Rambus

At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.

Home > DPA Countermeasures

DPA Countermeasures

Below is an archive of the blog posts related to DPA Countermeasures. To learn more about our solutions and techniques for protecting devices against DPA and related side-channel attacks, click here.

A Modern Interpretation of Kerckhoff

by Leave a Comment

In the late 19th century, Dutch cryptographer Auguste Kerckhoff postulated what has become known as “Kerckhoff’s Principle” — a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Since Kerckhoff’s days, cryptography has certainly evolved. A modern interpretation of Kerckhoff teaches that you shouldn’t rely on the obscurity of your crypto algorithm, but rely instead on standard algorithms with strong key sizes. A natural assumption might be that standard algorithms would be able to conceal themselves, making it difficult to determine the algorithm in use. This actually isn’t the case – and isn’t even necessary for a security sub-system to resist attacks. Suppose you’re using a NIST-standard algorithm in your device — how is anyone ever going to know? Can an adversary tell what algorithm you’re using? It turns out they can – but that’s ok.

Using inexpensive tools, electromagnetic and/or power data from a semiconductor can be captured. That data can used to determine what cryptographic algorithm is being deployed; experienced analysts are often able to readily identify the algorithm deployed simply by looking at a series of waveforms. For instance, a waveform with 10 distinct rounds may indicate a 128-bit AES encryption standard (shown in Figure 1), whereas a 14 round waveform may indicate a 256-bit AES. Other popular cryptographic algorithms like RSA (shown in Figure 2), SHA, and Elliptic Curve all have a distinct “signatures” which may inform the analyses (i.e. the adversary) what algorithm is being executed, the key size, and where it’s happening in the overall computational process.

128-bit AES Trace
Fig. 1 – 128-bit AES Trace

 

RSA-CRT Power Trace
Figure 2: RSA-CRT Power Trace

 

So why Is knowledge of the algorithm deployed not a concern? This is the heart of Kerckhoff’s teachings. All NIST-standard algorithms derive security from the secrecy of the key and the cryptographic strength of the algorithm, but not the secrecy of the algorithm. And that secret key value is completely independent of the algorithm deployed – while the algorithm requires a certain size of key (e.g., AES-256 requires a 256-bit key value), the value of the key can be random set of digits. A 128-bit key has 2128 possible key combinations: that’s 340,282,366,920,938,463,463,374,607,431,768,211,456 combinations, which is 39 digits long – not something easily guessed! Without knowing the secret key value, adversaries have no way to penetrate the security of the chip, even if they have perfect knowledge of the algorithms deployed within the chip. The attack vector thus shifts to extracting the key, not what cryptographic algorithm(s) the device is running.

There are a multitude of attack vectors that adversaries use to extract the secret key which are known as Side-Channel Attacks, which include Differential Power Analysis (DPA), Simple Power Analysis (SPA), Simple Electromagnetic Analysis (SEMA), Differential Electromagnetic Analysis (DEMA), Correlation Power Analysis (CPA) and Correlation Electromagnetic Analysis (CEMA). Side-channel attacks work on the reality that all physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electromagnetic emissions. Rather than using brute force attacks, side-channel attacks exploit those leaks by repeatedly capturing and analyzing samples. Rambus’s Differential Power Analysis Workstation is a powerful tool in understanding a device’s resistance to attack.

Perhaps most concerning about side-channel attacks is that while they formerly may have taken a prohibitively expensive level of equipment and expertise, today these attacks can be executed relatively cheaply and easily using off-the-shelf equipment. To combat side-channel attacks, Rambus offers a series of side-channel resistant cryptographic algorithms. Through various techniques, including leakage reduction, noise introduction, obfuscation, and the incorporation of randomness, the protected algorithms are effective at resisting side-channel attacks up to and beyond 1 billion operations, securing our customers’ devices against attack.

Within the industry, we say that “security by obscurity” is a bad idea. While we don’t necessarily recommend publishing your security architecture on the front page of the New York Times, we believe that your architecture should be able to withstand attacks based on that amount of disclosure. Corporate espionage, accidents, vandalism, or even reverse engineering can reveal the design of security.  Accepted security best practices don’t involve hiding what security you are deploying, but rather spending your time and efforts on making sure your security is deployed in such a manner that when your security architecture is determined (and it will be!), it is as resistant to as many attacks as possible, just as Kerckhoff spoke of almost 150 years ago.

Side-Channel Attacks Target Machine Learning (ML) Models

by Leave a Comment

Written by Paul Karazuba for Rambus Press

A team of North Carolina State University researchers recently published a paper that highlights the vulnerability of machine learning (ML) models to side-channel attacks. Specifically, the team used power-based side-channel attacks to extract the secret weights of a Binarized Neural Network (BNN) in a highly-parallelized hardware implementation.

