Publication


Featured research published by Nahid Farhady Ghalaty.


workshop on fault diagnosis and tolerance in cryptography | 2014

Differential Fault Intensity Analysis

Nahid Farhady Ghalaty; Bilgiday Yuce; Mostafa M. I. Taha; Patrick Schaumont

Recent research has demonstrated that there is no sharp distinction between passive attacks based on side-channel leakage and active attacks based on fault injection. Fault behavior can be processed as side-channel information, offering all the benefits of Differential Power Analysis including noise averaging and hypothesis testing by correlation. This paper introduces Differential Fault Intensity Analysis, which combines the principles of Differential Power Analysis and fault injection. We observe that most faults are biased - such as single-bit, two-bit, or three-bit errors in a byte - and that this property can reveal the secret key through a hypothesis test. Unlike Differential Fault Analysis, we do not require precise analysis of the fault propagation. Unlike Fault Sensitivity Analysis, we do not require a fault sensitivity profile for the device under attack. We demonstrate our method on an FPGA implementation of AES with a fault injection model. We find that with an average of 7 fault injections, we can reconstruct a full 128-bit AES key.


Proceedings of the Workshop on Embedded Systems Security | 2013

Digital fingerprints for low-cost platforms using MEMS sensors

Nahid Farhady Ghalaty; Zane R. Franklin; Moein Pahlavan Yali; Patrick Schaumont

With the Internet of Things on the horizon, correct authentication of Things within a population will become one of the major concerns for security. Physical authentication, which is implementing digital fingerprints by utilizing device-unique manufacturing variations, has great potential for achieving this purpose. MEMS sensors that are used in the Internet of Things have not been explored as a source of variation. In this paper, we target a commonly used MEMS sensor, an accelerometer, and utilize its process variations to generate digital fingerprints. This is achieved by measuring the accelerometer's response to an applied electrostatic impulse and its inherent offset values. Our results revealed that MEMS sensors could be used as a source for digital fingerprints for run-time authentication applications.


design, automation, and test in europe | 2014

Analyzing and eliminating the causes of fault sensitivity analysis

Nahid Farhady Ghalaty; Patrick Schaumont

Fault Sensitivity Analysis (FSA) is a new type of side-channel attack that exploits the relation between the sensitive data and the faulty behavior of a circuit, the so-called fault sensitivity. This paper analyzes the behavior of different implementations of AES S-box architectures against FSA, and proposes a systematic countermeasure against this attack. This paper has two contributions. First, we study the behavior and structure of several S-box implementations, to understand the causes behind the fault sensitivity. We identify two factors: the timing of fault sensitive paths, and the number of logic levels of fault sensitive gates within the netlist. Next, we propose a systematic countermeasure against FSA. The countermeasure masks the effect of these factors by intelligent insertion of delay elements. We evaluate our methodology by means of an FPGA prototype with built-in timing-measurement. We show that FSA can be thwarted at low hardware overhead. Compared to earlier work, our method operates at the logic-level, is systematic, and can be easily generalized to bigger circuits.


workshop on fault diagnosis and tolerance in cryptography | 2015

Improving Fault Attacks on Embedded Software Using RISC Pipeline Characterization

Bilgiday Yuce; Nahid Farhady Ghalaty; Patrick Schaumont

A fault attack becomes more efficient when the fault behavior, the response of a device to a fault injection, is precisely understood. In this paper, we present a methodology for fault attacks and their analysis on pipelined RISC processors. For complex hardware structures such as microprocessor pipelines, modeling the fault behavior can become challenging. By analyzing the structure of the RISC pipeline, we obtain insight into the most likely faults, and we are able to pinpoint the most sensitive points during execution of a cryptographic software program. We use this result to apply a recent class of fault injection attacks, so-called biased fault injection attacks, to two different software implementations of AES. Our target microprocessor is a 7-stage pipeline LEON3, mapped into a Spartan6 FPGA. The paper explains the methodology, the fault injection setup, and the fault analysis on the embedded software design of AES. Our results are useful for embedded software designers who have a need to understand the fault attack sensitivity of their implementation, as well as for security engineers who are in charge of improving countermeasures, in hardware or in software, against fault attacks.


workshop on fault diagnosis and tolerance in cryptography | 2016

Software Fault Resistance is Futile: Effective Single-Glitch Attacks

Bilgiday Yuce; Nahid Farhady Ghalaty; Harika Santapuri; Chinmay Deshpande; Conor Patrick; Patrick Schaumont

Fault attacks are a serious threat for the secure embedded software running on a wide spectrum of embedded devices. Fault attacks can be thwarted using countermeasures in software. Among them, instruction-level countermeasures provide a fine-grained protection by executing redundant copies of an assembly instruction, and verifying their results for fault detection. It is assumed that this fine-grained security can only be broken by injecting multiple faults with expensive tools. In this work, we break the security of state-of-the-art instruction-level countermeasures by injecting single clock glitches with a low-cost fault injection setup. We first analyze their vulnerabilities by considering micro-architectural aspects such as pipelining effects. Second, we experimentally demonstrate the feasibility of exploiting these vulnerabilities on a SAKURA-G board. Finally, as a case study, we apply a recent biased fault attack on a fault-resistant software implementation of LED block cipher, and retrieve its secret key.


international conference on selected areas in cryptography | 2016

Lightweight Fault Attack Resistance in Software Using Intra-instruction Redundancy

