Why is it so hard to make secure chips?
Transcript of Why is it so hard to make secure chips?
What’s new in the internet?
Traditional internet
• connects people with machines
• shares data that people create
IoT (Internet of Things)
• connects machines to machines
• shares data that machines create
Is IoT security important?
Examples:
• Remote car hijack
• Identity theft
• Medical device disturbance
• Premium content theft
Information Security?
What to protect?
• Confidentiality
• Integrity
• Availability
These are the primary targets for attackers.
How to protect?
• Cryptography
• Access control
Are IoT devices sensitive to attacks?
• Fast growing market with new, inexperienced entrants
• Operate in an uncontrolled (hostile) environment
• Pressure on time-to-market and cost
Security is all about the chip
Aspects of a chip that matter for security:
• Memory
• Interfaces
• CPU
• Test logic
• Geometry / layout
• Speed
• Security features
Invasive attack steps
1. Prepare: get the sample ready
2. Analyze: optical inspection
3. Modify: FIB (Focused Ion Beam)
4. Extract: standard interface or probe
Cross-section of a chip
Figure: cross-section of a chip. Labels: bulk silicon, P-doped area, N-doped area, poly-silicon, vias (plugs), metal wires (layers M1 to M5), passivation layer.
Imaging by optical microscope (front side)
• Visible light (390 to 700 nm)
• Maximum resolution: ~0.29 µm (at 550 nm)
• Computer controlled XYZ table + camera
Imaging by optical microscope (back side)
• Infrared light (700 nm to 1100 nm)
• Maximum resolution: ~0.63 µm
• Helps to identify functional blocks
Imaging by Scanning Electron Microscope (SEM)
• Much higher resolution
• Oxide layer in between metal layers is not transparent (for electrons)
• Computer controlled XYZ stage + imaging
Low-level HW reverse engineering
Reverse engineering reconstructs the functional layout, and then focuses on specific targets:
• Hardcoded secrets
• ROM containing executable code
• Fuses and OTP
• CPU and registers
• Security sensors
• Crypto engines
How to reverse engineer a billion gates?
• Chips use a library of less than 1K standard cells
• Automated cell recognition is possible and available in tools
• Use templates to automatically match standard cells
• Support for via and metal wire detection/tracing
• VHDL / Verilog export
Modify
Focused Ion Beam can do chip edits:
• Restore test state (fuse repair): enables arbitrary memory read
• Disable security features: short-cut shields
• Export data bus: enables data dump
Logical attacks
Why do we need logical attacks?
Physical attacks provide access, but may not reveal secrets yet:
• Reconnected a test function: need to run test routines to extract data
• Exported data lines: need to reverse engineer the code dump to find secrets
JTAG
A standardized test interface that uses a chain of cells to set / capture internal states.
Controlled by 5 external connections:
• TDI: Test Data In
• TDO: Test Data Out
• TCK: Test Clock
• TMS: Test Mode Select
• TRST: Test Reset
Further software attacks on chips
External analysis
• Run extracted code in a debug environment
• De-compilation, source-code-level analysis
Internal analysis
• Fuzzing
• Penetration testing
• Malicious code injection
Side Channel Analysis
A side channel is an unintended communication channel that can reveal secret information. Examples:
• Light
• Sound
• Heat
• Time
• Power consumption
• Electro-magnetic radiation
XBOX 360 timing issue
The XBOX 360 has a secure boot chain: a 16-byte keyed hash value is computed over the bootloader and compared with the bootloader hash. The comparison is done byte by byte, which makes it vulnerable to a timing attack.
Flow: compute the hash over the bootloader, then compare it with the bootloader hash; Ok: run the bootloader, Nok: report failure.
XBOX 360 timing attack procedure
Brute forcing 16*128 = 2048 values takes about 2 hrs.
Flowchart nodes, in order: Init hash in memory; Store rogue bootloader; Init hash byte counter; Reset XBOX; Observe failure; Register time; Increase hash byte; Reset XBOX; Observe failure; Later? (No: increase hash byte again; Yes: Final? No: increase byte counter; Yes: Success!)
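As an added illustration (not code from the talk or from the XBOX 360 firmware), the byte-by-byte comparison pattern the slides describe next to its constant-time replacement, assuming a 16-byte hash as on the slide; bytes_examined() is a constructed experiment helper that reports how many bytes each version inspects before it answers.

```c
#include <stddef.h>
#include <stdint.h>

#define HASH_LEN 16   /* 16-byte keyed hash, as on the slide */

/* Byte-by-byte comparison of the kind the slide describes: it returns at
 * the first mismatch, so the time until "Report failure" tells an observer
 * how many leading bytes of the candidate were already correct.
 * *examined receives the number of bytes the loop looked at. */
int compare_leaky(const uint8_t *expected, const uint8_t *candidate,
                  size_t *examined) {
    for (size_t i = 0; i < HASH_LEN; i++) {
        if (expected[i] != candidate[i]) {
            *examined = i + 1;
            return 0;                          /* Nok: early exit */
        }
    }
    *examined = HASH_LEN;
    return 1;                                  /* Ok */
}

/* Constant-time comparison: touches every byte, folds the differences with
 * OR and decides only at the end, so the time does not depend on where the
 * first mismatch is. */
int compare_constant_time(const uint8_t *expected, const uint8_t *candidate,
                          size_t *examined) {
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= expected[i] ^ candidate[i];
    *examined = HASH_LEN;
    return diff == 0;                          /* 1 = Ok, 0 = Nok */
}

/* Experiment helper (constructed data): the "expected" hash is 0x10..0x1f,
 * the candidate matches it in the first `prefix` bytes and differs in the
 * rest. Returns how many bytes the selected comparison examined; *ok
 * receives its verdict (ok may be NULL). */
size_t bytes_examined(int constant_time, size_t prefix, int *ok) {
    uint8_t expected[HASH_LEN], candidate[HASH_LEN];
    size_t examined;
    int verdict;
    for (size_t i = 0; i < HASH_LEN; i++) {
        expected[i] = (uint8_t)(0x10 + i);
        candidate[i] = i < prefix ? expected[i] : (uint8_t)~expected[i];
    }
    verdict = constant_time ? compare_constant_time(expected, candidate, &examined)
                            : compare_leaky(expected, candidate, &examined);
    if (ok) *ok = verdict;
    return examined;
}
```

With the leaky version the count (and so the failure time) grows by one for every correct leading byte, which is exactly what lets the hash be searched one byte at a time; the constant-time version always reports 16.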
Side Channel Analysis of Crypto
RSA is the most popular algorithm for signing data.
Algorithm for S = M^d mod N, with exponent bits d_t ... d_0:
    S := 1
    for i from t down to 0 do:
        S := S * S mod N
        if d_i = 1 then S := S * M mod N
    return S
What do we see when we measure the radiation emanated by a chip running this process?
Electro-magnetic analysis of RSA
Key bits revealed: 1 0 1 0 1 0 0 1 0
The key bits follow from the variation of the interval between dips in the trace.
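An added example, not from the talk: the slide's square-and-multiply with every modular operation logged, the bit recovery an observer would apply to such a log, and a Montgomery ladder whose operation sequence is the same for every key. The textbook parameters N = 3233, d = 2753 used for checking it and the GCC/Clang __int128 modular multiply are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* One character per modular operation: 'S' = squaring, 'M' = multiply.
 * This is the sequence of "dips" an EM probe picks up; read it back
 * with last_trace() after each call. */
static char g_trace[2 * 64 + 1];
const char *last_trace(void) { return g_trace; }
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (uint64_t)(((unsigned __int128)a * b) % n); }

/* Square-and-multiply as on the slide (d must be non-zero). The extra
 * multiply happens only for a 1 bit, so the gap between squarings leaks d. */
uint64_t rsa_naive(uint64_t m, uint64_t d, uint64_t n) {
    uint64_t s = 1;
    size_t k = 0;
    for (int i = 63 - __builtin_clzll(d); i >= 0; i--) {  /* GCC/Clang builtin */
        s = mulmod(s, s, n);
        g_trace[k++] = 'S';
        if ((d >> i) & 1) {
            s = mulmod(s, m, n);
            g_trace[k++] = 'M';
        }
    }
    g_trace[k] = '\0';
    return s;
}

/* What an observer reads off such a trace: 'S' followed by 'M' is a 1 bit,
 * 'S' directly followed by the next 'S' (or the end) is a 0 bit. */
uint64_t bits_from_trace(const char *trace) {
    uint64_t d = 0;
    for (size_t i = 0; trace[i]; i++)
        if (trace[i] == 'S')
            d = (d << 1) | (trace[i + 1] == 'M');
    return d;
}

/* Montgomery ladder: one multiply and one squaring per bit whatever its
 * value, so the sequence only reveals the exponent length. (A real
 * implementation must also hide the secret-dependent register selection.) */
uint64_t rsa_ladder(uint64_t m, uint64_t d, uint64_t n) {
    uint64_t r0 = 1, r1 = m % n;
    size_t k = 0;
    for (int i = 63 - __builtin_clzll(d); i >= 0; i--) {
        if ((d >> i) & 1) { r0 = mulmod(r0, r1, n); r1 = mulmod(r1, r1, n); }
        else              { r1 = mulmod(r0, r1, n); r0 = mulmod(r0, r0, n); }
        g_trace[k++] = 'M';
        g_trace[k++] = 'S';
    }
    g_trace[k] = '\0';
    return r0;
}
```

Both functions compute the same signature; only the naive trace lets bits_from_trace() reconstruct d, while the ladder's trace is "MS" repeated once per exponent bit.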
Fault Attacks
Change the behavior of a device by manipulating the environmental conditions:
• Clock
• Power
• EM
• Laser
Figure: threshold of the read value, and a power dip at the moment of reading a memory cell.
Exploiting faults
A successful fault can:
• Override decisions: escalate privileges
• Dump data: get secrets from memory
• Corrupt crypto: get secrets by output analysis
Dump
    char* bufferAddress = bufferBegin;
    while (bufferAddress != bufferEnd) {   /* a glitch on this comparison skips the exit */
        send(*bufferAddress);
        bufferAddress++;
    }
Single glitch leads to full memory dump
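An added example, not from the talk: a simulation of the dump loop above in which one forced loop-condition result stands in for the glitch, next to a hardened loop with a redundant inverted counter and an independent bounds check. The fault model (fault_sim, exactly one forced loop condition at step glitch_at, with glitch_at = len hitting the exit check) is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Simulated single fault: the loop condition evaluated at step `glitch_at`
 * (each evaluation of the loop condition is one step) is forced to "keep
 * looping". Constructed model for this example, not a real fault model. */
typedef struct { size_t glitch_at, step; } fault_sim;
static int compare(fault_sim *f, int real_result) {
    int r = (f->step == f->glitch_at) ? 1 : real_result;
    f->step++;
    return r;
}

/* The loop from the slide, with memory modelled as indices 0..mem_size-1
 * and the legitimate buffer being the first `len`. Returns the number of
 * bytes "sent". One faulted '!=' at the exit check is enough: the pointer
 * is then past the end, '!=' stays true, and only the end of memory stops it. */
size_t dump_naive(size_t len, size_t mem_size, size_t glitch_at) {
    fault_sim f = { glitch_at, 0 };
    size_t addr = 0, sent = 0;
    while (compare(&f, addr != len)) {
        if (addr >= mem_size) break;          /* end of simulated memory */
        sent++;                               /* send(*bufferAddress); */
        addr++;
    }
    return sent;
}

/* Hardened loop: '<' instead of '!=', a redundant inverted counter, and an
 * independent bounds check before every send, so one faulted comparison
 * cannot extend the dump; any inconsistency sets *alarm and stops sending. */
size_t dump_hardened(size_t len, size_t mem_size, size_t glitch_at, int *alarm) {
    fault_sim f = { glitch_at, 0 };
    size_t i = 0, i_inv = ~(size_t)0, sent = 0;    /* invariant: i_inv == ~i */
    *alarm = 0;
    while (compare(&f, i < len)) {
        if (i_inv != ~i || ~i_inv >= len || i >= mem_size) {
            *alarm = 1;                       /* tampering detected */
            break;
        }
        sent++;
        i++; i_inv--;
    }
    if (!*alarm && i != len) *alarm = 1;      /* loop left at an unexpected index */
    return sent;
}

int dump_hardened_alarmed(size_t len, size_t mem_size, size_t glitch_at) {
    int alarm;
    dump_hardened(len, mem_size, glitch_at, &alarm);
    return alarm;
}
```

With a 16-byte buffer in a 64-byte memory, one fault at the exit check makes the naive loop send all 64 bytes, while the hardened loop stops at 16 and raises the alarm.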
So, why is it so hard to make secure chips?
• Developers need to cover all bases, but attackers need only one bug
• Security flaws are not ‘automatically’ found and fixed
So, is there any hope?
• Secure labs to the rescue!
Takeaways
• Security is a cat and mouse game
• Testing helps to identify and mitigate risk
• Interaction between development and evaluation drives industry best practices
• Vendors that actively seek security feedback learn faster!
Riscure North America
550 Kearny St., Suite 330
San Francisco, CA 94108
USA
Phone: +1 650 646 99 79
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
Contact: Marc Witteman, [email protected]