“Physical side-channel leaks in neural networks call for a new line of side-channel analysis research because it opens up a new avenue of designing countermeasures tailored for deep learning inference engines,” the researchers wrote. “On a SAKURA-X FPGA board, [our] experiments show that the first-order DPA attacks on [an] unprotected implementation can succeed with only 200 traces.”

According to Jeremy Hsu of IEE Spectrum, machine learning algorithms that enable smart home devices and smart cars to automatically recognize various types of images or sounds such as words or music are among the artificial intelligence (AI) systems “most vulnerable” to such attacks.

“Such algorithms consist of neural networks designed to run on specialized computer chips embedded directly within smart devices, instead of inside a cloud computing server located in a data center miles away,” he explains. “This physical proximity enables such neural networks to quickly perform computations with minimal delay, but also makes it easy for hackers to reverse-engineer the chip’s inner workings using a method known as differential power analysis (DPA).”

Indeed, edge devices storing AI/ML models and data can be physically disassembled. If unprotected, an attacker can run malicious firmware, intercept network traffic, and employ various side-channel techniques to extract secret keys and steal sensitive information. Both AI/ML inference models, as well as input data and results, are often quite lucrative and should be shielded from criminal elements intent on financial gain. Moreover, the integrity of AI/ML systems must be secured from tampering to prevent malicious attackers from designing cloned or competitive devices, as well as altering training models, input data, and results.

To protect both silicon and data, edge devices running AI/ML algorithms should be built on top of a secure, tamper-proof foundation that ensures confidentiality, integrity, authentication, and availability (up-time). This can be achieved with a programmable security co-processor such as the Rambus CryptoManager Root of Trust (CMRT) which uses a combination of hardware and software countermeasures to thwart side-channel attacks. For AI/ML edge devices built without the Rambus CMRT, we recommend that system designers utilize a Test Vector Leakage Assessment (TVLA) platform like Rambus’ DPA Workstation Analysis Platform (DPAWS) to help detect side-channel leakage and implement appropriate countermeasures.

DPAWS includes all the hardware, software, and training material needed to evaluate and certify secure AI/ML edge devices. It offers a Windows-based, intuitive user interface that enables system designers to efficiently perform side-channel analysis on AI/ML edge devices to identify potential security flaws. Collected signals are examined using simple power and electromagnetic analysis (SPA/SEMA) or more powerful differential power and electromagnetic analysis (DPA/DEMA) to identify exposure of secret keys.

The recently released DPAWS 9.2 offers several new notable features, including sample leakage history plotting. This capability allows system designers to detect and better understand side-channel leakage. More specifically, confirming the increase of electronic leakage across time can help improve countermeasure design, detect additional locations vulnerable to potential leakage, and provide a baseline for comparing non-leaking locations.

DPAWS 9.2 also offers system designers access to bi-variate leakage detection; a form of higher-order side-channel analysis to which more robust designs may need to be resistant. Essentially, bi-variate analysis combines different points from within the analysis range to detect leakage. This methodology may reveal leaks in implementations that are univariate or first-order secure. Previously, separate tools were used to combine pairs of data points within the analysis window or perform bivariate analysis from the command line.

In summary, AI/ML edge devices, like all physical electronic systems, routinely leak information about the internal process of computing via fluctuating levels of power consumption and electro-magnetic emissions. To protect both silicon and data, edge devices running AI/ML algorithms should be built on top of a secure, tamper-proof foundation. As well, AI/ML edge devices should be carefully evaluated with a testing platform like Rambus DPAWS to validate the effectiveness of countermeasures in reducing sensitive side-channel leakage.

Side-channel attack targets deep neural networks (DNNs)

by Leave a Comment

All physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electro-magnetic emissions. Much like traditional safecracking, an electronic side-channel attack (SCA) eschews a brute force approach to extracting keys and other secret information from a device or system. As such, an SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute. SCAs comprise a wide range of techniques including Differential Power Analysis (DPA), Simple Power Analysis (SPA), Simple Electromagnetic Analysis, Differential Electromagnetic Analysis, Correlation Power Analysis and Correlation Electromagnetic Analysis.

Attacking deep neural networks

Recently, a team of white hat researchers created a side-channel technique specifically designed to reveal the internal structure and parameters of deep neural network (DNN) computer vision models. As the researchers note in a paper published on arXiv, studies indicate that DNNs are vulnerable to adversarial attacks, which can be either white-box or black-box.

“During the computation process of the DNNs, the side-channel information shows strong correlations to the network structure and its parameters,” the researchers explain. “We envision that SCA can be used for embedded AI devices and reveal their network architectures and even the corresponding parameters. In other words, we intend to use SCA to open the black-box of DNNs, which can facilitate adversarial attacks by transforming a black-box attack to an at least partial white-box, or gray-box, attack.”


