Smart Card Fault Injections with High Temperatures

Power and clock glitch attacks on smart cards can help an attacker to discover some internal secrets or bypass certain security checks. Also, an attacker can manipulate the temperature and supply voltage of the device, thus making the device glitch more easily. If these manipulations are within the device operating conditions, it becomes harder to distinguish between an extreme condition from an attacker. To demonstrate temperature and power supply effect on fault attacks, we perform several tests on an Atmega 163 microcontroller in different conditions. Our results show that this kind of attacks are still a serious threat to small devices, whilst maintaining the manufacturer recommendations

High Speed Clock Glitching

In recent times, hardware security has drawn a lot of interest in the research community. With physical proximity to the target devices, various fault injection hardware attack methods have been proposed and tested to alter their functionality and trigger behavior not intended by the design. There are various types of faults that can be injected depending on the parameters being used and the level at which the device is tampered with. The literature describes various fault models to inject faults in clock of the target but there are no publications on overclocking circuits for fault injection. The proposed method bridges this gap by conducting high-speed clock fault injection on latest high-speed micro-controller units where the target device is overclocked for a short duration in the range of 4-1000 ns. This thesis proposes a method of generating a high-speed clock and driving the target device using the same clock. The properties of the target devices for performing experiments in this research are: Externally accessible clock input line and GPIO line. The proposed method is to develop a high-speed clock using custom bit-stream sent to FPGA and subsequently using external analog circuitry to generate a clock-glitch which can inject fault on the target micro-controller. Communication coupled with glitching allows us to check the target\u27s response, which can result in information disclosure.This is a form of non-invasive and effective hardware attack. The required background, methodology and experimental setup required to implement high-speed clock glitching has been discussed in this thesis. The impact of different overclock frequencies used in clock fault injection is explored. The preliminary results have been discussed and we show that even high-speed micro-controller units should consider countermeasures against clock fault injection. Influencing the execution of Tiva C Launchpad and STM32F4 micro-controller units has been shown in this thesis. The thesis details the method used for the testing a

Fault Injection Test Bed for Clock Violation

Abstract: In this paper, the International Data Encryption (IDEA) algorithm synthesis models will be used as test encryption algorithm. The Xilinx Digital clock manager component will be used for generation of clocks for different frequencies and phase shifts. The encryption output with faults introduced and without faults introduced is compared as a function of ratio of used clock frequency and maximum frequency of operation reported by synthesis tool. The clock generation, clock switching, interface adopter to IDEA core and UART interface will be realized and tested in FPGA hardware in integrated form. FPGA based test bed is realized for injecting faults through clock glitches, to result in setup and hold violations. The UART interface is realized on FPGA to provide PC based controlling for this fault injection. Xilinx chip scope tools will be used for verifying the output at various levels in FPGA hardware

Secure Physical Design

An integrated circuit is subject to a number of attacks including information leakage, side-channel attacks, fault-injection, malicious change, reverse engineering, and piracy. Majority of these attacks take advantage of physical placement and routing of cells and interconnects. Several measures have already been proposed to deal with security issues of the high level functional design and logic synthesis. However, to ensure end-to-end trustworthy IC design flow, it is necessary to have security sign-off during physical design flow. This paper presents a secure physical design roadmap to enable end-to-end trustworthy IC design flow. The paper also discusses utilization of AI/ML to establish security at the layout level. Major research challenges in obtaining a secure physical design are also discussed

Embedded Systems Security: On EM Fault Injection on RISC-V and BR/TBR PUF Design on FPGA

