EE5900: Cyber-Physical Systems Hardware and IoT Security

EE5900: Cyber-Physical Systems Hardware and IoT Security Lin Liu and Shiyan Hu

Cyberattack vs. Physical Attack
[Image: Mini PCI CPU board, Intel Atom dual-core. Source: http://www.directindustry.com/prod/eurotech/product-7026-846807.html]

Physical Attack
- Attack: learn information without authorization
- (Direct) access to the chip
- (Wireless) connection to signal wires
- Equipment, tools, skills and knowledge
- Example equipment: 16901A 2-slot Modular Logic Analyzer, starting from US$19,209

Invasive vs. Non-invasive Attacks
Invasive
- Remove chip package and directly manipulate the inside of a chip
- Device damage or tampering evidence
Non-invasive
- Interact with chip via its interface (voltage, current, power, clock, I/O, etc.)
- No device damage, no tampering evidence

Invasive Attack: Microprobing
- Directly access the surface of a chip
- Observe, manipulate, interfere, or reverse engineer the chip

Non-invasive Attack: Leverage Programming or Debugging Port
- Belkin Wemo as a remote switch
- How to hack?
  - Connecting a UART adapter with "57600,8N1"
  - Run the command:
        kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')
  - Root shell can be accessed
- Spread virus to neighboring devices through remote upgrading channels

Simple Power Analysis (SPA)
- Visual examination of graphs of the power
  - Variations in power consumption for different operations or input
  - Oscilloscopes can show the data-induced variations
- Measuring power
  - Read from terminal in smart cards
  - Relatively inexpensive

An Example Crypto-Algorithm
Convert a key K to binary: $k_s k_{s-1} \dots k_1 k_0$

    b = 1;
    for (i = s; i >= 0; i--) {
        b = b*b (mod n);
        if (k_i == 1)
            b = b*a (mod n);   /* the value of bit k_i determines whether this operation is executed */
    }
    return b;

Goal: to make a guess on K

Analysis
- If $k_i = 0$, there is only a square operation ($b^2$)
- If $k_i = 1$, there is a square operation ($b^2$) followed by a multiply operation (b*a)
- It takes less power and time to compute $b^2$ than b*a
- The higher power consumption slot is grouped with its previous lower power consumption slot, which is recognized as 1, and otherwise 0.
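Added example (not from the original slides): the slide's square-and-multiply loop with the sequence of operations recorded per slot, the slide's decoding rule applied to that sequence, and a square-and-multiply-always variant whose sequence is the same for every key. The labels "S"/"M" for low and high power slots and all function names are assumptions made for illustration.

```python
SQUARE, MULTIPLY = "S", "M"   # constructed labels: low / high power slot

def modexp_leaky(a, key_bits, n):
    """The slide's algorithm; key_bits is k_s ... k_0, most significant first."""
    b, trace = 1, []
    for k in key_bits:
        b = (b * b) % n
        trace.append(SQUARE)
        if k == 1:                       # key-dependent branch: the SPA leak
            b = (b * a) % n
            trace.append(MULTIPLY)
    return b, trace

def read_key_from_trace(trace):
    """Slide's rule: a high slot grouped with the previous low slot is 1, else 0."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == MULTIPLY:
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits

def modexp_uniform(a, key_bits, n):
    """Square-and-multiply-always: every bit produces the same S, M pattern."""
    b, trace = 1, []
    for k in key_bits:
        b = (b * b) % n
        trace.append(SQUARE)
        product = (b * a) % n            # computed for every bit, used or not
        trace.append(MULTIPLY)
        # Python stand-in for the selection; real firmware needs a
        # constant-time select here instead of a conditional.
        b = product if k == 1 else b
    return b, trace

if __name__ == "__main__":
    key_bits = [1, 0, 1, 1, 0, 1]        # constructed sample key, K = 45
    result, trace = modexp_leaky(7, key_bits, 1000003)
    print("leaky trace  :", "".join(trace), "->", read_key_from_trace(trace))
    result2, trace2 = modexp_uniform(7, key_bits, 1000003)
    print("uniform trace:", "".join(trace2), "same result:", result == result2)
```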

SPA Features
- Directly deduces information (e.g., key) from power
- Needs precise understanding of the crypto algorithm and its implementation
- If the implementation is not known, differential power analysis (DPA) can be used
- An SPA example is available at https://www.youtube.com/watch?v=sgJ858sJfZo

Timing Analysis Based Attacks
Assumptions
- Execution time variation on some operations
- The execution time variation is measurable
- Design of the crypto-system is known

    if (a < b)
        x = 8;
    else
        x = c - d;

[Figure: flowchart of the branch on a < b leading to x = 8 or x = c - d]

Case Study: Credit Card

First Generation Credit Card: Magnetic Stripe Card
- Magnetic stripe keeps security data (authentication data) through modifying the magnetism of tiny iron-based magnetic particles on the band.
- The magnetic stripe is read by swiping through a magnetic reading head.

Authentication Flow
[Figure: message flow for user $i$ with a magnetic stripe card]
- Request for authentication information
- Authentication information for user $i$
- If it is valid: yes, card is authenticated
- Otherwise: no, card is not authenticated

Hack?
- Given a malicious magnetic card reader, the magnetic stripe is read by swiping through its reading head and the authentication information can be obtained
- The hacker can clone the card with the same authentication information and impersonate that user
- It has been documented that the information from 40 million credit and debit cards has been stolen

Second Generation Credit Card: Microcontroller Based Card
- The smart card is embedded with a microchip (integrated circuit) that can store and process data.
- It provides cryptographic services (e.g. authentication, confidentiality, integrity).
- EMV (Europay, MasterCard and Visa) is a global standard for cards equipped with computer chips.

Authentication Flow
In-factory characterization
- Table of User / Request / Response entries
- Encrypt request $P_{ij}$ to get response $C_{ij}$ using a crypto-algorithm with the pre-stored key
Authentication (user $i$ with chip based credit card)
- Send smart card ID for user $i$
- Request $P_{ij}$
- Response $C_{ij}$ (How is the response computed?)
- If the response received equals the stored $C_{ij}$: yes, card is authenticated
- Otherwise: no, card is not authenticated
Transaction
- Withdraw $200: user gets $200, reduce the balance by $200
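Added example (not from the original slides): both sides of the request/response flow above, with the in-factory table of (P_ij, C_ij) pairs on the issuer side and the pre-stored key on the card side. HMAC-SHA256 stands in for the slide's unspecified crypto-algorithm, and the class and method names are assumptions. It also shows why a response recorded in one session fails in the next, unlike the static data on a magnetic stripe.

```python
import hashlib
import hmac
import secrets

class ChipCard:
    """Card side: computes C_ij from P_ij with the key stored on the chip."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key

    def respond(self, request):
        # Assumption: HMAC-SHA256 stands in for the card's crypto-algorithm.
        return hmac.new(self._key, request, hashlib.sha256).digest()

class Issuer:
    """Verifier side: holds request/response pairs recorded in the factory."""
    def __init__(self):
        self._table = {}      # card_id -> unused (P_ij, C_ij) pairs
        self._pending = {}    # card_id -> C_ij expected for the open session

    def characterize(self, card, n_pairs=4):
        pairs = []
        for _ in range(n_pairs):
            p = secrets.token_bytes(16)
            pairs.append((p, card.respond(p)))
        self._table[card.card_id] = pairs

    def request(self, card_id):
        p, c = self._table[card_id].pop()     # each pair is used only once
        self._pending[card_id] = c
        return p

    def verify(self, card_id, response):
        expected = self._pending.pop(card_id, None)
        return expected is not None and hmac.compare_digest(expected, response)

def demo():
    issuer = Issuer()
    card = ChipCard("user-i", secrets.token_bytes(32))   # constructed card
    issuer.characterize(card)
    c1 = card.respond(issuer.request("user-i"))
    genuine = issuer.verify("user-i", c1)       # fresh response to fresh P_ij
    issuer.request("user-i")                    # next session, different P_ij
    replayed = issuer.verify("user-i", c1)      # recorded response, sent again
    return genuine, replayed

if __name__ == "__main__":
    print("genuine accepted: %s, replay accepted: %s" % demo())
```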

Hack?
- This is the main weakness, since the security of computation only depends on the key
- A physical attack can erase the security lock bit by focusing UV light on the EEPROM
- Probe the operation of the circuit by using microprobing needles
- Use laser cutter microscopes to explore the chip
- Locate the private key $K$ used in the smart card
- Clone a fake credit card with the same private key
- Compute response as f(request, $K$) to impersonate the credit card user
[Figure: smart card chip block diagram with CPU, RAM, ROM, EEPROM, test logic, security logic, serial I/O interface and databus. EEPROM holds: cryptographic keys, PIN code, biometric template, balance, application code.]

Next Generation Credit Card: PUF Based Card
- The main idea/advantage of Physically Unclonable Functions (PUFs) is to generate the keys on the fly rather than saving keys locally.
- Since PUFs leverage the fabrication induced variations, they are very sensitive to manipulation, so the secondary advantage is that when attackers deploy invasive attacks, they will damage PUFs with a very high probability.

Circuit Delay
Circuit delay = Interconnect delay + Gate delay

Interconnect
The interconnect delay depends on the wire width

Gate
The gate delay depends on the channel width

Lithography System: A Simplistic View

Designed vs. Fabricated Features

Fabrication Statistics
- Chip design cannot be reliably fabricated
  - Gap: lithography technology uses a 193nm wavelength, VLSI technology has 45nm features
- Lithography induced variations
  - Impact on timing and power
  - Even for 180nm technology, variations up to 20x in leakage power and 30% in frequency were reported.
- Large wavelength will degrade the printing quality, and thus there are significant variations in feature sizes (wire widths or channel widths). After printing, circuit delay can be significantly different from what was designed.

The Motivational Example
[Figure: latch circuit with inputs D and C and output Q, labelled with challenge and response, and its truth table (C, D, Q)]
- If the first path is faster, then D = 0, C = 1, output Q = 0
- If the second path is faster, then D = 1, C = 0, output Q remains at 1
- The fabrication variation will generate unpredictable true random output.

PUFs Properties
[Figure: PUF block with challenge x as input and response y as output]
Basic requirements
- For two PUFs, difference between responses to same challenge should be large
- For a single PUF, two measured responses to the same challenge should be the same (e.g., robust to environmental change)
Expected features
- Evaluatable: y = PUF(x) is easy
- Unclonable: hard to make PUF'(x) given PUF(x)
- One-way: given y and PUF(), cannot find x
- Tamper evident: tampering changes PUF()

PUF Applications

Block Based Ring Oscillator PUF
- The previous simple implementation requires precise timing measurement
- Response $r = f_A / f_B$ (example in the figure: $f_A = 4$, $f_B = 3$)
Reference: B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, "Silicon Physical Random Functions," in ACM CCS, pp. 148-160, 2002.
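Added example (not from the original slides or from the cited paper): a small simulation of a ring oscillator PUF that checks the two basic requirements from the "PUFs Properties" slide, using the ratio r = f_A / f_B from the slide above. The nominal frequency, the variation and noise figures, the pairing of oscillators and the rule "bit = 1 if r > 1" are all assumptions chosen for illustration.

```python
import random

NOMINAL_HZ = 100e6     # assumed design frequency of every ring oscillator
FAB_SIGMA = 0.05       # assumed fabrication-induced spread (5 %)
NOISE_SIGMA = 0.0005   # assumed measurement/environment noise (0.05 %)
N_PAIRS = 256          # challenge c selects oscillator pair (A, B) number c

def fabricate(chip_seed):
    """Frequencies fixed at fabrication: designed value plus random variation."""
    rng = random.Random(chip_seed)
    return [NOMINAL_HZ * (1 + rng.gauss(0, FAB_SIGMA))
            for _ in range(2 * N_PAIRS)]

def respond(chip, challenge, rng):
    """Measure the selected pair and derive one bit from r = f_A / f_B."""
    f_a = chip[2 * challenge] * (1 + rng.gauss(0, NOISE_SIGMA))
    f_b = chip[2 * challenge + 1] * (1 + rng.gauss(0, NOISE_SIGMA))
    return 1 if f_a / f_b > 1 else 0

def signature(chip, measurement_seed):
    """Responses to all challenges in one measurement run."""
    rng = random.Random(measurement_seed)
    return [respond(chip, c, rng) for c in range(N_PAIRS)]

def hamming_fraction(x, y):
    """Fraction of response bits that differ."""
    return sum(a != b for a, b in zip(x, y)) / len(x)

def evaluate():
    """Return (inter-chip, intra-chip) distance for two simulated chips."""
    chip1, chip2 = fabricate(1), fabricate(2)    # same design, two dies
    inter = hamming_fraction(signature(chip1, 10), signature(chip2, 10))
    intra = hamming_fraction(signature(chip1, 10), signature(chip1, 11))
    return inter, intra

if __name__ == "__main__":
    inter, intra = evaluate()
    print(f"two PUFs, same challenges : {inter:.2f} of bits differ")
    print(f"one PUF, measured twice   : {intra:.2f} of bits differ")
```

The first figure should sit near one half (responses of different chips are unrelated) and the second near zero (one chip repeats its own response), which is what the two basic requirements ask for.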