9.5 Physical Attacks

Date: Thursday 22 March 2018
Time: 08:30 - 10:00
Location / Room: Konf. 3

Chair:
Bilge Kavun Elif, Infineon Technologies, DE

Co-Chair:
Batina Lejla, Radboud University, NL

Electronic circuits are increasingly processing sensitive confidential data, such as personal information. In this session, new types of attacks to extract such data out of circuits are discussed in-depth. They encompass passive side-channel attacks and active manipulations of circuits.

Time   Label   Presentation Title / Authors
08:30   9.5.1   (Best Paper Award Candidate)
AN INSIDE JOB: REMOTE POWER ANALYSIS ATTACKS ON FPGAS
Speaker:
Falk Schellenberg, Ruhr-Universität Bochum, DE
Authors:
Falk Schellenberg¹, Dennis Gnad², Amir Moradi¹ and Mehdi Tahoori²
¹Ruhr University Bochum, DE; ²Karlsruhe Institute of Technology, DE
Abstract
Hardware Trojans have gained increasing interest during the past few years. Undeniably, the detection of such malicious designs needs a deep understanding of how they can practically be built and developed. In this work we present a design methodology dedicated to FPGAs which allows measuring a fraction of the dynamic power consumption. More precisely, we develop internal sensors which are based on FPGA primitives, and transfer the internally-measured side-channel leakages outside. These are distributed and calibrated delay sensors which can indirectly measure voltage fluctuations due to power consumption. By means of a cryptographic core as a case study, we present different settings and parameters for our employed sensors. Using their side-channel measurements, we further exhibit practical key-recovery attacks confirming the applicability of the underlying measurement methodology. This opens a new door to integrate hardware Trojans in a) applications where the FPGA is remotely accessible and b) FPGA-based multi-user platforms where the reconfigurable resources are shared among different users. This type of Trojan is highly difficult to detect since there is no signal connection between targeted (cryptographic) core and the internally-deployed sensors.

09:00   9.5.2   CONFIDENT LEAKAGE DETECTION - A SIDE-CHANNEL EVALUATION FRAMEWORK BASED ON CONFIDENCE INTERVALS
Authors:
Florian Bache¹, Christina Plump¹ and Tim Güneysu²
¹University of Bremen, DE; ²University of Bremen & DFKI, DE
Abstract
Cryptographic devices that potentially operate in hostile physical environments need to be secured against side-channel attacks. In order to ensure the effectiveness of the required countermeasures, scientists, developers, and evaluators need efficient methods to test the level of security of a device. In this paper we propose a new framework based on confidence intervals that extends established t-test based approaches for test-vector leakage assessment (TVLA). In comparison to previous TVLA approaches the new methodology does not only enable the detection of leakage but can also assert its absence. The framework is robust against noise in the evaluation system and thereby avoids false negatives. These improvements can be achieved without overhead in measurement complexity and with a minimum of additional computational costs compared to previous approaches. We evaluate our method under realistic conditions by applying it to a protected implementation of AES.

09:30   9.5.3   ØZONE: EFFICIENT EXECUTION WITH ZERO TIMING LEAKAGE FOR MODERN MICROARCHITECTURES
Speaker:
Zelalem Aweke, University of Michigan, US
Authors:
Zelalem Birhanu Aweke and Todd Austin, University of Michigan, US
Abstract
Time variation during program execution can leak sensitive information. Time variations due to program control flow and hardware resource contention have been used to steal encryption keys in cipher implementations such as AES and RSA. A number of approaches to mitigate timing-based side-channel attacks have been proposed including cache partitioning, control-flow obfuscation and injecting timing noise into the outputs of code. While these techniques make timing-based side-channel attacks more difficult, they do not eliminate the risks. Prior techniques are either too specific or too expensive, and all leave remnants of the original timing side channel for later attackers to attempt to exploit. In this work, we show that the state-of-the-art techniques in timing side-channel protection, which limit timing leakage but do not eliminate it, still have significant vulnerabilities to timing-based side-channel attacks. To provide a means for total protection from timing-based side-channel attacks, we develop Ozone, the first zero timing leakage execution resource for a modern microarchitecture. Code in Ozone executes under a special hardware thread that gains exclusive access to a single core's resources for a fixed (and limited) number of cycles during which it cannot be interrupted. Memory access under Ozone thread execution is limited to pre-allocated cache lines that can not be evicted, and all Ozone threads begin execution with a known fixed microarchitectural state. We evaluate Ozone using a number of security sensitive kernels that have previously been targets of timing side-channel attacks, and show that Ozone eliminates timing leakage with minimal performance overhead.

