Roshan G. Ragel

RIJID: random code injection to mask power analysis based side channel attacks

Side channel attacks are becoming a major threat to the security of embedded systems. Countermeasures proposed to overcome Simple Power Analysis (SPA) and Differential Power Analysis (DPA), are data masking, table masking, current flattening, circuitry level solutions, dummy instruction insertions and balancing bit-flips. All these techniques are either susceptible to multi-order side channel attacks, not sufficiently generic to cover all encryption algorithms, or burden the system with high area cost, run-time or energy consumption. A HW/SW based randomized instruction injection technique is proposed in this paper to overcome the pitfalls of previous countermeasures. Our technique injects random instructions at random places during the execution of an application which protects the system from both SPA and DPA. Further, we devise a systematic method to measure the security level of a power sequence and use it to measure the number of random instructions needed, to suitably confuse the adversary. Our processor model costs 1.9% in additional area for a simplescalar processor, and costs on average 29.8% in runtime and 27.1% in additional energy consumption for six industry standard cryptographic algorithms.

Hardware assisted pre-emptive control flow checking for embedded processors to improve reliability

Reliability in embedded processors can be improved by control flow checking and such checking can be conducted using software or hardware. Proposed software-only approaches suffer from significant code size penalties, resulting in poor performance. Proposed hardware-assisted approaches are not scalable and therefore cannot be implemented in real embedded systems. This paper presents a scalable, cost effective and novel fault detection technique, to ensure proper control flow of a program. This technique includes architectural changes to the processor and software modifications. While architectural refinement incorporates additional instructions, the software transformation utilizes these instructions into the program flow. Applications from an embedded systems benchmark suite are used for testing and evaluation. The overheads are compared with the state of the art approach that performs the same error coverage using software-only techniques. Our method has greatly reduced overheads compared to the state of the art. Our approach increased code size by between 3.85-11.2% and reduced performance by just 0.24-1.47% for eight different industry standard applications. The additional hardware (gates) overhead in this approach was just 3.59%. In contrast, the state of the art software- only approach required 50-150% additional code, and reduced performance by 53.5-99.5% when error detection was inserted.

Micro embedded monitoring for security in application specific instruction-set processors

This paper presents a methodology for monitoring security in Application Specific Instruction-set Processors (ASIPs). This is a generalized methodology for inline monitoring insecure operations in machine instructions at microinstruction level. Microinstructions are embedded into the critical machine instructions forming self checking instructions. We name this method Micro Embedded Monitoring. Since ASIPs are designed exclusively for a particular application domain, the Instruction Set Architecture (ISA) of an ASIP is based on the application executed. Knowledge of the domain gives an insight into the kinds of the security threats which need to be considered. The fact that the ISA design is based on the application makes room to accommodate security monitoring support during the design phase by embedding microinstructions into the critical machine instructions. Since the microinstructions are the lowest possible software level architecture, we could expect to get better performance by implementing security detection using microinstruction routines. Four different embedded security monitoring routines are implemented for evaluation. The average performance penalty with these monitoring routines with ten different benchmarks is 1.93% while the average area and power overheads are 5.26% and 3.07% respectively.

Reli: hardware/software checkpoint and recovery scheme for embedded processors

Checkpoint and Recovery (CR) allows computer systems to operate correctly even when compromised by transient faults. While many software systems and hardware systems for CR do exist, they are usually either too large, require major modifications to the software, too slow, or require extensive modifications to the caching schemes. In this paper, we propose a novel error-recovery management scheme, which is based upon re-engineering the instruction set. We take the native instruction set of the processor and enhance the microinstructions with additional micro-operations which enable checkpointing. The recovery mechanism is implemented by three custom instructions, which recover the registers which were changed, the data memory values which were changed and the special registers (PC, status registers etc.) which were changed. Our checkpointing storage is changed according to the benchmark executed. Results show that our method degrades performance by just 1.45% under fault free conditions, and incurs area overhead of 45% on average and 79% in the worst case. The recovery takes just 62 clock cycles (worst case) in the examples which we examined.

