32 research outputs found

    Side-channel based intrusion detection for industrial control systems

    Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although manufacturers are taking measures to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis.
    Comment: 12 pages, 7 figures. For associated code, see https://polvanaubel.com/research/em-ics/code

    Side-channel Attacks on Blinded Scalar Multiplications Revisited

    In a series of recent articles (from 2011 to 2017), Schindler et al. show that exponent/scalar blinding is not as effective a countermeasure as expected against side-channel attacks targeting RSA modular exponentiation and ECC scalar multiplication. Precisely, these works demonstrate that if an attacker is able to retrieve many randomizations of the same secret, this secret can be fully recovered even when a significant proportion of the blinded secret bits are erroneous. With a focus on ECC, this paper improves the best results of Schindler et al. in the specific case of structured-order elliptic curves. Our results show that larger blinding material and higher error rates can be successfully handled by an attacker in practice. This study also opens new directions in this line of work by proposing a three-step attack process that isolates the attack's critical path (in terms of complexity and success rate) and hence eases the development of future solutions.

    A Comparison of Chi^2-Test and Mutual Information as Distinguisher for Side-Channel Analysis

    Masking is known as the most widely studied countermeasure against side-channel analysis attacks. Since a masked implementation is based on a certain number of shares (referred to as the order of masking), it still exhibits leakages at higher orders. In order to exploit such leakages, higher-order statistical moments need to be estimated individually at each order, reflecting the higher-order attacks. Instead, Mutual Information Analysis (MIA), known for more than 10 years, avoids such a moment-based analysis by considering the entire distribution for the key recovery. Recently the χ²-test has been proposed for leakage detection and as a distinguisher where the whole distribution of the leakages is also analyzed. In this work, we compare these two schemes to examine their dependency. Indeed, one of the goals of this research is to conclude whether one can outperform the other. In addition to a theoretical comparison, we present two case studies and their corresponding practical evaluations. Both case studies are masked hardware implementations; one is an FPGA-based realization of a threshold implementation of PRESENT, and the other is an AES implementation as a coprocessor on a commercial smart card.

    Challenges for information security in embedded systems against attackers with hardware access

    The information security of networked embedded systems in applications such as "Industrie 4.0", the automotive sector, the smart grid and the Internet of Things, which in the future will also extend to medical devices, home automation and smart metering, is on the one hand a particularly important development goal and on the other hand a particularly great challenge. The relevant questions are very similar across the applications mentioned. The core of the challenge is to guarantee information security for the embedded devices deployed there, even though attackers may have physical access to these devices. In most cases there is the risk that successful attacks on individual devices could lead to vulnerabilities, attacks or consequences for all networked devices. Protective measures against attackers with hardware access often require functions in hardware that cannot be retrofitted. Because of the potentially long operational lifetime of embedded devices, however, it is a great challenge to provide these necessary hardware-based protective measures so that they can also form the foundation for the software security that is likewise required.

    Attack on a DFA protected AES by simultaneous laser fault injections

    This paper demonstrates a Fault Attack on an AES core protected by an infection-type countermeasure. The redundant AES is implemented on a Xilinx Spartan-6 FPGA, with a feature size of 45 nm. By injecting exactly the same fault in both state registers of the redundant implementation using lasers, we are able to annul the protection added by the countermeasure and thus perform a successful Differential Fault Analysis. This requires a high-precision double laser setup in order to hit two different locations on the chip at the same point in time. With a priori knowledge about the location of both state registers, we were able to generate applicable faulty ciphertexts within minutes. Our results show that for applications demanding a high level of security, relying on a duplication of hardware is not sufficient.

    Fast and reliable PUF response evaluation from unsettled bistable rings

    Bistable ring (BR) based strong PUFs are promising candidates for lightweight authentication applications. It has been observed that a good '0'/'1'-balance of their responses correlates with longer settling times. This is problematic, since the state-of-the-art evaluation method requires the BR to be settled in order to generate a reliable PUF response. We show that settling times can easily extend beyond 100 ms for 70 percent of the responses in the TBR PUF, which is a BR-based PUF with good '0'/'1'-balance characteristics. Hence, it is practically impossible to wait for all BRs to settle, which results in a reliability penalty. In order to solve this problem, we present three new methods which allow the evaluation of unsettled BRs with increased reliability compared to the state-of-the-art method. We were able to improve response reliability from 81 percent to up to 98.5 percent and achieve response reliabilities of 97 percent at an evaluation time of 320 ns. This enables the fast and reliable use of BR-based PUFs in strong PUF applications.

