## Hardware Root-of-Trust for Cyber Security

#### Mark M. Tehranipoor

Intel Charles E. Young Endowed Chair Professor in Cybersecurity; Director, Florida Institute for Cybersecurity Research; Electrical and Computer Engineering Department



#### **Example Hardware Attacks**





### **The Big Hack**



#### Bloomberg Businessweek

October 4, 2018

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies




### **SoC Security is a Challenge**







#### **Existing Security Threats**

#### Hardware Trojans

- Malicious modification of the design by adversaries
- Inserted by rogue employees of the design house or foundry
- Intentionally introduced → denial of service, information leakage

#### Information Leakage

- Created intentionally by a 3PIP vendor or induced unintentionally by CAD tools
- Revealing information to unauthorized parties

#### Side Channel

- No modification of the design
- Extraction of secret information through the communication channels of ICs

#### Exploitation of Test/Debug Infrastructure

- Scan, compression, JTAG, etc.
- Malicious exploitation of the controllability and observability of a design

#### Fault Injection

- Power/clock glitching, temperature variation, light/laser/EM injection with malicious intent
- Violation of confidentiality, integrity, etc.

All Rights Reserved – University of Florida







### **Understand Supply Chain Vulnerabilities**





### Solutions, with Lifecycle in Mind

Lifecycle stages shown in the figure: SoC Design, Foundry, Packaging & Distribution, End-user, SoC Integrator



## **Protect IP**



### **Logic Locking or Obfuscation**



#### Runs of key gates

- Key gates connected back-to-back
- K1 and K2 form a run that can be replaced by a single key gate K3

#### Dominating key gates

- K2 lies on every path from K1 to the outputs
- K2 is a dominating key gate whose bit value can only be determined after muting K1

#### Mutable convergent key gates

- K1 and K2 converge at some other gate, such that K1's bit value can be determined by muting K2 and vice versa



### Logic Locking

- Inserting key gates to lock the design and functionality of the chip
- Writing the correct key in a tamper-proof non-volatile memory on the chip after fabrication to unlock the functionality of chip








A number of vulnerabilities must be addressed to make **logic locking** a viable technology
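The "run of key gates" weakness above can be measured directly: if two XOR key gates sit back-to-back, every key pair with the same k1 XOR k2 unlocks the same function, so the run contributes one effective key bit, not two. The script below is an added example, not code from the slides; the netlists (`run_locked`, `single_locked`, `separate_locked`) are constructed toys, and the general routine counts distinguishable key classes for any locked circuit given as a Python function.

```python
import math
from itertools import product

def truth_table(circuit, n_inputs, key):
    """Output of `circuit` over every primary-input combination for one fixed key."""
    return tuple(circuit(bits, key) for bits in product((0, 1), repeat=n_inputs))

def key_classes(circuit, n_inputs, n_keys):
    """Group key values by the function they unlock.
    Keys in the same class cannot be told apart by observing the outputs."""
    classes = {}
    for key in product((0, 1), repeat=n_keys):
        classes.setdefault(truth_table(circuit, n_inputs, key), []).append(key)
    return classes

def effective_key_bits(circuit, n_inputs, n_keys):
    """log2 of the number of distinguishable key classes: the key length that
    actually matters, versus the nominal n_keys."""
    return math.log2(len(key_classes(circuit, n_inputs, n_keys)))

# Constructed netlist: y = ((a AND b) XOR k1) XOR k2.
# K1 and K2 are XOR key gates connected back-to-back, i.e. a run.
def run_locked(inputs, key):
    a, b = inputs
    k1, k2 = key
    return (a & b) ^ k1 ^ k2

# The same netlist with the run replaced by a single key gate K3.
def single_locked(inputs, key):
    a, b = inputs
    (k3,) = key
    return (a & b) ^ k3

# Contrast: y = (a XOR k1) AND (b XOR k2); the key gates sit on separate
# paths, so every key value unlocks a different function.
def separate_locked(inputs, key):
    a, b = inputs
    k1, k2 = key
    return (a ^ k1) & (b ^ k2)

if __name__ == "__main__":
    print("run      :", effective_key_bits(run_locked, 2, 2), "effective bits of 2")
    print("separate :", effective_key_bits(separate_locked, 2, 2), "effective bits of 2")
```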







# **Defense-in-Depth**

Defending a system against any particular attack using several independent methods.

### **Defense-in-Depth for Protecting Obfuscation**





### Layer 1: Trojan Scanner





## **Protect Assets**





#### Asset: A resource of value worth protecting from an adversary

#### **Security Assets in SoCs:**

- On-device keys (developer/OEM)
- Device configuration
- Manufacturer Firmware
- Application software
- On-device sensitive data
- Communication credentials
- Random number or entropy
- E-fuse
- PUF, and more



Source: Intel

### **Protect Assets: Strong Algorithms, Weak Implementation**





Algorithms, architectures, and policies can be undermined by design methods that do not take security into account.

#### **Vulnerabilities**

- Information Leakage
- Side Channel Leakage
- Fault Injection
- IP Tampering, Trojan Insertion

#### **Accesses/attack surfaces**

- Remote access (e.g., WiFi, Ethernet, Zigbee, etc.)
- PCB access (e.g., JTAG and debug ports)
- Physical access



- Model an asset as a stuck-at fault
- Use automatic test pattern generation (ATPG) algorithms to detect that fault
- A successful detection → existence of an information flow from the asset

All observe points through which the asset can be observed must be identified.



| Encryption Algorithm | Design           | Seq. Elements | Observable Points | Distance (Min) | Distance (Max) | Stimulus (Min) | Stimulus (Max) |
|----------------------|------------------|---------------|-------------------|----------------|----------------|----------------|----------------|
| AES                  | high speed       | 10769         | 2                 | 2              | 3              | 5              | 7              |
| AES                  | small area       | 2575          | 4                 | 2              | 2              | 6              | 6              |
| AES                  | ultra-high speed | 6720          | 2                 | 0              | 1              | 2              | 3              |
| Single-DES           | small area       | 64            | 32                | 11             | 15             | 15             | 17             |
| Triple-DES           | small area       | 128           | 48                | 10             | 12             | 29             | 33             |
| Triple-DES           | high speed       | 8808          | 2                 | 2              | 2              | 3              | 3              |
| RSA                  | basic            | 555           | 32                | 4              | 3              | 6              | 6              |
| PRESENT              | lightweight      | 149           | 2                 | 2              | 2              | 3              | 3              |

#### Takeaways

- All implementations of the AES, RSA and PRESENT encryption modules are vulnerable due to DFT insertion
- 'Distance' and 'Stimulus' → quantitative measures of vulnerability
- **Higher value** → less vulnerable
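As an added illustration of the observe-point analysis above (not the slide's ATPG tool), the script below walks a constructed toy netlist from an asset register and reports which observe points (a scan-chain output inserted by DFT, a primary output) it reaches, with the min/max sequential distance to them in the spirit of the table's Distance columns. It assumes "distance" means the number of flip-flops on the shortest path from the asset to the observe point, which is my reading of the metric, not a definition given on the slide; all node names are constructed.

```python
from collections import deque

# Constructed toy netlist: node -> fan-out nodes. Names are illustrative only.
NETLIST = {
    "key_reg": ["xor1"],          # the asset: a key register
    "xor1": ["ff_a"],
    "ff_a": ["and1", "ff_b"],
    "and1": ["ff_c"],
    "ff_b": ["ff_d"],
    "ff_c": ["scan_out1"],        # scan chain output inserted by DFT
    "ff_d": ["ff_e"],
    "ff_e": ["po1"],              # a primary output
    "scan_out1": [],
    "po1": [],
}
SEQUENTIAL = {"ff_a", "ff_b", "ff_c", "ff_d", "ff_e"}   # flip-flops
OBSERVE_POINTS = {"scan_out1", "po1"}

def sequential_distances(netlist, asset, sequential, observe_points):
    """0-1 BFS from `asset`: combinational gates cost 0, each flip-flop costs 1.
    Returns {observe_point: minimum number of sequential elements on any path}
    for every observe point the asset can reach."""
    best = {asset: 0}
    dq = deque([asset])
    while dq:
        node = dq.popleft()
        for nxt in netlist.get(node, []):
            cost = best[node] + (1 if nxt in sequential else 0)
            if cost < best.get(nxt, float("inf")):
                best[nxt] = cost
                # zero-cost edges go to the front so popped costs are final
                (dq.appendleft if cost == best[node] else dq.append)(nxt)
    return {op: best[op] for op in observe_points if op in best}

def vulnerability_summary(netlist, asset, sequential, observe_points):
    """Min/max distance over the reachable observe points; None means no
    observe point reveals the asset (the desired outcome after hardening DFT)."""
    dist = sequential_distances(netlist, asset, sequential, observe_points)
    if not dist:
        return None
    return {"observable_points": len(dist),
            "distance_min": min(dist.values()),
            "distance_max": max(dist.values())}

if __name__ == "__main__":
    print(vulnerability_summary(NETLIST, "key_reg", SEQUENTIAL, OBSERVE_POINTS))
```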

### **Power Side Channel Attacks**





#### **Block Leakage Analysis**





### **Security Rule Check**

Figure (security rule check flow):

1. Establishing a secure design infrastructure: threat model, vulnerabilities and weaknesses, assets, properties, rules, metrics
2. Development of security rules and metrics
3. Development of security-aware automated CAD tools
4. Experimental security validation



**Objective**: Provide automated security assessment and possible countermeasures of given designs for target vulnerabilities



**Outcomes**: Comprehensive set of formally defined transaction rules with security guarantees and data protection

### **Chip Backside Is A New Backdoor**



- Frontside: multiple interconnect layers obstruct the optical path to the transistor devices
- Backside: active devices are directly accessible
  - Photon emission
  - Laser stimulation/fault injection
  - Optical contactless probing





### Attacking Bitstream Encryption of FPGAs







- Device under Test (DUT): Xilinx Kintex 7 development board
  - Chip technology: 28 nm
  - No chip preparation (e.g., depackaging, silicon polishing, etc.)
- Optical setup: Hamamatsu PHEMOS-1000
  - Laser wavelength: 1.3 µm
  - Laser spot size: >1 µm
- Non-destructive
- Non-invasive
- No footprint

### **Localizing the Configuration Logic**







#### Xilinx Kintex 7 in flip-chip package

#### Image acquisition with an infra-red laser scanning microscope

Tajik, S., Lohrke, H., Seifert, J. P., & Boit, C. "On the Power of Optical Contactless Probing: Attacking Bitstream Encryption of FPGAs," In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.

### Localizing Decryption Core using EOFM

Figure panels (images not included): random logic; clock activity for an unencrypted bitstream; clock activity for an encrypted bitstream; locations in the AES output port.

### **Key Extraction**







- Protection
  - Circuit-level solutions
  - Device-level solutions
  - Material-level solutions









### **Protect the Supply Chain**



### **Device-to-System**





### **OCM: Enrollment & Ownership Release**







### **PCB Assembler: Verification & Ownership Acquire**





### **AutoBoM: External Visual Inspection of PCB**





### **Auto3D: Internal Inspection of PCB**



#### X-ray CT

- Parameter optimization
- Sample preparation and filtering

#### CAD File Generation

- Vectorization
- PCB CAD file (PCB, DWG, DXF, etc.)

#### Nondestructive!





## Image Processing and Segmentation

- Separate Layers
- Traces
- Vias w/ Pads
- Vias w/ Anti-Pads
- Conductive Planes



#### PCB Analysis

- Trace timing
- Signal integrity
- Power integrity
- Electromagnetic interference
- Thermal footprint
- Security vulnerabilities

#### **Non-destructive Reverse Engineering**











#### Florida Institute for Cybersecurity (FICS) Research



#### Designed-in security

Standards: Logic Locking, SCA, Backside

**Provenance, Traceability**

- <u>Automation</u>
  - Reduce complexity & cost
- Design with life cycle in mind
  - Device → Systems
  - Traceability & provenance










- Hardware upgrade → Zero day



### Powerful but low cost inspection







