RingOscillatorunderLaser ...conferenze.dei.polimi.it/FDTC16/shared/FDTC-2016-session_4_2.pdf · 3...

1

Ring Oscillator under Laser: Poten5al of PLL based Countermeasure against

Laser Fault Injec5on

Wei He*, Jakub Breier*, Shivam Bhasin* Noriyuki Miura+, Makoto Nagata+ * Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore + Graduate School of System InformaJcs, Kobe University, Japan

FDTC’16, August 16, 2016, Santa Barbara, US.

2

Ø  Fault A?ack (FA) exploits the inten5onally triggered faulty data or faulty physical behaviors from the target devices, in order to study the device proper5es, or extract confiden5al informa5on about internals.

•  Evalua5on of fault tolerance of cri5cal system (hash working environment, e.g., high energy cosmic ray) •  Assistant means for reverse engineering •  Break SCA countermeasure •  Induce sensiJve computaJon errors in cryptosystem for

retrieving crypto keys (e.g., DFA, Algebraic FA, FSA, round reduc5on, etc.)

Purposes of Fault InjecJons in Circuit

FDTC’16, Santa Barbara, US, Aug 16 2016

3

Laser-‐Induced Fault on Transistor

VSS

N+N+

0PMOS

VDD

LASER

observedcurrent

P substrate

a transient can befurther

propagated

Ø  Temporary photocurrent induced by laser radia5on. •  Example: A laser injec5on into drain of the NMOS of a CMOS inverter

can temporarily turn the PMOS ON.


•  In real IC, laser radiates numerous transistors simultaneously, hence the fault mechanism induced in IC is complicated.

•  Laser also impact signal propaga5on in rou5ngs because of its charging and discharging effects on parasi5c capacitance.

4

Countermeasure against Fault InjecJons

Ø  Algorithm-‐Intrinsic Countermeasure:

•  Original algorithm is modified, for being for5fied with detec5on capability of abnormal values.

²  Algorithm implemented by mul5 rails. ( Dual-‐rail comparison; Triple-‐rail majority vo5ng )

²  Concurrent Error Detec5on (CED). ( Parity computa5on and comparison )

•  Heavy! •  Can only detect Already-‐INJECTED faults, e.g., cannot predict

coming injec5on a?empt. – no Security Margin, low detec5on coverage.


5

Countermeasure against Fault InjecJons

Ø  Sensor based Countermeasure

Requirements of eligible sensors •  Logically independent from the protected algorithm. •  More sensi5ve under injec5on impact (laser, EM, clock,

power, temperature, etc) •  Be able to predict on-‐going injec5ons in advance

– Power/Spa5al Security Margin.


Cipher fault sensi5ve region

Sensor detec5on region

min.power (sensor-‐alarm)

min.power (cipher-‐fault)

power

Power Security Margin Spa2al Security Margin

6

Digital Ring Oscillator under Laser

Ø  Frequency ripple of RO can be temporarily incurred under external electrical impacts in vicinity, such as intensive EM/laser pulse, or power/clock glitch

…

…

fstart-up (en)

1.2

1.4

1.6

1.8

2

2.2

2.4

2.6

2.8

Amplit

ude

Time Samples

1.2

1.4

1.6

1.8

2

2.2

2.4

2.6

2.8

Amplit

ude

Ampli

tude

Ampli

tude

1.2

1.4

1.6

1.8

2.0

2.2

2.4

2.6

2.8

1.2

1.4

1.6

1.8

2.0

2.2

2.4

2.6

2.8

Time Samples

Time Samples

(Observable frequency ripple on high-‐frequency RO)


RO Frequency without laser impact

RO Frequency with laser impact

7

Phase-‐Locked Loop (PLL) Sensor System

Ø  PLL is a widely used analog component in circuit.

•  Be consisted by: (1) Phase-‐Frequency Detector (PFD), Low Pass Filter (LF), Voltage-‐controlled Oscillator (VCO).

•  For providing phase locked clock using the feedback loop. •  A disturbance in PLL clock input may temporarily unlock PLL.