Conor Patrick; Bilgiday Yuce; Nahid Farhady Ghalaty; Patrick Schaumont

Fault attack countermeasures can be implemented by storing or computing sensitive data in redundant form, such that the faulty data can be detected and restored. We present a class of lightweight, portable software countermeasures for block ciphers. Our technique is based on redundant bit-slicing, and it is able to detect faults in the execution of a single instruction. In comparison to earlier techniques, we are able to intercept data faults as well as instruction sequence faults using a uniform technique. Our countermeasure thwarts precise bit-fault injections through pseudo-random shifts in the allocation of data bit-slices. We demonstrate our solution on a full AES design and confirm the claimed security protection through a detailed fault simulation for a 32-bit embedded processor. We also quantify the overhead of the proposed fault countermeasure, and find a minimal increase in footprint (14%), and a moderate performance overhead between 125% to 317%, depending on the desired level of fault-attack resistance.


hardware and architectural support for security and privacy | 2016

FAME: Fault-attack Aware Microprocessor Extensions for Hardware Fault Detection and Software Fault Response

Bilgiday Yuce; Nahid Farhady Ghalaty; Chinmay Deshpande; Conor Patrick; Leyla Nazhandali; Patrick Schaumont

Fault attacks are a known serious threat to embedded software security. We propose FAME, a low-cost and flexible approach to defend embedded software against fault attacks. FAME offers a combination of fault detection in hardware and fault response in software. A hardware fault detection unit continuously monitors the system status. When a fault injection is detected, an alarm signal triggers a secure trap mechanism that passes the control to a software trap handler. The trap handler applies a suitable fault response policy, which may include a broad variety of responses such as clearing sensitive data or issuing system-wide alerts. This enables a targeted, fast fault detection as well as an application-dependent, user-defined fault response. FAME requires much lower overhead than traditional countermeasure techniques in software or hardware. We demonstrate a prototype implementation of FAME using a modified LEON3 processor, and we analyze the hardware and software overhead to thwart setup-time violation attacks. The hardware area overhead is 7.4% and 14.2% in the number of LUTs and registers, respectively. The overhead of the software trap handler on top of an AES-128 program is 0.59%–0.71% in footprint and 1.01%–2.35% in performance, depending on the security policy. In contrast, traditional countermeasures that use redundant hardware or software against similar faults have at least double overhead.


hardware oriented security and trust | 2015

TVVF: Estimating the vulnerability of hardware cryptosystems against timing violation attacks

Bilgiday Yuce; Nahid Farhady Ghalaty; Patrick Schaumont

Secure hardware designers require a method to evaluate the vulnerability of their systems against fault attacks to make proper security/cost trade-offs. To our knowledge, no systematic approach has been proposed for this purpose. This paper introduces Timing Violation Vulnerability Factor (TVVF), which evaluates the vulnerability of a hardware structure to setup time violation attacks. TVVF, a probabilistic metric computed on a circuit's netlist, is comprised of two factors: First, the probability of injecting a specific fault in the hardware structure, and second, the probability of propagating this fault to the output of the structure. TVVF aims at evaluating the security of designs against intentional faults caused by an adversary. In contrast, existing vulnerability metrics such as the Architecture Vulnerability Factor (AVF), evaluate the system reliability against random uncontrolled faults. To show the applicability of our metric, we compute the TVVF for two fault attacks on two AES netlists, which are generated for an FPGA.


IEEE Embedded Systems Letters | 2016

Analyzing the Efficiency of Biased-Fault Based Attacks

Nahid Farhady Ghalaty; Bilgiday Yuce; Patrick Schaumont

In this letter, we analyze a class of recently proposed fault analysis techniques, which adopt a biased fault model. The purpose of our analysis is to evaluate the relative efficiency of several recently proposed biased-fault attacks. We compare the relative performance of each technique in a common framework, using a common circuit and a common fault injection method. We show that, for an identical circuit and fault injection method (setup time violation through clock glitching), the number of faults per attack greatly varies according to the analysis technique. In particular, DFIA is more efficient than FSA, and FSA is more efficient than both NUEVA and NUFVA. In terms of number of fault injections until full key disclosure, for a typical case, FSA uses 8x more faults than DFIA, and NUEVA uses 33x more faults than DFIA. Hence, the postprocessing technique selected in a biased-fault attack has a significant impact on the success of the attack.


international workshop constructive side channel analysis and secure design | 2015

Differential Fault Intensity Analysis on PRESENT and LED Block Ciphers

Nahid Farhady Ghalaty; Bilgiday Yuce; Patrick Schaumont

Differential Fault Intensity Analysis (DFIA) is a recently introduced fault analysis technique. This technique is based on the observation that faults are biased and thus are non-uniformly distributed over the cipher state variables. The adversary uses the fault bias as a source of leakage by controlling the intensity of fault injection. DFIA exploits statistical analysis to correlate the secret key to the biased fault behavior. In this work, we show a DFIA attack on two lightweight block ciphers: PRESENT and LED. For each algorithm, our research analyzes the efficiency of DFIA on a round-serial implementation and on a nibble-serial implementation. We show that all algorithms and all implementation variants can be broken with 10 to 36 fault intensity levels, depending on the case. We also analyze the factors that affect the convergence of DFIA. We show that there is a trade-off between the number of required plaintexts, and the resolution of the fault-injection equipment. Thus, an adversary with lower-quality fault-injection equipment may still be as effective as an adversary with high-quality fault-injection equipment, simply by using additional encryptions. This confirms that DFIA is effective against a range of algorithms using a range of fault injection techniques.

Collaboration


Top Co-Authors

Alex Nicolau

University of California
