MemoryConfiguration Transactions for Embedded Systems Lionel Torres P BenoitG Sassatelli P Maurine Contributeurs R Elbaz B Badrignans F Devic L ID: 466871
Download Presentation The PPT/PDF document "Hardware Mechanisms for Secured" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Hardware Mechanisms for Secured Memory/Configuration Transactions for Embedded Systems
Lionel Torres, P. Benoit,G. Sassatelli, P. Maurine Contributeurs : R. Elbaz, B. Badrignans, F. Devic, L. Barthe, F. Poucheret, V. Lomne, A. DehbaouiSlide2
Hardware Mechanisms for Secured
Processor- Memory TransactionsMost embedded systems use off-chip memories:Data and instructions are exchanged in clear over the processor-memory bus.FPGA configuration
Address bus
Data bus
SoC
/FPGA
(Trusted)
External
Memory
Objectives:
Ensure the
confidentiality
and the
integrity
of data stored in off-chip memories and transferred on
SoC
/FPGA
memory interfaces.
Threats:
Unauthorized data reads
Code
injection or data alteration
Memory tamperingSoftware, SCA attacks not considered
Trusted Area
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2 FPGA
State of the art
2Slide3
Introduction
Threat ModelState of the artContribution 1: PE-ICE & PRV TreeParallelized Encryption and Integrity Checking EngineContribution 2: FPGA configurationSARFUM protocolConclusion, Future Works
Introduction
Hardware Mechanisms for Secured
Processor- Memory Transactions
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
3Slide4
COMP
Cryptographic Tools: Integrity CheckingH(M)
Message M
Tag T
Alice
Bob
Unsecured channel
(M; T)
(M; T)
M
T
Integrity Flag
K
K
Principle:
Meeting at 7h00 am in …
Meeting at 7h00 am in …
Hash functions:
Compression function
One-way function
gives a compact
representative
image of the input
MAC
(
*
) functions: take a secret key as additional input to authenticate the source of the message.
(*) Message Authentication Code
H(M)
Hash
function
hi-1
Message M
i
message digest
h
i
= f(M
i
, h
i-1
)
MAC
function
K
Introduction
T’
Tag reference
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
4Slide5
Passive Attacks
Address bus
Data bus
SoC
(Trusted)
External
Memory
Bus probing – eavesdropping [1]
01010001000100000111001001
Add
Data / Instruction
01010001000100000111001001
01110101010100010111001001
0x00000010
01110101010100010111001001
0x080ff0fa
[1] M. G. Kuhn, “Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP” IEEE Trans. Comput., vol. 47, pp. 1153–1157, October. 1998.
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
5Slide6
Passive Attacks
Attacker motivation:Off-line analysis:Key recovery Message recoveryRaw materials for active attacks…
Address bus
Data bus
SoC
(Trusted)
External
Memory
01010001000100000111001001
Add
Data / Instruction
01110101010100010111001001
0x00000010
0x080ff0fa
0x00000014
0x0ab820ff
0x00000018
0x0000001C
0x00000020
0x080112f4
0x102bcd0f
0x11ff11ab
Bus probing – eavesdropping [1]
[1] M. G. Kuhn, “Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP” IEEE Trans. Comput., vol. 47, pp. 1153–1157, October. 1998.
