ASHES '23
Proceedings of the 2023 Workshop on Attacks and Solutions in Hardware Security
Last Update: 26 November, 2023
SESSION: Keynote Talks
In Search of Trust: 30 Years of Evolution of Trusted Computing and Hardware Security
- Claire Vishik
Hardware has been long considered as the source and root of trust in computing, but the nature of its trust characteristics and views on trust technologies have evolved over time. The infancy of hardware security and trust, decades ago, emerged in the days when security attacks were limited in number and sophistication, the computing environment was relatively simple and homogeneous, the population of connected users was small, and the use cases where computing played a key role were very far from ubiquitous. Today, the situation is diametrically different from the early days of hardware trust and trusted computing. The talk will provide an overview of the evolution of technology and use cases in this area, examine persistent challenges, analyze mistakes we made along the way, look into the intersections with adjacent areas of research and practice and finally outline some promising directions for the next generation of trusted technologies.
Physical Unclonable Functions: The First Fifty Years
- Ravikanth Pappu
For over twenty years, Physical Unclonable Functions (PUFs) have spurred innovation in hardware security, giving rise to novel systems, protocols, attacks, and a deeper understanding of extracting entropy from the inherent disorder in physical structures. Despite this progress, a crucial gap remains.
In this talk, I'll recount the (un)fortunate events that led me to discover PUFs and share key highlights of PUF research since. Looking back from a vantage point twenty years in the future, I'll explore some desired results required to bridge the gap and establish a theoretical framework for unclonability.
SESSION: Workshop Full Papers
FOBOS 3: An Open-Source Platform for Side-Channel Analysis and Benchmarking
- Eduardo Ferrufino
- Luke Beckwith
- Abubakr Abdulgadir
- Jens-Peter Kaps
The lightweight cryptography (LWC) standardization process by the National Institute of Standards and Technology (NIST) of the US is the latest example of competitions that require benchmarking and side-channel leakage evaluation of hardware implementations of a multitude of candidate algorithms. A common hardware application programming interface (API) streamlines the development of a test harness. However, no existing platform is directly compatible with the LWC algorithms' hardware interface. Hence, a significant effort is needed to evaluate and benchmark a large number of candidates.
This paper presents an open-source, multi-user platform for side-channel analysis and benchmarking we call FOBOS 3. It contains its own measurement board (FOBOS Shield) and target board (FBD-A7 with Xilinx Artix-7-A12 FPGA) and enables side-channel leakage evaluation as well as measurement of power and energy consumption. Case studies are included to highlight both features.
Better Side-Channel Attacks Through Measurements
- Alok K. Singh
- Ryan M. Gerdes
In recent years, there has been a growing focus on improving the efficiency of the power side-channel analysis (SCA) attack by using machine learning or artificial intelligence methods; however, they can only be as good as the data they are trained on. Previous work has not given much attention to improving the accuracy of measurements by optimizing the measurement setup and the parameters, and most new researchers rely on heuristics to make measurements. This paper proposes an effective methodology to launch power SCA and increase the efficiency of the attack by improving the measurements. We examine the heuristics related to measurement parameters, investigate ways to optimize the parameters, determine their effects empirically, and provide a theoretical analysis to support the findings. To demonstrate the shortcomings of commercial measurement devices, we present a low-cost measurement board design and its hardware realization. In doing so, we are able to improve the power measurements by optimizing the measurement setup, which in turn improves the efficiency of the attack.
A Side-Channel Attack on a Masked Hardware Implementation of CRYSTALS-Kyber
- Yanning Ji
- Elena Dubrova
NIST has recently selected CRYSTALS-Kyber as a new public key encryption and key establishment algorithm to be standardized. This makes it important to evaluate the resistance of CRYSTALS-Kyber implementations to side-channel attacks. Software implementations of CRYSTALS-Kyber have already been thoroughly analysed. The discovered vulnerabilities helped improve the subsequently released versions and promoted stronger countermeasures against side-channel attacks. In this paper, we present the first attack on a protected hardware implementation of CRYSTALS-Kyber. We demonstrate a practical message (shared key) recovery attack on the first-order masked FPGA implementation of Kyber-512 by Kamucheka et al. (2022) using power analysis based on the Hamming distance leakage model. The presented attack exploits a vulnerability located in the masked message decoding procedure which is called during the decryption step of the decapsulation. The message recovery is performed using a profiled deep learning-based method which extracts the message directly, without extracting each share explicitly. By repeating the same decapsulation process multiple times, it is possible to increase the success rate of full shared key recovery to 99%.
Cover Chirp Jamming: Hybrid Jamming-Deception Attack on FMCW Radar and Its Countermeasure
- Shoei Nashimoto
- Tomoyuki Nagatsuka
The reliability of measurements is crucial for ensuring the safety of control systems that depend on such measurements. Frequency-modulated continuous-wave (FMCW) radar is an active sensor used to measure distance and speed. Security evaluations of commercial FMCW radars have focused primarily on deception attacks, assuming that jamming attacks are easier to address. In this study, we propose a novel and efficient jamming attack called cover chirp jamming. This attack utilizes deception techniques and concentrates energy near the target, resulting in higher efficiency compared to conventional jamming methods. Furthermore, it can bypass existing countermeasures against noise, interference, and jamming. We demonstrate the effectiveness and feasibility of the attack through field and simulation experiments using a modern 77-GHz multi-input multi-output FMCW radar. Moreover, we propose a software-based countermeasure that detects and mitigates the attack. Our quantitative evaluation shows that the power of cover chirp jamming is 17.4 dB higher than conventional jamming. In addition, the countermeasure effectively mitigates the attack if the jamming-to-signal ratio (JSR) is below 0.6 dB, whereas the cover chirp jamming cannot be mitigated when the JSR exceeds 0.6 dB.
Enabling Lattice-Based Post-Quantum Cryptography on the OpenTitan Platform
- Tobias Stelzer
- Felix Oberhansl
- Jonas Schupp
- Patrick Karl
The first generation of post-quantum cryptography (PQC) standards by the National Institute of Standards and Technology (NIST) is just around the corner. The need for secure implementations is therefore increasing. In this work, we address this need and investigate the integration of lattice-based PQC into an open-source silicon root of trust (RoT), the OpenTitan. RoTs are important security building blocks that need to be future-proofed with PQC. The OpenTitan features multiple cryptographic hardware accelerators and countermeasures against physical attacks, but does not offer dedicated support for lattice-based PQC. Thus, we propose instruction set extensions for the OpenTitan Big Number accelerator (OTBN) to improve the efficiency of polynomial arithmetic and sampling. As a case study we analyze the performance of signature verification of the digital signature scheme Dilithium. Our implementation verifies signatures within 997,722 cycles for security level II, pushing this RoT functionality below 10 ms for the OpenTitan's target frequency of 100 MHz. With an overhead of 242 kGE, our hardware extensions make up only about 5% of the total RoT area. All our extensions integrate seamlessly with countermeasures against physical attacks and comply with the adversary model chosen by the OpenTitan project.
BioLeak: Exploiting Cache Timing to Recover Fingerprint Minutiae Coordinates
- Owen Pemberton
- David Oswald
The wide deployment of biometric authentication and particularly fingerprint matching on mobile devices and laptops raises the question about their security. While respective algorithms have been extensively analysed regarding their ability to correctly identify a specific individual (and reject others), little attention has been paid to their secure implementation, especially on multi-user and multi-process systems. In this paper, we focus on this aspect and show that cache attacks on real-world biometric algorithms are a viable way to extract the user's fingerprint minutiae coordinates using a single side-channel trace. Specifically, we analyse NIST's MindTCT library that is used by the Linux fprintd fingerprint authentication system to identify suitable addresses for a Flush+Reload attack, then devise post-processing techniques to recover minutiae information. Using 1000 synthetic test fingerprints, our method succeeds in approximately 9% of cases to recover minutiae from a single cache trace. Our work proves that there is side-channel leakage from a widely used biometric algorithm and therefore more research should be performed on hardening biometric algorithms against such attacks.
Beyond the Last Layer: Deep Feature Loss Functions in Side-channel Analysis
- Trevor Yap
- Stjepan Picek
- Shivam Bhasin
This paper provides a novel perspective on improving the efficiency of side-channel analysis by applying two deep feature loss functions: Soft Nearest Neighbor (SoftNN) and Center loss. By leveraging these loss functions during the deep neural networks (DNNs) training phase, our study illuminates how profiling attacks can be more powerful. Deep feature loss functions incorporate the outputs from the DNN's intermediate layers into their computations, which reduces the distance between similar data points. As such, these techniques enhance the DNN's ability to generate more precise and meaningful representations, thereby improving its discriminative power. This paper presents empirical evidence illustrating the effectiveness of SoftNN and Center loss in strengthening DNN-based side-channel attacks. For instance, when using Center loss together with the focal loss ratio (FLR), it requires the least number of traces to break the ASCADf dataset. On the other hand, applying SoftNN with FLR successfully recovers the key for the ASCADr dataset with the least traces. The insights presented in this study can act as a baseline for more advanced investigations into the utility of such loss functions in deep learning-based side-channel analysis.
Netlist Whisperer: AI and NLP Fight Circuit Leakage!
- Madhav Nair
- Rajat Sadhukhan
- Hammond Pearce
- Debdeep Mukhopadhyay
- Ramesh Karri
Side-channel attacks (SCA) represent a significant challenge when designing secure hardware. Currently, mitigating the risk of SCA requires costly human expertise. The OpenROAD project, an AI-based initiative, aims to expedite hardware design by eliminating the need for human intervention, reducing costs and expertise requirements. AI to prevent SCA is pertinent: in this work, we explore the usage of AI-based Natural Language Processing (NLP) tools like GPT-3 which provide novel capabilities for text-based tasks. We explore whether GPT-3 can effectively detect side-channel leaks and replace the need for human proficiency in designing secure hardware. We propose a two-phase AI-based pre-silicon design flow. In phase-1, our flow uses an Ada-based GPT-3 model to analyze the electrical properties of nets and classify them as leaky without simulating actual power traces. If security vulnerabilities are identified in the netlist, phase-2 recommends an SCA-protected netlist using a Curie-based GPT-3 model. We integrate a formal equivalence check to ensure functional equivalence between the suggested protected circuit and its unprotected version. Our AI models reduce side-channel evaluation time by evaluating nets without power-trace collection, accelerating design time, and generating secured hardware without human expertise in the loop. We evaluate our design flow on benchmark netlists, viz. ISCAS-85 circuits and unprotected S-Boxes. The protected S-Box counterparts are generated using first-order Domain-Oriented Masking.
Remote Fault Injection Attack against Cryptographic Modules via Intentional Electromagnetic Interference from an Antenna
- Hikaru Nishiyama
- Daisuke Fujimoto
- Yuichi Hayashi
Fault injection attacks on cryptographic modules pose significant threats, yet conventional fault injection methods require physical access to the target device. This paper introduces a novel fault injection method using Intentional Electromagnetic Interference (IEMI) to induce temporary faults in cryptographic modules without intrusion, proximity, or synchronization with the encryption process. The proposed method selects a frequency that can cause faults only in the target cryptographic modules without disrupting other modules in the device. Additionally, faults suitable for secret key analysis are efficiently generated even when EM waves are injected asynchronously into the cryptographic operation. To demonstrate the effectiveness of the proposed method, an experiment was conducted where EM waves were irradiated from an antenna positioned 2 meters away from a cryptographic device with an Advanced Encryption Standard (AES) implementation, inducing faults. The secret key was successfully retrieved by applying Differential Fault Analysis (DFA) to the obtained faulty ciphertexts. The proposed method holds the potential to be applied to devices that have previously been considered outside the scope of fault injection attack threats, owing to the difficulty in implementing conventional fault scenarios. This suggests a broader range of applicability for addressing security concerns in such devices. Consequently, there exists a possibility that even devices already in circulation could become susceptible to these threats, necessitating the implementation of measures to protect such equipment against potential attacks. As a countermeasure against this kind of threat, we propose and demonstrate the ability to significantly reduce the transmission efficiency of the EM waves utilized for attacks by expanding upon the concept of EM shielding. Consequently, it significantly decreased the occurrence rate of faults. This is achieved by merely positioning conductive materials close to cryptographic devices rather than completely enclosing them in a conductive enclosure.
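The abstract above ends with DFA turning faulty ciphertexts into the AES key. The block below is an added example, not code from the paper, showing the core of that step for one key byte of the last round key. The paper's EM-induced fault model is not reproduced; the example assumes Giraud's model of a single bit flipped in one state byte just before the final SubBytes, and the "encryptions" are constructed by drawing random state bytes rather than running AES. Every key-byte guess that maps the correct/faulty ciphertext pair back to a single-bit difference survives; intersecting the survivors over a handful of pairs leaves only the true byte.

```python
# Added example (not the paper's code): Giraud-style differential fault
# analysis on the final AES round, one key byte at a time.
# Assumed fault model: one bit of a state byte flips right before the last
# SubBytes.  State bytes are constructed at random in place of real AES runs.
import random


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(a):
    """Multiplicative inverse as a^254 (0 maps to 0, as AES requires)."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def _build_sbox():
    """AES S-box: GF(2^8) inverse followed by the affine map with constant 0x63."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):                       # inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x


def last_round_byte(x, k):
    """One byte of the final AES round: SubBytes then AddRoundKey.
    ShiftRows only relocates the byte to a known position, so a per-byte
    view can leave it out."""
    return SBOX[x] ^ k


def faulty_pair(x, k, bit):
    """Constructed fault: flip one bit of the state byte before SubBytes.
    Returns (correct ciphertext byte, faulty ciphertext byte)."""
    return last_round_byte(x, k), last_round_byte(x ^ (1 << bit), k)


def dfa_candidates(c, c_faulty):
    """Key-byte guesses for which the pair decodes to a single-bit input difference."""
    cands = set()
    for k in range(256):
        delta = INV_SBOX[c ^ k] ^ INV_SBOX[c_faulty ^ k]
        if delta and (delta & (delta - 1)) == 0:    # exactly one bit set
            cands.add(k)
    return cands


def recover_key_byte(pairs):
    """Intersect the candidate sets of several (correct, faulty) pairs."""
    cands = set(range(256))
    for c, cf in pairs:
        cands &= dfa_candidates(c, cf)
    return cands


def simulate_attack(true_key, n_faults, seed=1):
    """Draw n_faults random state bytes and fault positions, then run DFA."""
    rng = random.Random(seed)
    pairs = [faulty_pair(rng.randrange(256), true_key, rng.randrange(8))
             for _ in range(n_faults)]
    return recover_key_byte(pairs)


if __name__ == "__main__":
    print(sorted(hex(k) for k in simulate_attack(0x2B, 12)))
```

One pair typically leaves about 8 of the 256 guesses, since a wrong key byte rarely maps the pair to a one-bit difference; a dozen pairs per byte is more than enough in this model. Repeating the procedure for all 16 ciphertext positions yields the whole last round key, from which the AES-128 key schedule can be inverted to the original key.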
Effective Layout Design for Laser Fault Sensor on FPGA
- Shungo Hayashi
- Junichi Sakamoto
- Masaki Chikano
- Tsutomu Matsumoto
Laser fault injection (LFI) refers to a precise attack that introduces specific errors into an operating device. In response to the increasing prevalence of such attacks, recent studies have proposed various countermeasures, primarily including conventional analog circuit-level solutions such as optical sensors and current sensors. In addition, digital sensors can be designed at the digital circuit level. However, the countermeasures proposed using digital sensors have primarily been limited to the schematic level, and their physical layouts have not been thoroughly examined. To this end, this study proposes a novel design methodology focusing on the physical layout of digital sensors to enhance laser detection in field programmable gate arrays. The proposed design methodology was applied to two types of sensors, namely, ring oscillator (RO)-based and time-to-digital converter (TDC)-based sensors. First, we conducted a naive implementation of the RO-based sensor, which did not consider the layout and only provided protection to a limited area of the device. Moreover, we proposed a more detailed design methodology for digital LFI sensors, which was specifically tailored to effectively protect a larger area of the device and was successfully applied to both RO-based and TDC-based sensors. In addition to this design methodology, we conducted comprehensive laser-scanning experiments using an extensive parameter space to evaluate the two types of LFI sensors. These evaluations demonstrated that the improved RO-based sensor can detect up to 80.1% of laser shots and 99.8% of the faults. In comparison, the TDC-based sensor could detect 75.4% of the laser shots and 85.4% of the faults. These results show the effectiveness of the proposed method.
SESSION: Workshop Short Paper
Modulation to the Rescue: Identifying Sub-Circuitry in the Transistor Morass for Targeted Analysis
- Xhani Marvin Saß
- Thilo Krachenfels
- Frederik Dermot Pustelnik
- Jean-Pierre Seifert
- Frank Altmann
Physical attacks form one of the most severe threats against secure computing platforms. Their criticality arises from their corresponding threat model: By, e.g., passively measuring an integrated circuit (IC)'s environment during a security-related operation, internal secrets may be disclosed. Furthermore, by actively disturbing the physical runtime environment of an IC, an adversary can cause a specific, exploitable misbehavior. The set of physical attacks consists of techniques that apply either globally or locally. When compared to global techniques, local techniques exhibit a much higher precision, hence having the potential to be used in advanced attack scenarios. However, using physical techniques with additional spatial dependency expands the parameter search space exponentially. In this work, we present and compare two techniques, namely laser logic state imaging (LLSI) and lock-in thermography (LIT), that can be used to discover sub-circuitry of an entirely unknown IC based on optical and thermal principles. We show that the time required to identify specific regions can be drastically reduced, thus lowering the complexity of physical attacks requiring positional information. Our case study on an Intel H610 Platform Controller Hub showcases that, depending on the targeted voltage rail, our technique reduces the search space by around 90 % to 98 %.
Towards Unsupervised SEM Image Segmentation for IC Layout Extraction
- Nils Rothaug
- Simon Klix
- Nicole Auth
- Sinan Böcker
- Endres Puschner
- Steffen Becker
- Christof Paar
This paper presents a novel approach towards unsupervised SEM image segmentation for IC layout extraction. Existing methods typically rely on supervised machine learning with manually labeled training data, requiring re-training and partial annotation when applying them to new datasets. To address this issue, we propose an SEM image segmentation algorithm based on unsupervised deep learning, eliminating the need for manual labeling. We train and evaluate our approach on a real-world dataset comprising 648 SEM images of metal-1 and metal-2 layers from a commercial IC, achieving competitive segmentation error rates well below 1%. By releasing our dataset and algorithm implementations, we allow researchers to apply our approach to their own datasets and evaluate their methods against our dataset, facilitating reproducibility in the field.