Security Vulnerabilities, Challenges and Opportunities in Hardware Design for IoT Devices 物联网设备硬件设计的安全隐患、 挑战和机遇 Gang Qu University of Maryland, College Park 2015 中国互联网安全大会 September 30, 2015 Hardware in Security and Trust Be careful where Evolving role of HW in security: you store the key Enabler Enhancer Enforcer Physical Attacks • • • • • • Reverse engineering Side channel attacks Microprobing Fault generation Software attacks … Be careful where you store the key [Ross Anderson, Security Engineering 2001] SCA: Attackers with Good Ears … • Side channel analysis attacks: – Monitor/measure chip’s physical characteristics during its normal operation – Perform data analysis to learn information • Side channels: – cache memory, power/current, timing, scan chain, EM radiation, output signal … Development of a Cipher • Design and implementation of a cipher – Algorithm/protocol design – Software implementation RSA: C = Pe (mod n) P = Cd (mod n) Cryptographer Mathematician Software engineer 1. 2. 3. 4. 5. 6. 7. 8. binary: ksks-1…k1k0 b = 1; for (i=s; i>=o; i--) { b = b*b (mod n); if (ki == 1) b = b * a (mod n) } … General purpose computing platform Modular Exponentiation: ae (mod n) • Goal: Compute ae (mod n) 1. 2. 3. 4. 5. 6. 7. 8. convert e to binary: ksks-1…k1k0 b = 1; Side channel attacks! for (i=s; i>=o; i--) { b = b*b (mod n); Observable side channel info during hardware execution: if (ki == 1) current, power, timing, … b = b * a (mod n) The value of bit ki determines } whether this non-trivial operation will be required. return b; Power Analysis Attacks http://www.eetimes.com/document.asp?doc_id=1278081 Security comes by design, not by default! Trust in Hardware Design What I want 1/0 11 0/1 What I get works, but is untrusted. There are backdoors! A B x A’ B’ 0 0 0 0 1 0 0 1 1 0 0 1 0 0 0 0 1 1 1 0 1 0 0 1 0 1 0 1 0 0 1 1 0 1 0 1 1 1 0 0 Malicious Design • Hardware Trojan horse: adding hidden access to state 00 [Dunbar and Qu, TECS’14] [Dunbar and Qu, IWLS’13] Optical Fault Injection Attacks [Sergei and Anderson et al, CHES 2002] Hardware in Security and Trust Evolving role of HW in security: Enabler Enhancer Enforcer Weakest Link ? 3748 Secure Systems based on Trusted Hardware Great Promises! TPM PUF HW-SW co-design Trust Platform Module (TPM) • TPM refers to – the set of specifications for a secure crypto-processor, and – chip implementation of these specifications. • TPM chips – can be installed on the motherboard and is used in almost all PCs, laptops, and tablets; most smart phones. – Best to be used together with: firewall, antivirus software, smart card, biometric verification – Vendors: Atmel, Broadcom, Infineon, Sinosun, STMicroelectronics, Winbond, Toshiba, Intel, etc. Main Functions of TPM hardware authentication cryptographic key generation protection of cryptographic keys hardware pseudo-random number generation • sealed storage (passwords, encryption keys and digital certificates) Does TPM • remote attestation solves all the problems? • • • • Physical Unclonable Function 79 101 start/stop Counter 1 feedback >? Counter 2 96 88 Ring Oscillator PUFs 0 1 Physical Unclonable Function Each challenge creates two paths through the circuit that are excited simultaneously. The digital response is based on a (timing) comparison of the path delays. Challenges 0 0 1 10 1 1 0 0 0 0 0 1 1 1 1 … 0 DQ C PUF: Unclonable Key A Silicon PUF can be used as an unclonable key. The lock has a database of challenge-response pairs. To open the lock, the key has to show that it knows the response to one or more challenges. ? PUF PUF: Secret Share • If a remote chip stores a private key, Alice can share a secret with the chip if she knows the public key corresponding to the stored private key – Alice encrypts the Secret using chip’s public key, only the right chip can decrypt the Secret using the stored private key. – The chip encrypts the Secret using chip’s private key, it can only be decrypted when the correct public key is used. PUF: Device Authentication • Alice wishes to authenticate a chip • She has a challenge response pair that no one else knows, which can authenticate the silicon PUF on the chip • She asks for the response to the challenge • Chip authenticated if response is correct PUF Anyone can see challenge 1. Challenge, Task and ask PUF for the response Alice 2. Response But only the genuin