09:45   9.5.4   SCADPA: SIDE-CHANNEL ASSISTED DIFFERENTIAL-PLAINTEXT ATTACK ON BIT PERMUTATION BASED CIPHERS
Speaker:
Jakub Breier, Nanyang Technological University, SG
Authors:
Jakub Breier¹, Dirmanto Jap¹ and Shivam Bhasin²
¹Nanyang Technological University, SG; ²Temasek Laboratories, Nanyang Technological University, SG
Abstract
Bit permutations are a common choice for diffusion function in lightweight block ciphers, owing to their low implementation footprint. In this paper, we present a novel Side-Channel Assisted Differential-Plaintext Attack (SCADPA), exploiting specific vulnerabilities of bit permutations. SCADPA is a chosen-plaintext attack, knowledge of the ciphertext is not required. Unlike statistical methods, commonly used for distinguisher in standard power analysis, the proposed method is more differential in nature. The attack shows that diffusion layer can play a significant role in distinguishing the internal cipher state. We demonstrate how to practically exploit such vulnerability to extract the secret key. Results on microcontroller-based PRESENT-80 cipher lead to full key retrieval using as low as 17 encryptions. It is possible to automate the attack by using a thresholding method detailed in the paper. Several case studies are presented, using various attacker models and targeting different encryption modes (such as CTR and CBC). We provide a discussion on how to avoid such attack from the design point of view.

10:00   IP4-9, 167   EXAMINING THE CONSEQUENCES OF HIGH-LEVEL SYNTHESIS OPTIMIZATIONS ON THE POWER SIDE CHANNEL
Speaker:
Lu Zhang, Northwestern Polytechnical University, CN
Authors:
Lu Zhang¹, Wei Hu², Armaiti Ardeshiricham², Yu Tai¹, Jeremy Blackstone², Dejun Mu¹ and Ryan Kastner²
¹Northwestern Polytechnical University, CN; ²University of California, San Diego, US
Abstract
High-level synthesis (HLS) allows hardware designers to think algorithmically and not have to worry about low-level, cycle-by-cycle details. This provides the ability to quickly explore the architectural design space and tradeoff between resource utilization and performance. Unfortunately, evaluating the security is not a standard part of the HLS design flow. In this work, we aim to understand the effects of HLS optimizations with respect to power side-channel leakage. We use Vivado HLS to develop different cryptographic cores, implement them on a Xilinx Spartan 6 FPGA, and collect power traces. We evaluate the designs with respect to resource utilization, performance, and side-channel leakage through power consumption. Furthermore, we analyze the first-order leakage of the HLS-based designs alongside well-known register transfer level (RTL) cryptographic cores. We describe an evaluation procedure for hardware designers and use it to make insightful recommendations on how to design the best architecture in cryptographic domain.

10:01   IP4-10, 564   DFARPA: DIFFERENTIAL FAULT ATTACK RESISTANT PHYSICAL DESIGN AUTOMATION
Speaker:
Debdeep Mukhopadhyay, Indian Institute of Technology Kharagpur, IN
Authors:
Mustafa Khairallah¹, Rajat Sadhukhan², Radhamanjari Samanta², Jakub Breier¹, Shivam Bhasin³, Rajat Subhra Chakraborty², Anupam Chattopadhyay¹ and Debdeep Mukhopadhyay²
¹Nanyang Technological University, SG; ²Indian Institute of Technology Kharagpur, IN; ³Temasek Laboratories, Nanyang Technological University, SG
Abstract
Differential Fault Analysis (DFA), aided by sophisticated mathematical analysis techniques for ciphers and precise fault injection methodologies, has become a potent threat to cryptographic implementations. In this paper, we propose, to the best of our knowledge, the first "DFA-aware" physical design automation methodology, that effectively mitigates the threat posed by DFA. We first develop a novel floorplan heuristic, which resists the simultaneous corruption of cipher states necessary for successful fault attack, by exploiting the fact that most fault injections are localized in practice. Our technique results in the computational complexity of the fault attack to shoot up to exhaustive search levels, making them practically infeasible. In the second part of the work, we develop a routing mechanism, which tackles more precise and costly fault injection techniques, like laser and electromagnetic guns. We propose a routing technique by integrating a specially designed ring oscillator based sensor circuit around the potential fault attack targets without incurring any performance overhead. We demonstrate the effectiveness of our technique by applying it on state of the art ciphers.

10:00   End of session
Coffee Break in Exhibition Area



Coffee Breaks in the Exhibition Area

On all conference days (Tuesday to Thursday), coffee and tea will be served during the coffee breaks at the below-mentioned times in the exhibition area (Terrace Level of the ICCD).

Lunch Breaks (Großer Saal + Saal 1)

On all conference days (Tuesday to Thursday), a seated lunch (lunch buffet) will be offered in the rooms "Großer Saal" and "Saal 1" (Saal Level of the ICCD) to fully registered conference delegates only. There will be badge control at the entrance to the lunch break area.

Tuesday, March 20, 2018

  • Coffee Break 10:30 - 11:30
  • Lunch Break 13:00 - 14:30
  • Awards Presentation and Keynote Lecture in "Saal 2" 13:50 - 14:20
  • Coffee Break 16:00 - 17:00

Wednesday, March 21, 2018

  • Coffee Break 10:00 - 11:00
  • Lunch Break 12:30 - 14:30
  • Awards Presentation and Keynote Lecture in "Saal 2" 13:30 - 14:20
  • Coffee Break 16:00 - 17:00

Thursday, March 22, 2018

  • Coffee Break 10:00 - 11:00
  • Lunch Break 12:30 - 14:00
  • Keynote Lecture in "Saal 2" 13:20 - 13:50
  • Coffee Break 15:30 - 16:00