1/N

Phase-Frequency Detector

(PFD)

Low-Pass Filer (LPF)

Voltage-Controller Oscillator

f fNCLKIN1

CLKFBIN

RST

CLKOUT0CLKOUT1CLKOUT2CLKOUT3CLKOUT4CLKOUT5

CLKFBOUT

LOCKED

Alarm

Input from RO

RO Watchdog

laser injection

Locked

Alarminjection detected vigilantvigilant

8

Exemplary Xilinx FPGA Architecture

6-LUT

Carry Chain

FF-D

6-LUT FF-C

6-LUT FF-B

6-LUT FF-A

6-LUT

Carry Chain

FF-D

6-LUT FF-C

6-LUT FF-B

6-LUT FF-A

Slice

Slice

CLBSwitch-Box

Routing channel

interconnects between Slices and routing

channels

Ø  Virtex-‐5 FPGA is used as the a?ack target •  SRAM based FPGA, manufactured in 65 nm process, encapsulated

by flip-‐chip package. •  CLB ( slice pair ) array with peripheral components. •  Switch-‐box provides rich interconnects between slice pins and

external rou5ng channels.

Ø  So, a CLB and a switch-‐box forms a basic logic cluster in Xilinx FPGA


9

Target Block Cipher – PRESENT80

•  Round data registers are the target logics for laser injec5on a?acks.

•  The 5ming of injec5on focuses on the last round data registers.

S S …. S S

ciphertext

64

4

4

pLayer

64

plaintext

64

round keys

64

64DQ

round_ctrl

round data registers

Ø  Lightweight symmetric PRESENT-‐80 is selected as the a?ack cipher, implemented on target Virtex-‐5 FPGA


10

Ring Oscillator ImplementaJon on FPGA

Ø  Two implementa5ons have been schemed. •  A 1-‐inverter RO is implemented, covering 9 CLBs (40 data registers).

Rou5ng path is properly controller, to enforce passing through (“route-‐thru”) 3 corner CLBs.

•  A 1-‐inverter RO is implemented, passing through the 4 LUTs in a single slice.

target slice for 1-inverter RO and 4 round data

register bits

RO output

RO routing loop1 Inverter and

enable

the used PLL

round data registers

RO output

(Single slice RO: protect 4 registers) (RO covering 9 CLBs: protect 40 registers)

210 MHz 260 MHz


11

Experimental Setup of Laser Fault InjecJon

Ø  Setup specifics – RISCURE Pulse Laser Injector plalorm. •  X-‐Y 2D motorized stage, with 0.05 um step size, diode pulse laser

(NI): 1064 nm •  5x (10W), 20x (8W) magnifica5on lens, with 10 MHz pulse repe55on •  Laser spot size: 60x14um2 (5x), 15x3.5um2(20x) •  Virtex-‐5 FPGA (vlx50t) on Genesys commercial board •  SASEBO-‐GII used for bridging cipher and RISCURE GUI on PC

ONOFF

X-Y


12

Chip PreparaJon

Ø  Virtex-‐5 target FPGA is mechanically process to facilitate injec5on. •  Virtex-‐5 is flip-‐chip package •  Heat sink metal lid is removed •  Substrate is thinned down from 300 um to 100 um, to reduce energy

absorp5on and refrac5on side-‐effect.

milled down layer

front-side (multiple metal layers)

300 um

100 um

back-side (substrate)

diode laser

objective lens

high-energy laser core

objective lens


13

Experimental EvaluaJon – Regional CLBs Ø  Surface LFI scan to regional CLBs, targe5ng to 9-‐CLB covered RO.

•  20x and 5x objec5ve lens are tested respec5vely •  Scan matrix: 240x200=48,000 injec5on points •  Point-‐of-‐Interest (POI) distribu5on matches CLB array on FPGA •  Different alarm densi5es are shown using 20x and 5x laser •  Cipher faults only appeared using 5x lens, no fault reported with

20x.

5,600 5,700 5,800 5,900 6,000 6,100

X (µm)

10,150

10,200

10,250

10,300

10,350

10,400

10,450

10,500

10,550

10,600

10,650

10,700

10,750

10,800

10,850

10,900

10,950

11,000

11,050

11,100

11,150

11,200

11,250

11,300

11,350

11,400

11,450Y

(µm

)

5,600 5,650 5,700 5,750 5,800 5,850 5,900 5,950 6,000 6,050 6,100

X (µm)

10,600

10,650

10,700

10,750

10,800

10,850

10,900

10,950

11,000

11,050

11,100

11,150

11,200

11,250

11,300

11,350

11,400

11,450

11,500

11,550

11,600

Y (µ

m)

CLBs for placing cipher data register

CLBs for positioning the other 3 corners of the RO loop

CLBs for placing the inverter of the 1-inverter RO

(a) with 20x objective lens (b) with 5x objective lens

Key ObservaJon: Alarm can also be triggered from injec5ons to neighboring CLBs.


14

Experimental EvaluaJon – Regional CLBs

Ø  Analysis of LFI disturbance propaga5on in FPGAs.

substrate layer

Affected !

no affection !

