On the security of embedded systems against side-channel attacks

Side-Channel Analysis (SCA) represents a serious threat to the security of millions of smart devices that form part of the so-called Internet of Things (IoT). On the other hand, perform the "right- fitting" cryptographic code for the IoT is a highly challenging task due to the reduced resource constraints of must of the IoT devices and the variety of cryptographic algorithms on disposal. An important criterion to assess the suitability of a light-weight cipher implementation, with respect to the SCA point of view, is the amount of energy leakage available to an adversary. In this thesis, the efficiency of a selected function that is commonly used in AES implementations in the perspective of Correlation Power Analysis (CPA) attacks are analyzed, leading to focus on the very common situation where the exact time of the sensitive processing is drowned in a large number of leakage points. In the particular case of statistical attacks, much of the existing literature essentially develop the theory under the assumption that the exact sensitive time is known and cannot be directly applied when the latter assumption is relaxed, being such a particular aspect for the simple Differential Power Analysis (DPA) in contrast with the CPA. To deal with this issue, an improvement that makes the statistical attack a real alternative compared with the simple DPA has been proposed. For the power consumption model (Hamming Weight model), and by rewriting the simple DPA attacks in terms of correlation coefficients between Boolean functions. Exhibiting properties of S-boxes relied on CPA attacks and showing that these properties are opposite to the non-linearity criterion and to the propagation criterion assumed for the former DPA. In order to achieve this goal, the study has been illustrated by various attack experiments performed on several copies implementations of the light-weight AES chipper in a well-known micro-controller educative platform within an 8-bit processor architecture deployed on a 350 nanometers CMOS technology. The Side-channel attacks presented in this work have been set in ideal conditions to capture the full complexity of an attack performed in real-world conditions, showing that certain implementation aspects can influence the leakage levels. On the other side, practical improvements are proposed for specific contexts by exploring the relationship between the non-linearity of the studied selection function and the measured leakages, with the only pretension to bridge the gap between the theory and the practice. The results point to new enlightenment on the resilience of basic operations executed by common light-weight ciphers implementations against CPA attacks

Reliability and security in wellbeing monitoring embedded systems

Dissertação para obtenção do Grau de Mestre em Engenharia Informática e de ComputadoresAo longo dos últimos anos, a fiabilidade e a segurança dos sistemas embebidos utilizados em áreas críticas, como a saúde e o sector automóvel, têm suscitado um interesse crescente na comunidade científica e ganho maior consciencialização entre o público em geral. Esta tese aborda a modelação e a implementação de uma arquitetura software fiável e segura para um sistema embebido focado na aquisição e processamento de sinais fisiológicos, em particular o eletrocardiograma (ECG). O trabalho realizado visou o CardioWheel, um projeto em curso desenvolvido pela CardioID Technologies, destinado a aplicações nas áreas da saúde e do automóvel. As particularidades destas áreas quanto aos seus requisitos de segurança e proteção dos utilizadores servem de caso de estudo para mostrar as vantagens da arquitetura desenvolvida. Assim, no estudo realizado foi feito o levantamento dos requisitos do sistema que foram utilizados para projetar a máquina de estados da arquitetura em UML, a qual foi validada formalmente utilizando a ferramenta Uppaal e o modelo de autómatos finitos temporizados. Também foi feita uma análise de ameaças à arquitetura para validar os aspetos relacionados com a segurança. A arquitetura foi desenvolvida para microcontroladores ESP32 usando o ecossistema ESP-IDF e o FreeRTOS, para o que foram consideradas camadas independentes de hardware. A camada de comunicação é baseada no protocolo Bluetooth Low Energy (BLE) e permite a transmissão dos dados do nó final para um gateway e, posteriormente, para um servidor na nuvem. A operação de atualização de firmware usando o componente Over-The-Air (OTA) foi também implementada e validada quanto à sua segurança. A arquitetura foi, inicialmente, avaliada e validada usando um protótipo laboratorial. Posteriormente, foi utilizada para realizar uma pequena série de produção do CardioWheel em que se utilizaram as estratégias de validação propostas no contexto do projeto ESCEL KDT Valu3s. Também foi realizado um ensaio pré-médico no Hospital de Santa Marta usando o CardioWheel com a arquitetura proposta, que permitiu validar a sua fiabilidade e capacidades quando comparado com um eletrocardiógrafo clínico.Recently, the reliability and cybersecurity aspects of embedded systems for critical domains, such as health and automotive, has increased interest in the research community and awareness to the general public. This thesis addresses the modelling and the implementation of a reliable and secure software architecture for an embedded system aimed at the acquisition and processing of physiological signals, in particular the electrocardiogram (ECG). The work focused CardioWheel, an ongoing project developed by CardioID Technologies, targeting health and automotive applications. These domains demand special requirements for safety and security, and serve as a showcase for the proposed architecture. Accordingly, suitable requirements were first established and the architecture state machine was developed using UML and formally validated using Uppaal and Timed Automata modelling. Then, the threat analysis of the architecture was conducted. Finally, the implementation was realized for an ESP32 microcontroller using the FreeRTOS, the ESP-IDF ecosystem, and specially developed hardware independent layers. The communication layer is based on Bluetooth Low Energy (BLE) and allows the transmission of the data from the end-node to a gateway and finally to the cloud. The system has a Over-The-Air (OTA) component that enables the update of the firmware and the security of this operation was also validated. The proposed architecture was firstly validated using a laboratory prototype. Then, it was deployed to build a small production series of CardioWheel incorporating validation strategies proposed within the context of the ESCEL KDT Valu3s project. Also, a pre-medical trial was conducted at the Hospital de Santa Marta, confirming the reliability and capabilities of our system against a clinical ground-truth.N/

