System Level Design Methods for Secure Embedded Systems

Transcription

1 System Level Design Methods for Secure Embedded Systems Patrick Schaumont Center for Embedded Systems in Critical Applications

2 Secure Embedded Systems Mobile Biometrics Mobile Authentication Access Control Mobile Identification Secure embedded systems face specific risks. They are 1. more accessible 2. more resource-constrained Keys Tagging Vehicle ID Electronic Purse Electronic Ticketing RFID Driver License Smart Card Health Care e-passport Inventory 2

3 More accessible = more vulnerable Security Attacks Based On Crypto-Heaven Protocol Algorithm Data Timing Energy (Intrusive or Passive) Channel (SW) Architecture Stack/ Memory (HW) Micro-Architecture Bus Device Execution Power Analysis EMI Analysis Circuit 3

4 More accessible = more vulnerable Security Attacks Based On Crypto-Heaven Protocol Algorithm Data Timing Energy (Intrusive or Passive) Channel Architecture Micro-Architecture Circuit Stack/ Design Memory methods for secure embedded systems aim to provide systematic protection against data-, Device Bus Execution timing-, or energy-based Power SCAAnalysis EMI Analysis while considering design cost, performance and form factor. 4

5 Secure Embedded Technologies A low end RFID today: 128-bit ROM, control circuit, RF & power circuit A high end smartcard today: Pipelined 32-bit RISC Memory management & protection hardware 240 Kbyte ROM, 16Kbyte RAM, 912Kbyte EEPROM Coprocessors for Public Key (RSA, ECC), DES, RNG Timer, Sensors for hi/lo Voltage/Freq, Temp, Light Technologies are extremely diverse [Hitachi] Being part of a security chain, they can become weakest links [Infineon] Therefore, embedding security means getting involved in a wide range of technologies (software, hardware, circuits, layout,..) 5

6 Design Methods for Embedded Security Partitioning for Security Protect Root of Trust Root of Trust = A component that must behave as expected, because misbehavior cannot be detected (Trusted Computing Group) Root of Trust = The part of the design that can hurt you! (D. Gollmann) Example to discuss - Secure biometrics in ThumbPod (UCLA) Secure Codesign Interface Refinement in a Security-partitioned system 6

7 The ThumbPod Project (UCLA) ThumbPod authenticated communications bank embedded electronics fingerprint sensor 7

8 ThumbPod Operation 1. Enrollment template (~30 minutia) minutia extraction 2. Normal Use User matches stored template? send rand reply token' =? rand template E token 8

9 Partitioning the ThumbPod (insecure) ThumbPod-2 Client Root-of-Trust Template Accept Minutiae Extraction Matching Algorithm Reject Server (considered secure) rand Master Key Session Key S k Load Master key Crypto Load Bogus plain Master Key Crypto plain payload Crypto crypt Crypto payload 9

10 Partitioning the ThumbPod ThumbPod-2 Client Minutiae Extraction Architecture-Level Secure Partition Template Accept Matching Algorithm Reject Server rand Master Key Session Key S k Load Master key Crypto Load Bogus plain Master Key Crypto plain payload Crypto crypt Crypto payload 10

11 ThumbPod-2 Client Microarchitecture to server UART UART to sensor Secure Circuit Style LEON-2 Processor RAM/ FLASH AMBA Bridge In Port Out Port Chip Command Interface Crypto Module Master Key Oracle Template Matching Algorithm 11

12 Secure matching of Minutiae Input Template (secure) not ok ok Untrusted Software Query Response Oracle for each input minutia pair I: for each template minutia pair T: if (I ~ T) matching_count++; if (matching_count > N) then match = true; else match = false; 12

13 HW/SW Partitions for secure matching main oracle extract I secure_initialize( ); for each input minutia pair I: for each template pair T secure_compare( I ); if (secure_match( )) then match = true; else match = false; secure interface secure_initialize( ) { matching_count = 0; secure_compare( I ) { if (I == T) matching_count++; secure_match( ) { if (matching_count > N) then return true; else return false; Template C secure_initialize( ) secure_compare( ) secure_match( ) Template software driver secure instruction set hardware oracle 13

14 System-level Security Partitioning Server Protocol/Algorithm-level validation Client root-of-trust Architecture-level attacks Noncritical software Architecture-level validation Software driver Matching & Crypto SW Microarchitecture-level attacks Matching & Crypto HW Microarchitecture-level validation Circuit-level attacks Side-channel free circuit DPA-resistant HW 14

