Patrick Koeberl
Intel
Publication
Featured research published by Patrick Koeberl.
european conference on computer systems | 2014
Patrick Koeberl; Steffen Schulz; Ahmad-Reza Sadeghi; Vijay Varadharajan
Embedded systems are increasingly pervasive, interdependent and in many cases critical to our everyday life and safety. Tiny devices that cannot afford sophisticated hardware security mechanisms are embedded in complex control infrastructures, medical support systems and entertainment products [51]. As such devices are increasingly subject to attacks, new hardware protection mechanisms are needed to provide the required resilience and dependency at low cost. In this work, we present the TrustLite security architecture for flexible, hardware-enforced isolation of software modules. We describe mechanisms for secure exception handling and communication between protected modules, enabling seamless interoperability with untrusted operating systems and tasks. TrustLite scales from providing a simple protected firmware runtime to advanced functionality such as attestation and trusted execution of userspace tasks. Our FPGA prototype shows that these capabilities are achievable even on low-cost embedded systems.
design automation conference | 2015
Franz Ferdinand Brasser; Brahim El Mahjoub; Ahmad-Reza Sadeghi; Christian Wachsmann; Patrick Koeberl
Embedded systems are at the core of many security-sensitive and safety-critical applications, including automotive, industrial control systems, and critical infrastructures. Existing protection mechanisms against (software-based) malware are inflexible, too complex, expensive, or do not meet real-time requirements. We present TyTAN, which, to the best of our knowledge, is the first security architecture for embedded systems that provides (1) hardware-assisted strong isolation of dynamically configurable tasks and (2) real-time guarantees. We implemented TyTAN on the Intel® Siskiyou Peak embedded platform and demonstrate its efficiency and effectiveness through extensive evaluation.
design automation conference | 2015
Lucas Davi; Matthias Hanreich; Debayan Paul; Ahmad-Reza Sadeghi; Patrick Koeberl; Dean Sullivan; Orlando Arias; Yier Jin
Code-reuse attacks like return-oriented programming (ROP) pose a severe threat to modern software on diverse processor architectures. Designing practical and secure defenses against code-reuse attacks is highly challenging and currently subject to intense research. However, no secure and practical system-level solutions exist so far, since a large number of proposed defenses have been successfully bypassed. To tackle this attack, we present HAFIX (Hardware-Assisted Flow Integrity Extension), a defense against code-reuse attacks exploiting backward edges (returns). HAFIX provides fine-grained and practical protection, and serves as an enabling technology for future control-flow integrity instantiations. This paper presents the implementation and evaluation of HAFIX for the Intel® Siskiyou Peak and SPARC embedded system architectures, and demonstrates its security and efficiency in code-reuse protection while incurring only 2% performance overhead.
design, automation, and test in europe | 2013
Patrick Koeberl; Ünal Kocabaş; Ahmad-Reza Sadeghi
Memristors are emerging as a potential candidate for next-generation memory technologies, promising to deliver non-volatility at performance and density targets which were previously the domain of SRAM and DRAM. Silicon Physically Unclonable Functions (PUFs) have been introduced as a relatively new security primitive which exploit manufacturing variation resulting from the IC fabrication process to uniquely fingerprint a device instance or generate device-specific cryptographic key material. While silicon PUFs have been proposed which build on traditional memory structures, in particular SRAM, in this paper we present a memristor-based PUF which utilizes a weak-write mechanism to obtain cell behaviour which is influenced by process variation and hence usable as a PUF response. Using a model-based approach we evaluate memristor PUFs under random process variations and present results on the performance of this new PUF variant.
design automation conference | 2014
Lucas Davi; Patrick Koeberl; Ahmad-Reza Sadeghi
Embedded systems have become pervasive and are built into a vast number of devices such as sensors, vehicles, mobile and wearable devices. However, due to resource constraints, they fail to provide sufficient security, and are particularly vulnerable to runtime attacks (code injection and ROP). Previous works have proposed the enforcement of control-flow integrity (CFI) as a general defense against runtime attacks. However, existing solutions either suffer from performance overhead or only enforce coarse-grain CFI policies that a sophisticated adversary can undermine. In this paper, we tackle these limitations and present the design of novel security hardware mechanisms to enable fine-grained CFI checks. Our CFI proposal is based on a state model and a per-function CFI label approach. In particular, our CFI policies ensure that function returns can only transfer control to active call sites (i.e., return landing pads of functions currently executing). Further, we restrict indirect calls to target the beginning of a function, and lastly, deploy behavioral heuristics for indirect jumps.