    Investigating measurement methods for high-resolution electromagnetic field side-channel analysis

    Recent publications have emphasized the power of high-resolution, low-distance EM measurements for side-channel analysis. In this paper, we investigate several aspects of such measurements, e.g. different coil diameters, probe-to-die distances, bandwidths and spatial measurement resolutions. We use an FPGA-based implementation of an AES S-box as device under test and perform measurements of the magnetic near-field. Using the peak amplitude of the magnetic near-field and the Pearson correlation coefficient as quality measures, we show that the probes with the smallest diameters lead to the best results. We propose a suitable trade-off between measurement time and measurement quality by using one fourth of the coil diameter as spatial measurement resolution. We show that the correlation decreases significantly if a bandwidth of less than 300 MHz is used, and we recommend a bandwidth of 1 GHz. Additionally, we confirm that the maximum value of the measured EM amplitude decreases by 1/r², and the correlation of the measurement by 1/r, with r being the distance between probe and die.

    Towards efficient evaluation of a time-driven cache attack on modern processors

    Software implementations of block ciphers are widely used to perform critical operations such as disk encryption or TLS traffic protection. To speed up cipher execution, many implementations rely on pre-computed lookup tables, which makes them vulnerable to cache-timing attacks on modern processors. For time-driven attacks, the overall execution time of a cipher is sufficient to recover the secret key. Testing cryptographic software on actual hardware is consequently essential for vulnerability and risk assessment. In this work, we investigate the efficient and robust evaluation of cryptographic software on modern processors under a time-driven attack. Using a practical case study, we discuss necessary adaptations to the original attack and identify promising new micro-architectural side-channels for it. To leverage the leakage of multiple side-channels, we propose a simple, heuristic way to combine their corresponding attacks.

    Localized electromagnetic analysis of cryptographic implementations

    High-resolution inductive probes enable precise measurements of the electromagnetic field of small regions on integrated circuits. These precise measurements make it possible to distinguish the activity of registers on the circuit that are located at different distances from the probe. This location-dependent information can be exploited in side-channel analyses of cryptographic implementations. In particular, cryptographic algorithms where the usage of registers depends on secret information are affected by side-channel attacks using localized electromagnetic analysis. Binary exponentiation algorithms, which are used in public-key cryptography, are typical examples of such algorithms. This article introduces the concept of localized electromagnetic analysis in general. Furthermore, we present a case study where we employ a template attack on an FPGA implementation of elliptic curve scalar multiplication to prove that location-dependent leakage can be successfully exploited. Conventional countermeasures against side-channel attacks are ineffective against location-dependent side-channel leakage. As an effective general countermeasure, we propose that the assignment of registers to physical locations should be repeatedly randomized during execution.

    X25519 hardware implementation for low-latency applications

    In the world of the 'Internet of Things' (IoT), millions of interconnected smart devices have to share information in a fast and secure way. In order to ensure the success and widespread adoption of IoT applications, cryptographic services must be provided to ensure secure communications and avoid skepticism about new emerging technologies. Due to its short key sizes, elliptic curve cryptography is typically deployed on resource-constrained devices in order to enable public-key cryptographic services, i.e. secure key exchanges between smart devices. In the past few years, there has been a growing interest in Curve25519 due to its elegant design aimed at both high security and high performance, making it one of the most promising candidates to secure IoT applications. In fact, besides providing appropriate security levels, most IoT applications must adhere to strict latency requirements and guarantee that information is processed in a tiny fraction of time. Until now, Curve25519 hardware implementations were mainly optimized for high-throughput applications, while no special care was given to low-latency designs. In this work, we close this gap and provide a Curve25519 hardware design targeting low-latency applications. Our implementation takes only 13,639 cycles for a variable-base Curve25519 scalar multiplication and can be operated at up to 115 MHz on Xilinx Zynq 7030 FPGA devices. This allows a session key to be computed in less than 120 μs, which outperforms known FPGA-based Curve25519 implementations by a factor of 2.8, while requiring 24 % less area resources.