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
6Slide7
Active Attacks
Address busData bus
SoC
(Trusted)
Spoofing: Random data injection
Memory
Code and data injection
External
Memory
Malicious
Memory
Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert:
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
7Slide8
Active Attacks
Code and data injectionSpoofing: Random data injectionSplicing: Spatial permutationMemory
Data(@2)
Data(@3)
Data(@4)
Data(@5)
Data(@6)
Data(@7)
Data(@8)
Data(@7)
Data(@7)
SoC
(Trusted)
Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert:
Address bus
Data bus
Data(@1)
Introduction
External
Memory
Malicious
Memory
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
8Slide9
Data(@7, t1)
Active AttacksThree kinds of active attacks are defined depending on the choice made by the adversary on the data to insert:
Address bus
Data bus
SoC
(Trusted)
Code and data injection
Spoofing: Random data injection
Splicing: Spatial permutation
Replay: Temporal permutation
Memory
Data(@2, t1)
Data(@3, t1)
Data(@4, t1)
Data(@5, t1)
Data(@6, t1)
Data(@8, t1)
Data(@1, t1)
Data(@4, t1)
Data(@1, t4)
Data(@3, t8)
Data(@4, t7)
Data(@6, t6)
Data(@7, t4)
Data(@2, t9)
Data(@4, t1)
Data(@4, t1)
Introduction
External
Memory
Malicious
Memory
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
9Slide10
Active Attacks
Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert:Address bus
Data bus
SoC
(Trusted)
Code and data injection
Spoofing: Random data injection
Splicing: Spatial permutation
Replay: Temporal permutation
Attacker motivation:
Hijack the software execution
Reduce the search space for key recovery or message recovery
Introduction
External
Memory
Malicious
Memory
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
10Slide11
General Principles
CacheSoC: Trusted areaCPU core
Memory
Controller
External Memory
Ciphered memory block
Untrusted area
Trusted area
EDU
:
Encryption Decryption
Unit
ICE
:
Integrity Checking Engine
Memory block
Tag
EDU
Cache
SoC: Trusted area
CPU core
Memory
Controller
ICE
External Memory
Data Confidentiality:
symmetric encryption
Data Integrity:
append a MAC generated digest ( tag)
MAC:
Message Authentication Code
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
11Slide12
2 passes over the data
and usually 2 algorithms used (one for each security primitives: Encryption and Integrity checking) CiphertextTag
Encryption
Ke
MAC
Km
Encryption
Ke
MAC
Km
Ciphertext
Tag
Plaintext
Payload
Plaintext
Payload
Encrypt-then-MAC:
Encrypt-and-MAC:
Payload
Tag
Encryption
Ke
MAC
Km
Payload
Plaintext
MAC-then-Encrypt:
Ciphertext
E(T)
E(T): Encrypted tag
Write and Read operations:
Not parallelizable
Write operations: Not parallelizable
Read operations: Not parallelizable
General Principles
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
12Slide13
State of the Art: Summary
Introduction
Objectives
Countermeasures / Techniques
Drawbacks
Ensure Confidentiality
Thwart Spoofing Attacks
Generic composition scheme:
Encryption + MAC (Data)
Non Parallelizable
Hardware Expensive
Prevent Splicing Attacks
Generic composition scheme:
Encryption + MAC (Data,
@
)
N/A
Prevent Replay Attacks
Generic composition scheme:
On-chip memory expensive
Encryption +
MAC (Data, @,
RV
)
Encryption +
Hash (stored on-chip)
On-chip Memory Optimization
NONE
Hash Trees
Non Parallelizable
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
13Slide14
Introduction
Threat ModelState of the artContribution 1: PE-ICE & PRV TreeParallelized Encryption and Integrity Checking EngineContribution 2: FPGA configurationSARFUM protocolConclusion, Future Works
Introduction
Hardware Mechanisms for Secured
Processor- Memory Transactions
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
14Slide15
PE-ICE Principles
PE-ICE: Parallelized Encryption & Integrity Checking EngineOnly 1 pass over the data to provide both data confidentiality and integrity.Tag are not computed over the dataConfidentiality is ensured by block encryption Rijndael (J.Daemen, V.Rijmen) – AES (NIST(*
)
standard)
Data integrity checking
relies on the
diffusion property
of block encryption:
P
T
Block Encryption
(E
k
)Ciphered (P;T)AREA (Added Redundancy Explicit Authentication) applied at the block levelRedundancy is inserted in each plaintext block before encryptionRedundancy is checked after each block decryption
Introduction
(*)
NIST
: National Institute of Standard and Technology
AES: Advanced Encryption Standard
Cryptography & Threat Model
Contribution 1 PE-ICE & Trees
ConclusionContribution 2
FPGAState of the art15Slide16
PE-ICE for Read Only Data
SoC: Trusted areaMemoryController
External Memory
CPU
Cache
Address bus
PE-ICE
Ciphered memory block
SoC: Trusted area
Memory
Controller
External Memory
CPU
Cache
Address bus
PE-ICE
Ciphered memory block
Block Encryption
Block Decryption
COMP
OK?
