Ring Oscillator under Laser ...conferenze.dei.polimi.it/FDTC16/shared/FDTC-2016-session_4_2.pdf

Ring Oscillator under Laser: Potential of PLL based Countermeasure against Laser Fault Injection

Wei He*, Jakub Breier*, Shivam Bhasin*, Noriyuki Miura+, Makoto Nagata+
* Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore
+ Graduate School of System Informatics, Kobe University, Japan

FDTC’16, August 16, 2016, Santa Barbara, US.

Purposes of Fault Injections in Circuit

➢ Fault Attack (FA) exploits intentionally triggered faulty data or faulty physical behaviors of the target device, in order to study the device properties or extract confidential information about its internals.
  • Evaluation of fault tolerance of critical systems (harsh working environment, e.g., high energy cosmic ray)
  • Assistant means for reverse engineering
  • Break SCA countermeasure
  • Induce sensitive computation errors in cryptosystem for retrieving crypto keys (e.g., DFA, Algebraic FA, FSA, round reduction, etc.)

Laser-Induced Fault on Transistor

[Figure: laser on a transistor cross-section; labels: VSS, VDD, N+, PMOS, P substrate, LASER, observed current; a transient can be further propagated]

➢ Temporary photocurrent induced by laser radiation.
  • Example: A laser injection into the drain of the NMOS of a CMOS inverter can temporarily turn the PMOS ON.
  • In a real IC, the laser radiates numerous transistors simultaneously, hence the fault mechanism induced in the IC is complicated.
  • Laser also impacts signal propagation in routings because of its charging and discharging effects on parasitic capacitance.

Countermeasure against Fault Injections

➢ Algorithm-Intrinsic Countermeasure:
  • Original algorithm is modified to be fortified with detection capability of abnormal values.
    ◆ Algorithm implemented by multi rails. (Dual-rail comparison; Triple-rail majority voting)
    ◆ Concurrent Error Detection (CED). (Parity computation and comparison)
  • Heavy!
  • Can only detect Already-INJECTED faults, e.g., cannot predict coming injection attempt. – no Security Margin, low detection coverage.

Countermeasure against Fault Injections

➢ Sensor based Countermeasure
  Requirements of eligible sensors
  • Logically independent from the protected algorithm.
  • More sensitive under injection impact (laser, EM, clock, power, temperature, etc)
  • Be able to predict on-going injections in advance – Power/Spatial Security Margin.

[Figure: Power Security Margin and Spatial Security Margin; labels: cipher fault sensitive region, sensor detection region, min. power (sensor-alarm), min. power (cipher-fault), power]

Digital Ring Oscillator under Laser

➢ Frequency ripple of RO can be temporarily incurred under external electrical impacts in vicinity, such as intensive EM/laser pulse, or power/clock glitch

[Figure: RO with start-up (en) input; plots of Amplitude vs. Time Samples, panels "RO Frequency without laser impact" and "RO Frequency with laser impact". (Observable frequency ripple on high-frequency RO)]

Phase-Locked Loop (PLL) Sensor System

➢ PLL is a widely used analog component in circuit.
  • Consists of: Phase-Frequency Detector (PFD), Low Pass Filter (LF), Voltage-controlled Oscillator (VCO).
  • Provides a phase-locked clock using the feedback loop.
  • A disturbance in PLL clock input may temporarily unlock PLL.

[Figure: PLL block diagram; blocks: Phase-Frequency Detector (PFD), Low-Pass Filter (LPF), Voltage-Controlled Oscillator, 1/N; ports: CLKIN1 (input from RO), CLKFBIN, RST, CLKOUT0 to CLKOUT5, CLKFBOUT, LOCKED; RO Watchdog with Alarm output. Timeline of Locked and Alarm signals: vigilant, laser injection, injection detected, vigilant]

Exemplary Xilinx FPGA Architecture

[Figure: a CLB made of two Slices, each with four 6-LUTs, flip-flops FF-A to FF-D and a Carry Chain; Switch-Box; routing channel; interconnects between Slices and routing channels]

➢ Virtex-5 FPGA is used as the attack target
  • SRAM based FPGA, manufactured in 65 nm process, encapsulated by flip-chip package.
  • CLB (slice pair) array with peripheral components.
  • Switch-box provides rich interconnects between slice pins and external routing channels.
➢ So, a CLB and a switch-box form a basic logic cluster in Xilinx FPGA

Target Block Cipher – PRESENT80

➢ Lightweight symmetric PRESENT-80 is selected as the attack cipher, implemented on target Virtex-5 FPGA
  • Round data registers are the target logics for laser injection attacks.
  • The timing of injection focuses on the last round data registers.

[Figure: PRESENT-80 round datapath; labels: plaintext (64), round keys (64), S-boxes S (4), pLayer (64), round data registers (D/Q, 64), round_ctrl, ciphertext (64)]

Ring Oscillator Implementation on FPGA

➢ Two implementations have been schemed.
  • A 1-inverter RO is implemented, covering 9 CLBs (40 data registers). Routing path is properly controlled, to enforce passing through (“route-thru”) 3 corner CLBs.
  • A 1-inverter RO is implemented, passing through the 4 LUTs in a single slice.

[Figure: placement views of the two ROs, (Single slice RO: protect 4 registers) (RO covering 9 CLBs: protect 40 registers); labels: target slice for 1-inverter RO and 4 round data register bits, RO output, RO routing loop, 1 inverter and enable, the used PLL, round data registers; frequencies shown: 210 MHz, 260 MHz]

Experimental Setup of Laser Fault Injection

➢ Setup specifics – RISCURE Pulse Laser Injector platform.
  • X-Y 2D motorized stage, with 0.05 um step size, diode pulse laser (NI): 1064 nm
  • 5x (10W), 20x (8W) magnification lens, with 10 MHz pulse repetition
  • Laser spot size: 60x14 um² (5x), 15x3.5 um² (20x)
  • Virtex-5 FPGA (vlx50t) on Genesys commercial board
  • SASEBO-GII used for bridging cipher and RISCURE GUI on PC

Chip Preparation

➢ Virtex-5 target FPGA is mechanically processed to facilitate injection.
  • Virtex-5 is flip-chip package
  • Heat sink metal lid is removed
  • Substrate is thinned down from 300 um to 100 um, to reduce energy absorption and refraction side-effect.

[Figure: laser injection through the thinned back side; labels: diode laser, objective lens, high-energy laser core, back-side (substrate), milled down layer, 300 um, 100 um, front-side (multiple metal layers)]

Experimental Evaluation – Regional CLBs

➢ Surface LFI scan to regional CLBs, targeting the 9-CLB covered RO.
  • 20x and 5x objective lens are tested respectively
  • Scan matrix: 240x200=48,000 injection points
  • Point-of-Interest (POI) distribution matches CLB array on FPGA
  • Different alarm densities are shown using 20x and 5x laser
  • Cipher faults only appeared using 5x lens, no fault reported with 20x.

[Figure: scan maps over X (µm) and Y (µm), (a) with 20x objective lens, (b) with 5x objective lens. Legend: CLBs for placing cipher data register; CLBs for positioning the other 3 corners of the RO loop; CLBs for placing the inverter of the 1-inverter RO]

Key Observation: Alarm can also be triggered from injections to neighboring CLBs.

Experimental Evaluation – Regional CLBs

➢ Analysis of LFI disturbance propagation in FPGAs.

[Figure: chip cross-section with substrate layer, transistor layer (CLB/Switch Box) and metal layers; regions around the injection location marked "Affected" or "no affection"]

Experimental Evaluation – Security Margin

➢ A better sensor-based countermeasure should be more sensitive against injection impact.
  • Scan area: roughly 300x400 um²
  • Only consider the 5x experimental result
  • Lowest power to trigger countermeasure is: 64% of full power
  • Lowest power to induce cipher faults is: 91% (except 2 outliers)

[Figure: two maps of Power (%) over X (µm) and Y (µm)]

➢ Both Power and Spatial security margin have been observed.

Experimental Evaluation – Single CLB

➢ Power level related fault distribution using 3D plotting.
  • X/Y: scan plane
  • Z: laser injection power level
  • 50 injections into each location, with rising power level by step of 1%

Key Observations:
  • Significantly higher chance to trigger alarm than inducing cipher fault without alarm
  • Lowest power to trigger alarm starts from 62% of full power
  • Lowest power to induce cipher fault starts from 90% of full power
  • Outstanding power and spatial security margin

Experimental Evaluation – Single CLB

  N_injected = 752
  N_undetected = 54
  N_countermeasure = 5759

➢ Quantify the security escalation using the proposed LFI sensor.
  1. Only consider injected faults
  2. Or, consider all abnormality (alarm+fault)

  Detection Rate (chance to detect the injected faults): 92.82%
  Injection Success Rate (chance to inject faults without triggering alarm): 0.94%

Concluding Remarks

➢ Work Summary
  • A RO-PLL based sensor for detecting laser fault injection is presented
  • The effectiveness of the proposed system is thoroughly validated on Xilinx FPGA
  • Experiments show noticeable power and spatial security margin
  • Experimental results show that the detection sensitivity is high, with detection rate of 92.82%, and injection success rate of 0.94%
  • Explore the fault mechanism on silicon chip, and the detection features on FPGAs
➢ Future Work
  • Improve the logic and validate the detection capability against other fault attacks
  • Protection enhancement on other functional blocks, such as BRAMs

Thanks for your attention!
Questions?

FI Approaches on Chip

➢ Doable fault perturbation methodologies on ICs:
  • Power System: Power Glitch, Under-Powering [J Blomer, et al: Fault based cryptanalysis… 2003]
  • Clock Tree: Clock Glitch, Over-Clocking [M Agoyan, et al: On critical paths and .., 2010]
  • Temperature Rise: slowing down electrons/holes mobility [Hamid, H.B.E., et al: The sorcerer’s apprentice .., 2004]
  • EM Disturbance: Eddy current caused by intense magnetic field from a high transient current pulse in near-field [A Dehbaoui, et al: Injection of transient faults…, 2012]
  • Optical Disturbance: Laser, Intense White Light [SP Skorobogatov, et al: Optical fault induction…, 2003]

✓ Global ✓ Low-precision ✓ Low-cost
✓ Local ✓ High-precision ✓ Expensive

Further Discussions

➢ Frequency Sensitivity vs Protection Coverage.
  • Higher RO frequency brings higher detection sensitivity, while resulting in smaller protection area
  • Disturbance propagation in FPGA enlarges protection coverage
  • A large cipher can be fully protected by several sensors
➢ Accidental “unlock-alarm” due to PVT factors.
  • Power-Voltage-Temperature variations affect electrical performance of silicon circuit
  • If no malicious disturbance (sharp voltage/power change) is imposed by the attacker, PVT parameter changes in the circuit are slight and gradual, and can be recalibrated by the PLL feedback loop
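
The unlock behaviour from the PLL sensor slide and the PVT argument above, as an added example that is not from the slides or the authors' design: a simplified discrete-time PI loop whose gains, lock window and both frequency traces are constructed assumptions. It shows gradual drift being tracked by the feedback loop while an abrupt RO frequency dip drops lock.

```python
# Added behavioural sketch (not the authors' design): a discrete-time PI
# phase-locked loop fed by a ring-oscillator (RO) frequency trace.
# Gains, lock window and both traces are constructed assumptions.

F_NOM = 210.0        # MHz, sample nominal RO frequency
KP, KI = 0.5, 0.05   # assumed proportional / integral loop-filter gains
LOCK_WINDOW = 1.0    # assumed |phase error| bound for LOCKED = 1


def run_pll(f_in_trace):
    """Return (first tick with LOCKED low or None, peak |phase error|,
    LOCKED state at the end of the trace)."""
    phase_err = 0.0   # PFD output: accumulated frequency difference
    integ = 0.0       # integral branch of the loop filter
    f_vco = F_NOM
    first_unlock, peak = None, 0.0
    for tick, f_in in enumerate(f_in_trace):
        phase_err += f_in - f_vco               # phase-frequency detector
        integ += KI * phase_err                 # low-pass (PI) loop filter
        f_vco = F_NOM + KP * phase_err + integ  # VCO retuned via feedback
        peak = max(peak, abs(phase_err))
        if abs(phase_err) > LOCK_WINDOW and first_unlock is None:
            first_unlock = tick                 # watchdog would raise Alarm
    return first_unlock, peak, abs(phase_err) <= LOCK_WINDOW


def pvt_drift_trace(n=4000, total_drift=2.0):
    """Constructed: RO slows by total_drift MHz gradually over n ticks."""
    return [F_NOM - total_drift * k / (n - 1) for k in range(n)]


def laser_pulse_trace(n=400, start=200, width=20, dip=5.0):
    """Constructed: RO frequency dips by `dip` MHz for `width` ticks."""
    return [F_NOM - dip if start <= k < start + width else F_NOM
            for k in range(n)]


if __name__ == "__main__":
    print("PVT drift  :", run_pll(pvt_drift_trace()))
    print("laser pulse:", run_pll(laser_pulse_trace()))
```

In this model the loop relocks after the dip ends, matching the vigilant, injection detected, vigilant sequence on the sensor slide; a real PLL's lock detector and loop constants will differ.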