Implementing a protected zone in a reconfigurable processor for isolated execution of cryptographic algorithms

We design and realize a protected zone inside a reconfigurable and extensible embedded RISC processor for isolated execution of cryptographic algorithms. The protected zone is a collection of processor subsystems such as functional units optimized for high-speed execution of integer operations, a small amount of local memory, and general and special-purpose registers. We outline the principles for secure software implementation of cryptographic algorithms in a processor equipped with the protected zone. We also demonstrate the efficiency and effectiveness of the protected zone by implementing major cryptographic algorithms, namely RSA, elliptic curve cryptography, and AES in the protected zone. In terms of time efficiency, software implementations of these three cryptographic algorithms outperform equivalent software implementations on similar processors reported in the literature. The protected zone is designed in such a modular fashion that it can easily be integrated into any RISC processor; its area overhead is considerably moderate in the sense that it can be used in vast majority of embedded processors. The protected zone can also provide the necessary support to implement TPM functionality within the boundary of a processor

ret2spec: Speculative Execution Using Return Stack Buffers

Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80\% accuracy on average.Comment: Updating to the cam-ready version and adding reference to the original pape

Encrypted statistical machine learning: new privacy preserving methods

We present two new statistical machine learning methods designed to learn on fully homomorphic encrypted (FHE) data. The introduction of FHE schemes following Gentry (2009) opens up the prospect of privacy preserving statistical machine learning analysis and modelling of encrypted data without compromising security constraints. We propose tailored algorithms for applying extremely random forests, involving a new cryptographic stochastic fraction estimator, and na\"{i}ve Bayes, involving a semi-parametric model for the class decision boundary, and show how they can be used to learn and predict from encrypted data. We demonstrate that these techniques perform competitively on a variety of classification data sets and provide detailed information about the computational practicalities of these and other FHE methods.Comment: 39 page

Prochlo: Strong Privacy for Analytics in the Crowd

The large-scale monitoring of computer users' software activities has become commonplace, e.g., for application telemetry, error reporting, or demographic profiling. This paper describes a principled systems architecture---Encode, Shuffle, Analyze (ESA)---for performing such monitoring with high utility while also protecting user privacy. The ESA design, and its Prochlo implementation, are informed by our practical experiences with an existing, large deployment of privacy-preserving software monitoring. (cont.; see the paper

Simulation-based verification of EM side-channel attack resilience of embedded cryptographic systems

Electromagnetic (EM) fields emanated due to switching currents in crypto-blocks can be an effective non-invasive channel for extracting secret keys. Accurate design-time simulation tools are needed to predict vulnerabilities and improve resilience of embedded systems to EM side-channel analysis attacks. Modeling such attacks is challenging, however, as it requires a multitude of expensive simulations across multiple circuit abstraction levels together with EM simulations. In this work, a simulation ow is developed to study the differential EM analysis (DEMA) attack on the Advanced Encryption System (AES) block cipher. The proposed ow enables design-time evaluation of realistic DEMA attacks for the first time. The major challenge is accurately computing signals received by a nearby probe at various positions above the chip surface for a large number of AES encryptions. This requires rapidly generating spatial distribution and transient EM radiation of on-chip current waveforms. Commercial CAD tools are used to generate space-time samples of these waveforms and a custom EM simulator to radiate them. The computations are sped up by focusing on information-leaking time windows, performing hybrid gate- and transistor-level simulations, radiating only the currents on top metallization layers, and generating traces for different encryptions in parallel. These methods reduce simulation time to a manageable ~ 20 hrs wall-clock time/attack allowing a previously impossible level of vulnerability analysis. The proposed ow also allows pinpointing critical regions on the chip most susceptible to EM attacks. We demonstrate that exploiting the spatial profile of circuit elements can reveal cryptographic keys with significantly fewer number of traces than DPA , guiding designers to the most critical areas of the layout. This enables targeted deployment of counter-measures to the highest information-leaking design componentsElectrical and Computer Engineerin