Introduction, Motivation Multi-level Formal Verification by Example Challenge Regarding EMI Modeling Conclusion & Perspectives 14/24 L. Sauvage et al. PROOFS – September 17, 2015

  15. Characterization of EMI Impact SASEBO-W/Spartan-6 16x16 array of sensors ( blue ) plus control block ( red ) 15/24 L. Sauvage et al. PROOFS – September 17, 2015

  16. Characterization of EMI Impact SASEBO-W/Spartan-6 (zoom) Each sensor is placed into a single configurable logic block (CLB). 16/24 L. Sauvage et al. PROOFS – September 17, 2015

  17. Scan over Spartan-6 with 1 mm EM probe 17/24 L. Sauvage et al. PROOFS – September 17, 2015

  18. Impact on sensor #12 @ (x=16,y=16) a ( 16 , 16 ) = 1 . 74 ps / dB 12 Asymptotic standard error with linearity: 3.782 % 18/24 L. Sauvage et al. PROOFS – September 17, 2015

  19. Impact on sensor #12 @ (x=17,y=14) a ( 17 , 14 ) = 2 . 11 ps / dB > a ( 16 , 16 ) : greater impact 12 12 Asymptotic standard error with linearity: 5.324 % 19/24 L. Sauvage et al. PROOFS – September 17, 2015

  20. Impact on sensor #12 Susceptibility maps: what happens outside the FPGA According to the EMI probe position, the delay is increased or decreased. The spatial distribution is not trivial ( e.g. , Gaussian). Model complexity: multiplied by the number of spatial points. 20/24 L. Sauvage et al. PROOFS – September 17, 2015

  21. Impact on all sensors @ ( x =16, y =16) Functionnal maps: what happens inside the FPGA All delays are impacted 21/24 L. Sauvage et al. PROOFS – September 17, 2015

  22. Presentation Outline Introduction, Motivation Multi-level Formal Verification by Example Challenge Regarding EMI Modeling Conclusion & Perspectives 22/24 L. Sauvage et al. PROOFS – September 17, 2015

  23. Conclusion & Perspectives FIA countermeasure verification is highly time-consuming. FIA countermeasure overhead is high. Proposal take into account characteristics of each level. Does it help reduce verification time/overhead? 23/24 L. Sauvage et al. PROOFS – September 17, 2015

  24. Thanks for your attention. Any question? 24/24 L. Sauvage et al. PROOFS – September 17, 2015

  25. References [ABF + 02] Christian Aumüller, Peter Bier, Wieland Fischer, Peter Hofreiter, and Jean-Pierre Seifert, Fault attacks on RSA with CRT: concrete results and practical countermeasures , Cryptographic Hardware and Embedded Systems - CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002, Revised Papers (Burton S. Kaliski Jr., Çetin Kaya Koç, and Christof Paar, eds.), Lecture Notes in Computer Science, vol. 2523, Springer, 2002, pp. 260–275. [AKS12] Kahraman D. Akdemir, Deniz Karakoyunlu, and Berk Sunar, Non-linear error detection for elliptic curve cryptosystems , IET Information Security 6 (2012), no. 1, 28–40. [BBB + 11] Alessandro Barenghi, Guido Marco Bertoni, Luca Breveglieri, Gerardo Pelosi, and Andrea Palomba, Fault attack to the elliptic curve digital signature algorithm wit multiple bit faults , Proceedings of the 4th International Conference on Security of Informatio and Networks, SIN 2011, Sydney, NSW, Australia, November 14-19, 2011 (Mehmet A. Orgun an Atilla Elçi an Oleg B. Makarevich an Sorin A. Huss an Josef Pieprzyk an Lyudmila K. Babenko an Alexander G. Chefranov an Rajan Shankaran, ed.), ACM, 2011, pp. 63–72. [BBK + 03] Guido Bertoni, Luca Breveglieri, Israel Koren, Paolo Maistri, and Vincenzo Piuri, Error analysis and detection procedures for a hardware implementation of the advanced encryption standard , IEEE Trans. Computers 52 (2003), no. 4, 492–505. [BDH + 97] Feng Bao, Robert H. Deng, Yongfei Han, Albert B. Jeng, A. Desai Narasimhalu, and Teow-Hin Ngair, Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults , Security Protocols, 5th International Workshop, Paris, France, April 7-9, 1997, Proceedings (Bruce Christianson, Bruno Crispo, T. Mark A. Lomas, and Michael Roe, eds.), Lecture Notes in Computer Science, vol. 1361, Springer, 1997, pp. 115–124. [BDL97] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton, On the importance of checking cryptographic protocols for faults (extended abstract) , Advances in Cryptology - EUROCRYPT ’97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11-15, 1997, Proceeding (Walter Fumy, ed.), Lecture Notes in Computer Science, vol. 1233, Springer, 1997, pp. 37–51. [BS97] Eli Biham and Adi Shamir, Differential fault analysis of secret key cryptosystems , Advances in Cryptology - CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, 24/24 L. Sauvage et al. PROOFS – September 17, 2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

