Frederic Stumpf

Side-channel analysis of PUFs and fuzzy extractors

Embedded security systems based on Physical Unclonable Functions (PUFs) offer interesting protection properties, such as tamper resistance and unclonability. However, to establish PUFs as a high security primitive in the long run, their vulnerability to side-channel attacks has to be investigated. For this purpose, we analysed the side-channel leakage of PUF architectures and fuzzy extractor implementations. We identified several attack vectors within common PUF constructions and introduce two side-channel attacks on fuzzy extractors. Our proof-of-concept attack on an FPGA implementation of a fuzzy extractor shows that it is possible to extract the cryptographic key derived from a PUF by side-channel analysis.

A Cache Timing Attack on AES in Virtualization Environments

We show in this paper that the isolation characteristic of system virtualization can be bypassed by the use of a cache timing attack. Using Bernstein’s correlation in this attack, an adversary is able to extract sensitive keying material from an isolated trusted execution domain. We demonstrate this cache timing attack on an embedded ARM-based platform running an L4 microkernel as virtualization layer. An attacker who gained access to the untrusted domain can extract the key of an AES-based authentication protocol used for a financial transaction. We provide measurements for different public domain AES implementations. Our results indicate that cache timing attacks are highly relevant in virtualization-based security architectures, such as trusted execution environments.

Semi-invasive EM attack on FPGA RO PUFs and countermeasures

It is often argued that Physical Unclonable Functions (PUFs) are resistant against invasive and semi-invasive attacks since these attacks would damage the underlying PUF structure resulting in a different PUF response. In this paper, we demonstrate exemplarily that this assumption does not hold for a Ring Oscillator (RO) PUF implemented on a Xilinx Spartan 3 FPGA, where we were able to perform a semi-invasive attack. We present analysis methods to identify ring oscillator frequencies and to map them to their corresponding oscillators. We practically prove that it is possible to recover the generated RO PUF response bits with this approach. To harden RO PUFs against side-channel analysis, we also propose a RO PUF concept not leaking useful information through the side-channel of electro-magnetic radiation.

Localized electromagnetic analysis of cryptographic implementations

High resolution inductive probes enable precise measurements of the electromagnetic field of small regions on integrated circuits. These precise measurements allow to distinguish the activity of registers on the circuit that are located at different distances to the probe. This location-dependent information can be exploited in side-channel analyses of cryptographic implementations. In particular, cryptographic algorithms where the usage of registers depends on secret information are affected by side-channel attacks using localized electromagnetic analysis. Binary exponentiation algorithms which are used in public key cryptography are typical examples for such algorithms. This article introduces the concept of localized electromagnetic analysis in general. Furthermore, we present a case study where we employ a template attack on an FPGA implementation of the elliptic curve scalar multiplication to prove that location-dependent leakage can be successfully exploited. Conventional countermeasures against side-channel attacks are ineffective against location-dependent side-channel leakage. As an effective general countermeasure, we promote that the assignment of registers to physical locations should be repeatedly randomized during execution.

Enhancing Trusted Platform Modules with Hardware-Based Virtualization Techniques

We present the design of a trusted platform module (TPM) that supports hardware-based virtualization techniques. Our approach enables multiple virtual machines to use the complete power of a hardware TPM by providing for every virtual machine (VM) the illusion that it has its own hardware TPM. For this purpose, we introduce an additional privilege level that is only used by a virtual machine monitor to issue management commands, such as scheduling commands, to the TPM. Based on a TPM Control Structure, we can ensure that state information of a virtual machines TPM cannot corrupt the TPM state of another VM. Our approach uses recent developments in the virtualization technology of processor architectures.

Improving the scalability of platform attestation

In the process of platform attestation, a Trusted Platform Module is a performance bottleneck, which causes enormous delays if multiple simultaneously attestation requests arrive in a short period of time. In this paper we show how the scalability of platform attestation can be improved. In this context, we propose three protocols that enable fast and secure integrity reporting for servers that have to handle many attestation requests. We implemented all of our protocols and compared them in terms of security and performance. Our proposed protocols enable a highly frequented entity to timely answer incoming attestation requests.

Detecting node compromise in hybrid wireless sensor networks using attestation techniques

Node compromise is a serious threat in wireless sensor networks. Particular in networks which are organized in clusters, nodes acting as cluster heads for many cluster nodes are a valuable target for an adversary. We present two efficient hardware-based attestation protocols for detecting compromised cluster heads. Cluster heads are equipped with a Trusted Platform Module and possess much more resources than the majority of cluster nodes which are very constrained in their capabilities. A cluster node can verify the trustworthiness of a cluster head using the Trusted Platform Module as a trust anchor and therefore validate whether the system integrity of a cluster head has not been tampered with. The first protocol provides a broadcast attestation, i.e., allowing a cluster head to attest its system integrity to multiple cluster nodes simultaneously, while the second protocol is able to carry out a direct attestation between a single cluster node (or the sink) and one cluster head. In contrast to timing-based software approaches, the attestation can be performed even if nodes are multiple hops away from each other.

Complementary IBS: Application specific error correction for PUFs

In this contribution, we present Complementary Index-Based Syndrome coding (C-IBS), a new and flexible fuzzy embedder for Physical Unclonable Functions (PUFs). C-IBS applies IBS several times to the same group of PUF outputs. The additional parameter permits an application specific tradeoff between error correction capability and implementation complexity. We demonstrate the flexibility of C-IBS by providing efficient solutions that optimize error correction, helper data size or decoder complexity for a well-known key generation scenario. Further, we present encoding criteria that characterize C-IBS fuzzy embedders in general. A hardware implementation is compared to previous work and substantiates the efficiency of C-IBS. The low implementation complexity of C-IBS facilitates the usage for resource constrained cryptographic applications.

An approach to a trustworthy system architecture using virtualization

We present a system architecture for trusted transactions in highly sensitive environments. This architecture takes advantage of techniques provided by the Trusted Computing Group (TCG) to attest the system state of the communication partners, to guarantee that the system is free of malware and that its software has not been tampered with. To achieve meaningful attestation, virtualization is used to establish several different execution environments. The attestation process is limited to a fragment of the software running on the platform, more specifically, to the part requesting access to sensitive data. The Trusted Platform Module (TPM) is virtualized, in order to make it accessible for an execution environment with a higher trust level.

Localized electromagnetic analysis of RO PUFs

Among all proposed Physical Unclonable Functions (PUFs), those based on Ring Oscillators (ROs) are a popular solution for ASICs as well as for FPGAs. However, compared to other PUF architectures, oscillators emit electromagnetic (EM) signals over a relatively long run time, which directly reveal their unique frequencies. Previous work by Merli et al. exploited this fact by global EM measurements and proposed a countermeasure for their attack. In this paper, we first demonstrate that it is feasible to measure and locate the EM emission of a single tiny RO consisting of only three inverters, implemented within a single configurable logic block of a Xilinx Spartan-3A. Second, we present a localized EM attack for standard and protected RO PUFs. We practically investigate the proposed side-channel attack on a protected FPGA RO PUF implementation. We show that RO PUFs are prone to localized EM attacks and propose two countermeasures, namely, randomization of RO measurement logic and interleaved placement.