A hybrid hardware--software technique to improve reliability in embedded processors

Numerous methods have been described in research literature with methods to improve reliability of processors by the use of control-flow checking. High performance and code-size penalties cripple the proposed software approaches, while hardware approaches are not scalable and are thus rarely implemented in real embedded systems. In this article, we show that by including control-flow checking as an issue to be considered when designing as embedded processor, we are able to reduce overheads considerably and still provide a scalable solution to this problem. The technique described in this article includes architectural improvements to the processor and binary rewriting of the application. Architectural refinement incorporates additional instructions to the instruction set architecture, while the binary rewriting utilizes these additional instructions into the program flow. Applications from an embedded systems benchmark suite have been used to test and evaluate the system. Our approach increased code size by only 5.55% to 13.5% and reduced performance by just 0.54% to 2.83% for eight different industry standard benchmarks. The additional hardware overhead due to the additional instruction in the design is just 2.70%. In contrast, the state-of-the-art software-only approach required 50% to 150% additional code, and reduced performance by 53.5% to 99.5% when monitoring was inserted. Fault injection analysis demonstrates that our solution is capable of capturing and recovering from all the injected control-flow errors, while the software-only approach detected 87% of the injected control-flow errors.

Multiprocessor information concealment architecture to prevent power analysis-based side channel attacks

Side channel attackers observe external manifestations of internal computations in an embedded system to predict the encryption key employed. The ability to examine such external manifestations (power dissipation or electromagnetic emissions) is a major threat to secure embedded systems. This study proposes a secure multiprocessor architecture to prevent side channel attacks, based on a dual-core algorithmic balancing technique, where two identical cores are used. Both cores use a single clock and encrypt simultaneously, with one core executing the original encryption, whereas the second executes the complementary encryption. This effectively balances the crucial information from the power profile (note that it is the information and not the power profile itself), hiding the actual key from the adversary attempting an attack based on differential power analysis (DPA). The two cores normally execute different tasks, but will encrypt together to foil a side channel attack. The authors show that, when our technique is applied, DPA fails on the most common block ciphers, data encryption standard (DES) and advanced encryption standard (AES), leaving the attacker with little useful information with which to perpetrate an attack.

Remote Cache Timing Attack on Advanced Encryption Standard and countermeasures

AES, Advanced Encryption Standard, is a symmetric key encryption standard being widely used to secure data in places where data confidentiality is a critical issue. AES was adopted from the Rijndael algorithm which was developed by Joan Daemen and Vincent Rijmen. In 2001 NIST, National Institute of Standards and Technology, declared Rijndael algorithm as the next generation cryptographic algorithm, and thus was titled AES — Advanced Encryption Standard. NIST spent several years analyzing the Rijndael algorithm for vulnerabilities against all known breeds of attacks and finally declared it to be a secure algorithm. In 2005 Daniel J. Bernstein claimed that the software implementation of AES is vulnerable to side channel attacks. Side Channel Attacks are a form of cryptanalysis that focuses not on breaking the underlying cipher directly but on exploiting weaknesses found in certain implementations of a cipher. One could derive attacks based on side-channel information gained through timing information, radiation of various sorts, power consumption statistics, cache contents, etc. AES uses a series of table look ups to increase its performance. Since these tables do not fully fit into the cache, cache hits and misses are frequent during encryption, causing various look up times, and thus various encryption times that change according to the input text and the encryption key. The Cache Timing Attack proposed by Bernstein correlates the timing details for encryption under a known key with an unknown key to deduce the unknown key. Bernstein demonstrated the attack against the OpenSSL 0.9.7a AES implementation on an 850MHz Pentium III desktop computer running FreeBSD 4.8. Over the years many researchers have proposed a number of countermeasures against Bernsteins Cache Timing Attack but there is no evidence to date of any investigation carried out to determine their effectiveness and efficiency. Our study focused on verifying Bernsteins Cache Timing Attack and investigating some of the countermeasures that have been proposed by implementing them.