Write operations:
The redundancy is added in each plaintext block
Read operations:
The redundancy is checked after decryption
C = E
k
(P
L
|| ADD)
P
L
|| ADD = D
k
(C)
Introduction
T’ = ADD’
T = ADD
T’ = T ?
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
16Slide17
SoC: Trusted area
MemoryController
External Memory
CPU
Cache
PE-ICE
Memory
Block Encryption
RV Generator
PE-ICE for Read Write Data
C: Ciphered memory block
Write operations:
The redundancy is added in each plaintext block
RV’
Introduction
C = E
k
(P
L
|| RV)
RV’ RV
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
17Slide18
SoC: Trusted area
MemoryController
External Memory
CPU
Cache
PE-ICE
Ciphered memory block
Memory
SoC: Trusted area
Memory
Controller
External Memory
CPU
Cache
PE-ICE
Memory
Block Encryption
RV Generator
PE-ICE for Read Write Data
C: Ciphered memory block
Block Decryption
COMP
OK?
Write operations:
The redundancy is added in each plaintext block
Read operations:
The redundancy is checked after decryption
RV’
RV’
Introduction
C = E
k
(P
L
|| RV)
P
L
|| RV = D
k
(C)
T’ = RV’
T = RV
T’ = T ?
RV’ RV
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
18Slide19
PE-ICE: Simulation Results (2/2)
PE
-
ICE
GC (CBC-MAC)
18%
5%
Performance overhead of the integrity checking mechanisms
Introduction
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
19Slide20
PE-ICE Vs Encrypt-then-MAC
AES
GC
(AES + CBC-MAC)
PE-ICE
Hardware cost
80kgates
144Kgates
+80%
80Kgates
~ 0%
Latencies
-
+54,5%
+13%
Run-time
slowdown
4KB
-
+13,7%
+3,4%
128KB
-
+7,8%
+1,7%
Off-chip Memory consumption
-
+12,5%
+25%
Introduction
Summary:
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the artSlide21
PE-ICE - Properties
ObjectivesCountermeasures / Techniques
Drawbacks
Ensure Confidentiality
Thwart Spoofing Attacks
Generic composition scheme:
Encryption + MAC (Data)
Non Parallelizable
Hardware Expensive
Prevent Splicing Attacks
Generic composition scheme:
Encryption + MAC (Data,
@
)
N/A
Prevent Replay Attacks
Generic composition scheme:
On-chip memory expensive
Encryption +
MAC (Data, @,
RV
)
Encryption +
Hash (stored on-chip)
On-chip Memory Optimization
NONE
Hash Trees
Non Parallelizable
Introduction
PE-ICE is
parallelizable
on read and write operations with
hardware area optimization.
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the artSlide22
PE-ICE On-Chip Memory Overhead
SoC: Trusted area
Memory
Controller
CPU
Cache
PE-ICE
Block Encryption
External Memory
PMR
RV Generator
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
Memory
E
k
(M1 || M2 || RV1)
E
k
(M3 || M4 || RV2)
E
k
(M5 || M6 || RV3)
Ek(M7 || M8 || RV4)
Ek(M9 || M10 || RV5)
E
k
(M11 || M12 || RV6)
E
k
(M13 || M14 || RV7)
E
k
(M15 || M16 || RV8)
Introduction
On-chip storage of the Reference Random Values (RV’):
Drawbacks: high on-chip memory overhead
PMR: Protected Memory Region
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
22Slide23
PRV-Trees
SoC: Trusted area
Memory
Controller
CPU
Cache
PE-ICE
Block Encryption
External Memory
PMR
RV Generator
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
Memory
E
k
(RV’1 || RV’2 || RV11)
E
k
(RV’3 || RV’4 || RV12)
E
k(RV’5 || RV’6 || RV13)
Ek(RV’7 || RV’8 || RV14)
RV’11
RV’12
RV’13
RV’14
E
k
(M1 || M2 || RV1)
E
k
(M3 || M4 || RV2)
E
k
(M5 || M6 || RV3)
E
k
(M7 || M8 || RV4)
E
k
(M9 || M10 || RV5)
E
k
(M11 || M12 || RV6)
E
k
(M13 || M14 || RV7)
E
k
(M15 || M16 || RV8)
PRV-Trees: scheme relying on PE-ICE allowing to securely store Reference Values (RV’) off-chip
