## Welcome

Kevin Stine

Chief of the Applied Cybersecurity Division in the Information Technology Laboratory at NIST

### **NIST** Mission



To promote U.S. innovation and industrial competitiveness by advancing **measurement science, standards, and technology** in ways that enhance economic security and improve our quality of life.



## Cybersecurity at NIST



NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet U.S. needs. Our activities range from producing specific information that organizations can put into practice immediately to longer-term research that anticipates advances in technologies and future challenges.



## The National Cybersecurity Center of Excellence

Collaborate with innovators to provide **real-world**, **standards-based** cybersecurity capabilities that address business needs.



### Practical Guidance with Industry Collaboration



### Objective of Today's Workshop

- Convene semiconductor security experts from industry, academia, and government
- Gather input to inform NIST strategic planning
- Leverage cybersecurity expertise
- Collaborate to prioritize:
  - Research activities
  - Approaches to advance standards, guidance and example implementations

## Cybersecurity across the Life Cycle



## HW Security at NIST

#### Sanjay Rekhi

Group Leader, Security Components and Mechanisms Group, National Institute of Standards and Technology

## Cybersecurity practice

**Need Automation**

### PAS**S**: Power, Area, Speed, Security



## Challenges: Vulnerabilities - Growing

- Fault Injection
- Plundervolt
- Privilege Escalation
- Trojan Insertion
- Trace Buffer
- EM Side-Channel
- **CLKSCREW**
- Denial-of-Service
- Vector Rewrite
- Rowhammer
- **Power Side-Channel**
- **Direct Memory Access**
- BranchScope
- Bitstream Encryption Cracking
- Access Control
- Meltdown and Spectre
- Machine Learning
- Information Leakage
- **Trusted Execution Environment Breaking**
- Reset and Flush
- Branch Shadowing
- **Bitstream Tampering**
- **Reverse Engineering**
- Timing Side-Channel
- Integrity

#### **People: the weakest link!**

## Strong Algorithm & Architecture

Weak Implementation & Execution

Unique to Physical Layout

- Protect against untrusted foundry
- Address IP piracy
  - Physical Locking

#### Protect crypto cores

- Power side channels
- EM side channels
- Fault injection

#### Protect against physical attacks

- Contactless probing attacks
- Contactless optical attacks
- Laser fault injection attacks
- X-ray attacks
- Electromigration



#### Chip Backside Is A New Backdoor

Hamamatsu PHEMOS-1000

- Device under Test (DUT): Xilinx Kintex 7 development board
  - Chip technology: 28 nm
  - No chip preparation (e.g., depackaging, silicon polishing, etc.)
- Optical setup: Hamamatsu PHEMOS-1000
  - Laser wavelength: 1.3 µm
  - Laser spot size: >1 µm

- Non-destructive
- Non-invasive
- No footprint

#### Localizing the Configuration Logic

#### Xilinx Kintex 7 in flip-chip package

#### Image acquisition with an infra-red laser scanning microscope

Tajik, S., Lohrke, H., Seifert, J. P., & Boit, C. "On the Power of Optical Contactless Probing: Attacking Bitstream Encryption of FPGAs," In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.

#### Localizing Decryption Engine

**Random Logic**
#### Key Extraction

- Protection
  - Circuit Level Solutions
  - Device Level solutions
  - Material Level Solutions

### NIST Research: Hardware Weakness Hierarchies

Looking at 'how' they are exploited



## Attack Surface Reference Model (SoC/ASICs)

- Substantial efforts are on-going in the software community
- Alteration of system behavior based on software-accessible points of illicit entry that exist due to hardware design weaknesses or architectural flaws

- **Side Channel**: extraction of secrets through *physical* communication channels other than intended (assumption: attackers are able to "listen" to emissions) → Economic Attackers
- **Reverse Engineering**: extraction of algorithms from an illegally obtained design representation (assumption: attackers have access to design files) → Economic Attackers *and* Nation States
- **Supply Chain**: cloning, counterfeit, recycled or re-marked chips represented as genuine (assumption: attackers can manufacture perfect clones) → Economic Attackers
- **Malicious Hardware**: insertion of secretly triggered hidden disruptive functionality (assumption: attackers successfully inserted malicious function(s) into the design) → Nation States