This presentation provides an overview of attack methods used against chips and highlights the importance of better security in a modern IoT infrastructure. Originally presented by Riscure's Marc Witteman at the GLSVLSI symposium in May 2016.
Why is it so hard to make secure chips?
Marc Witteman
GLSVLSI, May 18, 2016
What’s new in internet?
Traditional internet
• connects people with machines
• shares data that people create
IoT (Internet of Things)
• connects machines to machines
• shares data that machines create
What is the Internet of Things?
(figure) Source: Vivante
Is IoT security important?
• Remote car hijack
• Identity theft
• Medical device disturbance
• Premium content theft
Information Security?
How to protect?
• Cryptography
• Access control
What to protect?
• Confidentiality
• Integrity
• Availability
Primary targets for attackers
Are IoT devices sensitive to attacks?
• Fast growing market with new, inexperienced entrants
• Operate in an uncontrolled (hostile) environment
• Pressure on time-to-market and cost
Imaging by optical microscope (front side)
• Visible light (390 to 700 nm)
• Maximum resolution: ~0.29 µm (550 nm)
• Computer controlled XYZ table + camera
Imaging by optical microscope (back side)
• Infrared light (700 nm to 1100 nm)
• Maximum resolution: ~0.63 µm
• Helps to identify functional blocks
Imaging by Scanning Electron Microscope (SEM)
• Much higher resolution
• Oxide layer in between metal layers is not transparent (for electrons)
• Computer controlled XYZ stage + imaging
Low-level HW reverse engineering
Reverse engineering reconstructs the functional layout,
and then focuses on specific targets:
• Hardcoded secrets
• ROM containing executable code
• Fuses and OTP
• CPU and registers
• Security sensors
• Crypto engines
How to reverse engineer a billion gates?
• Chips use a library of less than 1K standard cells
• Automated cell recognition possible and available in tools
• Use templates to automatically match standard cells
• Support for via and metal wire detection/tracing
• VHDL / Verilog export
Modify
Focused Ion Beam can do chip edits
• Restore test state (fuse repair)
    enable arbitrary memory read
• Disable security features
    short cut shields
• Export data bus
    enable data dump
Logical attacks
Why do we need logical attacks?
Physical attacks provide access, but may not reveal secrets yet
• Reconnected a test function
    Need to run test routines to extract data
• Exported data lines
    Need to reverse engineer code dump to find secrets
JTAG
A standardized test interface that uses a chain of cells to set / capture internal states.
Controlled by 5 external connections
• TDI Test Data In
• TDO Test Data Out
• TCK Test Clock
• TMS Test Mode Select
• TRST Test Reset
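To make "a chain of cells to set / capture internal states" concrete, here is a toy model of a JTAG-style scan chain. This is an added example, not code from the slides or from Riscure: the chain length of 8 cells is an assumption for illustration, the TMS-driven TAP state machine that selects the capture/shift/update phases on a real device is left out, and only the TDI/TDO/TCK data path is modelled. It shows why a test interface that is reachable again (see "Restore test state" on the FIB slide) gives direct set/read access to internal state without any software bug being needed, which is why production parts should have it permanently disabled.

```c
/* Added example (not part of the slides): toy model of a JTAG-style scan
 * chain. CAPTURE copies internal state into the chain, each TCK pulse in
 * SHIFT moves the chain one cell toward TDO while taking a new bit from TDI,
 * and UPDATE writes the shifted-in bits back to the core. CHAIN_LEN is an
 * assumption; the TMS-driven TAP state machine is omitted. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAIN_LEN 8   /* assumed: number of scan cells, cell 0 nearest TDI */

typedef struct {
    uint8_t core[CHAIN_LEN];   /* internal state as seen by the chip logic */
    uint8_t cell[CHAIN_LEN];   /* the shift register formed by the scan cells */
} ScanChain;

/* CAPTURE: latch the internal states into the chain so they can be read out. */
void chain_capture(ScanChain *c) {
    memcpy(c->cell, c->core, CHAIN_LEN);
}

/* SHIFT: one TCK edge. The bit on TDI enters cell 0, every cell hands its
 * value to the next, and the last cell's previous value appears on TDO. */
int chain_shift(ScanChain *c, int tdi) {
    int tdo = c->cell[CHAIN_LEN - 1];
    memmove(&c->cell[1], &c->cell[0], CHAIN_LEN - 1);
    c->cell[0] = (uint8_t)(tdi & 1);
    return tdo;
}

/* UPDATE: apply the shifted-in bits to the internal states. */
void chain_update(ScanChain *c) {
    memcpy(c->core, c->cell, CHAIN_LEN);
}

/* Read every internal state out through TDO. Cell CHAIN_LEN-1 leaves first,
 * so the result has core[k] in bit k. Zeros are shifted in meanwhile. */
unsigned chain_read_all(ScanChain *c) {
    unsigned out = 0;
    chain_capture(c);
    for (size_t i = 0; i < CHAIN_LEN; i++)
        out = (out << 1) | (unsigned)chain_shift(c, 0);
    return out;
}

/* Set every internal state through TDI: bit k of 'value' ends up in core[k].
 * The top bit is clocked in first so it travels all the way to the last cell. */
void chain_write_all(ScanChain *c, unsigned value) {
    for (size_t i = 0; i < CHAIN_LEN; i++)
        chain_shift(c, (int)((value >> (CHAIN_LEN - 1 - i)) & 1));
    chain_update(c);
}

/* Set then capture on a fresh chain; returns what comes back on TDO. */
unsigned chain_roundtrip(unsigned value) {
    ScanChain c;
    memset(&c, 0, sizeof c);
    chain_write_all(&c, value);
    return chain_read_all(&c);
}

/* Internal state of cell k after 'value' has been shifted in and updated. */
int chain_core_bit(unsigned value, size_t k) {
    ScanChain c;
    memset(&c, 0, sizeof c);
    chain_write_all(&c, value);
    return k < CHAIN_LEN ? c.core[k] : -1;
}

int main(void) {
    printf("wrote 0xA5 via TDI, read back via TDO: 0x%02X\n", chain_roundtrip(0xA5));
    return 0;
}
```

The two operations the slide names map onto chain_write_all (set) and chain_read_all (capture): anything wired into the chain, register bits included, is reachable through three pins and a clock.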
Side Channel Analysis
A side channel is an unintended communication channel that can reveal secret information
• Light
• Sound
• Heat
• Time
• Power consumption
• Electro-Magnetic radiation
XBOX 360 timing issue
• XBOX 360 has a secure boot chain
• 16 byte keyed hash value computed over bootloader
• Comparison is per byte: timing attack
Flowchart: Bootloader → Compute hash → Compare hash (with stored Hash) → Ok: Run bootloader; Nok: Report failure
XBOX 360 timing attack procedure
Brute forcing 16*128 = 2048 values takes about 2 hrs
Flowchart (flattened):
1. Init hash in memory
2. Reset XBOX; observe failure; register time
3. Init hash byte counter
4. Store rogue bootloader; reset XBOX; observe failure
5. Later? No: increase hash byte, back to step 4. Yes: increase byte counter
6. Final? No: back to step 4. Yes: Success!
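The per-byte comparison behind the timing issue and the procedure above, as an added example that is not code from the slides or from the XBOX 360: a comparison that returns at the first mismatching byte, next to a constant-time version. "Time" is modelled as the number of bytes the comparison examines, so the effect is deterministic; on the real device the same difference is the delay before the failure is reported. The 16-byte stored hash is a constructed value.

```c
/* Added example (not part of the slides): early-exit per-byte comparison vs.
 * constant-time comparison, with work (bytes examined) as a proxy for time.
 * The stored hash is constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 16   /* the slides describe a 16-byte keyed hash */

typedef int (*compare_fn)(const uint8_t *, const uint8_t *, size_t *);

/* Leaky comparison: returns at the first mismatching byte. 'work' receives
 * the number of bytes examined, i.e. how long the device stayed busy. */
int compare_leaky(const uint8_t *stored, const uint8_t *computed, size_t *work) {
    for (size_t i = 0; i < HASH_LEN; i++) {
        if (stored[i] != computed[i]) {
            *work = i + 1;
            return 0;
        }
    }
    *work = HASH_LEN;
    return 1;
}

/* Constant-time comparison: examines every byte and ORs the differences into
 * one accumulator, so the work done is the same for every input. */
int compare_ct(const uint8_t *stored, const uint8_t *computed, size_t *work) {
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++) diff |= (uint8_t)(stored[i] ^ computed[i]);
    *work = HASH_LEN;
    return diff == 0;
}

/* Constructed "stored" hash. A guess is built so that its first 'prefix'
 * bytes are right and the next byte (if any) is wrong. */
static const uint8_t STORED[HASH_LEN] = {
    0x3c, 0xa1, 0x7e, 0x05, 0x99, 0xb2, 0x40, 0xd7,
    0x11, 0x6f, 0xee, 0x23, 0x58, 0xc4, 0x8a, 0x02 };

static void make_guess(uint8_t *guess, size_t prefix) {
    if (prefix > HASH_LEN) prefix = HASH_LEN;
    memset(guess, 0, HASH_LEN);
    memcpy(guess, STORED, prefix);
    if (prefix < HASH_LEN) guess[prefix] = (uint8_t)(STORED[prefix] ^ 0xff);
}

/* Work (bytes examined) reported for a guess with 'prefix' correct leading
 * bytes: grows with 'prefix' for the leaky compare, flat for the constant-time one. */
size_t work_for_prefix(compare_fn cmp, size_t prefix) {
    uint8_t guess[HASH_LEN];
    size_t work = 0;
    make_guess(guess, prefix);
    cmp(STORED, guess, &work);
    return work;
}

/* Whether the comparison accepts that guess (1 only when all 16 bytes match). */
int match_for_prefix(compare_fn cmp, size_t prefix) {
    uint8_t guess[HASH_LEN];
    size_t work = 0;
    make_guess(guess, prefix);
    return cmp(STORED, guess, &work);
}

int main(void) {
    printf("prefix  leaky  constant-time\n");
    for (size_t p = 0; p <= HASH_LEN; p++)
        printf("%6zu  %5zu  %13zu\n", p,
               work_for_prefix(compare_leaky, p), work_for_prefix(compare_ct, p));
    return 0;
}
```

The leaky table is the whole story of the slide's 16*128 figure: because the delay before "Report failure" tells the attacker whether the current byte was right, each byte can be searched on its own (128 tries on average) instead of the 16-byte value as a whole. The constant-time compare removes that signal, provided the code around it (hash computation, the path to the failure report) does not reintroduce a data-dependent delay of its own.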
Timing attack with Infectus board
(figure) source: http://beta.ivancover.com
Side Channel Analysis of Crypto
RSA is the most popular algorithm for signing data
Algorithm for S = M^d mod N, with exponent bits d_i (i = t … 0):
    S := 1
    for i from t down to 0 do:
        S := S * S mod N
        if d_i = 1 then S := S * M mod N
    return S
What do we see when we measure the radiation emanated by a chip running this process?
Electromagnetic analysis of RSA
(figure) EM trace with key bits revealed: 1 0 1 0 1 0 0 1 0, read from the variation of the interval between dips
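The square-and-multiply loop from the previous slide and the bit pattern read off the EM trace above, as an added example that is not code from the slides or from Riscure. The slide's algorithm is instrumented to record the sequence of squarings and multiplications; since the multiply only runs when d_i = 1, that sequence (which is what the dips in the EM trace expose) spells out the exponent. A square-and-always-multiply variant performs the same sequence for every exponent. The exponent 0b101010010 is the bit pattern from the EM slide; the message and modulus are constructed small values so the arithmetic fits in 64 bits.

```c
/* Added example (not part of the slides): the slide's square-and-multiply,
 * instrumented to record its operation sequence, beside a regular variant.
 * Message and modulus are constructed small values (n < 2^32). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRACE_MAX 128

typedef struct {
    char ops[TRACE_MAX + 1];  /* 'S' = square, 'M' = multiply, NUL-terminated */
    size_t n;
} Trace;

static void trace_reset(Trace *t) { if (t) { t->n = 0; t->ops[0] = '\0'; } }

static void trace_push(Trace *t, char op) {
    if (t && t->n < TRACE_MAX) { t->ops[t->n++] = op; t->ops[t->n] = '\0'; }
}

/* (a * b) mod n; stays within 64 bits as long as n < 2^32. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return ((a % n) * (b % n)) % n;
}

/* The slide's algorithm: S := S*S mod N, then S := S*M mod N only if d_i = 1.
 * 'bits' is the number of exponent bits to scan, from the top bit down.
 * 't' may be NULL when no trace is wanted. */
uint64_t modexp_leaky(uint64_t m, uint64_t d, int bits, uint64_t n, Trace *t) {
    uint64_t s = 1;
    trace_reset(t);
    for (int i = bits - 1; i >= 0; i--) {
        s = mulmod(s, s, n);
        trace_push(t, 'S');
        if ((d >> i) & 1) {           /* key-dependent branch: the leak */
            s = mulmod(s, m, n);
            trace_push(t, 'M');
        }
    }
    return s;
}

/* Square-and-always-multiply: the multiply runs on every iteration and the
 * result is selected with a mask instead of a branch, so the operation
 * sequence is "SM" repeated 'bits' times whatever the exponent is. (A real
 * implementation also needs constant-time arithmetic underneath.) */
uint64_t modexp_regular(uint64_t m, uint64_t d, int bits, uint64_t n, Trace *t) {
    uint64_t s = 1;
    trace_reset(t);
    for (int i = bits - 1; i >= 0; i--) {
        s = mulmod(s, s, n);
        trace_push(t, 'S');
        uint64_t with_m = mulmod(s, m, n);
        trace_push(t, 'M');
        uint64_t mask = 0 - ((d >> i) & 1);   /* all ones if d_i = 1, else 0 */
        s = (with_m & mask) | (s & ~mask);
    }
    return s;
}

/* What an analyst reads off the trace: an 'S' followed by 'M' is a 1 bit, an
 * 'S' followed by another 'S' (or by the end) is a 0 bit. Writes the bits,
 * top bit first, as a string into 'out' and returns how many were read. */
int bits_from_trace(const Trace *t, char *out, size_t out_len) {
    size_t k = 0;
    for (size_t i = 0; i < t->n && k + 1 < out_len; i++) {
        if (t->ops[i] != 'S') continue;
        out[k++] = (i + 1 < t->n && t->ops[i + 1] == 'M') ? '1' : '0';
    }
    out[k] = '\0';
    return (int)k;
}

/* Self-check for an implementation: the bits recovered from its operation
 * trace must not depend on the exponent. Returns the recovered-bit string
 * (static buffer, overwritten on each call). */
const char *recovered_bits(uint64_t (*modexp)(uint64_t, uint64_t, int, uint64_t, Trace *),
                           uint64_t m, uint64_t d, int bits, uint64_t n) {
    static Trace t;
    static char out[TRACE_MAX + 1];
    modexp(m, d, bits, n, &t);
    bits_from_trace(&t, out, sizeof out);
    return out;
}

int main(void) {
    const uint64_t m = 12345, n = 1000003, d = 0x152;   /* 0b101010010 from the EM slide */
    Trace t;
    modexp_leaky(m, d, 9, n, &t);
    printf("leaky   trace %s -> bits %s\n", t.ops, recovered_bits(modexp_leaky, m, d, 9, n));
    modexp_regular(m, d, 9, n, &t);
    printf("regular trace %s -> bits %s\n", t.ops, recovered_bits(modexp_regular, m, d, 9, n));
    return 0;
}
```

Run stand-alone, the leaky trace reads SMSSMSSMSSSSMS and yields 101010010, the same bits the slide shows; the regular trace is SM repeated nine times, from which the analyst reads 111111111 regardless of the key. That is the property to test for in a signing implementation: the recovered-bit string from recovered_bits must be identical for any two exponents.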
Fault Attacks
Change the behavior of a device by manipulating the environmental conditions
• Clock
• Power
• EM
• Laser
(figure) Threshold of read value: a power dip at the moment of reading a memory cell
Exploiting faults
A successful fault can
• Override decisions
    escalate privileges
• Dump data
    get secrets from memory
• Corrupt crypto
    get secrets by output analysis
Dump
    char* bufferAddress = bufferBegin;
    while (bufferAddress != bufferEnd) {   /* exits only on exact equality with bufferEnd */
        send( * bufferAddress );           /* one byte leaves the device per iteration */
        bufferAddress++;
    }
Single glitch leads to full memory dump
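Why one glitch is enough here, and what a hardened loop does differently, as an added example that is not code from the slides or from Riscure. The glitch is modelled as the loop's termination check being skipped once, at a chosen iteration, which is one effect a well-timed power or clock fault can have on a branch. Memory is a constructed 64-byte address space and "sending" a byte is modelled by counting it, so the results are sizes, not data.

```c
/* Added example (not part of the slides): the slide's dump loop beside a
 * hardened variant, both run against a simulated single glitch that skips
 * the loop's termination check once. Memory size is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE 64   /* constructed: size of the simulated address space */

typedef struct {
    size_t sent;      /* bytes that left the device */
    int    detected;  /* the hardened loop noticed the inconsistency */
} DumpResult;

/* Slide version: exits only when the pointer equals bufferEnd exactly. Once a
 * glitch lets the pointer step past bufferEnd, equality never holds again and
 * the loop keeps sending until it runs off the end of memory. */
DumpResult dump_vulnerable(size_t begin, size_t end, size_t fault_at) {
    DumpResult r = {0, 0};
    size_t addr = begin, iter = 0;
    for (;;) {
        int keep_going = (addr != end);          /* while (bufferAddress != bufferEnd) */
        if (iter == fault_at) keep_going = 1;    /* the glitch: this one check is skipped */
        if (!keep_going) break;
        if (addr >= MEM_SIZE) break;             /* model boundary only, not a real check */
        r.sent++;                                /* send(*bufferAddress) */
        addr++;                                  /* bufferAddress++ */
        iter++;
    }
    return r;
}

/* Hardened version (assumes begin <= end): an ordered (<) bound instead of
 * equality, an independent byte counter kept alongside the pointer, and a
 * consistency check after every step. One skipped check leaks at most one
 * extra byte and is detected instead of turning into a full dump. */
DumpResult dump_hardened(size_t begin, size_t end, size_t fault_at) {
    DumpResult r = {0, 0};
    size_t addr = begin, iter = 0;
    size_t len = end - begin;                    /* redundant copy of the bound */
    for (;;) {
        int keep_going = (addr < end) && (r.sent < len);
        if (iter == fault_at) keep_going = 1;    /* same glitch, same moment */
        if (!keep_going) break;
        if (addr >= MEM_SIZE) break;
        r.sent++;
        addr++;
        iter++;
        if (r.sent > len || addr > end) {        /* counters disagree with the bound */
            r.detected = 1;
            break;
        }
    }
    return r;
}

int main(void) {
    const size_t begin = 0, end = 16;                /* constructed 16-byte buffer */
    DumpResult a = dump_vulnerable(begin, end, 16);  /* glitch lands on the final check */
    DumpResult b = dump_hardened(begin, end, 16);
    printf("vulnerable: %zu bytes sent\n", a.sent);
    printf("hardened:   %zu bytes sent, fault detected = %d\n", b.sent, b.detected);
    return 0;
}
```

A glitch at any other iteration changes nothing in either loop, because the check would have passed anyway; the single moment that matters is the final comparison, and with `!=` that one moment is enough to walk the rest of memory out of the device. The hardened loop is not glitch-proof (the extra byte still leaves), but the damage is bounded and the inconsistency can trigger a response such as a reset or a counter.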
So, why is it so hard to make secure chips?
• Developers need to cover all bases, but attackers need only one bug
• Security flaws are not ‘automatically’ found and fixed
So, is there any hope?
• Secure labs to the rescue!
Takeaways
• Security is a cat and mouse game
• Testing helps identify and mitigate risk
• Interaction between development and evaluation drives industry best practices
• Vendors that actively seek security feedback learn faster!
Riscure North America
550 Kearny St., Suite 330
San Francisco, CA 94108
USA
Phone: +1 650 646 99 79
inforequest@riscure.com
Riscure B.V.
Frontier Building, Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
www.riscure.com
Contact: Marc Witteman, witteman@riscure.com
Riscure is hiring! visit www.riscure.com/careers