Introduction
PMR: Protected Memory Region
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
23Slide24
PRV-Trees
SoC: Trusted area
Memory
Controller
CPU
Cache
PE-ICE
Block Encryption
External Memory
PMR
RV Generator
Memory
RV’11
RV’12
RV’13
RV’14
E
k
(RV’11 || RV’12 ||RV21)
E
k
(RV’13 || RV’14 ||RV22)
E
k
(RV’1 || RV’2 || RV11)
Ek(RV’3 || RV’4 || RV12)
Ek(RV’5 || RV’6 || RV13)
E
k(RV’7 || RV’8 || RV14)
Ek(M1 || M2 || RV1)
Ek(M3 || M4 || RV2)
E
k
(M5 || M6 || RV3)
E
k
(M7 || M8 || RV4)
E
k
(M9 || M10 || RV5)
E
k
(M11 || M12 || RV6)
E
k
(M13 || M14 || RV7)
E
k
(M15 || M16 || RV8)
RV’21
RV’22
RV’r
E
k
(RV’21 || RV’22 || RVr)
PRV-Tree: scheme relying on PE-ICE allowing to securely store Reference Values (RV’) off-chip
Introduction
PMR: Protected Memory Region
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
24Slide25
Tree Structure & Initialization
RV’21
RV’22
Non Trusted stored off-chip
Trusted
stored on-chip
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
25Slide26
Read Operations – Integrity Checking
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Read Operations
Integrity Checking
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
26Slide27
E
k(RV’11||RV’12 ||RV21)Ek(RV’21||RV’22 || RV’r)
E
k
(RV’3||RV’4||RV12)
E
k
(M5 || M6 || RV3)
Read Operations – Integrity Checking
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5M15M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
E
k
(M5 || M6 || RV3)
E
k
(RV’3||RV’4||RV12)
E
k
(RV’11||RV’12 ||RV21)
E
k
(RV’21||RV’22 || RVr)
RV’r
Decryption
Decryption
Decryption
Decryption
RV’r
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
27Slide28
Read Operations – Integrity Checking
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV11
RV12
RVr
Decryption
Decryption
Decryption
Decryption
M5
M6
RV3
RV’3
RV’4
RV12
RV’12
RV’11
RV21
RV’21
RV’22
RVr
RV’r
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Read Operations
Integrity Checking
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
28Slide29
Read Operations – Integrity Checking
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV11
RV12
RVr
OK?
Decryption
Decryption
Decryption
Decryption
M5
M6
RV3
RV’3
RV’4
RV12
RV’12
RV’11
RV21
RV’21
RV’22
RVr
RV’r
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Read Operations
Integrity Checking
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
29Slide30
Write Operations – Tree Update
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
M5b
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Write Operations
Tree Update
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
30Slide31
E
k(M5 || M6 || RV3)Ek(RV’3||RV’4||RV12)Ek(RV’11||RV’12 ||RV21)
E
k
(RV’21||RV’22 || RV’r)
Write Operations – Tree Update
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Decryption
Decryption
Decryption
Decryption
Encryption
Encryption
Encryption
Encryption
E
k
(M5 || M6 || RV3)
E
k
(RV’3||RV’4||RV12)
E
k
(RV’11||RV’12 ||RV21)
E
k
(RV’21||RV’22 || RVr)
M5
M6
RV3
RV’3
RV’4
RV12
RV’12
RV’11
RV21
RV’21
RV’22
RVr
M5b
RV3b
RV12b
RV21b
RVrb
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Write Operations
Tree Update
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
31Slide32
Write Operations – Tree Update
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Decryption
Decryption
Decryption
Decryption
Encryption
Encryption
Encryption
Encryption
M5
M6
RV3
RV’3
RV’4
RV12
RV’12
RV’11
RV21
RV’21
