Investigation of a Masking Countermeasure against Side-Channel Attacks for RISC-based Processor Architectures
L. BARTHE, P. BENOIT, L. TORRES
LIRMM - CNRS - University of Montpellier 2
FPL'10 - Tuesday 31 August, 2010, Milan, Italy

Context: Side-Channel Attacks
  Attackers exploit the correlation between data and physical leakages in order to reveal the secrets

Topic of this Work
  Main objective
    Improving the robustness of embedded processors against Power and ElectroMagnetic Analysis
  Contributions
    A RISC pipeline threat model
    A new masking countermeasure for RISC-based processors
  Challenge
    Implement countermeasures without compromising requirements of embedded systems!
    [Figure: trade-off between Area, Security, Speed and Power]

A Case Study: Xilinx's MicroBlaze
  A 32-bit RISC processor
    Soft-core processor
    Designed and supported by Xilinx for their FPGAs
    High level of flexibility
    Typical processor for embedded systems
  MicroBlaze's architecture
    Modified Harvard architecture
    Classic RISC 5-stage pipeline
    Extra features: barrel shifter, cache memories etc.
  Pipelining increases processor performance by increasing the instruction throughput
  What about security?

SCAs on the MicroBlaze
  Example: Data Encryption Standard (DES)
    Symmetric block cipher algorithm
    Standard software implementation using ANSI C code / mb-gcc
  [Figure: ANSI C compiled to ASM; a DES attack model (Kocher) on the first round, with inputs L0, R0, K1 and outputs L1 = R0, R1 = L0 XOR F(R0, K1)]

Concrete Evaluation: Acquisition Setup
  [Figure: acquisition setup showing the X-Y table, oscilloscope, EM sensor probe, low-noise amplifier and Spartan-3 board]

Concrete Evaluation: DEMA Flow
  First step: data acquisition
  Second step: perform attacks
  Last step: analyze results

Concrete Evaluation: DEMA Results
  Full key discovered with less than 500 electromagnetic traces
  [Figure: DEMA traces, voltage against time, for the correct sub-key and the other sub-keys; highest amplitude => guessed key]

MicroBlaze's Datapath
  [Figure: five-stage datapath with Instruction Fetch (IF), Instruction Decode (ID), Execute (EX), Memory Access (MA) and Write-Back (WB); blocks: instruction memory, register file, ALU, data memory; pipeline registers IF/ID, ID/EX, EX/MA, MA/WB]

The Pipeline Threat Model
  [Figure: the pipeline stages (instruction fetch (IF) with the instruction memory, instruction decode (ID) with the register file, execute (EX) with the ALU, memory access (MA) with the data memory, write-back (WB)) and the pipeline registers IF/ID, ID/EX, EX/MA, MA/WB, with an XOR instruction followed by a SWI instruction moving through the stages over clock cycles n to n+5; below it, DEMA traces, voltage against time, for the correct sub-key and the other sub-keys]

Investigation of a Secure Processor: Overview
  Pipelined processors increase the efficiency of SCAs
  Hardware countermeasures not only focused on the ALU and the register file of the processor
  Challenge: overhead vs security

State-of-Art of Countermeasures
  ALGORITHM: Arithmetic Masking, Boolean Masking, Random Execution, Dummy Cycles
  CIRCUIT: Noise Generators, Decoupled Power Supply
  GATE: Gate Level Masking, Dual-Rail Logic, Asynchronous Logic
  Legend: masking countermeasures, hiding countermeasures
  No perfect solution has been identified but the security can be significantly improved

Masking Countermeasures
  Main idea
    Sensitive data are masked with various random numbers
    A mask correction is performed at key steps
  Strategy for Power and ElectroMagnetic Analysis
    Confuse the attacker
  Example: Boolean masking
    Masked data result from XOR operations
    [Figure: data D XORed with mask M to give the masked data, and XORed with M again to give D]

A RISC-based Masked Datapath - 1
  Dual pipelined datapath
    RISC pipeline with masked data
    New one with the corresponding mask
  [Figure: data path D1 -> Combinatorial Process -> D2 beside mask path M1 -> Combinatorial Process -> M2]
  Exploiting the simplicity of RISC architectures
  Trade-Off

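Added example, not code from the slides or from the SecretBlaze project: a software model of the Boolean-masked dual datapath, with one share on the data pipeline and the matching mask on the mask pipeline, and a check that the mean Hamming weight on the data pipeline no longer follows the secret. Assumptions: the type and function names are hypothetical, xorshift32 stands in for the hardware mask source, and Hamming weight is used as the leakage proxy.

```c
#include <stdint.h>
#include <stdio.h>

/* Dual datapath register: data pipeline holds d ^ m, mask pipeline holds m. */
typedef struct { uint32_t masked; uint32_t mask; } share_t;

/* xorshift32 with a fixed seed: a deterministic stand-in (assumption)
   for whatever random source feeds the mask register file. */
static uint32_t rng_state = 2463534242u;
static uint32_t next_mask(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static share_t mask_value(uint32_t d) {
    uint32_t m = next_mask();          /* fresh mask for every value */
    share_t s = { d ^ m, m };
    return s;
}

/* XOR instruction: each pipeline applies the operation to its own share. */
static share_t masked_xor(share_t a, share_t b) {
    share_t r = { a.masked ^ b.masked, a.mask ^ b.mask };
    return r;
}

/* Mask correction: recombine the two shares. */
static uint32_t unmask(share_t s) { return s.masked ^ s.mask; }
static int hamming_weight(uint32_t v) {
    int n = 0;
    for (; v; v &= v - 1) n++;
    return n;
}

/* Mean Hamming weight seen on the data pipeline for one fixed secret. */
static double mean_masked_hw(uint32_t secret, int runs) {
    long total = 0;
    for (int i = 0; i < runs; i++) total += hamming_weight(mask_value(secret).masked);
    return (double)total / runs;
}

int main(void) {
    share_t r = masked_xor(mask_value(0xDEADBEEFu), mask_value(0x0F0F0F0Fu));
    printf("XOR after mask correction: 0x%08X\n", (unsigned)unmask(r));
    printf("mean masked HW, secret 0x0: %.2f\n", mean_masked_hw(0u, 4096));
    printf("mean masked HW, secret ~0:  %.2f\n", mean_masked_hw(0xFFFFFFFFu, 4096));
    return 0;
}
```

Unmasked, the two secrets have Hamming weights 0 and 32; masked, both average close to 16. The share-wise rule in masked_xor holds for XOR only and does not model the ALU, which the conclusion slide lists as still critical.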
A RISC-based Masked Datapath - 2
  [Figure: the five-stage datapath (Instruction Fetch (IF), Instruction Decode (ID), Execute (EX), Memory Access (MA), Write-Back (WB); instruction memory, register file, ALU, data memory; pipeline registers IF/ID, ID/EX, EX/MA, MA/WB) extended with a Mask Register File and the MAMU]

A new Open-Processor is Born
  The SecretBlaze
    Compliant with the MicroBlaze's instruction set
    Modified Harvard architecture
    RISC 5-stage pipeline
    Optional features (barrel shifter etc.)
    Available soon at http://www.lirmm.fr/~barthe/
  [Figure: block diagram labelled SecretBlaze's Processor, SecretBlaze's Core and SecretBlaze's Sub-System; stages: Instruction Fetch, Instruction Decode, Execute, Memory Access, Write-Back; blocks: IM Bus Interface, Register File, ALU, DM Bus Interface, MSR, INT, Decoder, Instruction Cache, Data Cache, WB Bus Master Interface, WB IO Bus Master Interface; signals: int_i, halt_sb_i, clk_i, rst_n_i, im_bus_i/o, dm_bus_i/o, wb_mem_bus_i/o, wb_io_bus_i/o]

Evaluation: Overhead
                      Without countermeasure   With countermeasure   Overhead
  Max Freq. in MHz    52.70                    46.98                 -11.2 %
  # Slices            816                      1013                  + 24 %
  # LUTs              1493                     1705                  + 14 %
  # BRAMs             7                        10                    + 14 %

Evaluation: Robustness
  First Correct Guess
                             1st Pos.        2nd Pos.
    Without countermeasure   431             601
    With countermeasure      7177 (x 16)     1387 (x 2)
  Pipeline state per clock number (same sequence for both traces)
    n:    XOR in ID, SWI in IF
    n+1:  XOR in EX, SWI in ID
    n+2:  XOR in MA, SWI in EX
    n+3:  XOR in WB, SWI in MA
    n+4:  SWI in WB
    n+5:  ...
  [Figure: DEMA traces without countermeasure and DEMA traces with countermeasure, voltage against time, for the correct sub-key and the other sub-keys; an "ALU" annotation marks the traces]

A RISC-based Masked Datapath - 3
  [Figure: the masked five-stage datapath (Instruction Fetch (IF), Instruction Decode (ID), Execute (EX), Memory Access (MA), Write-Back (WB); Register File, Mask Register File, MAMU, ALU, instruction and data memories; pipeline registers IF/ID, ID/EX, EX/MA, MA/WB) with regions annotated Masked, Unmasked, Masked]

Conclusion
  Hardware weaknesses of pipelined processors
  A new masking countermeasure for embedded processors
  A new Open-Processor
  Significant reduction of the undesirable effects of the pipelining technique
  ALU is still a critical security issue
  Power constant logics or asynchronous logics should be investigated
  High-order attacks?

Thanks for your attention