Image Credit: Yun Xiang, Zhuangzhi Chen, Zuohui Chen, Zebin Fang, Haiyang Hao, Jinyin Chen, Yi Liu, Member, IEEE, Zhefu Wu, Qi Xuan, Member, IEEE and Xiaoniu Yang (via arXiv)

To execute their SCA against a DNN, the researchers designed a Raspberry-Pi based platform to derive the power signature of embedded AI devices. The team then utilized machine learning algorithms to identify specific DNN architectures. As the researchers note, the Raspberry Pi is an ARM cortex-based system that shares the common architecture of many existing devices. As such, the experiments performed on the Pi can be easily applied to similar systems.

“One critical observation is that different components [convolutional layers, pooling layers, fully connected layers and activation function] require different computational cost,” the researchers state. “Therefore, different architectures have different power consumption patterns, which makes DNN architectures vulnerable to SCAs. In general, our technique can identify both the architecture and model parameters with quite high accuracy, indicating that we should pay strong attention to the security problem of many AI applications.”

In the future, the white hat security team plans to improve its experimental platform by analyzing additional DNN architectures and parameters with advanced machine learning algorithms that more precisely identify DNN models.

SCA resistance and countermeasures

To protect the internal structure and parameters of deep neural networks (DNNs), we recommend implementing an effective layer of side-channel countermeasures via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. Countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are critical to ensuring the protection of sensitive keys and data. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated.

After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage. More specifically, DPAWS measures a range of side-channel attacks across a wide spectrum of devices and platforms. DPAWS also provides users with a highly intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. DPAWS also easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. Moreover, the Rambus DPA Workstation supports full cipher coverage (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Interested in learning more about protecting systems from side-channel attacks?

>> Download our eBook << 

FIPS 140-3 and DPA: A Winning Combination

by Leave a Comment

Recently, Rambus blogged about a large number of our DPARC and Crypto Accelerator Hardware Cores receiving FIPS-140-2 CAVP certification by NIST. As we wrote, these certifications provide our customers with assurance of the robustness, quality and applicability of our cryptographic solutions. But, as nefarious parties continue to uncover new ways to hack devices, Rambus and others must continually improve their cryptography technologies.

The standards body that regulates the FIPS 140 standard recognizes that as well. Earlier this year, the US Secretary of Commerce approved the Federal Information Processing Standards Publication (FIPS) 140-3Security Requirements for Cryptographic Modules. The new FIPS 140-3 standard is effective on September 22, 2019,  with testing on the new standard beginning exactly one year later. While not official, it is suspected that current modules validated to FIPS 140-2 (like ours) will remain on the active validation list until the 140-2 sunset date. This is typically five years after date of validation, which implies that FIPS 140-2 would remain valid until at least September 22, 2026. So, the takeaway here would be that our work in getting 140-2 certification will continue to benefit our customers for at least the next half decade.

For us, the most interesting thing in the new FIPS 140-3 specification is the inclusion of language around non-invasive attacks. The 140-2 specification listed non-invasive attacks only as a definition item, with no specific requirement. The 140-3 specification specifically calls out a heightened importance of mitigations against non-invasive attacks.

For those new to non-invasive (i.e. side channel) attacks: a side-channel attack is a method for an adversary to gain access to information about the internal activity of a chip by capturing and analyzing “unintentional” data, for example power consumption, EM emissions, behavior during voltage spikes, and others. These low-cost, non-invasive methods enable attackers to stealthily extract secret cryptographic keys used during normal device operations. Once the keys have been extracted, attackers can easily gain unauthorized access to a device, decrypt or forge messages, steal identities, clone devices, create unauthorized signatures and perform additional unauthorized transactions. Essentially, a side channel attack is a way to steal all a device’s secrets without having to physically hack a device. If you’re interested in learning more about DPA and how to test resistance, join us at our next DPA Workstation Training, happening in late August in Atlanta.

Rambus sees resistance against side channel attacks as a critical item for securing devices, both now and in the future. Rambus pioneered DPA back in the mid-1990s, and we continue fundamental research into, and development of, products based on side channel attacks. We’ve long spoken of the importance of not only testing devices to understand their resistance to side channel attacks (using our DPA Workstation), but also building protections against these attacks into devices via our DPA-resistant software libraries, DPA-resistant hardware cores, and our more recently released combo DPARC and fault Injection-resistant hardware cores.

The formal recognition of the risk of side channel attacks via its inclusion in the FIPS 140-3 standard validates our assertion that side channel attacks are no longer the domain of state actors, but a real, everyday threat to devices. We hope that the new standard will continue to drive awareness beyond government and military applications, and we stand ready to address our customer’s needs to make their devices as secure as possible.