Differential cryptanalysis of substitution permutation networks and Rijndael-like ciphers

A block cipher, in general, consist of several repetitions of a round transformation. A round transformation is a weak block cipher which consists of a nonlinear substitution transformation, a linear diffusion transformation and a key mixing. Differential cryptanalysis is a well known chosen plaintext attack on block ciphers. In this project, differential cryptanalysis is performed on two kinds of block ciphers: Substitution Permutation Networks(SPN) and Rijndael-like Ciphers. In order to strengthen a block cipher against differential attack, care should be taken in the design of both substitution and diffusion components and in the choice of number of rounds. In this context, most of the researches has been focused on the design of substitution component. In this project, differential cryptanalysis is carried out on several SPNs to find the role of permutation. Differential analysis on Rijndael-like ciphers is done to find the strength of the cipher as a whole. Tools are developed to configure and to perform differential analysis on these ciphers. In the context of SPN, the importance of permutation, the effect of bad permutation, no permutation and sequentially chosen plaintext pairs are discussed. The diffusion strength of SPN and Rijndael-like ciphers are discussed and compared

Hardware Intellectual Property Protection Through Obfuscation Methods

Security is a growing concern in the hardware design world. At all stages of the Integrated Circuit (IC) lifecycle there are attacks which threaten to compromise the integrity of the design through piracy, reverse engineering, hardware Trojan insertion, physical attacks, and other side channel attacks — among other threats. Some of the most notable challenges in this field deal specifically with Intellectual Property (IP) theft and reverse engineering attacks. The IP being attacked can be ICs themselves, circuit designs making up those larger ICs, or configuration information for the devices like Field Programmable Gate Arrays (FPGAs). Custom or proprietary cryptographic components may require specific protections, as successfully attacking those could compromise the security of other aspects of the system. One method by which these concerns can be addressed is by introducing hardware obfuscation to the design in various forms. These methods of obfuscation must be evaluated for effectiveness and continually improved upon in order to match the growing concerns in this area. Several different forms of netlist-level hardware obfuscation were analyzed, on standard benchmarking circuits as well as on two substitution boxes from block ciphers. These obfuscation methods were attacked using a satisfiability (SAT) attack, which is able to iteratively rule out classes of keys at once and has been shown to be very effective against many forms of hardware obfuscation. It was ultimately shown that substitution boxes were naturally harder to break than the standard benchmarks using this attack, but some obfuscation methods still have substantially more security than others. The method which increased the difficulty of the attack the most was one which introduced a modified SIMON block cipher as a One-way Random Function (ORF) to be used for key generation. For a substitution box obfuscated in this way, the attack was found to be completely unsuccessful within a five-day window with a severely round-reduced implementation of SIMON and only a 32-bit obfuscation key