With the increased usage of embedded computers in modern life and the rapid growth of the Internet of Things (IoT), embedded systems security has become a real concern. Especially with safety-critical systems or devices that communicate sensitive data, security becomes a critical issue. Embedded computers more than others are vulnerable to hardware attacks that target the chips themselves to extract the cryptographic keys, compromise their security, or counterfeit them. In this thesis, embedded security is studied through two different areas. The first is the study of hardware attacks by investigating Electro Magnetic Fault Injection (EMFI) on a RISC-V processor. And the second is the study of the countermeasures against counterfeiting and key extraction by investigating the implementation of the Bistable Ring Physical Unclonable Function (BR-PUF) and its variant the TBR-PUF on FPGA. The experiments on a 320 MHz five-stage pipeline RISC-V core showed that with the increase of frequency and the decrease of supplied voltage, the processor becomes more susceptible to EMFI. Analysis of the effect of EMFI on different types of instructions including arithmetic and logic operations, memory operations, and flow control operations showed different types of faults including instruction skips, instructions corruption, faulted branches, and exception faults with variant probabilities. More interestingly and for the first time, multiple consecutive instructions (up to six instructions) were empirically shown to be faulted at once, which can be very devastating, compromising the effect of software countermeasures such as instruction duplication or triplication. This research also studies the hardware implementation of the BR and TBR PUFs on a Spartan-6 FPGA. A comparative study on both the automatic and manual placement implementation approaches on FPGA is presented. With the use of the settling time as a randomization source for the automatic placement, this approach showed a potential to generate PUFs with good characteristics through multiple trials. The automatic placement approach was successful in generating 4-input XOR BR and TBR PUFs with almost ideal characteristics. Moreover, optimizations on the architectural and layout levels were performed on the BR and TBR PUFs to reduce their footprint on FPGA. This research aims to advance the understanding of the EMFI effect on processors, so that countermeasures may be designed for future secure processors. Additionally, this research helps to advance the understanding of how best to design improved BR and TBR PUFs for key protection in future secure devices

Quantifiable Assurance: From IPs to Platforms

Hardware vulnerabilities are generally considered more difficult to fix than software ones because they are persistent after fabrication. Thus, it is crucial to assess the security and fix the vulnerabilities at earlier design phases, such as Register Transfer Level (RTL) and gate level. The focus of the existing security assessment techniques is mainly twofold. First, they check the security of Intellectual Property (IP) blocks separately. Second, they aim to assess the security against individual threats considering the threats are orthogonal. We argue that IP-level security assessment is not sufficient. Eventually, the IPs are placed in a platform, such as a system-on-chip (SoC), where each IP is surrounded by other IPs connected through glue logic and shared/private buses. Hence, we must develop a methodology to assess the platform-level security by considering both the IP-level security and the impact of the additional parameters introduced during platform integration. Another important factor to consider is that the threats are not always orthogonal. Improving security against one threat may affect the security against other threats. Hence, to build a secure platform, we must first answer the following questions: What additional parameters are introduced during the platform integration? How do we define and characterize the impact of these parameters on security? How do the mitigation techniques of one threat impact others? This paper aims to answer these important questions and proposes techniques for quantifiable assurance by quantitatively estimating and measuring the security of a platform at the pre-silicon stages. We also touch upon the term security optimization and present the challenges for future research directions

Anti-Tamper Method for Field Programmable Gate Arrays Through Dynamic Reconfiguration and Decoy Circuits

As Field Programmable Gate Arrays (FPGAs) become more widely used, security concerns have been raised regarding FPGA use for cryptographic, sensitive, or proprietary data. Storing or implementing proprietary code and designs on FPGAs could result in the compromise of sensitive information if the FPGA device was physically relinquished or remotely accessible to adversaries seeking to obtain the information. Although multiple defensive measures have been implemented (and overcome), the possibility exists to create a secure design through the implementation of polymorphic Dynamically Reconfigurable FPGA (DRFPGA) circuits. Using polymorphic DRFPGAs removes the static attributes from their design; thus, substantially increasing the difficulty of successful adversarial reverse-engineering attacks. A variety of dynamically reconfigurable methodologies exist for implementation that challenge designers in the reconfigurable technology field. A Hardware Description Language (HDL) DRFPGA model is presented for use in security applications. The Very High Speed Integrated Circuit HDL (VHSIC) language was chosen to take advantage of its capabilities, which are well suited to the current research. Additionally, algorithms that explicitly support granular autonomous reconfiguration have been developed and implemented on the DRFPGA as a means of protecting its designs. Documented testing validates the reconfiguration results and compares power usage, timing, and area estimates from a conventional and DRFPGA model