Rambus

At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.

Home > DPA Countermeasures

DPA Countermeasures

Below is an archive of the blog posts related to DPA Countermeasures. To learn more about our solutions and techniques for protecting devices against DPA and related side-channel attacks, click here.

Side-channel attack targets deep neural networks (DNNs)

by Leave a Comment

All physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electro-magnetic emissions. Much like traditional safecracking, an electronic side-channel attack (SCA) eschews a brute force approach to extracting keys and other secret information from a device or system. As such, an SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute. SCAs comprise a wide range of techniques including Differential Power Analysis (DPA), Simple Power Analysis (SPA), Simple Electromagnetic Analysis, Differential Electromagnetic Analysis, Correlation Power Analysis and Correlation Electromagnetic Analysis.

Attacking deep neural networks

Recently, a team of white hat researchers created a side-channel technique specifically designed to reveal the internal structure and parameters of deep neural network (DNN) computer vision models. As the researchers note in a paper published on arXiv, studies indicate that DNNs are vulnerable to adversarial attacks, which can be either white-box or black-box.

“During the computation process of the DNNs, the side-channel information shows strong correlations to the network structure and its parameters,” the researchers explain. “We envision that SCA can be used for embedded AI devices and reveal their network architectures and even the corresponding parameters. In other words, we intend to use SCA to open the black-box of DNNs, which can facilitate adversarial attacks by transforming a black-box attack to an at least partial white-box, or gray-box, attack.”


Image Credit: Yun Xiang, Zhuangzhi Chen, Zuohui Chen, Zebin Fang, Haiyang Hao, Jinyin Chen, Yi Liu, Member, IEEE, Zhefu Wu, Qi Xuan, Member, IEEE and Xiaoniu Yang (via arXiv)

To execute their SCA against a DNN, the researchers designed a Raspberry-Pi based platform to derive the power signature of embedded AI devices. The team then utilized machine learning algorithms to identify specific DNN architectures. As the researchers note, the Raspberry Pi is an ARM cortex-based system that shares the common architecture of many existing devices. As such, the experiments performed on the Pi can be easily applied to similar systems.

“One critical observation is that different components [convolutional layers, pooling layers, fully connected layers and activation function] require different computational cost,” the researchers state. “Therefore, different architectures have different power consumption patterns, which makes DNN architectures vulnerable to SCAs. In general, our technique can identify both the architecture and model parameters with quite high accuracy, indicating that we should pay strong attention to the security problem of many AI applications.”

In the future, the white hat security team plans to improve its experimental platform by analyzing additional DNN architectures and parameters with advanced machine learning algorithms that more precisely identify DNN models.

SCA resistance and countermeasures

To protect the internal structure and parameters of deep neural networks (DNNs), we recommend implementing an effective layer of side-channel countermeasures via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. Countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are critical to ensuring the protection of sensitive keys and data. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated.

After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage. More specifically, DPAWS measures a range of side-channel attacks across a wide spectrum of devices and platforms. DPAWS also provides users with a highly intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. DPAWS also easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. Moreover, the Rambus DPA Workstation supports full cipher coverage (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Interested in learning more about protecting systems from side-channel attacks? You can download our eBook on the subject below.

FIPS 140-3 and DPA: A Winning Combination

by Leave a Comment

Recently, Rambus blogged about a large number of our DPARC and Crypto Accelerator Hardware Cores receiving FIPS-140-2 CAVP certification by NIST. As we wrote, these certifications provide our customers with assurance of the robustness, quality and applicability of our cryptographic solutions. But, as nefarious parties continue to uncover new ways to hack devices, Rambus and others must continually improve their cryptography technologies.

The standards body that regulates the FIPS 140 standard recognizes that as well. Earlier this year, the US Secretary of Commerce approved the Federal Information Processing Standards Publication (FIPS) 140-3Security Requirements for Cryptographic Modules. The new FIPS 140-3 standard is effective on September 22, 2019,  with testing on the new standard beginning exactly one year later. While not official, it is suspected that current modules validated to FIPS 140-2 (like ours) will remain on the active validation list until the 140-2 sunset date. This is typically five years after date of validation, which implies that FIPS 140-2 would remain valid until at least September 22, 2026. So, the takeaway here would be that our work in getting 140-2 certification will continue to benefit our customers for at least the next half decade.

For us, the most interesting thing in the new FIPS 140-3 specification is the inclusion of language around non-invasive attacks. The 140-2 specification listed non-invasive attacks only as a definition item, with no specific requirement. The 140-3 specification specifically calls out a heightened importance of mitigations against non-invasive attacks.

For those new to non-invasive (i.e. side channel) attacks: a side-channel attack is a method for an adversary to gain access to information about the internal activity of a chip by capturing and analyzing “unintentional” data, for example power consumption, EM emissions, behavior during voltage spikes, and others. These low-cost, non-invasive methods enable attackers to stealthily extract secret cryptographic keys used during normal device operations. Once the keys have been extracted, attackers can easily gain unauthorized access to a device, decrypt or forge messages, steal identities, clone devices, create unauthorized signatures and perform additional unauthorized transactions. Essentially, a side channel attack is a way to steal all a device’s secrets without having to physically hack a device. If you’re interested in learning more about DPA and how to test resistance, join us at our next DPA Workstation Training, happening in late August in Atlanta.