Affected ! Injection Location !

no affection !no affection !

metal layers

CLB/Switch Box

Transistor layer


15

Experimental EvaluaJon – Security Margin

Ø  A be?er sensor-‐based countermeasure should be more sensi5ve against injec5on impact. •  Scan area: roughly 300x400 um2 •  Only consider the 5x experimental result •  Lowest power to trigger countermeasure is: 64% of full power •  Lowest power to induce cipher faults is: 91% (except 2 outliers)

60

65

70

75

80

85

90

95

100

Pow

er (%

)

5,700 5,750 5,800 5,850 5,900X (µm)

10,900

10,950

11,000

11,050

11,100

11,150

11,200

11,250

11,300

Y (µ

m)

60

65

70

75

80

85

90

95

100

Pow

er (%

)

5,700 5,750 5,800 5,850 5,900X (µm)

10,900

10,950

11,000

11,050

11,100

11,150

11,200

11,250

11,300

Y (µ

m)

Ø  Both Power and SpaJal security margin have been observed.


16

Experimental EvaluaJon – Single CLB

Ø  Power level related fault distribu5on using 3D plopng. •  X/Y: scan plan •  Z: laser injec5on power level •  50 injec5ons into each loca5on, with rising power level by step of 1%

Key ObservaJons: •  Significantly higher chance to trigger alarm

than inducing cipher fault without alarm •  Lowest power to trigger alarm start from

62% of full power •  Lowest power to induce cipher fault starts

from 90% of full power •  Outstanding power and spaJal security

margin


17

Experimental EvaluaJon – Single CLB

Ninjected 752

Nundetected 54

Ncountermeasure 5759

Ø  Quan5fy the security escala5on using the proposed LFI sensor. 1.  Only consider injected faults 2.  Or, consider all abnormality (alarm+fault)

DetecJon Rate: chance to detect the injected faults

92.82%

InjecJon Success Rate: chance to inject faults without triggering alarm

0.94%


18

Concluding Remarks

Ø  Work Summary •  A RO-‐PLL based sensor for detec5ng laser fault injec5on is presented •  The effec5veness of the proposed system is thoroughly validated on

Xilinx FPGA •  Experiments show no5ceable power and spa5al security margin •  Experimental results show that the detec5on sensi5vity is high, with

detec5on rate of 92.82%, and injec5on success rate of 0.94% •  Explore the fault mechanism on silicon chip, and the detec5on

features on FPGAs

Ø  Future Work •  Improve the logic and validate the detec5on capability against other

fault a?acks •  Protec5on enhancement on other func5onal blocks, such as BRAMs


19

Thanks for your a?en5on!

Ques5ons?


20

Ø  Doable fault perturba5on methodologies on ICs:

•  Power System: Power Glitch, Under-‐Powering [J Blomer, et al: Fault based crytanalysis… 2003] •  Clock Tree:Clock Glitch,Over-‐Clocking

[M Agoyan, et al: On cri2cal paths and .., 2010] •  Temperature Rise: slowing down electrons/holes mobility [Hamid, H.B.E., et al: The sorcerer’s appren2ce .., 2004] •  EM Disturbance: Eddy current caused by intense magne5c field from a high transient current pulse in near-‐field

[A Dehbaoui, et al: Injec2on of transient faults…, 2012] •  OpJcal Disturbance:Laser, Intense White Light

[SP Skorobogatov, et al: Op2cal fault induc2on…, 2003]

ü  Global ü  Low-‐precision ü  Low-‐cost

ü  Local ü  High-‐precision ü  Expensive

FI Approaches on Chip


21

Further Discussions

Ø  Frequency Sensi5vity vs Protec5on Coverage. •  Higher RO RO frequency brings in higher detec5on sensi5vity, while

results in smaller protec5on area •  Disturbance propaga5on in FPGA enlarges protec5on coverage •  Full protec5on to large cipher can be protected by several sensors

Ø  Accidental “unlock-‐alarm” due to PVT factors. •  Power-‐Voltage-‐Temperature varia5on affect electrical performance of

silicon circuit •  If not malicious disturbance (sharp voltage/power change) imposed by

a?acker, PVT parameters in circuit are slight, and changing gradually, which can be recalibrated by PLL feedback loop


RingOscillatorunderLaser ...conferenze.dei.polimi.it/FDTC16/shared/FDTC-2016-session_4_2.pdf · 3...

Documents

Transcript of RingOscillatorunderLaser ...conferenze.dei.polimi.it/FDTC16/shared/FDTC-2016-session_4_2.pdf · 3...