! Belohlavek R., Trnecka M. (DAMOL) Basic Level in Formal Concept Analysis August 8, 2013 1 /

! Belohlavek R., Trnecka M. (DAMOL) Basic Level in Formal Concept Analysis August 8, 2013 1 /

Basic Level in Formal Concept Analysis: Interesting Concepts and Psychological Ramifications Radim Belohlavek, Martin Trnecka Palacky University, Olomouc, Czech Republic ! ! ! Belohlavek R., Trnecka M. (DAMOL) Basic Level in Formal Concept

510 views • 32 slides
Formal Handling of the Level 2 Uncertainty Sources and Their Combination with the Level 1 PSA

Formal Handling of the Level 2 Uncertainty Sources and Their Combination with the Level 1 PSA

OECD/NEA/CSNI Workshop on Evaluation of Uncertainties in Relation to Severe Accidents and Level 2 Probabilistic Safety Analysis 7-9 November 2005, Aix-en-Provence, France Formal Handling of the Level 2 Uncertainty Sources and Their Combination

705 views • 36 slides
Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

1.19k views • 106 slides
Insights from a multi-level analysis of bribe prevalence in developing countries Jol Cariolle

Insights from a multi-level analysis of bribe prevalence in developing countries Jol Cariolle

Insights from a multi-level analysis of bribe prevalence in developing countries Jol Cariolle Fondation pour les tudes et recherches sur le dvelopment international (Ferdi) EPCS meeting, Freiburg, March 2016 . 1 Highlights Objective: This

652 views • 29 slides
MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro Fonseca, Xi Wang, Arvind Krishnamurthy Hypervisor correctness is critical Hypervisors need to virtualize correctly all the architecture details

388 views • 19 slides
Experimental design for multi-level data: Improving our approach to power analysis using Monte

Experimental design for multi-level data: Improving our approach to power analysis using Monte

Experimental design for multi-level data: Improving our approach to power analysis using Monte Carlo simulation-based parameter recovery estimation Chadwick, S. 1 , &amp; Davies, R. 1 International Multilevel Conference 2019 1 Department of

657 views • 30 slides
VAT: Asymptotic Cost Analysis for Multi-Level Key-Value Stores Graduate Students Conference

VAT: Asymptotic Cost Analysis for Multi-Level Key-Value Stores Graduate Students Conference

VAT: Asymptotic Cost Analysis for Multi-Level Key-Value Stores Graduate Students Conference Nikos Batsaras 25 October 2019 Computer Science Department, University of Crete Key-Value (KV) Store Application data Client KV store :

305 views • 12 slides
Multi Level Modeling in the Wild with AutomationML Invited Talk @ Multi Level Modeling

Multi Level Modeling in the Wild with AutomationML Invited Talk @ Multi Level Modeling

Multi Level Modeling in the Wild with AutomationML Invited Talk @ Multi Level Modeling Workshop, MODELS 2018 Copenhagen, October 2018 Manuel Wimmer CDL MINT Business Informatics Group Institute of Information Systems Engineering Vienna

993 views • 71 slides
Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not

Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not

4/3/2008 Formal Hardware Verification (some key ideas) Mary Sheeran Idealised Flow High level Not formal 1 4/3/2008 Idealised Flow High level Not formal Equally high level Formal spec. Math, expressive logic Idealised Flow High level

402 views • 22 slides
A Scalable Multi-level Preconditioner for Matrix-Free -Finite Element Analysis of Human Bone

A Scalable Multi-level Preconditioner for Matrix-Free -Finite Element Analysis of Human Bone

FE Modeling Mathematical Model System solving AMG preconditioning Experiments Conclusions A Scalable Multi-level Preconditioner for Matrix-Free -Finite Element Analysis of Human Bone Structures Peter Arbenz 1 1 Institute of

513 views • 32 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
The Multi-Level Feedback Queue Operating System: Three Easy Pieces 1 Youjip Won Multi-Level

The Multi-Level Feedback Queue Operating System: Three Easy Pieces 1 Youjip Won Multi-Level