RV’22
RVr
M5b
RV3b
RV12b
RV21b
RVrb
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Write Operations
Tree Update
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
32Slide33
RV’rb
RV’3Write Operations – Tree Update
RV’3b
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Decryption
Decryption
Decryption
Decryption
Encryption
Encryption
Encryption
Encryption
M5
M6
RV3
RV’4
RV12
RV’12
RV’11
RV21
RV’21
RV’22
RVr
M5b
RV3b
RVrb
M5b
RV3b
RV12b
RV’21b
RVrb
RV’12b
RV’3b
RV’12b
RV12b
RV21b
RV’21b
RV21b
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Write Operations
Tree Update
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
33Slide34
Write Operations – Tree Update
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Decryption
Decryption
Decryption
Decryption
Encryption
Encryption
Encryption
Encryption
RVrb
RV’rb
RV’3
M5
M6
RV3
RV’4
RV12
RV’12
RV’11
RV21
RV’21
RV’22
RVr
M5b
RV3b
RV12b
RV’21b
RVrb
RV’3b
RV21b
RV’12b
E
k
(M5b || M6 || RV3b)
E
k
(RV’3b||RV’4 ||RV12b)
E
k
(RV’11||RV’12b ||RV21b)
E
k
(RV’21b||RV’22 || RVbr)
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Write Operations
Tree Update
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
34Slide35
Write Operations – Tree Update
RV’21
RV’22
M1
M2
RV1
M3
M4
RV2
M5
M6
RV3
M7
M8
RV4
M9
M10
RV5
M15
M16
RV8
M13
M14
RV7
M11
M12
RV6
RV11
RV12
RV13
RV14
RV’1
RV’2
RV’3
RV’4
RV’5
RV’6
RV’7
RV’8
RV’11
RV’12
RV’13
RV’14
RV’r
RV21
RV22
RVr
Decryption
Decryption
Decryption
Decryption
Encryption
Encryption
Encryption
Encryption
RV’rb
E
k
(M5b || M6 || RV3b)
E
k
(RV’3b||RV’4 ||RV12b)
E
k
(RV’11||RV’12b ||RV21b)
E
k
(RV’21b||RV’22 || RVbr)
RV3b
M5b
RV12b
RV’3b
RV21b
RV’12b
RV’21b
RV’rb
RV’rb
Introduction
Trusted
stored on-chip
Non Trusted stored off-chip
Write Operations
Tree Update
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
35Slide36
PE-ICE & PRV-Trees - Properties
ObjectivesCountermeasures / Techniques
Drawbacks
Ensure Confidentiality
Thwart Spoofing Attacks
Generic composition scheme:
Encryption + MAC (Data)
Non Parallelizable
Hardware Expensive
Prevent Splicing Attacks
Generic composition scheme:
Encryption + MAC (Data, @)
N/A
Prevent Replay Attacks
Generic composition scheme:
On-chip memory expensive
Encryption +
MAC (Data, @,
RV
)
Encryption +
Hash (stored on-chip)
On-chip Memory Optimization
NONE
Hash Trees
Non Parallelizable
PRV-Trees: Optimized the on-chip memory overhead
Parallelizable on read and
write operations
Can be applied to the 1st replay attack countermeasure
PRV-Trees
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide37
Conclusion & Perspectives
PE-ICE:Parallelized way to provide data confidentiality and integrityOptimized Hardware resources requiredImplementationAdd a compression techniquePRV-Trees:Reduce the on-chip memory overhead to the storage of a single Reference Values (RV’)Parallelizable on read and write operationsEasily adaptable to MAC based replay countermeasuresPartial authenticationMathematical proofEvaluation
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
37Slide38
Introduction
Threat ModelState of the artContribution 1: PE-ICE & PRV TreeParallelized Encryption and Integrity Checking EngineContribution 2: FPGA configurationSARFUM protocolConclusion, Future Works
Introduction
Hardware Mechanisms for Secured
Processor- Memory Transactions
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
38Slide39
Untrusted medium
System owner (untrusted)
FPGA (trusted)
User logic
System designer