Rambus sees resistance against side channel attacks as a critical item for securing devices, both now and in the future. Rambus pioneered DPA back in the mid-1990s, and we continue fundamental research into, and development of, products based on side channel attacks. We’ve long spoken of the importance of not only testing devices to understand their resistance to side channel attacks (using our DPA Workstation), but also building protections against these attacks into devices via our DPA-resistant software libraries, DPA-resistant hardware cores, and our more recently released combo DPARC and fault Injection-resistant hardware cores.

The formal recognition of the risk of side channel attacks via its inclusion in the FIPS 140-3 standard validates our assertion that side channel attacks are no longer the domain of state actors, but a real, everyday threat to devices. We hope that the new standard will continue to drive awareness beyond government and military applications, and we stand ready to address our customer’s needs to make their devices as secure as possible.

Validating Cryptographic Algorithms to FIPS 140-2

by Leave a Comment

NIST, the National Institute of Standards and Technology, is a United States Department of Commerce agency tasked with both the creation and maintenance of a country-wide measurement infrastructure.  From their website: “From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.”

In 1995, NIST established a method for testing and validating cryptographic algorithms such as Rambus’ Crypto Accelerators and DPA Resistant Cores. Called the Cryptographic Algorithm Validation Program (CAVP), it provides validation testing of FIPS (Federal Information Processing Standards)-approved and NIST-recommended cryptographic algorithms and their individual components. Once successfully tested and validated, NIST adds this information to their publicly-available validation list.

The CAVP certification provides 3rdparty verification that a specific algorithm has been tested and has met independent standards for robustness. Consumers of cryptographic algorithms, generally chip designers, can rely on this certification as a determination of an algorithm’s effectiveness for their designs. Even designs for commercial applications often adopt FIPS certification as a means of ensuring robust security.

Rambus was recently notified that many of our algorithms have received CAVP FIPS 140-2 certification by NIST. Highlights include our Differential Power Analysis (DPA)-resistant and standard AES (Advanced Encryption Standard) and HMAC-SHA2 (Hash-based Message Authentication Code, Secure Hash Algorithm) cores. A full list of certifications can be found on the NIST website, along with the Crypto Accelerators and DPA Resistant Cores product pages on Rambus.com. Many of the certified algorithms are included in standard configurations of our CryptoManager Root of Trust family of products.

We see the CAVP certification as especially important for our most security-conscious customers, typically those designing SoCs for government, military and automotive use. However, the importance of this certification is not unique to those markets. Regardless of what use a chip might be destined, semiconductor designers understand the growing importance of security in any connected application. The certification of cryptographic algorithms and cores to the FIPS standard provides customers with assurance of the robustness, quality and applicability of cryptographic solutions.

Fault Injection Attacks PlayStation Vita’s SoC

by Leave a Comment

Security researcher Yifan Lu recently published a detailed paper that examines how voltage glitching causes critical timing violations in CMOS behavior. More specifically, Lu closely analyzes CMOS transistor behavior to better understand when the combinational logic is most susceptible to voltage glitch induced faults. The paper also describes a real-world fault injection attack against the PlayStation Vita’s SoC that gains early (boot time) execution control and dumps the secure boot ROM.

Picture of a lock on the board

As Lu notes, glitching, or fault injection, has been used for quite some time to attack software running on allegedly secure execution environments. This is because fault injections can cause a malfunction in the target’s SoC that enable an attacker to assume full control over a device. Voltage glitching, he says, is a specific kind of fault injection that is particularly appealing to attackers, as it is inexpensive to deploy and widely applicable to most chips. Crowbar glitching, he adds, was implemented in the ChipWhisperer open hardware platform and brought such attacks to the mainstream.

“It works by abusing the capacitance ringing effect caused by introducing a crowbar circuit into the existing system,” he explains. “The ringing causes faults that can be exploited.”

For the Vita attack, Lu closely examines how voltage glitches introduce timing violations into a digital circuit. He then finds snippets of code to glitch. Once a target is identified, he searches for the correct timing parameters for the crowbar circuit to cause a fault. Finally, the injected fault introduces a software vulnerability that is exploited to gain code execution.

“All of this can be done at a low cost thanks to the open hardware interface of the ChipWhisperer. With a custom script written for ChipWhisperer, we created a working attack on a security hardened consumer device,” he concludes.

From our perspective, the fault injection attack against the PlayStation Vita’s SoC could have been prevented if it had included a hardware-based security core. Siloed from the primary processor, such a security core is specially designed to securely run sensitive code, processes and algorithms. Indeed, a hardware-based security core can utilize advanced anti-tamper techniques to provide the highest level of security and protection against fault injection and other attacks. These include a canary core for the detection of glitching and over-clocking, logic and crypto redundancy, secure state encoding and ephemeral keys that are generated on-the-fly from multiple splits and flushed immediately after use.