8: Scheduling: The Multi-Level Feedback Queue Operating System: Three Easy Pieces 1 Youjip Won Multi-Level Feedback Queue (MLFQ) A Scheduler that learns from the past to predict the future. Objective: Optimize turnaround time

180 views • 16 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
Multi-level stochastic approximation algorithms Noufel Frikha Universit e Paris Diderot, LPMA

Multi-level stochastic approximation algorithms Noufel Frikha Universit e Paris Diderot, LPMA

Introduction Analysis of the SA scheme Multi-level stochastic approximation algorithms Numerical results Multi-level stochastic approximation algorithms Noufel Frikha Universit e Paris Diderot, LPMA 28th October, 2013. Stochastic

746 views • 35 slides
Psychology-Driven Design of Intelligent Interfaces T. Metin Sezgin Assoc. Prof. College of

Psychology-Driven Design of Intelligent Interfaces T. Metin Sezgin Assoc. Prof. College of

Psychology-Driven Design of Intelligent Interfaces T. Metin Sezgin Assoc. Prof. College of Engineering Ko University http://iui.ku.edu.tr mtsezgin@alum.mit.edu BYOYO 01/07/20 Intelligent User Interfaces Group Dr. Metin Sezgin,

1.24k views • 92 slides
Transfer Matrix Formulation of Scattering Theory in Arbitrary Dimensions Ali Mostafazadeh (Ko

Transfer Matrix Formulation of Scattering Theory in Arbitrary Dimensions Ali Mostafazadeh (Ko

Transfer Matrix Formulation of Scattering Theory in Arbitrary Dimensions Ali Mostafazadeh (Ko University) in collaboration with Farhang Loran (Isfahan Univ. Tech.) Supported by Turkish Acad. Sci. &amp; TB TAK (Project 112T951) Outline: -

669 views • 62 slides
CSE 262 Lecture 11 GPU Implementation of stencil methods (II) Announcements Final

CSE 262 Lecture 11 GPU Implementation of stencil methods (II) Announcements Final

CSE 262 Lecture 11 GPU Implementation of stencil methods (II) Announcements Final presentations u Friday March 13 th , 10:30 AM to 1:00PM u Room 3217, CSE Building (EBU3B) Scott B. Baden / CSE 262 / UCSD, Wi '15 2 Todays lecture

641 views • 31 slides
Recognize some structural properties of a finite group from the orders of its elements Mercede

Recognize some structural properties of a finite group from the orders of its elements Mercede

Recognize some structural properties of a finite group from the orders of its elements Mercede MAJ UNIVERSIT DEGLI STUDI DI SALERNO Cemal Ko - Algebra Days Middle East Technical University April, 22-23, 2016 Let G be a periodic group.

889 views • 68 slides
Trojans Modifying Soft-Processor Instruction Sequences Embedded in FPGA Bitstreams Ismail

Trojans Modifying Soft-Processor Instruction Sequences Embedded in FPGA Bitstreams Ismail

Trojans Modifying Soft-Processor Instruction Sequences Embedded in FPGA Bitstreams Ismail San, Nicole Fern, C etin Kaya Ko c and Kwang-Ting (Tim) Cheng University of California Santa Barbara Anadolu University FPL 2016 August 31,

72 views • 6 slides
Designing and Developing Person-Based and Topic-Based Person-Based and Topic-Based Data

Designing and Developing Person-Based and Topic-Based Person-Based and Topic-Based Data

Designing and Developing Person-Based and Topic-Based Person-Based and Topic-Based Data Collection Instruments Emily A. Johnson Thomas C Melaney Thomas C. Melaney US Census Bureau, USA Summary The American Community Survey (ACS) tests

202 views • 16 slides
Simultaneous and sequential detection of multiple interacting change points Long Nguyen

Simultaneous and sequential detection of multiple interacting change points Long Nguyen

Simultaneous and sequential detection of multiple interacting change points Long Nguyen Department of Statistics University of Michigan Joint work with Ram Rajagopal (Stanford University) 1 Introduction Statistical inference in the

786 views • 39 slides
22 nd International Systems and Software Product Line Conference Sep. 10-14, 2018 sponsors

22 nd International Systems and Software Product Line Conference Sep. 10-14, 2018 sponsors

Thorsten Berger Paulo Borba Associate Professor Professor Chalmers | University of Gothenburg Universidade Federal de Pernambuco Gothenburg, Sweden Recife, Brazil http://www.cse.chalmers.se/~bergert http://www.cin.ufpe.br/~phmb 22 nd

354 views • 21 slides

More recommend