Bitstream
Configuration
Module
Non Volatile Memory for bitstream
(untrusted)
FPGA
Vendor
Trusted
FPGA Chip
Trusted
System Designer
Trusted
NVM
Untrusted
System
owner
Untrusted
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
FPGA
Bitstream
configuration protection Slide40
Untrusted medium
System owner (untrusted)
FPGA (trusted)
User logic
System designer
Bitstream
Key(s)
Crypto
Configuration
Module
Key(s)
Crypto
Non Volatile Memory for bitstream
(untrusted)
Provided
by FPGA
vendors
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
FPGA
Bitstream
configuration protection Slide41
System owner (untrusted)
FPGA (trusted)
User logic
System designer
Bitstream
Key(s)
Crypto
Configuration
Module
Key(s)
Crypto
Non Volatile Memory for bitstream
(untrusted)
Untrusted medium
Encrypted Bitstream
Design
Bitstream
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
FPGA
Bitstream
configuration protection Slide42
Untrusted medium
System owner (untrusted)
FPGA (trusted)
User logic
System designer
Bitstream
Key(s)
Crypto
Configuration
Module
Key(s)
Crypto
Non Volatile Memory for
bitstream
(
untrusted
)
Our Objectives :
Ensure confidentiality
Ensure integrity
Avoid system downgrade
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
FPGA
Bitstream
configuration protection Slide43
1
SRAM : SRAM based FPGAs (Xilinx, Altera, Lattice)
Issue
Impact on FPGA design
Generic Solution
FPGA Vendors Solution
SRAM
1
ACTEL
Confidentiality
Cloning / IP Theft
Encryption
AES (128/256)
Tampering / Spoofing
Design Modification
Integrity Check
CBC
2
+ CRC
3
AES based MAC
4
Old Bitstream Replays
System Downgrade
Unique time-stamp / Non Volatile State
None
Security Model
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide44
Issue
Impact on FPGA design
Generic Solution
FPGA Vendors Solution
SRAM
1
ACTEL
Confidentiality
Cloning / IP Theft
Encryption
AES (128/256)
Integrity
Design Modification
Integrity Check
CBC
2
+ CRC
3
AES based MAC
4
Old Bitstream Replays
System Downgrade
Unique time-stamp / Non Volatile State
None
1
SRAM : SRAM based FPGAs (Xilinx, Altera, Lattice)
2
CBC : Cipher Block Chaining : block cipher mode of operation
3
CRC : Cyclic Redundancy Check
4
MAC : Message Authentication Code
Security ModelSlide45
Issue
Impact on FPGA design
Generic Solution
FPGA Vendors Solution
SRAM
1
ACTEL
Confidentiality
Cloning / IP Theft
Encryption
AES (128/256)
Integrity
Design Modification
Integrity Check
CBC
2
+ CRC
3
AES based MAC
4
Replay attack
System Downgrade
Unique time-stamp / Non Volatile State
None
1
SRAM : SRAM based FPGAs (Xilinx, Altera, Lattice)
2
CBC : Cipher Block Chaining : block cipher mode of operation
3
CRC : Cyclic Redundancy Check
4
MAC : Message Authentication Code
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
Security ModelSlide46
Encryption for confidentiality
Configuration Module
K
ENC
Decryption
engine
Untrusted medium
User Logic
FPGA
Encrypted
Bitstream (EB)
Bitstream
Design
EB : Encrypted Bitstream
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide47
Encryption and Message Authentication Code
For confidentiality and integrity
Configuration Module
K
ENC
Decryption
and MAC
engine
Untrusted medium
User Logic
FPGA
EB || MAC (EB)
K
MAC
Bitstream
Design
VALID ?
EB : Encrypted
Bitstream
MAC : Message Authentication Code
|| : concatenation
Proposed by :
Actel
:
Actel
Application Note : Fusion security
Saar
Drimer
, University of Cambridge :
Authentication of FPGA Bitstreams : Why and How ?
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide48
Replay attack
FPGA (trusted)
User logic
System designer
Bitstream
(version i)
Key(s)
Crypto
Configuration
Module
Key(s)
Crypto
Version i
Version i+n
FPGA (trusted)
User logic
System designer
Bitstream
(version i+n)
Key(s)
Crypto
Configuration
Module
Key(s)
Crypto
HACKER
EB (Version i)
Untrusted medium
Untrusted medium
EB (Version i)
EB (Version i)
EB (Version i+n)
Design
(Vi)
Design
(Vi)
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide49
Secure Update
Mechanism, PrincipleAlice (System Designer)
Bob (FPGA)
K
MAC
Non volatile
TAG
Alice
= 0
K
ENC
K
MAC
Non volatile
TAG
Bob = 0
K
ENC
Encrypted Message || MAC (Message || 0)
MAC validation using (
Message || 0 )
Message decryption using KENCTAGALICE
TAGBOB
IntroductionCryptography & Threat ModelConclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide50
Alice (System Designer)
Bob (FPGA)KMAC
Non volatile
TAG
Alice
= 0
K
ENC
K
MAC
Non volatile
TAG
Bob
= 0
K
ENC
Cmd
TAG+1 || MAC (CmdTAG+1 || 0)
MAC validation using (CmdTAG+1 || 0)
TAG+1
TAG+1
Message || MAC (Message || 1)
MAC validation using (Message || 1)
Non volatileTAG Alice = 1
Non volatile
TAG Bob = 1Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
Secure Update
Mechanism, PrincipleSlide51
Alice (System Designer)
Bob (FPGA)KMAC
Non volatile
TAG
Alice
= 2
K
ENC
K
MAC
Non volatile
TAG
Bob
= 2
K
ENC
TAG + 1
Message
TAG + 1
Message
.
..
IntroductionCryptography & Threat Model
Conclusion
Contribution 2 FPGA
State of the artContribution 1 PE-ICE & Trees
Secure Update
Mechanism, PrincipleSlide52
Architecture preventing system downgrade
SUM
K
ENC
Decryption
and MAC
engine
Untrusted medium
User Logic
FPGA
K
MAC
Update Logic
TAG
SUM
SUM :
Secure Update Module
VALID ?
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide53
Remote TAG increment process
SUM
K
ENC
Decryption
and MAC
engine
Untrusted
medium
User Logic
FPGA
K
MAC
Update Logic
TAG
SUM
System Designer
TAG
SD
K
MAC
MAC
engine
Cmd
TAG+1
Design
Cmd
TAG+1
||
MAC (Cmd
TAG+1
|| TAG SD)
VALID ?
TAG + 1
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide54
Bitstream
validation
SUM
K
ENC
Decryption
and MAC
engine
Untrusted
medium
User Logic
FPGA
K
MAC
Update Logic
TAG
SUM
System Designer
TAG
SD
K
MAC
Encryption
and MAC
engine
Bitstream
Bitstream
Design
VALID ?
K
ENC
EB || MAC (EB ||TAG
SD
)
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide55
Acknowledgment
System Designer
FPGA - SUM
CmdUpdate || TAG
SD
|| MAC
MAC Engine
(Validation)
Acknowledgement
Message (ACK)
MAC Engine
(Generation)
Ack || TAG
SUM
||MAC
MAC Engine
(Validation)
Remote update
process
...
