SLIDE 1

Sponge-Based Control-Flow Protection for IoT Devices

Werner, Unterluggauer, Schaffenrath, Mangard 25th April 2018, London

Graz University of Technology

SLIDE 2

Motivation and Context

SLIDE 3

Logical Attacks

www.tugraz.at

  • Exploit software and design bugs
  • Mounted via external interfaces
  • Applicable via the Internet
  • Attack techniques:
      • Code: code injection, ret2libc, ROP, JOP
      • Data: DOP
  • Countermeasures:
      • Correct software
      • SW: W⊕X, ASLR, CFI, CPI, DFI, WIT
      • HW: processor privilege levels and access control

SLIDE 4

Physical Attacks

  • Tamper with the operating conditions to induce faults
  • Exploit the physical access to a device
  • Mostly local exploitation (IoT, cloud)
  • Huge portfolio of attacks [BDL97] and countermeasures for crypto [Bar+04]
  • Only little work on protecting processors [Cle+16]
  • Prominent example: Xbox 360 reset glitch hack

SLIDE 5

Contribution

  • Sponge-based Control-Flow Protection (SCFP)
      • Hardware-supported Control-Flow Integrity (CFI) scheme
      • Encrypts the instruction stream with instruction granularity
      • Protects against logical and physical attacks
  • Present and analyze two suitable sponge constructions
  • Discuss three SCFP instantiations (IE, AEE, AEE-Light)
  • Evaluate AEE-Light in a RISC-V processor
      • 9.1 % runtime overhead
      • 19.8 % code size overhead

SLIDE 6

Why Control-Flow Integrity?

    unsigned pin = read_pin();
    bool auth = check_pin(pin);
    if( auth ) {
      open_door();
    } else {
      raise_alarm();
    }
    log_event();

[Figure: graph with the nodes main, read_pin, check_pin, open_door, raise_alarm, log_event]

SLIDE 7

Why Control-Flow Integrity?

    unsigned pin = read_pin();
    bool auth = check_pin(pin);
    if( auth ) {
      open_door();
    } else {
      raise_alarm();
    }
    log_event();

[Figure: graph with the nodes main, read_pin, check_pin, open_door, raise_alarm, log_event, now with the label "attack"]

SLIDE 9

Why Control-Flow Integrity?

    unsigned pin = read_pin();
    bool auth = check_pin(pin);
    if( auth ) {
      open_door();
    } else {
      raise_alarm();
    }
    log_event();

[Figure: the code annotated with the labels "check condition", "perform action", "handle error", "continue"]

SLIDE 10

Why Control-Flow Integrity?

    check_auth:
        // auth in x1 (0 if authentic)
        BNE x0, x1, not_authenticated
    authenticated:
        // open door
        // ...
        J next
    not_authenticated:
        // raise_alarm
    next:
        // log event

SLIDE 12

Why Control-Flow Integrity?

    check_auth:
        // auth in x1 (0 if authentic)
        BEQ x0, x1, not_authenticated
    authenticated:
        // open door
        // ...
        J next
    not_authenticated:
        // raise_alarm
    next:
        // log event

SLIDE 13

Why Control-Flow Integrity?

    check_auth:
        // auth in x1 (0 if authentic)
        BNE x0, x0, not_authenticated
    authenticated:
        // open door
        // ...
        J next
    not_authenticated:
        // raise_alarm
    next:
        // log event

SLIDE 15

SCFP Concept

SLIDE 16

High-Level Concept

[Figure, three builds (slides 16–18): block diagram labelled Processor with the pipeline stages Fetch, Decode, Execute, Memory and Write Back, a Register File, an I-Cache and a D-Cache, and Memory (RAM/Flash). The second build adds the label SCFP, the third adds the label State.]

SLIDE 19

Decryption/Execution Example

[Figure, animated over slides 19–29: the encrypted strcmp function is decrypted and executed one instruction at a time. The ciphertext words of the rows that are still encrypted did not survive extraction; the decrypted rows and labels are listed below.]

    strcmp: 0x1b2a0645
    0xdd3fbcce : 03 06 05 00 : lb   a2, 0(a0)
    0xf5a92604 : 83 86 05 00 : lb   a3, 0(a1)
    0x58c04f0a : 5b 0c 06 00 : beqz a2, 24
    0xe70771a6 : 13 05 15 00 : addi a0, a0, 1
    0x5b26165e : 93 85 15 00 : addi a1, a1, 1
    0xa4e9634c : db 04 d6 fe : beq  a2, a3, -24

Slide 24 repeats 0x58c04f0a beside the row after beqz and beside a later, still encrypted row. In the final build (slide 29) the two branches appear as "bpeqz a2, 24" and "bpeq a2, a3,-24" with the labels "apply patch1" and "apply patch2", and that later row carries 0xa4e9634c instead.

SLIDE 30

Patching Branches

[Figure, two builds (slides 30–31): blocks A, B, C and D with an edge labelled "Branch"; the second build adds the label "Patch".]

SLIDE 32

Patching Direct Function Calls

[Figure, two builds (slides 32–33): labels Function A, Function B and Function C; blocks A1, A2, B, C1 and C2; edges labelled "Call" and "Return". The second build adds the labels PatchA and PatchC.]

SLIDE 34

Patching Indirect Function Calls

[Figure, two builds (slides 34–35): labels Function A, Function C, Function D and Function E; blocks A1, A2, C1, C2, D and E; edges labelled "ICall" and "Return". The final build carries the labels PatchA1, PatchA2, PatchC1, PatchC2, PatchD1, PatchD2, PatchE1 and PatchE2.]

SLIDE 36

Sponge Constructions for SCFP

SLIDE 37

Cryptographic Sponge Construction Recap

  • Mode of operation developed by Bertoni et al. [Ber+07]
  • Based on a fixed-length permutation + padding rule
  • Keccak standardized as SHA-3 and SHAKE
  • Hash functions, XOFs, MACs, stream and AEAD ciphers

[Figure: sponge construction with the message blocks M0, M1, M2, the output blocks Z0, Z1, the permutation f and the state parts r0 and x0]

SLIDE 38

SpongeWrap Decryption Mode

  • Original construction by Bertoni et al. [Ber+11]

[Figure: SpongeWrap decryption mode with the ciphertext blocks C0, C1, the plaintext blocks P0, P1, the permutation f and the state parts r and x]

SLIDE 39

SpongeWrap-like Decryption Mode

  • Original construction by Bertoni et al. [Ber+11]

[Figure: SpongeWrap-like decryption mode with the ciphertext blocks C0, C1, the plaintext blocks P0, P1, the inputs Patch0 and Patch1, the permutation f and the state parts r and x]

SLIDE 40

SpongeWrap-like Decryption Mode

  • Unmodified duplex construction when Patch = 0
  • Full state has to be patched for branches
  • Patch can be considered as associated data (AD)
  • Absorbing AD into the capacity is allowed for keyed sponges [MRV15; SY15]
  • Errors propagate directly from ciphertext to plaintext

SLIDE 41

APE Decryption Mode

  • Original construction by Andreeva et al. [And+14]

[Figure: APE decryption mode with the ciphertext blocks C0, C1, C2, the plaintext blocks P0, P1, the permutation f and the state parts x0, x1, x2, x0', x1']

SLIDE 42

APE-like Decryption Mode

  • Original construction by Andreeva et al. [And+14]

[Figure: APE-like decryption mode with the ciphertext blocks C0, C1, C2, the plaintext blocks P0, P1, the inputs Patch0 and Patch1, the permutation f and the state parts x0, x1, x2, x0', x1']

SLIDE 43

APE-like Decryption Mode

  • Removes direct dependency of P_i on C_{i+1}
  • Permutation between P_i and C_i
  • Only the capacity has to be patched
  • Not inverse-free regarding the permutation
  • Encryption has to be performed backward
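
The state chaining and branch patching from the preceding slides, as an added C sketch (not code from the talk or from the SCFP implementation): it encrypts two basic blocks backward, decrypts them forward, and shows that the branch target only decodes when the capacity is patched. It goes slightly beyond the slides by also flipping one stored ciphertext bit. Assumptions: a toy 4-round Feistel permutation stands in for PRINCE/Keccak-p, the state is 32 bits of rate plus 32 bits of capacity, and the round keys, end capacity values and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy keyed 64-bit permutation (4-round Feistel), a stand-in for PRINCE or
 * Keccak-p. Round keys are constructed sample values. NOT secure. */
static const uint32_t RK[4] = {0x243f6a88u, 0x85a308d3u, 0x13198a2eu, 0x03707344u};
static uint32_t F(uint32_t x, uint32_t k) {
    x = (x ^ k) * 0x9e3779b1u;
    return ((x << 13) | (x >> 19)) ^ (x >> 7);
}
static uint64_t perm(uint64_t s) {
    uint32_t l = (uint32_t)(s >> 32), r = (uint32_t)s;
    for (int i = 0; i < 4; i++) { uint32_t t = l ^ F(r, RK[i]); l = r; r = t; }
    return ((uint64_t)l << 32) | r;
}
static uint64_t perm_inv(uint64_t s) {
    uint32_t l = (uint32_t)(s >> 32), r = (uint32_t)s;
    for (int i = 3; i >= 0; i--) { uint32_t t = r ^ F(l, RK[i]); r = l; l = t; }
    return ((uint64_t)l << 32) | r;
}

/* Decrypt n words from entry capacity x: each ciphertext word replaces the rate,
 * the permutation runs, the new rate is the plaintext. Returns the end capacity. */
static uint32_t run(const uint32_t *c, uint32_t *out, int n, uint32_t x) {
    for (int i = 0; i < n; i++) {
        uint64_t s = perm(((uint64_t)c[i] << 32) | x);
        out[i] = (uint32_t)(s >> 32);
        x = (uint32_t)s;
    }
    return x;
}
/* Encrypt a block backward from its end capacity; returns the entry capacity. */
static uint32_t encrypt_block(const uint32_t *p, uint32_t *c, int n, uint32_t x) {
    for (int i = n - 1; i >= 0; i--) {
        uint64_t s = perm_inv(((uint64_t)p[i] << 32) | x);
        c[i] = (uint32_t)(s >> 32);
        x = (uint32_t)s;
    }
    return x;
}

/* Plaintext words from the strcmp listing on the slides. */
static const uint32_t SRC[2] = {0x00050603u, 0x00058683u}; /* lb a2,0(a0); lb a3,0(a1) */
static const uint32_t TGT[2] = {0x00150513u, 0x00158593u}; /* addi a0,a0,1; addi a1,a1,1 */
#define SRC_END 0x5eed5eedu /* constructed: capacity in which SRC ends */
/* Execute SRC, branch to TGT (patched or not) with fault_mask XORed into
 * TGT's first stored word; returns decrypted word idx of TGT. */
uint32_t target_word(int idx, int apply_patch, uint32_t fault_mask) {
    uint32_t cs[2], ct[2], out[2];
    uint32_t x_src = encrypt_block(SRC, cs, 2, SRC_END);
    uint32_t x_tgt = encrypt_block(TGT, ct, 2, 0xc0ffee00u); /* constructed end capacity */
    uint32_t patch = SRC_END ^ x_tgt;    /* build-time constant for this branch */
    uint32_t x = run(cs, out, 2, x_src); /* capacity when the branch is taken */
    if (apply_patch) x ^= patch;         /* only the capacity is patched */
    ct[0] ^= fault_mask;                 /* tampered or faulted code memory */
    run(ct, out, 2, x);
    return out[idx];
}

int main(void) { /* bit 12 is the lowest funct3 bit: BEQ vs. BNE in RV32I */
    for (int i = 0; i < 2; i++)
        printf("word %d: patched %08x unpatched %08x faulted %08x\n", i, (unsigned)target_word(i, 1, 0),
               (unsigned)target_word(i, 0, 0), (unsigned)target_word(i, 1, 1u << 12));
    return 0;
}
```

With the patch applied the target block decodes to the two addi words; without it, or with one stored bit flipped, the decoded words are unrelated to the intended instructions and the following word is affected as well.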

SLIDE 44

Instantiations and Security

  • Extremely flexible due to the sponge-based design
  • Security as well as overhead scales with the sponge
  • Three different instantiations of the APE-like mode
  • 32-bit instruction encodings

Table (built up over slides 44–47):

                                   Parameters [bit]   Crypt.      Attack Compl.
    Name        Permutation        x      sp          Security    CIA    CRA
    AEE         Keccak-p[200,12]   168    —           84          168    168
    IE          Keccak-p[50,12]    16     —           8           16     16
    AEE-Light   PRINCE             32     96          16          128    32

SLIDE 48

Evaluation and Summary

SLIDE 49

Implementation

  • Added SCFP to the RI5CY [ETH17] RISC-V processor core
  • 4 or 5 pipeline stages
  • AEE-Light with PRINCE in APE-like mode
  • ∼30 kGE of area for SCFP at 100 MHz in UMC65
  • Benchmarks using a very simple software toolchain

SLIDE 50

Overhead Evaluation

[Figure, built up over slides 50–53: bar chart of Overhead [%] per benchmark (aescbc, conv2d, dhrystone, ecc, eccopt, fir, fft, ipm) for the series Code Size and Runtime. Bar labels in extraction order: Code Size 14.8, 25.6, 20.1, 21, 20.1, 20.9, 16.8, 19.4, with 19.8 as the overall label; Runtime 9.5, 4.8, 14.4, 9.2, 3.8, 9.5, 7, 14.9, with 9.1 as the overall label.]

SLIDE 54

Summary

  • Physical attacks have to be considered
  • Sponge-based Control-Flow Protection
      • Hardware-supported CFI scheme
      • Encrypts the instruction stream with instruction granularity
  • Presented and analyzed two suitable sponge constructions
  • Discussed three SCFP instantiations (IE, AEE, AEE-Light)
  • Implemented AEE-Light into a RISC-V processor
      • 9.1 % runtime overhead
      • 19.8 % code size overhead

SLIDE 56

References

[And+14] Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, and Kan Yasuda. “APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography”. In: Fast Software Encryption – FSE 2014. Ed. by Carlos Cid and Christian Rechberger. Vol. 8540. LNCS. Springer, 2014, pp. 168–186. DOI: 10.1007/978-3-662-46706-0_9.

[Bar+04] Hagai Bar-El, Hamid Choukri, David Naccache, Michael Tunstall, and Claire Whelan. “The Sorcerer’s Apprentice Guide to Fault Attacks”. In: IACR Cryptology ePrint Archive 2004 (2004), p. 100. URL: http://eprint.iacr.org/2004/100.

[BDL97] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. “On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract)”. In: Advances in Cryptology – EUROCRYPT 97. Ed. by Walter Fumy. Vol. 1233. LNCS. Springer, 1997, pp. 37–51. DOI: 10.1007/3-540-69053-0_4.

[Ber+07] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. “Sponge functions”. In: ECRYPT Hash Workshop. 2007. URL: https://keccak.team/files/SpongeFunctions.pdf (visited on 01/19/2016).

[Ber+11] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. “Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications”. In: Selected Areas in Cryptography – SAC 2011. Ed. by Ali Miri and Serge Vaudenay. Vol. 7118. LNCS. Springer, 2011, pp. 320–337. DOI: 10.1007/978-3-642-28496-0_19.

[Cle+16] Ruan de Clercq, Ronald De Keulenaer, Bart Coppens, Bohan Yang, Pieter Maene, Koen De Bosschere, Bart Preneel, Bjorn De Sutter, and Ingrid Verbauwhede. “SOFIA: Software and control flow integrity architecture”. In: 2016 Design, Automation & Test in Europe Conference & Exhibition, DATE 2016, Dresden, Germany, March 14-18, 2016. Ed. by Luca Fanucci and Jürgen Teich. IEEE, 2016, pp. 1172–1177. URL: http://ieeexplore.ieee.org/document/7459489/.

[ETH17] ETH Zurich. RI5CY Source Repository. 2017. URL: https://github.com/pulp-platform/riscv (visited on 03/26/2018).

[MRV15] Bart Mennink, Reza Reyhanitabar, and Damian Vizár. “Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption”. In: Advances in Cryptology – ASIACRYPT 2015. Ed. by Tetsu Iwata and Jung Hee Cheon. Vol. 9453. LNCS. Springer, 2015, pp. 465–489. DOI: 10.1007/978-3-662-48800-3_19.

[SY15] Yu Sasaki and Kan Yasuda. “How to Incorporate Associated Data in Sponge-Based Authenticated Encryption”. In: Topics in Cryptology – CT-RSA 2015. Ed. by Kaisa Nyberg. Vol. 9048. LNCS. Springer, 2015, pp. 353–370. DOI: 10.1007/978-3-319-16715-2_19.