Tamper Resistance - a Cautionary Note Ross Anderson Markus Kuhn

Tamper Resistance - a Cautionary Note Ross Anderson University of Cambridge Computer Laboratory Markus Kuhn University of Erlangen/ Purdue University

Applications of Tamper Resistant Modules
Security of cryptographic applications is based on secure storage of secret keys and unobservability of computation. Distributed and mobile applications allow the attacker full physical access to hardware over an extended period of time:
- pay-tv access control
- electronic purses
- financial transaction terminals
- software copy protection
- prepayment meters
- anti-theft protection
- authentic telemetry
- protection of algorithms
- cellular phones
- ...

Classification of Attackers
Class I: Clever Outsiders. Often very intelligent, have insufficient knowledge of the system, have access to moderately sophisticated equipment, use existing weaknesses in the system.
Class II: Knowledgeable Insiders. Substantial specialized technical education and experience, varying degrees of understanding of the system but potential access to most relevant information, often highly sophisticated tools.
Class III: Funded Organizations. Teams of specialists with complementary skills, great funding resources, capable of in-depth analysis and design of sophisticated attacks, most advanced tools, access to knowledgeable insiders.
[according to Abraham, Dolan, Double, Stevens: Transaction Security System, IBM Systems Journal, Vol. 30, No. 2, 1991.]

Getting Access to the Die Surface in Plastic Chips and Smartcards
1) Remove covering plastic manually
2) Put with a pipette a few drops of fuming nitric acid (>98% HNO3) on the remaining plastic
3) The etching process can be accelerated by heating up chip and acid with an IR radiator
4) Wash away acid and dissolved plastic with acetone
5) Repeat from step 2 until the die surface is fully exposed

UV Read-out of Standard Microcontrollers
[Diagram: UV light directed at the EEPROM security fuse]
Many microcontrollers have an EEPROM security fuse located outside the EEPROM program memory.
- Open chip package
- Cover program memory with opaque material
- Reset security fuse in UV EPROM eraser
- Access memory with program/verify commands

Common Attack Techniques for Microcontrollers
Security locks can often be released using unusual operating conditions:
- PIC16C84: raise VCC to VPP-0.5V and repeated writes to the lock bit will clear it without erasing the program memory.
- DS5000: short voltage drops sometimes release the lock
- Smartcard controller: low VCC causes the RBG to output mostly 1 bits
- Intel 8051-compatible µCs can be read out using the EA pin to switch between internal and external ROM access.
- Protection flip-flops can sometimes be reset with short VCC drops.
- Try all out-of-specification voltages, timings, temperatures, and programming protocol errors [FIPS 140-1].
Other common attack techniques try to get insight by
- protocol timing analysis
- EEPROM high temperature aging plus VCC variations
- current consumption analysis
- recording of leakage currents on switchable port/bus pins

Change single instructions by signal glitches
[Diagram: glitches applied on the VCC, CLK and RST signals]
Fault model:
- Links between transistors form RC delay elements
- R and C vary between links and individual chips
- The maximum RC of any link determines the maximum CLK frequency
- The RST signal is sometimes not latched, which allows partial resets
- Transistors compare VCC and V_C, which allows VCC glitches

Glitch attack on an output loop
Typical data output routine in security software:
  1  b = answer_address
  2  a = answer_length
  3  if (a == 0) goto 8
  4  transmit(*b)
  5  b = b + 1
  6  a = a - 1
  7  goto 3
  8  ...
Cause a CLK or VCC glitch when instruction 3 or 6 is being fetched, in order to extend the loop length so that additional memory content is sent to the port.
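To make the effect of a single skipped branch concrete, and to illustrate the closing slide's advice to use fault-tolerant machine code, here is an added C simulation; it is not code from the slides or from Anderson and Kuhn, and the memory contents, ANSWER_LEN and the fault model (the instruction-3 test skipped once) are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample memory: a 4-byte answer followed by 8 bytes that must never
   leave the chip (stands in for the "additional memory content" on the slide). */
static const uint8_t memory[12] = { 'O','K','!','\n','S','E','C','R','E','T','!','!' };
enum { ANSWER_LEN = 4 };

/* Fault model (assumption): the 'a == 0' test (instruction 3 on the slide) is
   skipped once, on loop iteration glitch_iter; glitch_iter < 0 means no glitch. */
static int exit_test(uint8_t a, int iter, int glitch_iter) {
    return iter == glitch_iter ? 0 : (a == 0);
}

/* Naive output loop from the slide. Returns the number of bytes written to out.
   out_cap only bounds this harness; real firmware would run on until a wraps. */
size_t naive_output(uint8_t *out, size_t out_cap, int glitch_iter) {
    size_t sent = 0;                 /* b - answer_address */
    uint8_t a = ANSWER_LEN;          /* answer_length */
    for (int iter = 0; !exit_test(a, iter, glitch_iter); iter++) {
        if (sent >= out_cap) break;  /* harness bound, not part of the slide's code */
        out[sent] = memory[sent];    /* transmit(*b); b = b + 1 */
        sent++;
        a--;                         /* a = a - 1; wraps to 255 after the glitch */
    }
    return sent;
}

/* Fault-tolerant variant: the loop exit is re-checked two independent ways
   (a complementary copy of the counter, and the count of bytes already sent);
   a disagreement sets *fault and stops output instead of trusting one branch. */
size_t hardened_output(uint8_t *out, size_t out_cap, int glitch_iter, int *fault) {
    size_t sent = 0;
    uint8_t a = ANSWER_LEN, a_inv = (uint8_t)~ANSWER_LEN;   /* a ^ a_inv == 0xFF */
    *fault = 0;
    for (int iter = 0; !exit_test(a, iter, glitch_iter); iter++) {
        if ((uint8_t)(a ^ a_inv) != 0xFF || sent >= ANSWER_LEN || sent >= out_cap) {
            *fault = 1;              /* counter pair or byte count inconsistent */
            break;
        }
        out[sent] = memory[sent];
        sent++;
        a--;
        a_inv++;                     /* keep the complementary pair in step */
    }
    return sent;
}
```

With the glitch on the iteration where a reaches 0, the naive loop keeps transmitting past the answer, while the hardened loop stops at 4 bytes and raises the fault flag.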

Advanced Attack Tools
- Microprobing workstation: up to around nine needles
- Laser cutter: allows breaking connections and removing passivation
- Electron beam testing: comfortable access to bus signals
- Focused ion beam workstation: creates new connections
- Selective dry etching: helps to work around depassivation sensors
- Automatic layout reconstruction: creates a circuit diagram
- Electro-optic sampling: scans a lithium niobate crystal with laser light for effects of E-field variations (e.g., 5 V, 25 MHz)
- IR rear access: observe transistors via electro-optic effects from below, at wavelengths at which the Si substrate is transparent

Example Read-Out Operation for a Smartcard Security Processor
[Diagram: CLK signal, microcode control unit and program counter (load low, load high, load out, +1) driving the 16-bit address bus of the EEPROM; one single microprobing needle on the 8-bit data bus; old connection opened with laser cutter; new connection established with focused ion beam workstation]
Problem: Minimize the number of microprobing needles required for EEPROM read-out.
One solution:
- Disconnect most parts of the CPU from the on-chip bus
- Use CPU components (e.g., program counter) to generate all addresses sequentially
- Observe only one data bus bit per run, as multiple needles are difficult to handle
- Combine all eight data bus observations into a memory dump and disassemble the secret software

Protection techniques
- environmental sensors
- copier traps
- top-layer coating
- multilayer design
- fusible links
- fine wire winding package
- conductive ink package
- composite materials
- oscillator salting
- battery buffered SRAM
- non-deterministic timing
- ...
Problems of battery buffered SRAM approaches:
- low temperature delays bit pattern degradation without VCC
- long term exposure to a constant bit pattern causes ion migration

Conclusions:
- do not blindly trust manufacturer claims about tamper resistance
- tamper resistance should be only an additional layer of protection and not a single point of failure; avoid global secrets
- clever protocols and public key cryptography can reduce the importance of tamper resistance
- use fault-tolerant machine code in smartcards
- the smartcard form factor is problematic for high security applications
- implement fallback modes, intruder detection, intruder identification, and countermeasures
- insist on in-depth hostile review of your design