15 System-level Security Partitioning Server Protocol/Algorithm-level validation Client root-of-trust Architecture-level attacks Noncritical software Matching & Crypto SW GEZEL: Tool support for codesign Architecture-level validation Software driver Microarchitecture-level attacks Matching & Crypto HW Microarchitecture-level validation Circuit-level attacks Side-channel free circuit DPA-resistant HW 15

16 GEZEL Cycle-true Hardware Description Language Deterministic and Implementation-oriented Easy to learn and use (11-page LRM) Hardware Simulation Kernel Open-source (C++) with co-simulation backend Library block concept Toggle/Operation Profiler VHDL/Testvector Backend 16

17 Example of a GEZEL codesign Crypttext 128 aes_decoder done rst ld aes_top (AES/ECB) Key Plaintext instructions (0x ) data_in (0x ) data_out (0x ) Addr Data Embedded Software Driver µp Core FSMD model of hardware HW/SW Interfaces Library Blocks GEZEL Model Power Profile Cycle Performance VHDL SW Simulation (Instruction-Set Simulation) 17

18 An FSMD in GEZEL dp updown(out a : ns(4)) { reg c : ns(4); sfg inc { c = c + 1; a = c; sfg dec { c = c 1; a = c; +1-1 c <10 >0 s0 s1 fsm ctl_updown(updown) { initial s0; state if (c < 10) then (inc) -> s0; else (dec) -> if (c > 0) then (dec) -> s1; else (inc) -> s0; a 18

19 Equivalent SystemC model SC_MODULE(fsm_counter) { sc_in <bool> clk; sc_in <sc_uint<2> > flags_counter; sc_out<sc_uint<3> > ins_counter; sc_signal<int> state, state_next; void eval_logic(); void update_regs(); SC_CTOR(fsm_counter) { SC_METHOD(eval_logic); sensitive << flags_counter << state; SC_METHOD(update_regs); sensitive_pos(clk); state = state_next = 0; ; void fsm_counter::eval_logic() { sc_uint<3> flags = flags_counter.read(); switch(state) { case 0: if (flags[0]) { state_next = 1; ins_counter.write(c_do_dn c_do_io); FSM else { state_next = 0; ins_counter.write(c_do_up c_do_io); break; case 1: if (flags[1]) { state_next = 0; ins_counter.write(c_do_up c_do_io); else { state_next = 1; ins_counter.write(c_do_dn c_do_io); break; void fsm_counter::update_regs() { state = state_next; const int counter_do_io = 1; const int counter_do_up = 2; const int counter_do_dn = 4; SC_MODULE(dp_counter) { sc_in <bool> clk; sc_in <sc_uint<3> > ins_counter; sc_in <sc_uint<2> > ud; sc_out<sc_uint<3> > a; sc_out<sc_uint<2> > flags_counter; sc_signal<sc_uint<3> > c, c_next; sc_signal<sc_uint<2> > u, u_next; sc_signal<sc_uint<3> > nc; void eval_logic(); void update_regs(); SC_CTOR(dp_counter) { SC_METHOD(eval_logic); sensitive << c << nc << ud; SC_METHOD(update_regs); sensitive_pos(clk); c = c_next = 0; u = u_next = 0; ; Datapath void dp_counter::eval_logic() { sc_uint<3> sfg = ins_counter.read(); if (sfg & counter_do_io) { u_next = ud.read(); a.write(nc); flags_counter.write(u); if (sfg & counter_do_up) { nc = c.read() + 1; c_next = nc; if (sfg & counter_do_dn) { nc = c.read() - 1; c_next = nc; void dp_counter::update_regs() { u = u_next; c = c_next; 19

20 FSMD networks (Closed) FSMD networks wire FSMD F1 FSMD F2 GEZEL models Extended FSMD networks FSMD F1 FSMD F2 Library Block Library Block: - Interface in GEZEL - Body in C++ - IO, Cosimulation, IP 20

21 Platform Simulators with GEZEL GEZEL Application (by designer) EmSW Platform Simulator (by tool builder) parser GEZEL Kernel (C++ Library) VHDL codegen RT codegen executable object hierarchy user-defined ipblock impl. Communication Channel Instruction-Set Simulator Cycle-true System Scheduler 21

