Unit - V
Hardware Security
Security of Electronic hardware, its architecture,
implementations and validation.
Attacks to steal or compromise assets and approaches
designed to protect these assets.
Assets are hardware components such as ICs, passive
components (R, L, C) and PCBs.
Secrets stored in these components – Cryptographic
Keys, sensitive user data, firmware and configuration
data.
Security in Computing Systems
Overview of a Computing System
• A computing system is a system of interconnected
components such as:
- Memory for information storage
- Processor for information processing
- Input/ Output devices
• Categories of computing systems
- General Purpose systems – desktops, laptops
- Embedded systems – home automation systems,
digital cameras.
- Cyber physical systems – Smart Grid, autonomous
vehicles and robotics.
- Internet-of-Things – Sensors sensing real world data
and actuators for control actions
Organization of a Modern Computing
System
Layers of a Computing System
Layers of Electronic Hardware
• System-level hardware – integration of all physical
components (PCBs, peripheral devices).
• One or more PCBs – mechanical support and electrical
connections for the electronic components, to meet
functional and performance requirements.
• Active components – ICs, transistors and relays.
Layers of Electronic Hardware
Hardware Security
• It deals with protecting sensitive assets stored in hardware
from malicious software and network attacks, providing an
appropriate level of isolation between secure and insecure data
and code, and separating multiple user applications from one
another. Two common mechanisms:
(1) Trusted execution environment (TEE) – protects the code and
data of an application from other, untrusted applications.
(2) Protection of security-critical assets through appropriate
realization of security policies, such as access-control and
information-flow policies.
Hardware Security and Trust
Electronic Hardware Design and Flow
Electronic Hardware Design and Flow
• An IC design house creates the functional specification (e.g., data
compression, encryption, or pattern recognition) and the parametric
specification (e.g., operating frequency or standby power) of a design.
• A sequence of design and verification steps transforms the high-level
description of the design (for instance, an architecture-level description)
into logic gates, then into a transistor-level circuit, and finally into a
physical layout.
• The layout is transferred to a fabrication facility, which creates a mask set
for the layout and then uses lithography, etching and other steps to produce
a “wafer”, typically a circular silicon disk containing a batch of ICs (dies).
• The dies are cut from the wafer with a diamond saw and assembled into a
package made of ceramic or other materials.
• The packaged dies, or ICs, are then tested for compliance with the functional
and parametric specifications using another set of test patterns in a
manufacturing test facility.
• Testing and debug of a complex IC is usually facilitated by specialized
structures incorporated into the design, called the design-for-test (DFT) and
design-for-debug (DFD) infrastructure. The same structures give an attacker
with physical access a convenient path to internal state, so they must be
covered by the chip's access-control policy.
Attack Vectors
Attack vectors are means or paths for attackers to get
access to hardware components for malicious purposes.
Possible attacks
Attack surfaces
• Aggregate of all known, unknown, potential vulnerabilities
and controls all hardware, software and network components.
1.Chip – Level Attacks
Reverse Engineering, Cloning,
Malicious Insertion, side channel attacks leading to fake chips.
2. PCB Level Attacks
Reverse Engineering the PCB to obtain
the schematic of board to redesign it and create fake units.
3.System Level Attacks
Attacks involving the interaction of
hardware – software components can be mounted.
Security Model
• In order to describe a security issue or solution, it is
important to describe the corresponding security model.
A security model has two components:
(1) Threat model, which describes the threats, including the
purpose and mechanism of an attack, i.e., what the
adversary wants and what they are able to do.
(2) Trust model, which describes the parties or components
that are assumed to be trusted.
System – On - Chip
• A system-on-chip is a single integrated circuit that contains all the
components and circuits required by a particular system.
• Components of an SoC include CPU, GPU, memory, I/O controllers,
etc., often integrated as IP blocks from several vendors.
• SoCs are used in devices such as smartphones, Internet of Things
appliances, tablets and embedded system applications.
An SoC Design Flow
Hardware Trojan
• A hardware Trojan (HT) is defined as a malicious, intentional
modification of a circuit design that results in undesired
behavior when the circuit is deployed.
• SoCs that are ‘infected’ by a hardware Trojan may experience
changes in their functionality or specification, may leak
sensitive information, or may experience degraded or
unreliable performance.
• An effective way to detect a Trojan is to activate the Trojan
and observe its effects, but a Trojan’s type, size, and location
are unknown, and its activation is a rare event.
• A Trojan can be well hidden during the normal functional
operation of the chip and activated only when the triggering
condition is applied.
Structure of a Hardware Trojan
• Two main parts, Trigger and a Payload.
• A Trojan trigger is an optional part that monitors various signals and/or a
series of events in the circuit.
• The payload usually taps signals from the original (Trojan-free) circuit and
the output of the trigger.
• Once the trigger detects an expected event or condition, the payload is
activated to perform malicious behavior.
• When the payload is inactive, the IC acts like a Trojan-free circuit, making
it difficult to detect the Trojan.
Activation Mechanism
• Internally triggered – e.g., a counter reaching a value, or the chip
temperature crossing a threshold.
• Externally triggered – e.g., push buttons, switches, or a particular
output ciphertext value.
Payload Types
• Change Functionality
• Downgrade Performance
• Leak Information
• Denial-of-Service
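The trigger/payload structure and the counter-based (internal) trigger described above, as an added simulation that is not part of the original slides or of any real design. The "crypto core", the key value 0xBEEF, the trigger pattern 0xDEAD and the threshold of 8 are all constructed for the example; the point is that a random functional test never activates the Trojan, while driving the trigger sequence on purpose makes the key appear on the output.

```python
import random

# Constructed toy "crypto core" for a 16-bit data path; it stands in for any IP block
# whose internal secret must never appear on its outputs. Not a real cipher.
SECRET_KEY = 0xBEEF   # assumed secret held inside the block


def clean_core(data):
    """Golden (Trojan-free) behaviour: a keyed mix of one 16-bit input word."""
    return ((data ^ SECRET_KEY) * 0x9E37 + 0x1234) & 0xFFFF


class TrojanedCore:
    """clean_core plus a trigger/payload pair.

    Trigger (internal, counter based): counts how often a rare input pattern is seen.
    Payload: on the cycle the counter reaches its threshold, drive the key onto the
    data output instead of the normal result, then disarm so the leak is a one-shot.
    """
    TRIGGER_PATTERN = 0xDEAD   # the rare input the trigger monitors
    TRIGGER_COUNT = 8          # threshold of the internal counter

    def __init__(self):
        self.counter = 0

    def step(self, data):
        out = clean_core(data)            # the original circuit is untouched
        # --- trigger logic ---
        if data == self.TRIGGER_PATTERN:
            self.counter += 1
        if self.counter >= self.TRIGGER_COUNT:
            # --- payload ---
            self.counter = 0
            return SECRET_KEY
        return out


def random_test_vectors(n, seed=1):
    """Constructed functional test set: uniformly random 16-bit inputs."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]


def functional_test(core, vectors):
    """Post-silicon style check: compare the chip against the golden model and
    return the number of mismatching outputs."""
    return sum(1 for v in vectors if core.step(v) != clean_core(v))


def directed_activation(core):
    """Apply the trigger sequence deliberately and return the outputs observed."""
    return [core.step(TrojanedCore.TRIGGER_PATTERN)
            for _ in range(TrojanedCore.TRIGGER_COUNT)]


if __name__ == "__main__":
    print("mismatches under random test:",
          functional_test(TrojanedCore(), random_test_vectors(50_000)))
    outs = directed_activation(TrojanedCore())
    print("outputs while driving the trigger:", [hex(o) for o in outs])
```

With 50,000 random vectors the pattern is expected to occur less than once, so the eight hits the counter needs essentially never happen and the part passes as Trojan-free; only a test that knows the trigger, or a structural analysis of the extra counter logic, exposes it.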
Location
• A hardware Trojan can be inserted in a single
component or spread across multiple components, for
example, processor, memory, input/output, power
supply, or clock grid.
Random Logic
Processing Unit
Cryptographic Accelerator
Memory Units
Input/ Output Port
Power Supply
Clock Grid
Side – Channel Attacks
• Side-channel attacks (SCAs) are noninvasive attacks that target
the implementation of a cryptographic algorithm rather than the
algorithm itself.
• They exploit physical information leaking from indirect sources or
channels, such as the target device's power consumption,
electromagnetic (EM) radiation, or the time taken for a computation.
• The information embedded in the side-channel parameters depends
on the intermediate values computed during execution of the
crypto-algorithm, which are correlated with the inputs and the
secret key of the cipher.
Side Channel Leakages
Data Collection Process during SCA
Side Channel Attacks
Power Analysis
• The basic idea of power analysis attacks is to reveal secret
information from a device by analyzing its power
consumption.
• Needs physical access to the device.
• Used to extract the secret key of cryptographic systems.
• A set of power measurements is required for each side-
channel analysis to be applied; these sets vary depending
on the type of attack, the complexity of the design, and the
accuracy of the data collection process.
• Each power signal captured during the analysis is called a
power trace.
• Three main variants: Simple Power Analysis (SPA), Differential
Power Analysis (DPA) and Correlation Power Analysis (CPA).
Dynamic Power of an Inverter
Let Pij be the power consumption when the output of the inverter
changes from i to j, for i, j ∈ {0, 1}. P01 and P10 are much greater
than P00 and P11, since the capacitor connected to the output is
charged or discharged when the output value switches; P00 and P11
are almost zero since there is no charging or discharging activity.
Based on this characteristic, an adversary can estimate the output
or input transition by measuring the power of the inverter. Summed
over a register, this is why the power correlates with the Hamming
distance between consecutive values (the number of bits that toggle).
Acquisition of power signals
A power analysis setup: the cryptographic system is controlled by a
computer that applies input patterns, observes the outputs, measures
the power consumption (typically as the voltage across a shunt resistor
in the supply line, captured with an oscilloscope), and performs the
analysis needed to extract the secret key.
Types of Power Analysis
• Simple Power Analysis
• Differential Power Analysis
• Correlation Power Analysis
• SPA is a technique that aims to observe power measurements
obtained while the device under attack is in operation mode.
• Visual inspection of power traces is considered the primary form
of SPA attack, where a power trace shows a sequence of patterns
that can lead to identifying key bits, instructions, or functions.
• Each instruction in a processor causes a specific pattern that can
be visually identified in the power trace.
• Template attacks are a more advanced form of SPA, where
known and recognized patterns in the power trace are
characterized and stored as templates.
• Power traces collected from the target device are matched to the
templates, and then corresponding operations are recognized
Power Traces during RSA Computation
Differential Power Analysis(DPA)
• DPA exploits the data dependency of the power consumption,
which lets the adversary infer internal transitions and extract secret
keys and other critical information without interpreting traces visually.
• Two phases: data collection and data analysis.
• In data collection, different input patterns are applied to the device
while the power traces are recorded at a high sampling rate. In the
data analysis phase, a statistical test such as the difference of means
is applied.
• For each key guess, the traces are partitioned by a selection function D,
the predicted value of one intermediate bit (X7). If the guessed key is
correct, the conditional probability density functions of the power given
D = 0 (X7 = 0) and D = 1 (X7 = 1) are clearly different, as shown in
Fig. 8.8A. Otherwise the conditional probability density functions are
similar, as shown in Fig. 8.8B.
• For the correct key guess the difference of means is the largest; for the
other guesses it is almost zero, as shown in Fig. 8.8C.
• Correlation Power Analysis (CPA) replaces the single-bit difference of
means with the correlation between the measured power and a Hamming
weight or Hamming distance model of the predicted intermediate value,
which uses all bits of the intermediate at once and needs fewer traces.
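The inverter power model, the DPA difference-of-means test on bit X7 and its CPA variant, worked through as an added example that is not code from the original slides. The traces are simulated, not measured: each "trace" is eight samples of Gaussian noise (sigma assumed 1.0) with the Hamming weight of the first-round AES S-box output added at one sample, which is the register-switching effect of the inverter model aggregated over eight bits. The key byte 0x2B, the trace length and the leakage index are constructed; the S-box is the real AES S-box, built from its definition. The same ranking functions apply unchanged to EM traces (DEMA).

```python
import math
import random


# --- AES S-box built from its definition (GF(2^8) inverse followed by the affine map) ---
def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B          # reduce modulo x^8 + x^4 + x^3 + x + 1
        b >>= 1
    return r


def _gf_inv(a):
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if _gf_mul(a, x) == 1)


def _affine(b):
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_affine(_gf_inv(x)) for x in range(256)]


def hamming_weight(v):
    return bin(v).count("1")


# --- Leakage model: constructed traces, not measurements ---
TRACE_LEN = 8        # samples per trace
LEAK_INDEX = 3       # sample at which the S-box output register is written
NOISE_SIGMA = 1.0    # assumed Gaussian measurement noise


def simulate_traces(n_traces, key, seed=7):
    """Return (plaintexts, traces) for one byte of a first-round AES S-box lookup.
    Only sample LEAK_INDEX is data dependent: it follows HW(S(pt ^ key)), i.e. the
    number of output bits that switch, the P01/P10 effect of the inverter model."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n_traces):
        pt = rng.randrange(256)
        trace = [rng.gauss(0, NOISE_SIGMA) for _ in range(TRACE_LEN)]
        trace[LEAK_INDEX] += hamming_weight(SBOX[pt ^ key])
        pts.append(pt)
        traces.append(trace)
    return pts, traces


def _mean(xs):
    return sum(xs) / len(xs)


def dpa_rank(pts, traces, bit=7):
    """Classic DPA: for every key guess, split the traces by the predicted value of one
    S-box output bit (X7 by default) and take the largest difference of means over
    all samples; the correct guess produces the largest gap."""
    scores = {}
    for guess in range(256):
        groups = {0: [], 1: []}
        for pt, tr in zip(pts, traces):
            groups[(SBOX[pt ^ guess] >> bit) & 1].append(tr)
        if not groups[0] or not groups[1]:
            scores[guess] = 0.0
            continue
        scores[guess] = max(
            abs(_mean([t[i] for t in groups[1]]) - _mean([t[i] for t in groups[0]]))
            for i in range(TRACE_LEN)
        )
    return scores


def _pearson(xs, ys):
    mx, my = _mean(xs), _mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0


def cpa_rank(pts, traces):
    """CPA: correlate the Hamming-weight hypothesis of the S-box output with every
    sample; the correct guess gives the highest absolute correlation."""
    scores = {}
    for guess in range(256):
        hyp = [hamming_weight(SBOX[pt ^ guess]) for pt in pts]
        scores[guess] = max(abs(_pearson(hyp, [t[i] for t in traces]))
                            for i in range(TRACE_LEN))
    return scores


def best_guess(scores):
    return max(scores, key=scores.get)


if __name__ == "__main__":
    KEY = 0x2B   # constructed secret key byte
    pts, traces = simulate_traces(1000, KEY)
    print("DPA recovers", hex(best_guess(dpa_rank(pts, traces))))
    print("CPA recovers", hex(best_guess(cpa_rank(pts, traces))))
```

Both rankings find the key byte from 1000 traces; the other 15 key bytes are attacked the same way independently, which is why the search is 16 × 256 guesses rather than 2^128. On a real target the leak sample is not known in advance, so the maximum over samples, as done here, is what locates it.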
DPA Applied to AES Block
Electromagnetic Attacks
• EM SCA measures the electromagnetic waves emitted by ICs in
operation.
• EM waves are produced as current flows through the device, where
transistor and interconnect switching activity changes with the
input patterns.
• An adversary usually aims to capture the EM signals produced by the
current flows of the data-processing stages, where most of the
switching activity, and therefore most of the emission, occurs.
• EM emanation is the process that causes the target device to
generate EM signals.
• Intentional emanations – EM signals produced directly by the
current flows of the device's intended operation.
• Unintentional emanations – EM signals generated indirectly through
electromagnetic coupling between circuits on the device.
Acquisition of EM Signals
• Simple EM Analysis
- In SEMA, the attacker obtains a single time-domain trace and
inspects it to gain knowledge about the device directly.
- Critical information is obtained via visual inspection of the EM
trace; for example, the sequence of transitions at the start-up of the
system may include information about the secret key used to
encrypt/decrypt data.
• Differential EM Analysis
- The attacker applies DEMA to the device to exploit information
that is not visually observable.
- DEMA uses a self-referencing approach, which compares the
analyzed signal with an equivalent one from a different area of the
device (spatial referencing) or from a different time (temporal
referencing).
- DEMA can help identify functional and structural details of the
target device.
- It can also track a process flow and determine how a signal
propagates inside the device.
Fault Injection Attacks
• Fault injection attacks are active attacks, where a crypto-
device is intentionally injected with a fault that leads to a
leakage of the secret key.
• The injected fault is designed to introduce a temporary
malfunction during the device operation. This malfunction is
typically a disturbance of a few memory or register bits.
• As execution continues, this single or multiple bit-flip propagates
to other memory locations and eventually results in a corrupted
output, called the faulty ciphertext.
• An attacker can use the faulty ciphertext to derive the secret key.
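How a single corrupted output gives up the key, as an added example that is not from the original slides: the textbook instance is RSA-CRT signing, where one fault in the mod-q half of the computation lets gcd(s'^e - m, N) reveal a prime factor (the Bellcore attack). The primes 10007 and 10009, the message and the flipped bit are all constructed, toy-sized values; the glitch is modelled as one bit-flip in a register, matching the disturbance described above. A verify-before-release check is included as the standard countermeasure.

```python
from math import gcd

# Constructed toy RSA parameters (assumed for the example; real keys are 2048+ bits).
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT private-key components as a device would store them for fast signing.
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def sign_crt(m, fault_bit=None):
    """RSA-CRT signature of integer m < N.
    If fault_bit is set, one bit of the mod-q half-result is flipped, modelling a
    transient glitch (clock, voltage, EM or laser) that corrupts a register during
    that exponentiation. The mod-p half is left intact."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sq ^= 1 << fault_bit              # injected fault: single bit-flip in s_q
    h = ((sp - sq) * QINV) % P            # Garner recombination
    return sq + Q * h


def verify(m, s):
    return pow(s, E, N) == m


def recover_factor_from_faulty_signature(m, faulty_sig):
    """Bellcore attack: s' is still correct mod p but wrong mod q, so
    s'^e - m is divisible by p and not by q; the gcd with N isolates p."""
    return gcd(pow(faulty_sig, E, N) - m, N)


def recover_factor_from_pair(good_sig, faulty_sig):
    """Variant needing no knowledge of m: s - s' is 0 mod p only."""
    return gcd(good_sig - faulty_sig, N)


def recover_private_exponent(factor):
    """With one prime known the whole private key follows."""
    other = N // factor
    return pow(E, -1, (factor - 1) * (other - 1))


def sign_crt_checked(m, fault_bit=None):
    """Countermeasure: verify the signature before releasing it; a faulty result is
    withheld, so the attacker never sees the faulty output."""
    s = sign_crt(m, fault_bit)
    return s if verify(m, s) else None


if __name__ == "__main__":
    m = 123456                            # constructed message representative
    s_good = sign_crt(m)
    s_bad = sign_crt(m, fault_bit=5)
    p_found = recover_factor_from_faulty_signature(m, s_bad)
    print("good signature verifies:", verify(m, s_good))
    print("faulty signature verifies:", verify(m, s_bad))
    print("factor recovered from one faulty signature:", p_found)
    print("private exponent recovered:", recover_private_exponent(p_found) == D)
    print("checked signer releases faulty output:", sign_crt_checked(m, fault_bit=5))
```

One faulty signature is enough; the attacker does not need to know which bit flipped or when, only that exactly one CRT half was affected. The verification step costs one public-key operation per signature, which is why deployed implementations accept it.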
Fault Injection by clock glitch, optical
probing and power glitch
Fault Injection Techniques
• Voltage glitching
- The device is briefly supplied with a lower-than-normal voltage
level, so that some logic fails to settle within the clock cycle.
• Tampering with the clock pin
- Subjecting the device to a faulty clock signal, e.g., a clock pulse
shorter than the delay of the critical path.
• EM disturbances
- Generating EM signals and directing them at a device can compromise
the operation of the system. By controlling the EM signal, different
types of behavioral change in functionality can be observed, and with
the right input patterns and enough iterations, the device can leak the
secret key of the cryptographic module.
• Laser glitching
- Applying a laser beam to a specific area of a device can inject a fault.
Data in registers and state elements can be modified when a strong laser
beam is applied intentionally. The beam can be controlled in terms of
strength and polarization, which allows the attacker to either inject faults
into a specific area
Timing Attacks
• An adversary often applies timing analysis to a cryptographic system to extract
the secret key; timing analysis helps the attacker determine which subsets of the
key are correct and which are not.
• Example: the total time of 10,000 executions of three different modular-
exponentiation software implementations: (1) straightforward, (2) square-and-
multiply, and (3) Montgomery multiplication with square-and-multiply.
• In the straightforward implementation the execution time increases linearly
with the exponent. In the other two, the execution time depends on the number
of 1s in the binary exponent, that is, on the Hamming weight of the exponent,
so a constant-time implementation must do the same work for every bit value.
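The three exponentiation variants above, as an added example not taken from the slides. Instead of wall-clock time, which would be noisy and machine dependent, each function counts modular multiplications, the quantity the timing actually tracks; the modulus, base and exponent sizes are constructed. A Montgomery ladder is included as the constant-work countermeasure; note that this is a different construction from the Montgomery multiplication of variant (3) on the slide, which only speeds up each multiply and still leaks the Hamming weight.

```python
def modexp_naive(base, exp, mod):
    """Straightforward: multiply exp times. Work is linear in the exponent value."""
    result, mults = 1, 0
    for _ in range(exp):
        result = (result * base) % mod
        mults += 1
    return result, mults


def modexp_square_and_multiply(base, exp, mod):
    """Left-to-right binary method: one squaring per exponent bit plus one extra
    multiply for every 1-bit, so work = bit length + Hamming weight."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        mults += 1
        if bit == "1":
            result = (result * base) % mod
            mults += 1
    return result, mults


def modexp_montgomery_ladder(base, exp, mod):
    """Montgomery ladder: exactly two multiplications per bit whatever its value,
    so the multiplication count depends only on the bit length (invariant r1 = r0*base)."""
    r0, r1, mults = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        mults += 2
    return r0, mults


def hamming_weight(e):
    return bin(e).count("1")


def cost_profile(impl, mod=1000003, base=5, bits=10):
    """Multiplication count for every exponent of a fixed bit length (constructed range)."""
    return {e: impl(base, e, mod)[1] for e in range(1 << (bits - 1), 1 << bits)}


def leaks_hamming_weight(impl, **kw):
    """True when, at fixed bit length, the cost is a one-to-one function of the
    exponent's Hamming weight: the attacker who measures time learns the weight."""
    by_weight = {}
    for e, cost in cost_profile(impl, **kw).items():
        by_weight.setdefault(hamming_weight(e), set()).add(cost)
    one_cost_per_weight = all(len(costs) == 1 for costs in by_weight.values())
    distinct_costs = len({min(costs) for costs in by_weight.values()})
    return one_cost_per_weight and distinct_costs == len(by_weight)


if __name__ == "__main__":
    for impl in (modexp_naive, modexp_square_and_multiply, modexp_montgomery_ladder):
        r, n = impl(5, 0b1011, 97)
        print(f"{impl.__name__}: result={r} mults={n} "
              f"leaks HW(exponent)={leaks_hamming_weight(impl)}")
```

The naive version is worse than leaking the weight: its cost is the exponent itself. Square-and-multiply leaks the weight, and Kocher's original attack refines that per bit by correlating time with the guessed bits processed so far. The ladder's count is flat, which is necessary but not sufficient; the multiplications themselves must also take data-independent time.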
Physical Attacks
• Physical attacks are classified as noninvasive, semi-invasive and invasive.
• A noninvasive attack requires no preparation of the device under test and
does not physically harm the device during the attack. The attacker either
taps the wires to the device or plugs it into a test circuit for analysis.
• Invasive attacks require direct access to the internal components of the
device, which normally requires a well-equipped and knowledgeable attacker
to succeed.
• Semi-invasive attacks require depackaging the chip to get access to its
surface; however, the passivation layer of the chip remains intact, as
semi-invasive methods do not require creating contacts to the internal wires.
• Examples of invasive attacks: reverse engineering, microprobing and
invasive fault injection.
Taxonomy of Reverse Engineering
• Reverse engineering (RE) is the process involving the thorough
examination of an object to achieve a full understanding of its construction
and/or functionality.
• Used to clone, duplicate, or reproduce systems and devices in various
security-critical applications, such as smartcards, smartphones, military,
financial, and medical systems.
• Chip-level RE
X-ray tomography is a nondestructive method of RE that can provide
layer-by-layer images of chips, and is often used for the analysis of internal vias,
traces, wire bonds, capacitors, contacts, or resistors. Destructive analysis, on the
other hand, may consist of etching and grinding away every layer for analysis.
During the delayering process, pictures are taken by either a scanning electron
microscope (SEM) or a transmission electron microscope (TEM).
• PCB-level RE
RE of PCBs begins with the identification of the components mounted on
the board, the traces on the top and bottom (visible) layers, its ports, and so forth.
After that, delayering or X-ray imaging can be used to identify the connections,
traces, and vias of the internal PCB layers.
• System-level RE
Electronic systems are comprised of chips, PCBs, and firmware. A
system's firmware includes the information about the system's operation and
timing, and is typically embedded within nonvolatile memories (NVMs), such as
ROM, EEPROM, and Flash. By reading out and analyzing the memory contents,
RE can provide a deeper insight into the system under attack.
Probing Attacks
• Probing directly accesses the internal wires of a security-critical
module and extracts sensitive information in electronic format .
Security Architecture
• Developing a baseline secure architecture depends on the
following two steps:
Use threat modeling to identify potential threats to the
current architecture definition.
Refine the architecture with mitigation strategies
covering the threats identified.
• Policies are to be defined for the system under exploration.
• The architect must identify:
1) who can access the asset;
2) what kind of access is permitted by the policies; and
3) at what points in the system execution or product
development lifecycle such access requests can be granted or
denied.
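The threat-model-then-refine loop and the three policy questions (who, what kind of access, at which lifecycle point) as an added executable model; it is not code from the slides or from any real SoC. The assets, principals and phases are constructed for a hypothetical chip, and the initial policy deliberately contains the flaw a threat model should catch: the debug port may still read the key after the part is in production.

```python
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    """Points in the product lifecycle at which an access request is evaluated."""
    MANUFACTURING_TEST = "manufacturing_test"
    DEBUG = "debug"
    PRODUCTION = "production"


@dataclass(frozen=True)
class Rule:
    asset: str          # the protected asset
    principal: str      # who may access it (an on-chip master or IP block)
    ops: frozenset      # what kind of access the policy permits
    phases: frozenset   # when in the lifecycle the access may be granted


ALL_PHASES = frozenset(Phase)

# Constructed initial policy for a hypothetical SoC. The jtag_debug_port rule is the
# flaw to be found: key read-out stays enabled once the device has shipped.
INITIAL_POLICY = [
    Rule("crypto_key", "aes_engine", frozenset({"read"}), ALL_PHASES),
    Rule("crypto_key", "key_provisioner", frozenset({"write"}),
         frozenset({Phase.MANUFACTURING_TEST})),
    Rule("crypto_key", "jtag_debug_port", frozenset({"read"}), ALL_PHASES),
    Rule("firmware_image", "cpu", frozenset({"read", "execute"}), ALL_PHASES),
    Rule("firmware_image", "firmware_updater", frozenset({"write"}),
         frozenset({Phase.DEBUG, Phase.PRODUCTION})),
]


def is_allowed(policy, principal, asset, op, phase):
    """Default-deny reference monitor: access is granted only by an explicit rule."""
    return any(
        r.principal == principal and r.asset == asset
        and op in r.ops and phase in r.phases
        for r in policy
    )


def find_unsafe_rules(policy, secret_assets, untrusted_principals):
    """Threat-model check: rules that let an untrusted principal (a test or debug
    path) reach a secret asset while the device is in production."""
    return [
        r for r in policy
        if r.asset in secret_assets
        and r.principal in untrusted_principals
        and Phase.PRODUCTION in r.phases
    ]


def refine(policy, unsafe_rules):
    """Mitigation: keep each offending rule for pre-production phases, revoke it in
    production (in silicon, a lifecycle fuse would gate the debug path)."""
    fixed = []
    for r in policy:
        if r in unsafe_rules:
            r = Rule(r.asset, r.principal, r.ops, r.phases - {Phase.PRODUCTION})
        fixed.append(r)
    return fixed


if __name__ == "__main__":
    unsafe = find_unsafe_rules(INITIAL_POLICY, {"crypto_key"}, {"jtag_debug_port"})
    print("rules flagged by the threat model:", len(unsafe))
    policy = refine(INITIAL_POLICY, unsafe)
    for phase in Phase:
        print(phase.value, "jtag read of crypto_key:",
              is_allowed(policy, "jtag_debug_port", "crypto_key", "read", phase))
```

Two properties of the model carry over to hardware: the monitor is default-deny, so a principal absent from the table (a rogue DMA master, for instance) gets nothing, and the lifecycle phase is an input to every decision, which is what ties the DFT/DFD infrastructure described earlier to the policy.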