André Schaller
Technische Universität Darmstadt
Publication
Featured research published by André Schaller.
workshop on trustworthy embedded devices | 2013
Anthony Van Herrewege; Vincent van der Leest; André Schaller; Stefan Katzenbeisser; Ingrid Verbauwhede
The generation of high-quality random numbers is crucial to many cryptographic applications, including cryptographic protocols, secret keys, nonces and salts. Their values must contain enough randomness to be unpredictable to attackers. Pseudo-random number generators (PRNGs) require initial data with high entropy as a seed to produce a large stream of high-quality random data. Yet, despite the importance of randomness, proper high-quality random number generation is often ignored. Embedded devices in particular often suffer from weak random number generators. In this work, we focus on identifying and evaluating SRAM in commercial off-the-shelf microcontrollers as an entropy source for PRNG seeding. We measure and evaluate the SRAM start-up patterns of two popular types of microcontrollers, an STMicroelectronics STM32F100R8 and a Microchip PIC16F1825. We also present an efficient software-only architecture for secure PRNG seeding. After analyzing over 1,000,000 measurements in total, we conclude that of these two devices, the PIC16F1825 cannot be used to securely seed a PRNG. The STM32F100R8, however, is able to generate very strong seeds from the noise in its SRAM start-up pattern. These seeds can then be used to ensure that a PRNG generates high-quality data.
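The evaluation described above, reduced to its two practical steps, as an added example that is not code from the paper: estimate how much fresh, per-boot entropy the noise in a device's SRAM start-up pattern carries, and only then condition a dump into a seed. The SRAM dumps are constructed by simulation (one device with many noisy cells, one with almost none, mimicking the paper's two outcomes); the noise model, the per-bit independence assumption, the 256-bit requirement and the safety margin are all assumptions, not figures from the paper.

```python
import hashlib
import math
import random

# Added example, not code from the paper. SRAM dumps are constructed below;
# every parameter (cell count, noise rate, required seed entropy) is assumed.

def simulate_boots(n_bits, n_boots, noisy_fraction, rng, p_dev=0.3):
    """Constructed device: every cell has a preferred start-up value, and a
    subset of 'noisy' cells deviates from it with probability p_dev per boot."""
    preferred = [rng.randrange(2) for _ in range(n_bits)]
    noisy = set(rng.sample(range(n_bits), int(n_bits * noisy_fraction)))
    dumps = []
    for _ in range(n_boots):
        dumps.append([b ^ 1 if (i in noisy and rng.random() < p_dev) else b
                      for i, b in enumerate(preferred)])
    return dumps

def min_entropy_estimate(dumps):
    """Sum of per-bit min-entropy, -log2(max(p, 1-p)), over all SRAM bits.
    Stable bits (the device fingerprint) contribute 0: only cells that vary
    between boots yield fresh randomness. Bits are treated as independent,
    an assumption that makes the figure optimistic if cells are correlated."""
    n = len(dumps)
    total = 0.0
    for column in zip(*dumps):
        p1 = sum(column) / n
        total += -math.log2(max(p1, 1.0 - p1))
    return total

def pack_bits(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")

def seed_from_dump(bits):
    """Conditioning step: hash the raw dump so the seed bits are uniform even
    though most of the dump is constant from boot to boot."""
    return hashlib.sha256(pack_bits(bits)).digest()

def device_can_seed(dumps, required_bits=256, margin=1.5):
    """Decision rule (assumed): trust the SRAM as a seed source only when the
    estimated min-entropy exceeds the seed size by a safety margin."""
    return min_entropy_estimate(dumps) >= required_bits * margin

def evaluate(seed=0):
    rng = random.Random(seed)
    good = simulate_boots(8192, 50, 0.15, rng)   # many noisy cells
    poor = simulate_boots(8192, 50, 0.005, rng)  # almost no noise
    return {
        "good_entropy": min_entropy_estimate(good),
        "good_ok": device_can_seed(good),
        "poor_entropy": min_entropy_estimate(poor),
        "poor_ok": device_can_seed(poor),
        "good_seeds_differ": seed_from_dump(good[0]) != seed_from_dump(good[1]),
    }
```

The point the numbers make: a device whose start-up pattern is almost perfectly reproducible is an excellent fingerprint and a useless entropy source, because hashing a constant gives a constant seed. The independence assumption in `min_entropy_estimate` is the weak spot of any such estimate; a real evaluation would also test for correlated cells and for drift with temperature and supply voltage before trusting the figure.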
trust and trustworthy computing | 2014
André Schaller; Tolga Arul; Vincent van der Leest; Stefan Katzenbeisser
This paper presents a lightweight anti-counterfeiting solution using intrinsic Physically Unclonable Functions (PUFs), which are already embedded in most commodity hardware platforms. The presented solution is particularly suitable for low-end computing devices without on-board security features. Our anti-counterfeiting approach is based on extracting a unique fingerprint for individual devices by exploiting the inherent PUF characteristics of the on-chip static random-access memory (SRAM), which in turn allows software to be bound to a particular hardware platform. Our solution does not require additional hardware, making it flexible as well as cost-efficient. In a first step, we statistically analyze the characteristics of the intrinsic PUF instances found in two device types, both based on a widely used ARM Cortex-M microcontroller. We show that the quality of the PUF characteristics is almost ideal. Subsequently, we propose a security architecture that protects the platform's firmware by using a modified boot loader. In a proof of concept, we embed our solution on a state-of-the-art commodity system-on-a-chip platform equipped with an MCU similar to the ones previously analyzed.
cryptographic hardware and embedded systems | 2016
Wenjie Xiong; André Schaller; Nikolaos Athanasios Anagnostopoulos; Muhammad Umair Saleem; Sebastian Gabmeyer; Stefan Katzenbeisser; Jakub Szefer
A Physically Unclonable Function (PUF) is a unique and stable physical characteristic of a piece of hardware, which emerges due to variations in the fabrication process. Prior works have demonstrated that PUFs are a promising cryptographic primitive to enable secure key storage, hardware-based device authentication and identification. So far, most PUF constructions require the addition of new hardware or FPGA implementations for their operation. Recently, intrinsic PUFs, which can be found in commodity devices, have been investigated. Unfortunately, most of them suffer from the drawback that they can only be accessed at boot time. This paper is the first to enable run-time access to decay-based intrinsic DRAM PUFs in commercial off-the-shelf systems, requiring no additional hardware or FPGAs. A key advantage of our PUF construction is that it can be queried during run-time of a Linux system. Furthermore, by exploiting the different decay times of individual DRAM cells, the challenge-response space is increased. Finally, we introduce lightweight protocols for device authentication and secure channel establishment that leverage the DRAM PUFs at run-time.
trust and trustworthy computing | 2015
Florian Kohnhäuser; André Schaller; Stefan Katzenbeisser
In recent years, low-end embedded devices have been used increasingly in various scenarios, ranging from consumer electronics to industrial equipment. However, this evolution made embedded devices profitable targets for software piracy and software manipulation. Aggravating this situation, low-end embedded devices typically lack secure hardware to effectively protect against such attacks. In this work, we present a novel software protection scheme, which is particularly suited for already deployed low-end embedded devices without secure hardware. Our approach combines techniques based on self-checksumming code with Physically Unclonable Functions (PUFs) to establish a hardware-assisted software protection. In this way, we can tie the execution of a software instance to a specific device and protect its program code against manipulations. We show that our software protection scheme offers a high level of security against static adversaries and demonstrate that dynamic adversaries require considerable resources to perform a successful attack. To explore the feasibility of our solution, we implemented the protection scheme on an ARM-based low-end commodity microcontroller. A further performance evaluation shows that the implemented solution exhibits a fair overhead of ten percent.
computer and communications security | 2013
Anthony Van Herrewege; André Schaller; Stefan Katzenbeisser; Ingrid Verbauwhede
Research on Physically Unclonable Functions (PUFs) has become very popular in recent years. However, all PUFs researched so far require either ASICs, FPGAs or a microcontroller with external components. Our research focuses on identifying PUFs in commercial off-the-shelf devices, e.g. microcontrollers. We show that PUFs exist in several off-the-shelf products, which can be used for security applications. We present measurement results on the PUF behavior of five of the most popular microcontrollers today: ARM Cortex-A, ARM Cortex-M, Atmel AVR, Microchip PIC16 and Texas Instruments MSP430. Based on these measurements, we can determine whether these chips can be considered for applications requiring strong cryptography. As a result of these findings, we present a secure bootloader for the ARM Cortex-A9 platform based on a PUF inherent to the device, requiring no external components. Furthermore, instead of discarding the randomness in PUF responses, we utilize it to create strong seeds for pseudo-random number generators (PRNGs). The existence of a secure RNG is at the heart of virtually every cryptographic protocol, yet very often overlooked. We present the implementation of a strongly seeded PRNG for the ARM Cortex-M family, again requiring no external components.
hardware oriented security and trust | 2017
André Schaller; Wenjie Xiong; Nikolaos Athanasios Anagnostopoulos; Muhammad Umair Saleem; Sebastian Gabmeyer; Stefan Katzenbeisser; Jakub Szefer
Physically Unclonable Functions (PUFs) have become an important and promising hardware primitive for device fingerprinting, device identification and key storage. Intrinsic PUFs leverage components already found in existing devices, unlike extrinsic silicon PUFs, which are based on customized circuits that involve modification of the hardware. In this work, we present a new type of memory-based intrinsic PUF, which leverages the Rowhammer effect in DRAM modules: the Rowhammer PUF. Our PUF makes use of bit flips, which occur in DRAM cells due to rapid and repeated access of DRAM rows. Prior research has mainly focused on Rowhammer attacks, where the Rowhammer effect is used to illegitimately alter data stored in memory, e.g., to change page table entries or enable privilege escalation attacks. This is the first work to use the Rowhammer effect in a positive context, to design a novel PUF. We extensively evaluate the Rowhammer PUF using commercial, off-the-shelf devices, not relying on custom hardware or an FPGA-based setup. The evaluation shows that the Rowhammer PUF has the properties needed for the envisioned security applications, and could be deployed today.
workshop on trustworthy embedded devices | 2015
André Schaller; Boris Skoric; Stefan Katzenbeisser
In recent years, Physically Unclonable Functions (PUFs) have been proposed as a promising building block for security-related scenarios like key storage and authentication. PUFs are physical systems and as such their responses are inherently noisy, precluding a straightforward derivation of cryptographic key material from raw PUF measurements. To overcome this drawback, Fuzzy Extractors are used to eliminate the noise and guarantee robust outputs. A special type is the Reverse Fuzzy Extractor, which shifts the computational load of error correction towards a computationally powerful verifier. However, the Reverse Fuzzy Extractor reveals error patterns to any eavesdropper, which may cause privacy issues (if the PUF key is drifting, the error pattern is linkable to the identity) and even security problems (if the noise is data-dependent and multiple protocol transcripts can be linked to the same user). In this work we evaluate the effects of aging on popular PUF implementations and investigate its impact on the security properties of the Reverse Fuzzy Extractor.
Datenschutz Und Datensicherheit - Dud | 2012
Stefan Katzenbeisser; André Schaller
Abstract: PUFs are increasingly used as basic primitives for the security of embedded systems, for instance for the secure storage of cryptographic keys or for the identification of devices. But how secure are PUFs really in practice? Which applications can be realized with them?
IEEE Transactions on Information Forensics and Security | 2018
André Schaller; Taras Stanko; Boris Skoric; Stefan Katzenbeisser
In recent years, physically unclonable functions (PUFs) have been proposed as a promising building block for key storage and device authentication. PUFs are physical systems, and as such, their responses are inherently noisy, precluding a straightforward derivation of cryptographic key material from raw PUF measurements. To overcome this drawback, fuzzy extractors are used to eliminate the noise and guarantee robust outputs. A special type is the reverse fuzzy extractor, which shifts the computational load of error correction toward a computationally powerful verifier. However, the reverse fuzzy extractor reveals error patterns to any eavesdropper, which may cause privacy issues (due to a systematic drift of the PUF responses, the error pattern is linkable to the identity) and even security problems (if the noise is data-dependent). In this paper, we quantify the issue of leakage due to asymmetry of noise, leveraging the binary asymmetric channel (BAC) model. We further propose to concatenate two BACs to form a symmetric channel, as a solution that is able to eliminate such noise. Finally, we propose a modified reverse fuzzy extractor that does not leak via the error patterns even in the case of systematic drift of the PUF responses.
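The leakage that both reverse-fuzzy-extractor abstracts above (TRUST 2015 and TIFS 2018) describe can be seen directly in a small model. The following is an added example, not code from either paper: a code-offset secure sketch over a repetition code used as a reverse fuzzy extractor, together with the eavesdropper's view of the transcript. The key fact it relies on is that for any linear code the helper data h = r' XOR c has the same syndrome as the noisy response r', so two helper-data values from the same device differ in syndrome exactly by the syndrome of e1 XOR e2, a low-weight pattern, whereas helper data from two different devices differ in about half of the syndrome bits. The code length, number of blocks, noise rate and drift positions are assumptions; the papers' binary-asymmetric-channel analysis and the modified extractor are not reproduced.

```python
import random

# Added example, not code from the papers. N, K, noise rate and drift
# positions are assumptions chosen so majority decoding almost always succeeds.

N = 7    # repetition length; majority vote corrects up to 3 flips per block
K = 64   # message bits, so a PUF response is N * K = 448 bits

def rep_encode(msg):
    return [b for b in msg for _ in range(N)]

def rep_decode(word):
    """Majority vote per block."""
    return [1 if sum(word[i:i + N]) * 2 > N else 0 for i in range(0, len(word), N)]

def syndrome(word):
    """Each block bit XOR the block's first bit. For any linear code the helper
    data h = w XOR c has syn(h) == syn(w), so this is what h reveals about w."""
    return [word[i + j] ^ word[i] for i in range(0, len(word), N) for j in range(1, N)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def weight(bits):
    return sum(bits) / len(bits)

def prover_helper(readout_bits, rng):
    """Reverse FE, prover side: fresh random codeword c, send h = r' XOR c."""
    msg = [rng.randrange(2) for _ in range(K)]
    return xor(readout_bits, rep_encode(msg)), msg

def verifier_reconstruct(enrolled, helper):
    """Verifier side: enrolled XOR h = c XOR e; decode c, then recover e."""
    noisy_codeword = xor(enrolled, helper)
    msg = rep_decode(noisy_codeword)
    err = xor(noisy_codeword, rep_encode(msg))  # e = r' XOR r (if decoding succeeded)
    return msg, err

def roundtrip(error_positions, seed=7):
    """Enroll a random response, inject flips at the given positions, run one
    exchange; return (decoded == sent, error pattern seen by the verifier)."""
    rng = random.Random(seed)
    enrolled = [rng.randrange(2) for _ in range(N * K)]
    err = [1 if i in set(error_positions) else 0 for i in range(N * K)]
    helper, msg = prover_helper(xor(enrolled, err), rng)
    decoded, recovered = verifier_reconstruct(enrolled, helper)
    return decoded == msg, recovered

def readout(enrolled, rng, p_flip=0.02, drift=frozenset()):
    """Noisy readout: independent flips at p_flip plus a fixed set of drifted
    cells that flip in every session (systematic drift)."""
    return [b ^ 1 if (i in drift or rng.random() < p_flip) else b
            for i, b in enumerate(enrolled)]

def linkability_scores(seed=1):
    """Eavesdropper's view: fraction of syndrome bits that differ between two
    transcripts. Same device: syn(h1) XOR syn(h2) == syn(e1 XOR e2), low weight
    (the drifted cells even cancel). Different devices: about one half."""
    rng = random.Random(seed)
    dev_a = [rng.randrange(2) for _ in range(N * K)]
    dev_b = [rng.randrange(2) for _ in range(N * K)]
    drift_a = frozenset(range(0, N * K, 20))   # at most one drifted cell per block
    h1, _ = prover_helper(readout(dev_a, rng, drift=drift_a), rng)
    h2, _ = prover_helper(readout(dev_a, rng, drift=drift_a), rng)
    h3, _ = prover_helper(readout(dev_b, rng), rng)
    same = weight(xor(syndrome(h1), syndrome(h2)))
    other = weight(xor(syndrome(h1), syndrome(h3)))
    return same, other
```

The fresh codeword in `prover_helper` hides the response and the message, but not the syndrome, and for a repetition code the syndrome is nearly the whole response. An eavesdropper who records transcripts can therefore cluster them by device without breaking anything, which is the privacy issue the abstracts name; with data-dependent noise the error pattern additionally carries information about the response itself. The same code-offset construction, with the roles reversed and the helper data stored next to the firmware, is the usual way an SRAM-PUF bootloader turns a noisy start-up pattern into a stable key.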
european symposium on research in computer security | 2017
Steffen Schulz; André Schaller; Florian Kohnhäuser; Stefan Katzenbeisser
A major challenge in computer security is establishing the trustworthiness of remote platforms. Remote attestation is the most common approach to this challenge. It allows a remote platform to measure and report its system state in a secure way to a third party. Unfortunately, existing attestation solutions either provide low security, as they rely on unrealistic assumptions, or are not applicable to commodity low-cost and resource-constrained devices, as they require custom secure hardware extensions that are difficult to adopt across IoT vendors. In this work, we propose a novel remote attestation scheme, named Boot Attestation, that is particularly optimized for low-cost and resource-constrained embedded devices. In Boot Attestation, software integrity measurements are immediately committed to during boot, thus relaxing the traditional requirement for secure storage and reporting. Our scheme is very light on cryptographic requirements and storage, allowing efficient implementations even on the most low-end IoT platforms available today. We also describe extensions for more flexible management of ownership and third-party (public-key) attestation that may be desired in fully Internet-enabled devices. Our scheme is supported by many existing off-the-shelf devices. To this end, we review the hardware protection capabilities of a number of popular device types and present implementation results for two such commercially available platforms.
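The "commit during boot" idea in the abstract above, as an added example that is not the paper's code and does not reproduce its protocol: an attestation key that is usable only while a lock bit is clear, boot code that folds each stage's measurement into a keyed chain and then sets the lock, and a verifier that recomputes the chain from known-good images. The key, the images, the chaining rule and the lock mechanism are all assumptions; provisioning of the key, freshness against replay and the reporting exchange are not shown.

```python
import hashlib
import hmac

# Added example, not the paper's code: a minimal model of committing boot
# measurements under a key that becomes unreachable once boot is finished.
# Key, images and the chaining rule are constructed for illustration.

class LatchedKey:
    """Stand-in for a key that hardware makes inaccessible after boot."""
    def __init__(self, key):
        self._key = key
        self.locked = False

    def mac(self, data):
        if self.locked:
            raise PermissionError("attestation key locked after boot")
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def lock(self):
        self.locked = True

def measure(image):
    return hashlib.sha256(image).digest()

def boot(latch, stages):
    """Boot code: commit each stage's measurement into a keyed chain, then
    lock the key before handing over to application code. The returned
    commitment needs no secure storage: nobody can recompute it later."""
    chain = b"\x00" * 32
    for image in stages:
        chain = latch.mac(chain + measure(image))
    latch.lock()
    return chain

def expected_chain(key, golden_images):
    """Verifier: recompute the chain from known-good images."""
    chain = b"\x00" * 32
    for image in golden_images:
        chain = hmac.new(key, chain + measure(image), hashlib.sha256).digest()
    return chain

def scenario():
    key = b"constructed-device-key"          # assumed shared attestation key
    golden = [b"bootloader v1", b"app v1"]   # constructed stage images
    latch = LatchedKey(key)
    report = boot(latch, golden)
    ok = hmac.compare_digest(report, expected_chain(key, golden))

    # Runtime compromise after boot: the attacker holds the device but not the
    # key, so a forged measurement cannot be recommitted.
    try:
        latch.mac(b"forged measurement")
        forge_blocked = False
    except PermissionError:
        forge_blocked = True

    # A modified image committed by an honest boot is detected by the verifier.
    tampered = boot(LatchedKey(key), [b"bootloader v1", b"app v1 + malware"])
    detected = not hmac.compare_digest(tampered, expected_chain(key, golden))
    return ok, forge_blocked, detected
```

What the model does not give is freshness: `report` is the same on every boot of the same images, so a verifier that accepts it as-is can be replayed an old commitment. A deployment needs the lock to be enforced by the platform (memory protection or key-access latches of the kind the paper reviews for off-the-shelf devices) and a freshness mechanism on top, which this example leaves out.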