scalable trusted computing | 2011
Ilze Eichhorn; Patrick Koeberl; Vincent van der Leest
The security of hardware is essential to the prevention of cloning, theft of service and tampering, and therefore to revenue preservation. An important component of hardware security is secure key storage. The level of security provided by a key is dependent upon the effort required from an attacker to compromise the key. Since the sophistication of tools used to carry out such attacks has increased significantly, protection of traditional key storage approaches, like storing a key in non-volatile memory (NVM), decreases. To fight these attacks Hardware Intrinsic Security (HIS) can be used. An example of HIS are Physically Unclonable Functions (PUFs). In this paper we introduce a new logically reconfigurable PUF (LR-PUF), based on a memory-based PUF. This LR-PUF uses the physical properties of a PUF combined with state information that is stored in NVM. Even though this implementation requires NVM, we will prove that the LR-PUF provides significantly more security than simply storing a key in NVM. The reason for this is that reading the information in NVM will not allow an attacker to derive any information on the key
hardware-oriented security and trust | 2014
Patrick Koeberl; Jiangtao Li; Anand Rajan; Wei Wu
One of the promising usages of Physically Unclonable Functions (PUFs) is to generate cryptographic keys from PUFs for secure storage of key material. This usage has attractive properties such as physical unclonability and enhanced resistance against hardware attacks. In order to extract a reliable cryptographic key from a noisy PUF response a fuzzy extractor is used to convert non-uniform random PUF responses into nearly uniform randomness. Bösch et al. in 2008 proposed a fuzzy extractor suitable for efficient hardware implementation using two-stage concatenated codes, where the inner stage is a conventional error correcting code and the outer stage is a repetition code. In this paper we show that the combination of PUFs with repetition code approaches is not without risk and must be approached carefully. For example, PUFs with min-entropy lower than 66% may yield zero leftover entropy in the generated key for some repetition code configurations. In addition, we find that many of the fuzzy extractor designs in the literature are too optimistic with respect to entropy estimation. For high security applications, we recommend a conservative estimation of entropy loss based on the theoretical work of fuzzy extractors and present parameters for generating 128-bit keys from memory based PUFs.
trust and trustworthy computing | 2011
Patrick Koeberl; Jiangtao Li; Anand Rajan; Claire Vishik; Wei Wu
The contamination of electronic component supply chains by counterfeit hardware devices is a serious and growing risk in today's globalized marketplace. Current practice for detecting counterfeit semiconductors includes visual checking, electrical testing, and reliability testing which can require significant investments in expertise, equipment, and time. Additionally, best practices have been developed in industry worldwide to combat counterfeiting in many of its variants. Although the current approaches improve the situation significantly, they do not provide extensive technical means to detect counterfeiting. However, new approaches in this area are beginning to emerge. Suh and Devadas recently proposed a low cost device authentication scheme which relies on Physically Unclonable Functions (PUFs) to implement a challenge-response authentication protocol. There are several constraints in their authentication scheme, e.g., their scheme requires a secure online database and relies on PUF constructions that exhibit a large number of challenge-response pairs. In this paper, we introduce a new device authentication scheme using PUFs for device anticounterfeiting. Our scheme is simple and practical as it does not require any online databases and is not tied to any PUF implementations. For hardware devices which already have SRAM and non-volatile storage embedded, our scheme takes almost no additional cost.
international conference on trusted systems | 2011
Patrick Koeberl; Jiangtao Li; Roel Maes; Anand Rajan; Claire Vishik; Marcin Wójcik
The contamination of electronic component supply chains by counterfeit hardware devices is a serious and growing risk in today's globalized marketplace. Current best practice for detecting counterfeit semiconductors includes visual checking, electrical testing, and reliability testing, all of which require significant investments in expertise, equipment, and time. In TRUST11, Koeberl, Li, Rajan, Vishik, and Wu proposed a new device authentication scheme using SRAM Physically Unclonable Functions (PUFs) for semiconductor anti-counterfeiting. Their authentication scheme is simple, low cost, and practical. However, the method and corresponding parameters of their scheme are based on a theoretical SRAM PUF model without support from real experimental data. In this paper, we evaluate a real SRAM PUF on a discrete 0.13um SRAM, and use the PUF result to evaluate this device authentication scheme and show that this scheme indeed works well. We identify several gaps between the theoretical model and the experimental SRAM PUF result, and adjust the parameters of the scheme accordingly. In addition, we provide a new post-processing function that results in a smaller false rejection rate and false acceptance rate.
european solid state circuits conference | 2014
Sudhir K. Satpathy; Sanu K. Mathew; Jiangtao Li; Patrick Koeberl; Mark A. Anders; Himanshu Kaul; Gregory K. Chen; Amit Agarwal; Steven K. Hsu; Ram K. Krishnamurthy
A 250K probing-resilient PUF array with measured 2GHz operation and total energy consumption of 13fJ/bit at 0.9V, 25°C is fabricated in 22nm tri-gate CMOS. Hybrid PUF circuit with integrated load modulation and run-time soft dark-bit mask generation enables identification of unstable PUF bits with 100% accuracy, eliminating the need for multiple voltage/temperature characterization while also reducing bit-error down to 1.94%. Transient behavior of the hybrid PUF cell, along with the use of balanced local clock routing improves resiliency to invasive power-up probing attacks by 75%.