Design and evaluation of countermeasures against fault injection attacks and power side-channel leakage exploration for AES block cipher

Differential Fault Analysis (DFA) and Power Analysis (PA) attacks, have become the main methods for exploiting the vulnerabilities of physical implementations of block ciphers, currently used in a multitude of applications, such as the Advanced Encryption Standard (AES). In order to minimize these types of vulnerabilities, several mechanisms have been proposed to detect fault attacks. However, these mechanisms can have a signi cant cost, not fully covering the implementations against fault attacks or not taking into account the leakage of the information exploitable by the power analysis attacks. In this paper, four different approaches are proposed with the aim of protecting the AES block cipher against DFA. The proposed solutions are based on Hamming code and parity bits as signature generators for the internal state of the AES cipher. These allow to detect DFA exploitable faults, from bit to byte level. The proposed solutions have been applied to a T-box based AES block cipher implemented on Field Programmable Gate Array (FPGA). Experimental results suggest a fault coverage of 98.5% and 99.99% with an area penalty of 9% and 36% respectively, for the parity bit signature generators and a fault coverage of 100% with an area penalty of 18% and 42% respectively when Hamming code signature generator is used. In addition, none of the proposed countermeasures impose a frequency degradation, in respect to the unprotected cipher. The proposed work goes further in the evaluation of the proposed DFA countermeasures by evaluating the impact of these structures in terms of power side-channel. The obtained results suggest that no extra information leakage is produced that can be exploited by PA. Overall, the proposed DFA countermeasures provide a high fault coverage protection with a low cost in terms of area and power consumption and no PA security degradation

Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT'91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics. In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of 2−56.932−56.93, while the best single characteristic only suggests a probability of 2−722−72. Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives. Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys

Flexible Memory Protection with Dynamic Authentication Trees

As computing appliances increase in use and handle more critical information and functionalities, the importance of security grows even greater. In cases where the device processes sensitive data or performs important functionality, an attacker may be able to read or manipulate it by accessing the data bus between the processor and memory itself. As it is impossible to provide physical protection to the piece of hardware in use, it is important to provide protection against revealing confidential information and securing the device\u27s intended operation. Defense against bus attacks such as spoofing, splicing, and replay attacks are of particular concern. Traditional memory authentication techniques, such as hashes and message authentication codes, are costly when protecting off-chip memory during run-time. Balanced authentication trees such as the well-known Merkle tree or TEC-Tree are widely used to reduce this cost. While authentication trees are less costly than conventional techniques it still remains expensive. This work proposes a new method of dynamically updating an authentication tree structure based on a processor\u27s memory access pattern. Memory addresses that are more frequently accessed are dynamically shifted to a higher tree level to reduce the number of memory accesses required to authenticate that address. The block-level AREA technique is applied to allow for data confidentiality with no additional cost. An HDL design for use in an FPGA is provided as a transparent and highly customizable AXI-4 memory controller. The memory controller allows for data confidentiality and authentication for random-access memory with different speed or memory size constraints. The design was implemented on a Zynq 7000 system-on-chip using the processor to communicate with the hardware design. The performance of the dynamic tree design is comparable to the TEC-Tree in several memory access patterns. The TEC-Tree performs better than a dynamic design in particular applications; however, speedup over the TEC-Tree is possible to achieve when applied in scenarios that frequently accessed previously processed data