On-Device Power Analysis Across Hardware Security Domains

SLIDE 1

On-Device Power Analysis Across Hardware Security Domains

Colin O’Flynn, Alex Dewar Dalhousie University

CHES 2019 - Atlanta, Georgia 1

SLIDE 2

What am I doing for next 17 mins (in 42 slides)?

  • Introduction: Remote & Cross-Domain Attacks
  • Attacker Model, TrustZone-M, and SAML11
  • Basic CPA Attack on SAML11, bit depth / sample rate effect
  • Internal regulator attack experiments
  • Attacking a standard SAML11 development kit
  • Countermeasures

SLIDE 3

On-Device Power Analysis

SLIDE 4

Introducing… TrustZone-M

SLIDE 5

On-Device Power Analysis across Hardware Security Boundaries

SLIDE 6

Specific Implementation Example

  • SAML11  One of first M23 cores available on market (June 2018)
  • Original datasheet (since changed) made an interesting claim…

SLIDE 7

Product Usage of TrustZone-M / SAML11

  • When starting work no products on market used the SAML11
  • Made some assumptions about design of products, backed up by datasheet examples:

SLIDE 8

Assumptions / Attacker Powers

  • Attacker must have previously performed an attack to gain code execution on the non-secure space (or otherwise has such access).
  • Attacker can run considerable amount of tests / data recovery.
  • We can consider a remote attacker as in-scope… realistically we will look at “quasi-remote”.
  • Quasi-remote means not full system access (cannot do DPA at board-level), but perhaps has debugger/communication access.

SLIDE 9

Example of “Quasi-Remote” Attacker Threat

  • Unlocking ECUs is big business.
  • Requiring tuners to solder to PCB & capture power traces is a large hurdle.
  • But requiring them to plug in a debug connector is very much “in-scope” for these attacks.
  • If DPA attack runs in reasonable time, allows tuners to perform such attacks even with unique keys.

SLIDE 10

TrustZone-A Attacks

  • 1. General remote attacks presented by Bernstein [Ber05].
  • 2. Arm Cache-timing attacks used to break TrustZone-A [LGS+16], [ZSS+16], [ZSS+18], [LW19], [NCC18].
  • 3. Remote fault attacks also demonstrated on TrustZone-A, such as RowHammer shown on TrustZone-A by [Car17] and CLKscrew [TSS17].

SLIDE 11

“Remote” Side-Channel Attacks

  • Cortex-M frequently lack a true cache, making cache-timing attacks difficult.
  • Previous work on side-channel power analysis done with a ‘remote’ threat model includes:
  • 1. Building voltage-monitoring circuitry on a shared FPGA fabric ([SGMT18b] initially, [RPD+18] and [ZS18] show follow-on).

  • 2. Using on-board ADC of a microcontroller [GKT19].

May require very large set of data transferred out!

SLIDE 12

“Nearby” Side-Channel Attacks

  • Measuring voltage on I/O pin leaks information [SPK+10].
  • Band-limited signal measured on switch-mode “line” side can be used for AES attack [SLT16].
  • Band-limited radio signals have been previously used in attacking RSA/asymmetric [GST14], [GPPT15].

  • Recently AES attacked with radio signal leakage [CPM+18].

SLIDE 13

Part 1 – External CPA Attack

SLIDE 14

AES Accelerator Attack

SLIDE 15

SLIDE 16

AES Accelerator Attack

SLIDE 17

Effective Bit Depth of Samples?

SLIDE 18

Adjusting Bit Depth

SLIDE 19

Sample Rate Reduction due to Internal ADC

[Timing diagram; signal labels: CLKcore, State, Sample, Busy]

SLIDE 20

Synchronous Sampling Mode

ADC clock (even when undersampling) is still fully synchronous. The sample point does not have time jitter relative to the clock edge. A similar sample rate measured without clock synchronization will have very substantial jitter due to minor frequency mismatches.

SLIDE 21

Adjusting Sample Rate

SLIDE 22

Part 2 – On-Board Attack

Segger RTT (JTAG data transfer) ~1100 traces/second

SLIDE 23

Test Boards

Expected reduction of SNR from AD

SLIDE 24

Test A – Highest SNR

SLIDE 25

Sidenote about Internal Regulators

Does not react to fast transients, external decoupling capacitor required in most devices.

SLIDE 26

Sidenote about Internal Regulators

Majority of high-freq currents flowing from capacitor.

SLIDE 27

Sidenote about Internal Regulators

Regulator recharges capacitor (shows up as noise).

SLIDE 28

SLIDE 29

Clock Cycle Offset for AES to Measurement

[Timing diagram; signal labels: CLKcore, State, Sample, Busy]

SLIDE 30

Guessing Entropy & Cycle Offset

Cycle offset from AES call to start of sampling.

PGE of byte after 200K samples (considering all output samples, not selecting best leakage points).

SLIDE 31

Board ‘B’

SLIDE 32

SLIDE 33

Board C/D  Dev Kit

SLIDE 34

Part 3 - Development Kit Attack

SLIDE 35

SLIDE 36

Finding Leakage – TVLA Testing

Aligns with peak from CPA results.

Caveat: Due to strong down-sampling, hard to focus T-Test on middle 1/3 of AES only.
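
The fixed-vs-random t-test behind a TVLA assessment, as an added example that is not from the presentation or its repository. The trace model (unit Gaussian noise plus a Hamming-weight term at sample 13), the 0.2 leakage scale and the decimation factor of 8 are all constructed assumptions; the run also shows that, in this model, the phase of a down-sampled capture decides whether the leaking sample is seen at all.

```python
import math
import random

def welch_t(a, b):
    """Welch's t-statistic for two independent sample lists."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)

def leaky_points(fixed, rand, threshold=4.5):
    """Sample indices where |t| exceeds the usual TVLA threshold of 4.5."""
    hits = []
    for i in range(len(fixed[0])):
        t = welch_t([tr[i] for tr in fixed], [tr[i] for tr in rand])
        if abs(t) > threshold:
            hits.append(i)
    return hits

def make_traces(n, length, leak_at, fixed_input, rng):
    """Constructed traces: unit Gaussian noise plus a Hamming-weight term at one point."""
    traces = []
    for _ in range(n):
        value = 0xFF if fixed_input else rng.randrange(256)
        tr = [rng.gauss(0.0, 1.0) for _ in range(length)]
        tr[leak_at] += 0.2 * bin(value).count("1")
        traces.append(tr)
    return traces

def decimate(traces, factor, phase):
    """Keep every `factor`-th sample starting at `phase`, like an undersampling ADC."""
    return [tr[phase::factor] for tr in traces]

def demo():
    rng = random.Random(1)  # fixed seed so the run is repeatable
    fixed = make_traces(2000, 30, 13, True, rng)   # fixed-input set
    rand = make_traces(2000, 30, 13, False, rng)   # random-input set
    full = leaky_points(fixed, rand)               # full-rate capture
    missed = leaky_points(decimate(fixed, 8, 0), decimate(rand, 8, 0))
    caught = leaky_points(decimate(fixed, 8, 5), decimate(rand, 8, 5))
    return full, missed, caught

if __name__ == "__main__":
    print(demo())
```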

SLIDE 37

Switching Power Supply Mode

SLIDE 38

Switching Power Supply Mode

High Pass Filter

SLIDE 39

TVLA of Switching Regulator

SLIDE 40

SLIDE 41

Cross-Domain Attacks

  • Cross-domain attack uses availability of peripherals in non-secure world to attack secure world.
  • A remote exploit in non-secure world could be used to recover data from secure world.
  • Requires lots of data (~160 000 000 traces, 5GB).
  • Is ‘remote’ plausible? Not convinced.
  • Is ‘nearby’ plausible? Yes.
  • Countermeasures include:
      • Moving peripherals to secure world (caveat – we don’t want some libs in non-secure).
      • Validating environment (caveat – secure code cannot touch non-secure).

SLIDE 42

Availability of Datasets, Code, Etc

https://github.com/colinoflynn/xdomain-dpa-m23

  • 520M+ trace sets
  • 285GB of data files…

SLIDE 43

Thank-You and Questions

https://github.com/colinoflynn/xdomain-dpa-m23

Email: colin@oflynn.com (Colin), adewar@dal.ca (Alex)

Twitter: @colinoflynn

Thank you to many reviews & notes from those that wished to remain anonymous.
