5.3 Physical Attacks and Countermeasures


Date: Wednesday 16 March 2016
Time: 08:30 - 10:00
Location / Room: Konferenz 1

Chair:
Berndt Gammel, Infineon Technologies, DE

Co-Chair:
Francesco Regazzoni, ALaRI, CH

This session presents recent improvements in physical attacks and countermeasures. The papers discuss how to reconstruct the logic function of a camouflaged circuit, propose sensors that detect injected electromagnetic pulses, and present countermeasures against fault attacks implemented at the register transfer level.

Time  Label  Presentation Title / Authors

08:30  5.3.1  ORACLE-GUIDED INCREMENTAL SAT SOLVING TO REVERSE ENGINEER CAMOUFLAGED LOGIC CIRCUITS
Speaker:
Daniel Holcomb, University of Massachusetts, Amherst, US
Authors:
Duo Liu, Cunxi Yu, Xiangyu Zhang and Daniel Holcomb, University of Massachusetts, Amherst, US
Abstract
Layout-level gate camouflaging has attracted interest as a countermeasure against reverse engineering of combinational logic. In order to minimize area overhead, typically only a subset of gates in a circuit are camouflaged, and each camouflaged gate layout can implement a few different logic functions. The security of camouflaging relies on the difficulty of learning the overall combinational logic function without knowing which logic functions the camouflaged gates implement. In this paper, we present an incremental-SAT approach to reconstruct the logic function of a circuit with camouflaged gates. Our algorithm uses the standard attacker model in which an adversary knows only the non-camouflaged gate functions, and has the ability to query the circuit to learn the correct output vector for any input vector. Our results demonstrate an order-of-magnitude speedup over the best existing deobfuscation algorithm. Beyond demonstrating speedup, we use our powerful approach to produce new insights about the strength of obfuscation. First we show that deobfuscation is feasible even in the more challenging setting where layout reveals nothing about the possible logic function of camouflaged gates. Additionally, our results question the common wisdom that strong obfuscation should maximize output corruption under incorrect deobfuscation hypotheses. We show that obfuscation decisions that maximize output corruption actually result in an easier deobfuscation problem.

09:00  5.3.2  A FULLY-DIGITAL EM PULSE DETECTOR
Speaker:
David El-Baze, Mines Saint-Etienne, FR
Authors:
David El-Baze (1), Jean-Baptiste Rigaud (1) and Philippe Maurine (2)
(1) Mines Saint-Etienne, FR; (2) LIRMM, FR
Abstract
ElectroMagnetic Pulse Injection (EMPI) has recently been demonstrated to be an efficient fault injection technique with many advantages especially when considering security issues of Systems on Chip (SoC) embedded on ball grid array packages, i.e. when adversaries do not have an easy access to the backside. EMPI must therefore be considered as a real threat against smartcards and SoC from now on. Among the usual countermeasures against fault attacks, one can identify the use of embedded sensors. If one can find voltage glitch or laser shot detectors in the literature, there is only one proposal which puts forward the idea of detecting ElectroMagnetic Pulse (EMP). However, this former sensor requires a fine tuning of some timing characteristics and, as a result, its use appears complex and even impractical with SoCs which are heterogeneous by nature and designed by worldwide teams. Within this context, this paper introduces and experimentally validates a new sensor allowing the detection of EMP. Because the sensor is fully digital, it is low cost and above all fully compliant with the standard design flow of SoC.

09:30  5.3.3  ON THE DEVELOPMENT OF A NEW COUNTERMEASURE BASED ON A LASER ATTACK RTL FAULT MODEL
Speaker:
Athanasios Papadimitriou, Univ. Grenoble Alpes, LCIS F-26000, Valence, FR
Authors:
Charalampos Ananiadis (1), Athanasios Papadimitriou (1), David Hely (1), Vincent Beroulle (1), Regis Leveugle (2) and Paolo Maistri (3)
(1) Univ. Grenoble Alpes, LCIS, F-26000, Valence, FR; (2) Univ. Grenoble Alpes, TIMA, F-38000, Grenoble, FR; (3) CNRS, TIMA, F-38000, Grenoble, FR
Abstract
Secure integrated circuits that implement cryptographic algorithms (e.g., AES) require protection against laser attacks. The goal of such attacks is to inject errors during the computation and then use these errors to retrieve the secret key. Laser attacks can produce single or multiple-bit errors, but have a local and usually transient impact in the circuit. In order to detect such attacks, countermeasures must take into account the circuit implementation. This paper proposes a countermeasure implemented at the Register Transfer Level (RTL) according to a previously proposed laser attack RTL fault model. The efficiency of the implemented countermeasure is evaluated on a case study in terms of area overhead, error detection rates at RTL and fault detection capabilities with respect to layout information.

10:00  IP2-6, 926  ESTIMATING DELAY DIFFERENCES OF ARBITER PUFS USING SILICON DATA
Speaker:
Keshab Parhi, University of Minnesota, US
Authors:
Satya Venkata Sandeep Avvaru, Chen Zhou, Saroj Satapathy, Yingjie Lao, Chris Kim and Keshab Parhi, University of Minnesota, US
Abstract
This paper presents a novel approach to estimate delay differences of each stage in a standard MUX-based physical unclonable function (PUF). Test data collected from PUFs fabricated using a 32 nm process are used to train a linear model. The delay differences of the stages directly correspond to the model parameters. These parameters are trained by using a least mean square (LMS) adaptive algorithm. The accuracy of the response using the proposed model is around 97.5% and 99.5% for two different PUFs. Second, the PUF is also modeled by a perceptron. The perceptron has almost 100% classification accuracy. A comparison shows that the perceptron model parameters are scaled versions of the model derived by the LMS algorithm. Thus, the delay differences can be estimated from the perceptron model where the scaling factor is computed by comparing the models of the LMS algorithm and the perceptron. Because the delay differences are challenge independent, these parameters can be stored on the server. This will enable the server to issue random challenges whose responses need not be stored. An analysis of the proposed model confirms that the delay differences of all stages of the PUFs on the same chip belong to the same Gaussian probability density function.

10:01  IP2-7, 153  ON THE USE OF FORWARD BODY BIASING TO DECREASE THE REPEATABILITY OF LASER-INDUCED FAULTS
Speaker:
Marc Lacruche, Ecole Nationale Supérieure des Mines de Saint Etienne (ENSM-SE), FR
Authors:
Marc Lacruche (1), Noemie Beringuier-Boher (1), Jean-Max Dutertre (1), Jean-Baptiste Rigaud (1) and Edith Kussener (2)
(1) Ecole Nationale Supérieure des Mines de Saint Etienne (ENSM-SE), FR; (2) IM2NP, FR
Abstract
This paper presents a study on the effect of Forward Body Biasing on the laser fault sensitivity of a CMOS 90nm microcontroller. Tests were performed on a register of this target, under several supply voltage and body bias settings, showing significant laser sensitivity variations. Based on these results, a method which aims at decreasing fault repeatability by using variable supply voltage and body bias settings is proposed. Finally, tests are performed on an implementation of this method on a temporally redundant AES and the results are presented.

10:00  End of session
Coffee Break in Exhibition Area