Validating Cryptographic Algorithms to FIPS 140-2

by Leave a Comment

NIST, the National Institute of Standards and Technology, is a United States Department of Commerce agency tasked with both the creation and maintenance of a country-wide measurement infrastructure.  From their website: “From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.”

In 1995, NIST established a method for testing and validating cryptographic algorithms such as Rambus’ Crypto Accelerators and DPA Resistant Cores. Called the Cryptographic Algorithm Validation Program (CAVP), it provides validation testing of FIPS (Federal Information Processing Standards)-approved and NIST-recommended cryptographic algorithms and their individual components. Once successfully tested and validated, NIST adds this information to their publicly-available validation list.

The CAVP certification provides 3rdparty verification that a specific algorithm has been tested and has met independent standards for robustness. Consumers of cryptographic algorithms, generally chip designers, can rely on this certification as a determination of an algorithm’s effectiveness for their designs. Even designs for commercial applications often adopt FIPS certification as a means of ensuring robust security.

Rambus was recently notified that many of our algorithms have received CAVP FIPS 140-2 certification by NIST. Highlights include our Differential Power Analysis (DPA)-resistant and standard AES (Advanced Encryption Standard) and HMAC-SHA2 (Hash-based Message Authentication Code, Secure Hash Algorithm) cores. A full list of certifications can be found on the NIST website, along with the Crypto Accelerators and DPA Resistant Cores product pages on Rambus.com. Many of the certified algorithms are included in standard configurations of our CryptoManager Root of Trust family of products.

We see the CAVP certification as especially important for our most security-conscious customers, typically those designing SoCs for government, military and automotive use. However, the importance of this certification is not unique to those markets. Regardless of what use a chip might be destined, semiconductor designers understand the growing importance of security in any connected application. The certification of cryptographic algorithms and cores to the FIPS standard provides customers with assurance of the robustness, quality and applicability of cryptographic solutions.

Fault Injection Attacks PlayStation Vita’s SoC

by Leave a Comment

Security researcher Yifan Lu recently published a detailed paper that examines how voltage glitching causes critical timing violations in CMOS behavior. More specifically, Lu closely analyzes CMOS transistor behavior to better understand when the combinational logic is most susceptible to voltage glitch induced faults. The paper also describes a real-world fault injection attack against the PlayStation Vita’s SoC that gains early (boot time) execution control and dumps the secure boot ROM.

Picture of a lock on the board

As Lu notes, glitching, or fault injection, has been used for quite some time to attack software running on allegedly secure execution environments. This is because fault injections can cause a malfunction in the target’s SoC that enable an attacker to assume full control over a device. Voltage glitching, he says, is a specific kind of fault injection that is particularly appealing to attackers, as it is inexpensive to deploy and widely applicable to most chips. Crowbar glitching, he adds, was implemented in the ChipWhisperer open hardware platform and brought such attacks to the mainstream.

“It works by abusing the capacitance ringing effect caused by introducing a crowbar circuit into the existing system,” he explains. “The ringing causes faults that can be exploited.”

For the Vita attack, Lu closely examines how voltage glitches introduce timing violations into a digital circuit. He then finds snippets of code to glitch. Once a target is identified, he searches for the correct timing parameters for the crowbar circuit to cause a fault. Finally, the injected fault introduces a software vulnerability that is exploited to gain code execution.

“All of this can be done at a low cost thanks to the open hardware interface of the ChipWhisperer. With a custom script written for ChipWhisperer, we created a working attack on a security hardened consumer device,” he concludes.

From our perspective, the fault injection attack against the PlayStation Vita’s SoC could have been prevented if it had included a hardware-based security core. Siloed from the primary processor, such a security core is specially designed to securely run sensitive code, processes and algorithms. Indeed, a hardware-based security core can utilize advanced anti-tamper techniques to provide the highest level of security and protection against fault injection and other attacks. These include a canary core for the detection of glitching and over-clocking, logic and crypto redundancy, secure state encoding and ephemeral keys that are generated on-the-fly from multiple splits and flushed immediately after use.

In addition, a hardware-based security core can protect the host processor from compromise, as well as thwart non-volatile memory (NVM) key extraction, tearing and other attacks against NVM writes, corruption of non-volatile memory or fuses, probing of external buses, man-in-the-middle and replay attacks. Last, but certainly not least, a hardware-based security core can help protect SoCs against test and debug interface attacks, power/EM analysis (SPA/DPA) and other side-channel attacks, including timing attacks.

Interested in learning more about hardware-based security cores? You can check out our CryptoManager Root of Trust product page here.

Don’t miss out on the Rambus Design Summit on October 8th!

Register Today