Accelerating string matching for bio-computing applications on multi-core CPUs

Huge amount of data in the form of strings are being handled in bio-computing applications and searching algorithms are quite frequently used in them. Many methods utilizing on both software and hardware are being proposed to accelerate processing of such data. The typical hardware-based acceleration techniques either require special hardware such as generalpurpose graphics processing units (GPGPUs) or need building a new hardware such as an FPGA based design. On the other hard, software-based acceleration techniques are easier since they only require some changes in the software code or the software architecture. Typical software-based techniques make use of computers connected over a network, also known as a network grid to accelerate the processing. In this paper, we test the hypothesis that multi-core architectures should provide better performance in this kind of computation, but still it would depend on the algorithm selected as well as the programming model being utilized. We present the acceleration of a string-searching algorithm on a multi-core CPU via a POSIX thread based implementation. Our implementation on an 8-core processor (that supports 16-threads) resulted in 9x throughput improvement compared to a single thread implementation.

Architectural Frameworks for Security and Reliability of MPSoCs

Multiprocessor system-on-chip (MPSoC) architectures are increasingly used in modern embedded systems. MPSoCs are used for confidential and critical applications and hence need strong security and reliability features. Software attacks exploit vulnerabilities in the software on MPSoCs. In this paper we propose two MPSoC architectural frameworks, tCUFFS and iCUFFS, for an Application Specific Instruction set Processor (ASIP) design. Both tCUFFS and iCUFFS employ a dedicated security processor for detecting software attacks. iCUFFS relies on the exact number of instructions in the basic block to determine an attack and tCUFFS relies on time-frame based measures. In addition to software attacks, reliability concerns of bit flip errors in the control flow instructions (CFIs) are also addressed. Additional method is proposed to the iCUFFS framework to ensure reliable inter-processor communication. The results for the implementation on Xtensa processor from Tensilica showed, worst case runtime penalty of 38% for tCUFFS and 44% for iCUFFS, and worst case area overhead of 33% for tCUFFS and 40% for iCUFFS. The existing iCUFFS framework was able to detect approximately 70% of bit flip errors in the CFIs. The modified iCUFFS framework proposed for reliable inter-processor communication was at most 4% slower than the existing iCUFFS framework.

Advanced modes in AES: Are they safe from power analysis based side channel attacks?

Advanced Encryption Standard (AES) is arguably the most popular symmetric block cipher algorithm. The commonly used mode of operation in AES is the Electronic Codebook (ECB) mode. In the past, side channel attacks (including power analysis based attacks) have been shown to be effective in breaking the secret keys used with AES, while AES is operating in the ECB mode. AES defines a number of advanced modes (namely Cipher Block Chaining - CBC, Cipher Feedback - CFB, Output Feedback - OFB, and Counter - CTR) of operations that are built on top of the EBC mode to enhance security via disassociating the encryption function from the plaintext or the secret key used. In this paper, we investigate the vulnerabilities against power analysis based side channel attacks of all such modes of operations, implemented on hardware circuits for low power and high speed embedded systems. Through such an investigation, we show that AES is vulnerable in all modes of operations against Correlation Power Analysis (CPA) attack, one of the strongest power analysis based side channel attacks. We also quantify the level of difficulty in breaking AES in different modes by calculating the number of power traces needed to arrive at the complete secret key. We conclude that the Counter mode of operation provides a balance in between area and power while maintaining adequate resistance for power analysis attacks than when used with other modes of operations. We show that the previous recommendations for the rate of change in the keys and vectors is grossly inadequate, and suggest that it must be changed at least every 210 encryptions in CBC mode and 212 encryptions in CFB, OFB and CTR modes in order to resist power analysis attacks.