1

Secure Design MethodologyandThe Tree of Trust

Patrick Schaumont

Secure Embedded Systems Group

ECE Department

Virginia Tech

2

The new Cool: Reverse Engineering ...

Microsoft Zune (http://bunniestudios.com) Under the Hood (http://www.techonline.com)

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

2

3

... in a complete curriculum.

Learn hacking tricks .. (http://www.blackhat.com)

.. and write papers on it

(http://www.ssddfj.org)

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

4

It's fun to break things ..• but this presentation is about making things.

• How to handle 'secrets' in a design?

• Systematic side-channel-resistant design?

• Jumping forward, we will conclude:

• Secure design of embedded systems needs a methodology. Ad-hoc security is doomed to fail.

• Perfect security does not exist (zero-power design doesn't exist either)

• Low-risk security does exist (low-power design does exist)

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

3

5

The starting point: Root of Trust• A secret in a box by itself is useless

(useless like a key without a matching door-lock)

• So a secure system contains at least two parts:

secure

embedded

system

distrusted

environment

root-of-trustsecurity policy

• authentication

• integrity

• confidentiality

• non-repudiation

• availability

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

The part that always

works as expected

(or so you think!)

6

Design Step: Secure partitioning

secureembedded

system

distrustedenvironment

secureembeddedsubsystem

distrustedembeddedsubsystem

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

4

7

What drives secure partitioning?

• Minimize footprint of the root-of-trust

• Reduce the physical size of the root-of-trust

• Make the root-of-trust dynamic and short-lived

• Minimize the risk for side-channel-attacks

• A side-channel-attack is an interface into the root-of-trust around the security policy

side-channel-attack

secureembedded

system

distrustedenvironment

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

8

Side Channel Attaxonomy

Abstraction

Level

Attacker

ProximityCountermeasure Example

Math

Interpreter

Time

Power

EM

Implementation

Off-line Algorithm Cryptanalysis

Connected

Close-range

Physical

Protected Partition

Constant-time

Constant-powerMasked-power

Aluminium foil

Shielding

Software Tampering [vanOorschot]

Faults [Joye]

Cache [Osvik]

Branch Prediction [Aciimez]

DPA [Oswald/Mangard]

+ Higher-order

Semi-Invasive [Skorobogatov]

DPA [De Mulder]

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

5

9

Example 1: Cache timing attack

addroundkey

mixcolumns

shiftrows

sbox

CACHE(1 cycle/acces)

MEMORY(20 cycle/acces) round keysdata in

(last round)

• Execution time dependency due to cache conflicts

• Software Solution: constant-time crypto (hard)

data out

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

10

Example 1: Cache timing attack

addroundkey

mixcolumns

shiftrows

sbox

CACHE(1 cycle/acces)

MEMORY(20 cycle/acces) round keysdata in

(last round)

• Execution time dependency due to cache conflicts

• Software Solution: constant-time crypto (hard)

Root-of-Trust

Timing Side-Channel

data out

Top-levelPolicy

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

6

11

Moving Sbox into Hardware

sbox

(AES32)ALU

RAM

DCACHE

ICACHE

register

file

instructionfetch/

decodeSBOX regs

(16 byte +

4 byte rkey)

128 32

128

32

32

Hardware Sboxwith ASIP interface

AESdrivercode

CPU

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

12

Moving Sbox into Hardware

sbox

(AES32)ALU

RAM

DCACHE

ICACHE

SBOX regs

(16 byte +

4 byte rkey)

128 32

128

32

32

CPU

Hardware Sboxwith ASIP interface

Constant Execution Timing

AESdrivercode

Software Sbox:159 Dcache138 Icache

Hardware Sbox0 Dcache

52 Icache

Cache miss rateper encryption

• Timing Side-channel fixed, but others remain ..

StrongARM arch

1K I, 1K D cache,

16 byte/line direct

instructionfetch/

decoderegister

file

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

7

13

The Tree of Trust

secure

embedded

system

distrusted

environment

crypto

softwarenon-critical software

crypto

hardware

crypto

circuit

non-critical

hardware/

software

non-critical

circuit

Interpreter Side-channels

Timing Side-channels

Power Side-channels

PhysicalTamper-resistance

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

14

Where does it end? A hacker's view

http://bunniestudios.com

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

8

15

Where does it end? A designer's view

• It doesn't - the tree of trust solves a turtle problem

• Deploy countermeasures systematically and analyze vulnerabilities at each level

• Software-only is insufficient(eg. Fairplay iTunes)

• Hardware-only is insufficient(eg. Hardware keys in DVD, Xbox, HDCP)

• Working in our favor are:

• Moore's law

• Distribution of trust across the tree

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

16

The Tree of Trust

secure

embedded

system

distrusted

environment

crypto

softwarenon-critical software

crypto

hardware

crypto

circuit

non-critical

hardware/

software

non-critical

circuit

Deploy

Countermeasures

Distributed,

dynamic

secrets

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

9

17

Example #2: Chain-of-trust

Decode

D/A &Amplify

Decrypt(DRM)

FlashMemory

Side-channel:Probe and extract

DRM-freehigh-quality

music

Downloadcopy-righted multimedia

into player

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

18

Chain-of-trust for Video Messaging

ProgramMemory

PPC

SAMTrivium

Stream

CipherVGA

key

Display SW

Trivium Key

Message

CF-card

FPGA-uniqueencryption

FPGA

correct authenticationcomplete

chain-of-trust

incorrect authenticationincomplete

chain-of-trust

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

[Simpson, Yu, Schaumont]

10

19

Chain-of-trust for Video Messaging

ProgramMemory

PPC

SAMTrivium

Stream

CipherVGA

key

Display SW

Trivium Key

Message

CF-card

FPGA-uniqueencryption

FPGA

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

20

Chain-of-trust for Video Messaging

PPC

Baseline

Config

CompactFlash Data

ProgramMemory

PPC

SAMTrivium

Stream

CipherVGA

key

Display SW

Trivium Key

Message

CF-card

FPGA-uniqueencryption

FPGA

FPGAbitstreamdecryption

(keys)

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

11

21

Chain-of-trust for Video Messaging

PPC

Baseline

Config

CompactFlash Data

ProgramMemory

PPC

SAMTrivium

Stream

CipherVGA

key

Display SW

Trivium Key

Message

CF-card

FPGA-uniqueencryption

FPGA

SAMdecryption

(PUF)Configure

VGA Display

Secure SW

& Data Download

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

22

Chain-of-trust for Video Messaging

PPC

Baseline

Config

CompactFlash Data

ProgramMemory

PPC

SAMTrivium

Stream

CipherVGA

key

Display SW

Trivium Key

Message

CF-card

FPGA-uniqueencryption

FPGA TriviumStream Cipher

(key)

Configure

VGA Display

Secure SW

& Data Download

Display

VideoMessage

LoadEncrypted

Message

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations

12

23

Conclusions• Secure design of embedded systems needs a

methodology. Ad-hoc security is doomed to fail.

• The Tree-of-Trust advocates stepwise partitioning of an embedded system to achieve trustworthy operation

• Perfect security does not exist (zero-power design doesn't exist either)

• Low-risk security does exist (low-power design does exist)

Patrick Schaumont DATE 07 Friday Workshop on Secure Embedded Implementations