22 GEZEL Platform Simulator Examples Single-Processor Multi-Processor Hybrid GEZEL GEZEL GEZEL µp coproc µp µp network or coproc µp µp network or coproc SH3 ARM LEON AVR 32-bit 8-bit m-arm m-arm + n-8051 SystemC Java (JNI) port-mapped memory-mapped coprocessor-interface-mapped shared-memory buffer 22

23 The codesign process C aes(int *in, int *key, int *out) { //.. int main() {.. aes(i, k, o);.. partitioning HW/SW interface GEZEL dp aes(in di: ns(128); in k: ns(128); out do: ns(128)) {... Execution Model: How the coprocessor operates Data Transfer Model: How data is exchanged with it 23

24 Execution and Data Transfer Models High-level concerns (things to think of first) Low-level concerns (things to think of next) Execution Model Concurrency Model Co-processing Model Instruction-set Design Data Transfer Model Parameters & Arguments API Model Interface Design Cost-effective embedded systems do not have to be fastest; they have to be efficient MAX # bits gates. cycles 24

25 Execution Model - Concurrency Concurrency Model Block-pipelined in-buffer in in-buffer pipe-buffer pipe-buffer op in op out out-buffer out out-buffer For single bus, should have T op ~ (T in + T out ) 25

26 Data Transfer Model: Parms and Args Shared-memory model of C is forgiving. Any memory location will work as argument or as a parameter. e.g. int aes(int *din, int *key, int *out); for ECB: in-argument parameter out-argument In a coprocessor, difference is crucial Parameter needs to be set once, enhances the operation Argument needs to be set/retrieved every operation Wrong partitioning results in a communications bottleneck. 26

27 AES HW Performance - at JAVA level Execution stack: JAVA -> KVM -> LEON2 32-bit RISC -> AES HW aes(din, key, dout) aes(din, dout) log 10 (Cycles) X performance gain log 10 (Cycles) X performance gain X integration overhead X integration overhead AES in JAVA AES in HW (but called from JAVA) 0 AES in JAVA AES in HW (but called from JAVA) Compared to SW, HW is so fast, that API (and data copying) gets a key impact on resulting performance. 27

28 Data Transfer Model: API Model Driver API HW async IO SW interrupt Application close( ) write( ) ioctl( ) open( ) read( ) irq( ) control sync IO Adr polling( ) Data standard bus decode regfile Crypto hardware needs encapsulation Register set, Shared storage Address mapping Interrupts Coprocessor design is constrained by many interfaces Driver API Bus Interface Not just HW/SW interface design! design usage model top-down (from the programmer's viewpoint) 'Firmware-friendly design', David Fechser (EETimes series) 128 Crypto

29 The security dimension of coprocessors Need to consider security next to performance Execution Model Execution is a (time+energy) side-channel. Balance execution with constant-time/constantpower implementation techniques. Data Transfer Model API's are a (data) sidechannel [Bond, Anderson]. Parameters vs Arguments: Parameters may become side-channels [Chan]. 29

30 Power/Operation profiles GEZEL $option "profile_toggle_alledge_toggles" $option "profile_toggle_alledge_operations" Type Evals dpinput dpoutput reg sig assign_op ior_op xor_op and_op 2000 shr_op add_op 771 sub_op 845 not_op 2000 sel_op eq_op cycles of AES encryption for random data 30

31 Challenges for secure system design System level: Trusted computing aims to support protected capabilities, integrity measurement, integrity reporting. 'Trusted computing'covers only the general case, application-specific solutions are still needed Tool support (for Thumbpod-type of designs) Make security and trust 'measurable'as a quality of individual bits & operations on these bits (modeling issue) Partition algorithms in secure/non-secure parts: measure information spread in the algorithm Transform secure part for minimal complexity Validate & verify security protocol and protocol faults 31

32 Challenges for secure system design Embedded Security is a big opportunity for hardware and logic Hardware offers qualities that software has lost (viruses etc) Besides performance, offers assured and constant-time behavior Recent attack on hyper-threaded processors clarifies the issue for software But for Big Time Secure Hardware need modeling & design support for the complete security pyramid (protocol, algorithm,..., circuit) need to recognize the weakest link principle: look at the complete system and at multiple abstraction levels 32

33 Thank You! GEZEL Homepage: