Description
Probing attacks are an invasive method for bypassing security measures by observing the physical silicon implementation of a chip. Being invasive, the attacker directly accesses the internal wires and connections of the targeted device and extracts sensitive information from them. In combination with reverse engineering, this poses a serious threat. A typical probing attack begins with decapsulation to expose the silicon die. Once the die is exposed, the attacker can begin reverse engineering the device: by extracting the netlist, they can understand its functionality and identify the signals worth targeting. Once a target signal has been identified and mapped to physical coordinates on the die, the attacker mills down to expose the wire carrying it, forms an electrical connection to that wire, and reads out the information. To protect against such attacks, a designer must identify which signals and storage elements would be valuable to an attacker and protect them with appropriate countermeasures; note that any secret that ever travels in the clear over an on-chip wire or bus is a potential probing target, even if it is stored encrypted at rest. Examples of such targets include the following:
- Encryption keys
- Firmware and configuration bitstreams
- On-device protected data
- Cryptographic random numbers
Common countermeasures include active shields and t-private circuits. A shield adds a layer of wires carrying signals that are continuously monitored; milling through the shield disturbs these signals, and the resulting alarm should be tied to a tamper response (such as erasing keys), since detection alone does not protect the secret. T-private circuits split each sensitive signal across multiple wires so that an attacker must place at least t + 1 probes simultaneously to recover a single bit of information, with the aim of exhausting the attacker's resources. Other methods include light sensors to detect decapsulation and scrambling of wire signals to avoid repetitive, easily recognised patterns.
Related Tools
Publications
Meade, Travis; Portillo, Jason; Zhang, Shaojie; Jin, Yier
NETA: When IP Fails, Secrets Leak Proceedings Article
In: Proceedings of the 24th Asia and South Pacific Design Automation Conference, pp. 90–95, Association for Computing Machinery, Tokyo, Japan, 2019, ISBN: 9781450360074.
@inproceedings{10.1145/3287624.3288739,
title = {NETA: When IP Fails, Secrets Leak},
author = {Travis Meade and Jason Portillo and Shaojie Zhang and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2019neta.pdf},
doi = {10.1145/3287624.3288739},
isbn = {9781450360074},
year = {2019},
date = {2019-01-01},
booktitle = {Proceedings of the 24th Asia and South Pacific Design Automation Conference},
pages = {90--95},
publisher = {Association for Computing Machinery},
address = {Tokyo, Japan},
series = {ASPDAC '19},
abstract = {Assuring the quality and the trustworthiness of third party resources has been a hard problem to tackle. Researchers have shown that analyzing Integrated Circuits (IC), without the aid of golden models, is challenging. In this paper, we discuss a toolset, NETA, designed to aid IP users in assuring the confidentiality, integrity, and accessibility of their IC or third party IP core. The discussed toolset gives access to a slew of gate-level analysis tools, many of which are heuristic-based, for the purposes of extracting high-level circuit design information. NETA majorly comprises the following tools: RELIC, REBUS, REPCA, REFSM, and REPATH. The first step involved in netlist analysis falls to signal classification. RELIC uses a heuristic-based fan-in structure matcher to determine the uniqueness of each signal in the netlist. REBUS finds word-groups by leveraging the data bus in the netlist in conjunction with RELIC's signal comparison through heuristic verification of input structures. REPCA on the other hand tries to improve upon the standard brute force RELIC comparison by leveraging the data analysis technique of PCA and a sparse RELIC analysis on all signals. Given a netlist and a set of registers, REFSM reconstructs the logic which represents the behavior of a particular register set over the course of the operation of a given netlist. REFSM has been shown useful for examining register interaction at a higher level. REPATH, similar to REFSM, finds a series of input patterns that force a logical FSM to initialize with some reset state into a state specified by the user. Finally, REFSM 2 is introduced to utilize linear time precomputation to improve the original REFSM.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Facon, Adrien; Guilley, Sylvain; Lec'hvien, Matthieu; Marion, Damien; Perianin, Thomas
Binary Data Analysis for Source Code Leakage Assessment Proceedings Article
In: Innovative Security Solutions for Information Technology and Communications, pp. 391–409, Springer International Publishing, Cham, 2019, ISBN: 978-3-030-12942-2.
@inproceedings{10.1007/978-3-030-12942-2_30,
title = {Binary Data Analysis for Source Code Leakage Assessment},
author = {Adrien Facon and Sylvain Guilley and Matthieu Lec'hvien and Damien Marion and Thomas Perianin},
doi = {10.1007/978-3-030-12942-2_30},
isbn = {978-3-030-12942-2},
year = {2019},
date = {2019-01-01},
booktitle = {Innovative Security Solutions for Information Technology and Communications},
pages = {391--409},
publisher = {Springer International Publishing},
address = {Cham},
abstract = {Side Channel Analysis (SCA) has been known to be a serious threat to cryptographic algorithms for twenty years. Recently, the explosion of the Internet of Things (IoT) has increased the number of devices that can be targeted by these attacks, making this threat more relevant than ever. Furthermore, the evaluations of cryptographic algorithms regarding SCA are usually performed at the very end of a product design cycle, impacting considerably the time-to-market in case of security flaws. Hence, early simulations of embedded software and methodologies have been developed to assess vulnerabilities with respect to SCA for specific hardware architectures. Aiming to provide an agnostic evaluation method, we propose in this paper a new methodology of data collection and analysis to reveal leakage of sensitive information from any software implementation. As an illustration, our solution is used to break a White Box Cryptography (WBC) implementation, challenging existing simulation-based attacks.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Souissi, Youssef; Facon, Adrien; Guilley, Sylvain
Virtual Security Evaluation Proceedings Article
In: Carlet, Claude; Guilley, Sylvain; Nitaj, Abderrahmane; Souidi, El Mamoun (Ed.): Codes, Cryptology and Information Security, pp. 3–12, Springer International Publishing, Cham, 2019, ISBN: 978-3-030-16458-4.
@inproceedings{Souissi2019Virtual,
title = {Virtual Security Evaluation},
author = {Youssef Souissi and Adrien Facon and Sylvain Guilley},
editor = {Claude Carlet and Sylvain Guilley and Abderrahmane Nitaj and El Mamoun Souidi},
doi = {10.1007/978-3-030-16458-4_1},
isbn = {978-3-030-16458-4},
year = {2019},
date = {2019-01-01},
booktitle = {Codes, Cryptology and Information Security},
pages = {3--12},
publisher = {Springer International Publishing},
address = {Cham},
abstract = {``An ounce of prevention is worth a pound of cure''. This paper presents a methodology to detect side-channel leakage at source-code level. It leverages simple tests performed on noise-less traces of execution, and returns to the developer accurate information about the security issues. The feedback is in terms of location (where in code, when in time), in terms of security severity (amount and duration of leakage), and most importantly, in terms of possible reason for the leakage. After the source code (and subsequently the compiled code) has been sanitized, attack attempts complement the methodology to test the implementation against realistic exploitations. This last step allows one to validate whether the leakages tolerated during the sanitizing stage are indeed benign.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Meade, Travis; Shamsi, Kaveh; Le, Thao; Di, Jia; Zhang, Shaojie; Jin, Yier
The Old Frontier of Reverse Engineering: Netlist Partitioning Journal Article
In: Journal of Hardware and Systems Security, vol. 2, no. 3, pp. 201-213, 2018.
@article{Meade2018,
title = {The Old Frontier of Reverse Engineering: Netlist Partitioning},
author = {Travis Meade and Kaveh Shamsi and Thao Le and Jia Di and Shaojie Zhang and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2018the.pdf},
doi = {10.1007/s41635-018-0043-4},
year = {2018},
date = {2018-09-10},
journal = {Journal of Hardware and Systems Security},
volume = {2},
number = {3},
pages = {201--213},
abstract = {Without access to high-level details of commercialized integrated circuits (IC), it might be impossible to find potential design flaws or limiting use cases. To assist in high-level recovery, many IC reverse engineering solutions have been proposed. This paper focuses on a hard problem facing reverse engineering researchers, that of netlist partitioning. To assist in this endeavor, we propose our own methods that focus on signal matching by analyzing fan-in trees. This analysis extends to representing signals' fan-ins numerically by their structural properties. These values go through certain common dimension reducing algorithms; clustering practices are also leveraged to assist in our proposed partitioning process. Researchers have almost never agreed on the metric for evaluating such netlist partitioning methods. To keep our results unbiased, we leverage Normalized Mutual Information (NMI) to evaluate our proposed partitioning method and compare its results with other techniques that aim to solve the same problem. Lastly, we show how our proposed methods are capable of effectively partitioning netlists of a larger scale than previously proposed schemes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Mathieu, Brandon L.; McCue, Jamin J.; Duncan, Lucas; Dupaix, Brian; Lavasani, Hossein Miri; Khalil, Waleed
A Capacitively Coupled, Pseudo Return-to-Zero Input, Latched-Bias Data Receiver Journal Article
In: IEEE Journal of Solid-State Circuits, vol. 53, no. 9, pp. 2500-2511, 2018, ISSN: 1558-173X.
@article{mathieu2018cap,
title = {A Capacitively Coupled, Pseudo Return-to-Zero Input, Latched-Bias Data Receiver},
author = {Brandon L. Mathieu and Jamin J. McCue and Lucas Duncan and Brian Dupaix and Hossein Miri Lavasani and Waleed Khalil},
doi = {10.1109/JSSC.2018.2859390},
issn = {1558-173X},
year = {2018},
date = {2018-09-01},
journal = {IEEE Journal of Solid-State Circuits},
volume = {53},
number = {9},
pages = {2500--2511},
abstract = {A power and area efficient, capacitively coupled receiver for short links is presented. The proposed architecture enables a wide input common-mode range by utilizing on-chip ac-coupling capacitors, which avoids the use of large, off-chip capacitors or slow, rail-to-rail input stages. The small coupling capacitance and bias switches generate a pseudo return-to-zero pulse that is latched into the receiver via digital feedback. This input latching reduces the effects of baseline wander caused by unbalanced data streams without the need for encoding or scrambling. In addition, the full-scale digital feedback is used as the receiver output, enabling direct interface with standard digital cells. The architecture is implemented in a 130-nm SiGe BiCMOS and 45-nm CMOS silicon-on-insulator (SOI) technology. The 130-nm SiGe BiCMOS design achieves a peak data rate of 10 Gb/s at 5.1 mW, while a peak efficiency of 0.46 mW/Gb/s is recorded at 8 Gb/s. The 45-nm CMOS SOI design achieves a peak data rate of 30 Gb/s at 12.02 mW, with a peak efficiency of 0.24 mW/Gb/s at 25 Gb/s. Both the SiGe BiCMOS and CMOS SOI designs exhibit BERs of $<10^{-12}$ with PRBS15 data as small as 100 mV and occupy 0.012 and 0.007 mm$^2$, respectively, including the on-chip coupling capacitance.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Takarabt, Sofiane; Chibani, Kais; Facon, Adrien; Guilley, Sylvain; Mathieu, Yves; Sauvage, Laurent; Souissi, Youssef
Pre-silicon Embedded System Evaluation as New EDA Tool for Security Verification Proceedings Article
In: 2018 IEEE 3rd International Verification and Security Workshop (IVSW), pp. 74-79, 2018.
@inproceedings{8494881,
title = {Pre-silicon Embedded System Evaluation as New EDA Tool for Security Verification},
author = {Sofiane Takarabt and Kais Chibani and Adrien Facon and Sylvain Guilley and Yves Mathieu and Laurent Sauvage and Youssef Souissi},
doi = {10.1109/IVSW.2018.8494881},
year = {2018},
date = {2018-07-01},
booktitle = {2018 IEEE 3rd International Verification and Security Workshop (IVSW)},
pages = {74--79},
abstract = {The security evaluation of embedded systems is becoming clearly mandatory. Up to today, the evaluation process has been limited to certification labs that conduct the analysis on real target devices. This requires appropriate measurement platforms and equipment in addition to real chip analysis skills. In this paper, we put forward a pre-silicon evaluation methodology and tools that allow security verification at an early stage (virtual target), running hand in hand with functional verification. As of today, such an approach can be used as a new Electronic Design Automation (EDA) tool to properly satisfy the basics of the Design for Security (DFS) concept. From a practical viewpoint, we show a case study to illustrate and provide a better understanding of that approach. Moreover, we propose new evaluation metrics based on Signal to Noise Ratio (SNR) computation, verified on virtual and real targets respectively through a comparative study. Likewise, the tool identifies vulnerabilities (thereby anticipating complete families of otherwise numerous, complex and often undiscovered attacks), and returns accurate feedback to the user on the precise line of code (LoC) where the vulnerability lies, along with its characterization, including an identification of its severity. This allows the designer to input source code to the tool and to get back annotated source code with a collection of LoCs which deserve careful analysis and/or subsequent modification aimed at patching the vulnerabilities.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Meade, Travis; Jin, Yier; Tehranipoor, Mark; Zhang, Shaojie
Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification Proceedings Article
In: 2016 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1334-1337, IEEE, Montreal, QC, Canada, 2016.
@inproceedings{Meade2016b,
title = {Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification},
author = {Travis Meade and Yier Jin and Mark Tehranipoor and Shaojie Zhang},
url = {http://cadforassurance.org/wp-content/uploads/travis2016gate.pdf},
doi = {10.1109/ISCAS.2016.7527495},
year = {2016},
date = {2016-05-22},
booktitle = {2016 IEEE International Symposium on Circuits and Systems (ISCAS)},
pages = {1334--1337},
publisher = {IEEE},
address = {Montreal, QC, Canada},
abstract = {The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverse engineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Meade, Travis; Zhang, Shaojie; Jin, Yier
Netlist Reverse Engineering for High-Level Functionality Reconstruction Proceedings Article
In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 655-660, ASP-DAC IEEE, Macau, 2016, (Best Paper Award).
@inproceedings{Meade2016,
title = {Netlist Reverse Engineering for High-Level Functionality Reconstruction},
author = {Travis Meade and Shaojie Zhang and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2016netlist.pdf},
doi = {10.1109/ASPDAC.2016.7428086},
year = {2016},
date = {2016-01-25},
booktitle = {2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC)},
pages = {655--660},
publisher = {IEEE},
address = {Macau},
organization = {ASP-DAC},
series = {ASP-DAC 16},
abstract = {In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip-level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.},
note = {Best Paper Award},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}