Securing the core root of trust(research in secure hardware design and test)

Ramesh Karri (rkarri@duke.poly.edu)ECE Department

Who can attack your system?

Hobby (class I) Obsession (class II) Job (class III)

D. Abraham, G. Dolan, G. Double, and J. Stevens. Transaction Security System. IBM Systems Journal 30(2): 206-229, 1991.

How can your system be compromised?

Application software Protocols Operating system software

Is the problem worth my time?

Source: http://www.uscc.gov/annual_report/2008/annual_report_full_09.pdf, , page 168US-China economic and security review commission hearing on China's proliferation practices and the development of its cyber and space warfare capabilities, testimony of Col. Gary McAlum.

How can your system be protected?

Fix applications Fix protocols Fix operating systems

“the core root of trust” is secure

This assumes that…

“the core root of trust” is secure

But…

Outline

1. threat models2. defenses3. conclusions

Threat models for hardware Side channels

Power dissipation Timing variation Test infrastructure Faults interactions between side channels

Cloning Overbuilding Reverse Engineering Trojans

An example: test infrastructure side channel

Data Encryption Standard (DES)Li

RiRound Key Ki

+

Li+1Ri+1

r

Expansion

+

S-box S-box

Permutation

ab

c

d

Initial Permutation

Input_Reg

+ f

Reverse Permutation

Output_Reg

MUXMUX

R_RegKey Reg

Control

Round key ROM

4

L_Reg

en

en

sel

addr

DES layout

scan chain test data input, TDI test data output, TDO test clock, TCK test mode select, TMS test reset

chain all flip flops in a design

test infrastructure

identify critical registers

attack step 1

Initial Permutation

Input_Reg

+ f

Reverse Permutation

Output_Reg

MUXMUX

R_RegKey Reg

Control

Round key ROM

4

L_Reg

en

en

sel

addr

apply selected inputs

attack step 2

3 plain texts 2 clock cycles in normal mode (plaintext reaches R,L) 198 clock cycles in test mode (R0, L0 scanned out) 1 clock cycle in normal mode (plaintext reaches R, L) 198 clock cycles in test mode (R1, L1 scanned out)

399×3=1197 clock cycles

• Can leak secrets from DES, AES etc • >80 % of all ASICs use scan chains for test/debug • Readback/test infrastructure in FPGAs

• Load configuration stream• Read-out bitstream for debug

test

normal

Secure normal

Insecure

Power off

A fix: secure scan

test

normal

Secure normal

Insecure

Power offSecure scan

Standards compliant3rd Prize, 2008-2009 IEEE TTTC PhD dissertation contest

Hardware threat models Side channels

Power dissipation Timing variation Test infrastructure Faults interactions between side channels

Cloning Overbuilding Reverse Engineering Trojans

T

DD

F

UU

U

Background: IC design process

D: Design, F: FabricationT: Test, U: User

Rev. engineering

T

DD

F

UU

U

Reverse engineering

D: Design, F: FabricationT: Test, U: User

3500 counterfeit Cisco networking components recovered • estimated retail value ~ $3.5 million

cloningT

DD

F

UU

U

Cloning

D: Design, F: FabricationT: Test, U: User

Trojans

T

DD

F

UU

U

Hardware Trojans

D: Design, F: FabricationT: Test, U: User

The kill switch ?

IEEE Spectrum, 2008

Only 2% of ~$3.5 billion of DoD ICs manufactured intrusted foundries !!!

Taxonomy of trojans

Leak AES key 40 registrations, 10 finalists, 3 winners, 2 honorable mentionshttp://isis.poly.edu/csaw/embedded

Trojan challenge

Trojans in the development cycle

Trojans at different abstractions

Location of the inserted trojans

Where are the trojans inserted?

2 1 3 4

Next steps

develop defenses investigate effectiveness developing benchmarks metrics?

Physically unclonable functions

• Uses physical structure of a device to give a unique response

• Used as device IDs• The ring oscillator frequency varies with process variations.

A trojan defense

Trivium

JTAG

Interpreter

Transmit DataRS232 UARTReceive Data

I/O SELECT

CLOCK

RS232-DCE_RXD

RESET

REC_READY

RS232_DCE_TXDUART CLK

FREQUENCYCOUNTER

C0

A1

B1

A2

B2

S1

S2

C1

C2

DETECTIONRING

OSCILLATOR OUTPUT

PUF gives unique ID to hardwareCan we give a unique ID to a design?

A preliminary defense

Trivium

JTAG

Interpreter

Transmit DataRS232 UARTReceive Data

I/O SELECT

CLOCK

RS232-DCE_RXD

RESET

REC_READY

RS232_DCE_TXDUART CLK

FREQUENCYCOUNTER

Next steps

develop defenses investigate effectiveness developing benchmarks metrics?

Questions? rkarri@duke.poly.edu, 917 363 9703