Heiko Lohrke

Laser Fault Attack on Physically Unclonable Functions

Physically Unclonable Functions (PUFs) are introduced to remedy the shortcomings of traditional methods of secure key storage and random key generation on Integrated Circuits (ICs). Due to their effective and low-cost implementations, intrinsic PUFs are popular PUF instances employed to improve the security of different applications on reconfigurable hardware. In this work we introduce a novel laser fault injection attack on intrinsic PUFs by manipulating the configuration of logic cells in a programable logic device. We present two fault attack scenarios, where not only the effectiveness of modeling attacks can be dramatically increased, but also the entropy of the targeted PUF responses are drastically decreased. In both cases, we conduct detailed theoretical analyses by considering XOR arbiter PUFs and RO PUFs as the examples of PUF-based authenticators and PUF-based random key generators, respectively. Finally we present our experimental results based on conducting laser fault injection on real PUFs, implemented on a common complex programmable logic device manufactured in 180 nm technology.

No Place to Hide: Contactless Probing of Secret Data on FPGAs

Field Programmable Gate Arrays (FPGAs) have been the target of different physical attacks in recent years. Many different countermeasures have already been integrated into these devices to mitigate the existing vulnerabilities. However, there has not been enough attention paid to semi-invasive attacks from the IC backside due to the following reasons. First, the conventional semi-invasive attacks from the IC backside — such as laser fault injection and photonic emission analysis — cannot be scaled down without further effort to the very latest nanoscale technologies of modern FPGAs and programmable SoCs. Second, the more advanced solutions for secure storage, such as controlled Physically Unclonable Functions (PUFs), make the conventional memory-readout techniques almost impossible. In this paper, however, novel approaches have been explored: Attacks based on Laser Voltage Probing (LVP) and its derivatives, as commonly used in Integrated Circuit (IC) debug for nanoscale low voltage technologies, are successfully launched against a 60 nanometer technology FPGA. We discuss how these attacks can be used to break modern bitstream encryption implementations. Our attacks were carried out on a Proof-of-Concept PUF-based key generation implementation. To the best of our knowledge this is the first time that LVP is used to perform an attack on secure ICs.

PUFMon: Security monitoring of FPGAs using physically unclonable functions

Mainstream FPGAs and programmable SoCs employ different countermeasures during configuration and runtime to mitigate physical attacks. However, it has been demonstrated that sophisticated active attack techniques, such as laser voltage probing, can still bypass the bitstream protections during the configuration phase. On the other hand, although the security monitoring IP cores provided by FPGA vendors can ensure the physical security during the runtime of applications, they are unable to detect such attacks during configuration. In this work, we propose a novel approach to using PUFs as physical sensors to monitor the integrity of FPGAs against active attacks. Small modifications in existing PUF architectures enable us to design a PUF-based security scheme, which can be deployed for integrity monitoring and authentication/key generation at the same time. We evaluate the effectiveness of our framework against a range of powerful attacks, such as optical probing and fault attacks. We further discuss how this scheme can be deployed during bitstream configuration in FPGAs with partial reconfiguration capability.

From IC debug to hardware security risk: The power of backside access and optical interaction

IC debug and diagnosis techniques like photon emission and FIB circuit edit are well established as powerful ways to attack secret codes in security ICs through chip frontside. But protective additions like interconnect meshes serve as countermeasures. This work shows examples how the risk assessment of contactless fault isolation (CFI) techniques through chip backside has indicated a drastic increase of vulnerability. Acclaimed unclonable functions and keys have been successfully challenged. There is no low-cost electronic backside protection concept available like the frontside meshes, because alignment and contact of backside structures to active IC layers cannot be handled without expensive through-silicon-via (TSV) technologies. But optical interaction can also be used to create backside protection concepts: Such concepts based on electro-optical properties are presented and proven to be operational.

On the Power of Optical Contactless Probing: Attacking Bitstream Encryption of FPGAs

Modern Integrated Circuits (ICs) employ several classes of countermeasures to mitigate physical attacks. Recently, a powerful semi-invasive attack relying on optical contactless probing has been introduced, which can assist the attacker in circumventing the integrated countermeasures and probe the secret data on a chip. This attack can be mounted using IC debug tools from the backside of the chip. The first published attack based on this technique was conducted against a proof-of-concept hardware implementation on a Field Programmable Gate Array (FPGA). Therefore, the success of optical probing techniques against a real commercial device without any knowledge of the hardware implementation is still questionable. The aim of this work is to assess the threat of optical contactless probing in a real attack scenario. To this end, we conduct an optical probing attack against the bitstream encryption feature of a common FPGA. We demonstrate that the adversary is able to extract the plaintext data containing sensitive design information and intellectual property (IP). In contrast to previous optical attacks from the IC backside, our attack does not require any device preparation or silicon polishing, which makes it a non-invasive attack. Additionally, we debunk the myth that small technology sizes are unsusceptible to optical attacks, as we use an optical resolution of about 1 um to successfully attack a 28 nm device. Based on our time measurements, an attacker needs less than 10 working days to conduct the optical analysis and reverse-engineer the security-related parts of the hardware. Finally, we propose and discuss potential countermeasures, which could make the attack more challenging.

Key Extraction Using Thermal Laser Stimulation

Thermal laser stimulation (TLS) is a failure analysis technique, which can be deployed by an adversary to localize and read out stored secrets in the SRAM of a chip. To this date, a few proof-of-concept experiments based on TLS or similar approaches have been reported in the literature, which do not reflect a real attack scenario. Therefore, it is still questionable whether this attack technique is applicable to modern ICs equipped with side-channel countermeasures. The primary aim of this work is to assess the feasibility of launching a TLS attack against a device with robust security features. To this end, we select a modern FPGA, and more specifically, its key memory, the so-called battery-backed SRAM (BBRAM), as a target. We demonstrate that an attacker is able to extract the stored 256-bit AES key used for the decryption of the FPGA’s bitstream, by conducting just a single non-invasive measurement. Moreover, it becomes evident that conventional countermeasures are incapable of preventing our attack since the FPGA is turned off during key recovery. Based on our time measurements, the required effort to develop the attack is shown to be less than 7 hours. To avert this powerful attack, we propose a low-cost and CMOS compatible countermeasure circuit, which is capable of protecting the BBRAM from TLS attempts even when the FPGA is powered off. Using a proof-of-concept prototype of our countermeasure, we demonstrate its effectiveness against TLS key extraction attempts.

Visible light techniques in the FinFET era: Challenges, threats and opportunities

This work discusses visible light laser voltage probing (VIS-LVP) and gallium phosphide solid immersion lens (GaP SIL) research for Integrated Circuit (IC) analysis at Technische Universität Berlin. An overview of the challenges in connection with the ultra-precision fabrication of GaP SILs and their application is given. The use of visible light is not only opening a path for fault isolation in small geometry devices, but it also eases access to sensitive data in security relevant IC functions. As previous work has demonstrated that VIS-LVP can be realized with moderate effort, the question is raised if attackers are able to implement visible light attack techniques with moderate or even low cost. To this end, as a first step for attack risk evaluation, a visible light Laser Scanning Microscope (LSM) with a cost of less than 100

Key Extraction using Thermal Laser Stimulation: A Case Study on Xilinx Ultrascale FPGAs.

is presented. The current and future capabilities of such a setup are reviewed and relevant protection concepts are discussed.