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide56
Acknowledgement
Alice (System Designer)
Bob (FPGA)
K
MAC
Non volatile
TAG
Alice
= 0
K
ENC
K
MAC
Non volatile
TAG
Bob = 0
K
ENC
Cmd
TAG+1 || MAC (CmdTAG+1 || 0)MAC validation using (CmdTAG+1 || 0
)
TAG+1
TAG+1
Ack || MAC (Ack || 1)Ack = AcknowledgementIntroductionCryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1 PE-ICE & TreesSlide57
Performances / Overhead
Area
Crypto engine Throughput
Max. configuration speed
No security
0
-
3.2Gb/s [1]
Confidentiality
(AES-CBC)
~15k Gates [2]
1000
Mb/s [2]
580 Mb/s [1]
Confidentiality and integrity
(AES-CCM)
57
kGates
[2]
430 Mb/s [2]
430 Mb/s [2]
SUM
(With AES-CCM)
~ 58
kGates
430 Mb/s
430 Mb/s
[1] XILINX, 2008,
Virtex
-5 FPGA Configuration User Guide
[2]
Parelkar
, M.M.: Authenticated encryption in hardware. Master’s thesis, George Mason University, Fairfax, VA, USA (2005)
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide58
Area
Crypto engine Throughput
Max. configuration speed
No security
0
-
3.2Gb/s [1]
Confidentiality
(AES-CBC)
~ 15
kGates
[2]
1000
Mb/s [2]
580 Mb/s [1]
Confidentiality and integrity
(AES-CCM)
~ 23
kGates
[2]
430 Mb/s [2]
430 Mb/s [2]
SUM
(With AES-CCM)
~ 58
kGates
430 Mb/s
430 Mb/s
[1] XILINX, 2008, Virtex-5 FPGA Configuration User Guide
[2] Parelkar, M.M.: Authenticated encryption in hardware. Master’s thesis, George Mason University, Fairfax, VA, USA (2005)
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & Trees
Performances / OverheadSlide59
Performances / Overhead
Area
Crypto engine Throughput
Max. configuration speed
No security
0
-
3.2Gb/s [1]
Confidentiality
(AES-CBC)
~15
kGates
[2]
1000
Mb/s [2]
580 Mb/s [1]
Confidentiality and integrity
(AES-CCM)
~ 23
kGates
[2]
430 Mb/s [2]
430 Mb/s [2]
SUM
(With AES-CCM)
~ 24
kGates
430 Mb/s
430 Mb/s
[1] XILINX, 2008, Virtex-5 FPGA Configuration User Guide
[2] Parelkar, M.M.: Authenticated encryption in hardware. Master’s thesis, George Mason University, Fairfax, VA, USA (2005)
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide60
Introduction
Threat ModelState of the artContribution 1: PE-ICE & PRV TreeParallelized Encryption and Integrity Checking EngineContribution 2: FPGA configurationSARFUM protocolConclusion, Future Works
Introduction
Hardware Mechanisms for Secured
Processor- Memory Transactions
Cryptography & Threat Model
Contribution 1
PE-ICE & Trees
Conclusion
Contribution 2
FPGA
State of the art
60Slide61
Futur
works : Flexible security Threat model evolution : SCA are consideredHW security
at
the architectural
level
Ideas
based
on self adaptive architectures(1) Configurations mouvantesgrain fin, grain épais (HW), grain logiciel(2) Processeur Généraliste Sécurisé
Side Channel Attacks
61
Introduction
Cryptography & Threat ModelConclusionContribution 2 FPGAState of the art
Contribution 1 PE-ICE & TreesSlide62
« Fuzzy » Configuration (1)
Fine GrainDES « Fuzzy configuration »Principle: Generic SBOX+ random shiftDEMA Results: efficiency limited
Travail réalisé avec F.
Poucheret
, P.
Maurine
62
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide63
« Fuzzy » Configuration (2)
Coarse GrainPrincipleRandom moving on all the HW blocksDEMA results: to be done63
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide64
« Fuzzy » Configuration (3)
Software grainPrinciple, task migrationMPSOC ArchitecturesData Instructions Randon movingAttacks on processor64
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide65
Attacks on processor
MicroBlaze (Xilinx)RISC 5 étages
65
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the art
Contribution 1
PE-ICE & TreesSlide66
Secure processor (native)
Why?Heart of security (co-processors aren’t alone!)Specifications (SCA)MaskingNon-determinism Random Execution Order (REO)State of ArtFew-architectural design for SCA (asynchronous processors)
Ideas
Temporal jitter could be done with “
elastic-pipeline
”
Pseudo-REO could be implemented with a special hardware architecture with
priority instruction strategies
(static & dynamic methods)
Special “
masked registers
”
Load/Store instructions are critical => bus masking strategies
Cache is also a weak point These features could be combined with others secure techniques in order to provide a secure processor against all kind of attacks (FA, Spoofing...)66
Introduction
Cryptography & Threat Model
Conclusion
Contribution 2
FPGA
State of the artContribution 1
PE-ICE & Trees