In addition, a hardware-based security core can protect the host processor from compromise, as well as thwart non-volatile memory (NVM) key extraction, tearing and other attacks against NVM writes, corruption of non-volatile memory or fuses, probing of external buses, man-in-the-middle and replay attacks. Last, but certainly not least, a hardware-based security core can help protect SoCs against test and debug interface attacks, power/EM analysis (SPA/DPA) and other side-channel attacks, including timing attacks.

Interested in learning more about hardware-based security cores? You can check out our CryptoManager Root of Trust product page here.

Fault Injection Attacks: Bart Stevens Explains In eeweb.com/EE Times Article

by Leave a Comment

We’ve all heard about micro-architectural vulnerabilities, Meltdown, Spectre, and Foreshadow.  Volumes have been written about them in the trade and popular press. Indeed, they are the top villains of the electronics world.

Chip

Meanwhile, academicians and scholars are closely investigating yet another group of bad actors that – like those vulnerabilities – are up to no good and are also attacking electronics systems. These are fault injection attacks or FIAs.

Bart Stevens, Sr. Director, Product Management for the Cryptography Product Group, recently wrote a piece for eeweb.com/EE Times network to explain to SoC and system designers what FIAs are all about and how best to skirt them in their next generation designs.

Simply put, he says, the whole idea of an FIA is to make silicon do something else besides what it’s intended to. The attackers objective is to create a transient fault during the execution of some particular chip operation or lead to the reduction or disabling of security features and countermeasures.

Two examples Stevens writes about are voltage and clock glitching.  In the first one, he says the attacker increases voltage or creates a fake glitch in the system. As for clock glitching, he says one or more short pulses in the external clock are introduced to temporarily accelerate the chip’s clock.

Stevens tells eeweb.com/EE Times network readers that embedded security establishes the barriers to guard against FIAs and chip vulnerabilities.

“Certain key countermeasures like those in Rambus’ Root-of-Trust core are critical to assure the SoC and system designer an attacker is completely deprived of any attack avenue.  Those countermeasures include items such as critical control signal redundancy, canary logic, separated key bus logic and logic to protect cryptographic algorithm implementations,” Stevens asserts.

Check out Rambus’ DPA Workstation (DPAWS) that’s available with Riscure fault injection products offering complete fault injection functionality and differential fault analysis (DFA).

Best-in-class Security Testing Platform for Side-channel Analysis by Rambus and Riscure

by Leave a Comment

Today, on October 16th, 2018, Rambus has announced the collaboration with Riscure, a global security lab based in San Francisco, to deliver cutting-edge security testing solutions to chip manufacturers, government institutions and security evaluation laboratories worldwide. As part of a combined solution, Rambus will expand its Differential Power Analysis (DPA) Workstation (DPAWS) to include the Riscure Inspector Fault Injection products to deliver a comprehensive side-channel analysis platform.

The collaboration enables Rambus to offer Riscure’s unique fault injection products and capabilities in combination with the Rambus DPA Workstation, allowing our customers to source a combined side-channel testing platform from a single vendor. The combined solution is a powerful and flexible testing platform that includes an integrated suite of hardware and software for analyzing the vulnerabilities of cryptographic chips and systems to attacks such as fault, power and electromagnetic (EM) side-channel attacks.

chips

Dr. Martin Scott, Senior Vice President and General Manager of Cryptography, as well as Chief Technical Officer at Rambus has noted that as the number of widespread chip vulnerabilities continues to grow, hardware-level security and resistance to side-channel attacks is becoming a critical requirement for secure chip design. “As leaders in side-channel testing, Rambus and Riscure have a long-standing collaborative relationship and this agreement strengthens that alliance to provide the best overall solutions and services for both company’s customers,” said Scott.

Speaking about Fault Injection, Marc Witteman, Chief Executive Officer at Riscure said that it has become an alarmingly widespread hardware attack technique. He also noted that, on an adversary level, the cost of performing such an attack also decreases. “To outpace this development, hardware vendors should test their products for robustness against all kinds of hardware vulnerabilities using cutting-edge equipment and attack know-how. Riscure Inspector Fault Injection accumulates more than 10 years of experience in hardware security testing. Thanks to our partnership with Rambus, the world-class fault injection tools and software from Riscure now become available to a wider range of businesses worldwide.”

The Bottom Line

The announcement of the collaboration between Rambus and Riscure, which will expand Rambus’ already comprehensive DPAWS platform to include Riscure’s unique Fault Injection products represents a positive step forward for security against hardware attacks. With the advent of widespread chip vulnerabilities such as Meltdown/Spectre and Foreshadow, it is becoming imperative for companies to implement hardware-level security and resistance to side-channel attacks into their hardware.

FREE Webinar: Secure Silicon IP Series: Complexity vs. Security

Register Today