EE5900: Cyber-Physical Systems Hardware and IoT Security


1 EE5900: Cyber-Physical Systems Hardware and IoT Security
Lin Liu and Shiyan Hu

2 Cyberattack vs. Physical Attack
Mini PCI CPU board / dual-core. Intel Atom Dual Core

3 Physical Attack
- Attack: learn information without authorization
- (Direct) access to the chip
- (Wireless) connection to signal wires
- Equipment, tools, skills and knowledge
- 16901A 2-slot Modular Logic Analyzer, starting from US$19,209

4 Invasive vs. Non-invasive Attacks
Invasive
- Remove chip package and directly manipulate the inside of a chip
- Device damage or tampering evidence

Non-invasive
- Interact with chip via its interface (voltage, current, power, clock, I/O, etc.)
- No device damage, no tampering evidence

5 Invasive Attack: Microprobing
- Directly access the surface of a chip
- Observe, manipulate, interfere, or reverse engineer the chip

6 Non-invasive Attack: Leverage Programming or Debugging Port
- Belkin Wemo as a remote switch
- How to hack?
  - Connecting a UART adapter with "57600,8N1"
  - Run the command "kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')"
  - Root shell can be accessed
- Spread virus to neighboring devices through remote upgrading channels

7 Simple Power Analysis (SPA)
- Visual examination of graphs of the power
- Variations in power consumption for different operations or input
- Oscilloscopes can show the data-induced variations
- Measuring power
  - Read from terminal in smart cards
  - Relatively inexpensive

8 An Example Crypto-Algorithm
Convert a key K to binary: $k_s k_{s-1} \dots k_1 k_0$

    b = 1;
    for (i = s; i >= 0; i--) {
        b = (b * b) % n;          /* square: executed for every key bit */
        if (k[i] == 1)
            b = (b * a) % n;      /* multiply: executed only when k_i is 1 */
    }
    return b;

Goal: to make a guess on K.
The value of bit $k_i$ determines whether the multiply operation is executed.

9 Analysis
- If $k_i = 0$, there is only a square operation ($b^2$)
- If $k_i = 1$, there is a square operation ($b^2$) followed by a multiply operation (b*a)
- It takes less power and time to compute $b^2$ than b*a
- The higher power consumption slot is grouped with its previous lower power consumption slot, which is recognized as 1, and otherwise 0.
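The grouping rule above can be reproduced on a simulated slot trace. This Python sketch is an added example, not part of the original slides: the "S"/"M" slot labels and the sample key and modulus are constructed, and the square-and-multiply-always variant is a standard countermeasure that the slides do not cover.

```python
# Added example: model each power slot of the loop as a symbol.
# "S" = square (lower-power slot), "M" = multiply (higher-power slot).
# This models the operation sequence only; Python gives no timing guarantees.

def square_and_multiply(a, key_bits, n):
    """The slide's loop. key_bits is k_s..k_0; returns (result, slot trace)."""
    b, trace = 1, []
    for k in key_bits:
        b = (b * b) % n
        trace.append("S")
        if k == 1:                      # key-dependent operation: this is the leak
            b = (b * a) % n
            trace.append("M")
    return b, trace

def bits_from_trace(trace):
    """Grouping rule: an M joined to the S before it reads as 1, a lone S as 0."""
    bits = []
    for slot in trace:
        if slot == "S":
            bits.append(0)
        else:
            bits[-1] = 1
    return bits

def square_and_multiply_always(a, key_bits, n):
    """Countermeasure: multiply on every bit, keep the product only if k_i = 1."""
    b, trace = 1, []
    for k in key_bits:
        b = (b * b) % n
        trace.append("S")
        t = (b * a) % n                 # always executed, so every bit shows S, M
        trace.append("M")
        b = k * t + (1 - k) * b         # arithmetic select instead of a branch
    return b, trace

# Constructed sample values (not from the slides).
KEY_BITS = [1, 0, 1, 1, 0, 1]           # K = 45
A, N = 7, 3233

if __name__ == "__main__":
    r1, t1 = square_and_multiply(A, KEY_BITS, N)
    print("leaky trace:   ", "".join(t1), "->", bits_from_trace(t1))
    r2, t2 = square_and_multiply_always(A, KEY_BITS, N)
    print("hardened trace:", "".join(t2), "->", bits_from_trace(t2))
    print("results agree: ", r1 == r2 == pow(A, 45, N))
```

With the hardened loop every key bit produces the same slot pair, so the grouping rule reads all ones regardless of the key.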

10 SPA Features
- Directly deduces information (e.g., key) from power
- Needs precise understanding of the crypto algorithm and its implementation
- If the implementation is not known, differential power analysis (DPA) can be used
- An SPA example is available at

11 Timing Analysis Based Attacks
Assumptions
- Execution time variation on some operations
- The execution time variation is measurable
- Design of the crypto-system is known

    if (a < b)
        x = 8;
    else
        x = c - d;

[Figure: flowchart branching on a < b to either x = 8 or x = c - d]

12 Case Study: Credit Card

13 First Generation Credit Card: Magnetic Stripe Card
Magnetic stripe keeps security data (authentication data) through modifying the magnetism of tiny iron-based magnetic particles on the band. The magnetic stripe is read by swiping through a magnetic reading head.

14 Authentication Flow
- User $i$ w/ Magnetic Stripe Card
- Request for authentication information
- Authentication information for user $i$
- If it is valid: Yes, card is authenticated
- Otherwise: No, card is not authenticated

15 Hack?
- Given a malicious magnetic card reader, the magnetic stripe is read by swiping through its reading head and the authentication information can be obtained
- The hacker can clone the card with the same authentication information and impersonate that user
- It has been documented that the information from 40 million credit and debit cards has been stolen

16 Second Generation Credit Card: Microcontroller Based Card
The smart card is embedded with a microchip (integrated circuit) that can store and process data. It provides cryptographic services (e.g. authentication, confidentiality, integrity). EMV (Europay, MasterCard and Visa) is a global standard for cards equipped with computer chips.

17 Authentication Flow

In-factory characterization
- Table with columns: User, Request, Response
- Encrypt request $P_{ij}$ to get response $C_{ij}$ using a crypto-algorithm with the pre-stored key

Authentication flow
- User $i$ w/ chip based credit card
- Send smart card ID for user $i$
- Request $P_{ij}$
- Response $C_{ij}$
- If $C_{ij} = C_{ij}$: Yes, card is authenticated
- Otherwise: No, card is not authenticated
- Withdraw $200: user gets $200, reduce the balance by $200
- How is the response computed?

18 Hack?
- This is the main weakness, since the security of computation only depends on the key
- A physical attack can erase the security lock bit by focusing UV light on the EEPROM
- Probe the operation of the circuit by using microprobing needles
- Use laser cutter microscopes to explore the chip
- Locate the private key $K$ used in the smart card
- Clone a fake credit card with the same private key
- Compute response as f(request, $K$) to impersonate the credit card user

[Figure: smart card chip block diagram: CPU, RAM, test logic, ROM, EEPROM, serial I/O interface, security logic, databus. EEPROM holds: cryptographic keys, PIN code, biometric template, balance, application code]

19 Next Generation Credit Card: PUF Based Card
The main idea/advantage of Physically Unclonable Functions (PUFs) is to generate the keys on the fly rather than saving keys locally. Since PUFs leverage the fabrication induced variations, they are very sensitive to manipulation, so the secondary advantage is that when attackers deploy invasive attacks, they will damage PUFs with a very high probability.

20 Circuit Delay
Circuit delay = Interconnect delay + Gate delay

21 Interconnect
The interconnect delay depends on the wire width

22 Gate
The gate delay depends on the channel width

23 Lithography System: A Simplistic View

24 Designed vs. Fabricated Features

25 Fabrication Statistics
- Chip design cannot be reliably fabricated
- Gap
  - Lithography technology: 193nm wavelength
  - VLSI technology: 45nm features
- Lithography induced variations
  - Impact on timing and power
  - Even for 180nm technology, variations up to 20x in leakage power and 30% in frequency were reported.
- Large wavelength will degrade the printing quality, and thus there are significant variations in feature sizes (wire widths or channel widths). After printing, circuit delay can be significantly different from what was designed.

26 The Motivational Example
[Figure: circuit with inputs D and C and output Q, labelled Challenge and Response, with its truth table]
- If the first path is faster, then D = 0, C = 1, output Q = 0
- If the second path is faster, then D = 1, C = 0, output Q remains at 1
- The fabrication variation will generate unpredictable true random output.

27 PUFs Properties

Basic requirements
- For two PUFs, difference between responses to same challenge should be large
- For a single PUF, two measured responses to the same challenge should be the same (e.g., robust to environmental change)

Expected features
- Evaluatable: y = PUF(x) is easy
- Unclonable: hard to make PUF'(x) given PUF(x)
- One-way: given y and PUF(), cannot find x
- Tamper evident: tampering changes PUF()

[Figure: Challenge x -> PUF -> Response y]
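The two basic requirements can be checked numerically on a toy model. This Python sketch is an added example, not from the slides: it models each response bit as a race between two fabricated paths, as in the motivational example, and the nominal delay, variation and noise figures are assumed values.

```python
import random

# Assumed model parameters (illustrative, not from the slides).
NOMINAL_PS = 1000.0    # designed path delay
FAB_SIGMA_PS = 50.0    # fabrication-induced variation, fixed per chip
NOISE_SIGMA_PS = 0.5   # measurement/environmental noise, fresh per evaluation
N_PATHS, N_BITS = 256, 128

class DelayPUF:
    """Toy PUF: path delays are fixed at 'fabrication' (a seeded RNG stands in
    for process variation)."""
    def __init__(self, fab_seed):
        fab = random.Random(fab_seed)
        self.delays = [fab.gauss(NOMINAL_PS, FAB_SIGMA_PS) for _ in range(N_PATHS)]

    def respond(self, challenge, noise):
        """challenge: list of (i, j) path pairs to race; bit is 1 if path i is faster."""
        bits = []
        for i, j in challenge:
            d_i = self.delays[i] + noise.gauss(0.0, NOISE_SIGMA_PS)
            d_j = self.delays[j] + noise.gauss(0.0, NOISE_SIGMA_PS)
            bits.append(1 if d_i < d_j else 0)
        return bits

def make_challenge(seed):
    """Constructed challenge: N_BITS random pairs of distinct path indices."""
    rng = random.Random(seed)
    return [tuple(rng.sample(range(N_PATHS), 2)) for _ in range(N_BITS)]

def hamming(x, y):
    return sum(p != q for p, q in zip(x, y))

def measure_distances():
    """Return (intra, inter): one chip measured twice, and two chips compared."""
    challenge = make_challenge(seed=1)
    chip_a, chip_b = DelayPUF(fab_seed=101), DelayPUF(fab_seed=202)
    noise = random.Random(7)
    first_a = chip_a.respond(challenge, noise)
    second_a = chip_a.respond(challenge, noise)
    first_b = chip_b.respond(challenge, noise)
    return hamming(first_a, second_a), hamming(first_a, first_b)

if __name__ == "__main__":
    intra, inter = measure_distances()
    print(f"intra-chip distance: {intra}/{N_BITS} bits (should be near 0)")
    print(f"inter-chip distance: {inter}/{N_BITS} bits (should be near {N_BITS // 2})")
```

A verifier that stores enrolled responses would accept a card when the measured distance falls below a threshold chosen between these two figures.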

28 PUF Applications

29 Block Based Ring Oscillator PUF
- The previous simple implementation requires precise timing measurement
- Response $r = f_A / f_B$, with $f_A = 4$, $f_B = 3$
- B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, "Silicon Physical Random Functions," in ACM CCS, pp , 2002.

