e-smart 2009
Low cost fault injection method for security characterization
Jean-Max Dutertre (ENSMSE), Assia Tria (CEA-LETI), Bruno Robisson (CEA-LETI), Michel Agoyan (CEA-LETI)
Département SAS, Équipe mixte CEA-LETI/ENSMSE
Site Georges Charpak, Centre Microélectronique de Provence, 880, route de Mimet, 13541 Gardanne

Outline
- Secure ICs design issues
  - Threats
  - The need for security characterization tools
  - Short review of existing tools
- A new fault injection based characterization tool
  - Synchronous ICs timing analysis
  - Fault injection through setup time violation
  - Local over clocking
- Experimental results
  - Fault nature
  - Fault coverage

The threat
"Attack" = a method for extracting secret information (key K) stored in the device.
[Figure: a legal decoder holding key K turns the encrypted video stream into a decrypted video stream; illegal cloned decoders each hold a copy of K]

Attacks on physical devices
- Cryptanalysis: mathematical analysis of plain and cipher text sets
- Side channel attacks (SCA): analysis of the chip environment when it performs sensitive computations
- Fault attacks: modifications of the chip environment to bypass H/S protections
- Invasive attacks: probing of internal signals

Fault Attacks (FA)
[Diagram: Experiments (K, fault injection means (FIM)); cipher texts, side channels, behavior, etc.; Data extraction]
- Methods: corrupted execution, Differential Fault Analysis, fault based collision, safe-error
- Fault models (FM): injection time, bit / byte, random / given value
The FIM needs to induce faults fitting the FM to allow secret information extraction.

Fault Attacks (FA)
Requirements: the fault injection means must create faults compatible with the fault model, i.e. it must be able to fault:
- particular bits without modifying others (via spatial and/or timing control),
- in a particular way (form control),
- in a repeatable way,
- several times, without destroying the circuit.
And, if possible, at low cost.

The need for security characterization tools
Fault injection attacks work well: security issue.
Needs:
- Evaluate fault effect on circuit behavior
- Validate countermeasures
Security characterization tool: when and how?
- at design time (virtual)?
- after manufacturing (real)?
- fault injection means?

When should security evaluation take place?
[Diagram of the design flow, with labels: Specifications (functionality, power, speed, etc.), Synthesis, Models, Simulation, gds2, Manufacturing, IC, Characterization]

Characterization when designing (design flow)
Characterization in the virtual world
Allows security weakness detection before manufacturing, saving redesign costs.
Many injection tools developed for dependability analysis:
- During simulation (at different abstraction levels): time consuming
  - use of simulator features
  - instrumentation-based techniques (saboteurs, mutants)
- Emulation / prototyping (on FPGA): hardware acceleration
  - use of device reconfiguration features
  - instrumentation-based techniques (saboteurs, mutants)

Characterization in the real world
Characterization after manufacturing
Use of real fault injection means. May be expensive.
- EM pulse
- Over clocking, clk glitch
- Power glitch (Vcc)
- Flash light
- Laser (IR, UV, green, etc.)
- Component preparation (opening, thinning, etc.)
Source: [Skorobogatov02]

A new fault injection based characterization tool
A tool for security characterization
Target: hardware prototype
- FPGA, for an FPGA or ASIC final design
- ASIC prototype (clock access needed)

Fault injection principle
Synchronous IC principle (reminder)
[Diagram: data path (n bits in, m bits out) through combinational logic, with its propagation delay, between flip-flops Dff i and Dff i+1, both clocked by clk; timing diagram showing Tclk against propagation delay + setup time]
- Data are captured on the clock rising edge.
- The time between two rising edges (i.e. the clock period) depends on the propagation delay.

Fault injection principle
[Diagram: combinational logic with n inputs and m outputs D 0, D 1, ..., D m-1, clocked by clk; timing diagram showing Tclk against propagation delay + setup time + margin]
With Tclk fault < Tclk: early data latching, setup time violation, fault injection.

Fault injection principle
Fault location - Propagation delay
[Diagram: combinational logic with n inputs and m outputs D 0, D 1, ..., D m-1; outputs = f(inputs), f logical function]
- Each D i has its own propagation delay.
- Fault location: where delay Di > Tclk - setup time
- Propagation times depend on:
  - the logical states (0 / 1): the propagation delay changes with the inputs, which allows changing the fault location
  - the power supply voltage
  - the temperature

Fault injection by setup time violation
Fault injection - Over clocking
A well known approach: decreasing the clock period until faults appear by setup time violation.
[Timing diagram: clk with period Tclk (propagation delay + setup time) and clk with period Tclk fault]
Drawback: faults are injected at each clock cycle, no timing control.

Fault injection by setup time violation
Fault injection - Local over clocking
Setup time violation by modifying one clock cycle.
[Timing diagram: clk with period Tclk, and clk with one cycle of length Tclk - T]
- fault injection cycle choice
- fault-nature fine tuning through T fine control (one-bit, two-bit faults)
- T variation step = 35 ps
- Experiment: Tclk = 10 ns, 300 steps @ 100 MHz

Fault injection by setup time violation
Fault injection - Local over clocking (cont'd)
clk generation: use of an on-chip Delay Locked Loop (Xilinx Virtex-5).
[Timing diagram: clk signals with period Tclk and one cycle of length Tclk - T]
All digital, easy to implement.

Experimental results
Experimental setup
[Figure labels: clock generation board, AES board, COM serial links, trigger, clock]

Experimental results
[Figures shown for T = 0, T = 20 x 35 ps, T = 40 x 35 ps, T = 60 x 35 ps, T = 80 x 35 ps and T = 100 x 35 ps]

Experimental results
AES 128 bits (Rijndael / FIPS-197)
[Block diagram labels: plain text (128), round key, Mux, AddRoundKey, SubBytes, ShiftRows, MixColumns, round nb, cipher text (128), clk]
- 128-bit data path: worst case for fault coverage
- clocked on Sboxes outputs

Experimental results
Experiment scheme
- Initialization: T = 0, error = 0
- Send plaintext T and key K to the AES
- Compute c = AES(T, K)
- Until error ≠ 0:
    T = T + 35 ps
    c = AES T (T, K)
    error = c c
- return (error, T)
Experiment results:
- error = 1-bit fault (rate greater than 90% for different T, K)
- Repeat previous algorithm for T, K constant -> same results

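An added example, not part of the original slides: a small design-time model of the sweep above, useful for seeing why the critical time and the faulted bit move with the data. Tclk = 10 ns, the 35 ps step and the 300-step range come from the slides; the per-bit delay model, the 100 ps setup time and all function names are assumptions of this example.

```python
from collections import Counter
import random

T_CLK_PS, STEP_PS, MAX_STEPS = 10_000, 35, 300  # values given on the slides
SETUP_PS = 100                                  # assumed setup time (hypothetical)

def arrival_ps(model, state):
    """Arrival time of every output bit. model[i] = (base_ps, data_ps) is a
    constructed toy model: the data-dependent part grows with the number of
    set bits in the state byte that bit i belongs to."""
    out = []
    for i, (base, data) in enumerate(model):
        byte = (state >> (8 * (i // 8))) & 0xFF
        out.append(base + data * bin(byte).count("1") // 8)
    return out

def sweep(model, state):
    """Shorten one clock cycle in 35 ps steps until a bit misses setup.
    Returns (critical_time_ps, late_bits), or None if nothing fails.
    Simplification: every late bit is counted as faulted."""
    arrivals = arrival_ps(model, state)
    for step in range(MAX_STEPS + 1):
        deadline = T_CLK_PS - step * STEP_PS - SETUP_PS
        late = [i for i, t in enumerate(arrivals) if t > deadline]
        if late:
            return step * STEP_PS, late
    return None

def characterize(model, states):
    """Repeat the sweep over many inputs and histogram critical time and
    faulted byte for the runs whose first fault is a single bit."""
    times, locations = Counter(), Counter()
    for state in states:
        hit = sweep(model, state)
        if hit and len(hit[1]) == 1:
            times[hit[0]] += 1
            locations[hit[1][0] // 8] += 1
    return times, locations

if __name__ == "__main__":
    rng = random.Random(2009)  # constructed timing model and random inputs
    model = [(rng.randint(6500, 7200), rng.randint(0, 900)) for _ in range(128)]
    states = [rng.getrandbits(128) for _ in range(2000)]
    times, locations = characterize(model, states)
    print(sorted(times.items())[:5], locations.most_common(4))
```
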
Experimental results
Repeat the algorithm 12 000 times for T, K random.
For each 1-bit fault:
-> retrieve T (i.e. critical time)
-> retrieve error (fault location)
- critical time changes with data:
[Histogram: number of occurrences versus critical time (ps), from 7285 ps to 8825 ps; critical time is given for 1-bit faults]

Experimental results
Fault coverage
AES: 16 bytes (Sboxes outputs), 128 bits (AES state)
Ability to inject faults at different locations.
Remember: propagation times depend on the logical states (0 / 1): the propagation delay changes with the inputs, which allows changing the fault location.
Analyze the previous data to draw the faulted bytes and bits maps.

Experimental results - Fault location analysis at byte level (Sboxes outputs)
[Plot: number of occurrences versus critical time (ps), from 7355 ps to 8825 ps, one curve per byte (Byte 0 to Byte 15). Annotations, as byte (occurrences): 10 (1418), 3 (1913), 2 (1943), 7 (1639), 14 (37), 5 (5), 8 (41)]

Experimental results - Fault location analysis at bit level (Byte 3)
[Plot: number of occurrences versus critical time (ps), from 7285 ps to 8825 ps, curves for Byte 3: bit 0, bit 1, bit 3, bit 4, bit 5, bit 6, bit 7]

Experimental results - fault location synthesis:

Byte      0     1     2     3     4     5     6     7     8     9    10    11    12    13    14    15
bit0      0     0    77   893     0     0    56     1     6     0  1402     0   438   746    22     0
bit1      0     9  1554    11    17     0     1   176     0     0    13     0     0     1     0     7
bit2      0   216     0     0     0     0     0   107     1    11     2     2     0    10    10    21
bit3      0     0     0   629     2     0     1     0     0     1     0    56     0     0     0   663
bit4      0    32     0   275    33     0     0     3     0     0     0     0   222   147     0    29
bit5      0     0   312    33    23     0     0  1290    22     0     0     2   368     9     0   406
bit6    225   690     0    69    83     5     0     0     0   486     1     0     0     0     5     3
bit7      0    10     0     3    95     0     0    62    12    43     0     0     0     0     0     0
Total   225   957  1943  1913   253     5    58  1639    41   541  1418    60  1028   913    37  1129

[Legend of the original table: < 10, < 100, 100]
1-bit faults were injected:
- at every Sbox
- at 64 bits
Without modifying the design.
Reduced design instrumentation (on the clock tree) allows reaching all locations.
Enough to emulate all differential fault attacks.

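An added example, not part of the original slides: a consistency check of the table above that recomputes the per-byte totals and the coverage figures quoted on the slide. The function names and the three occurrence buckets (1 to 9, 10 to 99, 100 and more, following the legend thresholds) are assumptions of this example.

```python
# Occurrence counts copied from the slide: one row per bit 0..7, one column per byte 0..15.
TABLE = """\
0 0 77 893 0 0 56 1 6 0 1402 0 438 746 22 0
0 9 1554 11 17 0 1 176 0 0 13 0 0 1 0 7
0 216 0 0 0 0 0 107 1 11 2 2 0 10 10 21
0 0 0 629 2 0 1 0 0 1 0 56 0 0 0 663
0 32 0 275 33 0 0 3 0 0 0 0 222 147 0 29
0 0 312 33 23 0 0 1290 22 0 0 2 368 9 0 406
225 690 0 69 83 5 0 0 0 486 1 0 0 0 5 3
0 10 0 3 95 0 0 62 12 43 0 0 0 0 0 0
"""
# "Total" row as printed on the slide.
TOTALS = [225, 957, 1943, 1913, 253, 5, 58, 1639, 41, 541, 1418, 60, 1028, 913, 37, 1129]

def parse(text=TABLE):
    """Return rows[bit][byte] as integers, rejecting a malformed table."""
    rows = [[int(v) for v in line.split()] for line in text.strip().splitlines()]
    if len(rows) != 8 or any(len(r) != 16 for r in rows):
        raise ValueError("expected 8 bit rows of 16 byte columns")
    return rows

def coverage(rows):
    """Summarise which AES state bits were reached by 1-bit faults."""
    columns = list(zip(*rows))                    # columns[byte][bit]
    cells = [(n, byte, bit) for byte, col in enumerate(columns)
             for bit, n in enumerate(col) if n]
    return {
        "totals": [sum(col) for col in columns],
        "bytes_hit": sum(1 for col in columns if any(col)),
        "bits_hit": len(cells),
        "buckets": [sum(1 for n, _, _ in cells if lo <= n < hi)
                    for lo, hi in ((1, 10), (10, 100), (100, 10**9))],
        "hottest": max(cells)[1:],                # (byte, bit) faulted most often
        "never_hit": 128 - len(cells),
    }

if __name__ == "__main__":
    print(coverage(parse()))
```

The recomputed totals match the slide's Total row, and the 64 reached bits are spread over all 16 S-box outputs, which is the coverage claim the slide makes.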
Conclusion
A new low-cost fault injection based characterization tool
- Setup time violation (clock access needed)
- Low-cost (a few k )
- Easy to implement
  - All digital
  - No design modification needed
- Hardware prototype:
  - On-chip FPGA's DLL
  - FPGA, for an FPGA or ASIC final design, during the design flow
  - ASIC prototype (after manufacturing)
- Very good timing control (choice of the injection cycle)
- Fine fault nature control (1-bit fault or more)
- Fault coverage: ok to implement DFA, extendable with a little instrumentation
Contact for more information: dutertre@emse.fr