The Art of SRAM Security: Tactics for Remanence-based Attack and Strategies for Defense

Mahmod, Jubayer

02 May 2024

The importance of securing hardware, particularly in the context of the Internet of Things (IoT), cannot be overstated in light of the increasing prevalence of low-level attacks. As the IoT industry continues to expand, security has become a more holistic concern, as evidenced by the wide range of attacks that we observed, from large-scale distributed denial-of-service attacks to data theft through monitoring a device's low-level behavior, such as power consumption. Traditional software-based security measures fall short in defending against the full spectrum of attacks, particularly those involving physical tampering with system hardware. This underscores the critical importance of proactively integrating attack vectors that encompass both hardware and software domains, with a particular emphasis on considering both the analog and digital characteristics of hardware. This thesis investigates system security from a hardware perspective, specifically examining how low-level circuit behavior and architectural design choices impact SRAM's data remanence and its implications for security. This dissertation not only identifies new vulnerabilities due to SRAM data remanence but also paves the way for novel security solutions in the ongoing "security arms race". I present an attack, volt boot, that executes cold-boot style short-term data remanence in on-chip SRAM without using temperature effect. This attack exploits the fact that SRAM's power bus is externally accessible and allows data retention using a simple voltage probe. Next, I present a steganography method that hides information in the SRAM exploiting long-term data remanence. This approach leverages aging-induced degradation to imprint data in SRAM's analog domain, ultimately resulting in hidden and plausibly deniable information storage in the hardware. Finally, I show how an adversary weaponizes SRAM data remanence to develop an attack on a hardware-backed security isolation mechanism. The following provides a brief overview of the three major contributions of this thesis: 1. Volt boot is an attack that demonstrates the vulnerability of on-chip SRAM due to the physical separation common in modern SoCs' power distribution networks. By probing external power pins (to the cache) of an SoC while simultaneously shutting down the main system power, Volt boot creates data retention across power cycles. On-chip SRAM can be a safe memory when the threat model considers traditional off-chip cold-boot-style attacks. This research demonstrates an alternative method for preserving information in on-chip SRAM through power cycles, expanding our understanding of data retention capabilities. Volt boot leverages asymmetrical power states (e.g., on vs. off) to force SRAM state retention across power cycles, eliminating the need for traditional cold boot attack enablers, such as low-temperature or intrinsic data retention time. 2. Invisible Bits is a hardware steganography technique that hides secret messages in the analog domain of SRAM embedded within a computing device. Exploiting accelerated transistor aging, Invisible Bits stores hidden data along with system data in an on-chip cache and provides a plausible deniability guarantee from statistical analysis. Aging changes the transistor's behavior which I exploit to store data permanently (ie long-term data remanence) in an SRAM. Invisible Bits presents unique opportunities for safeguarding electronic devices when subjected to inspections by authorities. 3. UntrustZone utilizes long-term data remanence to exfiltrate secrets from on-chip SRAM. An attacker application must be able to read retained states in the SRAM upon power cycles, but this needs changing the security privilege. Hardware security schemes, such as ARM TrustZone, erase a memory block before changing its security attributes and releasing it to other applications, making short-term data remanence attacks ineffective. That is, attacks such as Volt boot fail when hardware-backed isolation such as TEE is enforced. UntrustZone unveils a new threat to all forms of on-chip SRAM even when backed by hardware isolation: long-term data remanence. I show how an attacker systematically accelerates data imprinting on SRAM's analog domain to effectively burn in on-chip secrets and bypass TrustZone isolation. / Doctor of Philosophy / In computing systems, hardware serves as the fundamental bulwark against security breaches. The evolution in software security has compelled adversaries to seek potential vulnerabilities in the hardware.The infamous cold boot attack exemplifies such vulnerabilities, showcasing how adversaries exploit hardware to access runtime secrets, even when cryptographic algorithms protect the system's disk. In this attack, volatile main memory (DRAM) is `frozen' at extremely cold temperatures, allowing it to retain information even when disconnected from the victim machine. Subsequently, an adversary transfers this `frozen memory' to another machine to extract the victim's secrets. This classic case is among numerous sophisticated hardware vulnerabilities identified in recent years, highlighting the evolving challenge of securing hardware against ingenious attacks. This rise in hardware-based attacks across industry and academia underscores the importance of adopting a comprehensive approach to safeguard computing systems. This approach must encompass secure processor design, ensuring a trusted distribution chain, rigorous software security vetting, and protection against runtime side-channel leakage. Consequently, there is a growing emphasis in both industry and academia on prioritizing security in design decisions. My dissertation delves into the low-level hardware behaviors, particularly focusing on the data remanence phenomena of Static Random Access Memory (SRAM). By discovering new security vulnerabilities and proposing effective mitigation strategies, this thesis contributes to the ongoing effort to fortify computing systems against evolving threats that are rooted in the hardware. SRAM stands as a ubiquitous form of volatile memory found in most processors and microcontrollers, serving as a crucial component for temporary storage of instructions and data to facilitate rapid access. By design, SRAM forgets its contents upon a processor's power cycle and defaults to a state determined by low-level circuit behavior. However, this dissertation unveils the possibility of retaining on-chip information even after power cycling, leveraging inherent low-level circuit behaviors to create data retention. This revelation exposes major security implications, resulting in the following three key contributions: Firstly, I introduce the volt boot attack, which exploits the vulnerability of on-chip SRAM, particularly to physical separation in modern System on Chip (SoC) power distribution networks. We conventionally assume that on-chip SRAM is secure against off-chip cold-boot attacks, but volt boot demonstrates the feasibility of achieving a similar state without traditional prerequisites such as low temperatures or long intrinsic data retention times. Subsequently, I propose a data hiding technique---invisible Bits, which leverages accelerated device wear out to embed data into the transistors of SRAM. This method introduces a novel form of hardware-based steganography, concealing data within the analog domain alongside digital system data. Lastly, I show how accelerated device aging can be weaponized to design a sophisticated attack aimed at extracting secrets from a Trusted Execution Environment (TEE) like ARM TrustZone. While short-term data remanence attacks such as Volt boot are rendered ineffective against hardware-backed isolation enforced by TEEs, UntrustZone harnesses the methodologies and tools from preceding works to induce long-term data remanence. This poses a new threat to on-chip cryptography that stores secrets on chip, even when fortified by hardware isolation mechanisms, such as ARM TrustZone.

On-chip SRAM attacks

aging side channel

data remanence

Partition based Approaches for the Isolation and Detection of Embedded Trojans in ICs

Banga, Mainak

29 September 2008

This thesis aims towards devising a non-destructive testing methodology for ICs fabricated by a third party manufacturer to ensure the integrity of the chip. With the growing trend of outsourcing, the sanity of the final product has emerged to be a prime concern for the end user. This is especially so if the components are to be used in mission-critical applications such as space-exploration, medical diagnosis and treatment, defense equipment such as missiles etc., where a single failure can lead to a disaster. Thus, any extraneous parts (Trojans) that might have been implanted by the third party manufacturer with a malicious intent during the fabrication process must be diagnosed before the component is put to use. The inherent stealthy nature of Trojans makes it difficult to detect them at normal IC outputs. More so, with the restriction that one cannot visually inspect the internals of an IC after it has been manufactured. This obviates the use of side-channel signal(s) that acts like a signature of the IC as a means to assess its internal behavior under operational conditions. In this work, we have selected power as the side-channel signal to characterize the internal behavior of the ICs. We have used two circuit partitioning based approaches for isolating and enhancing the behavioral difference between parts of a genuine IC and one with a sequence detector Trojan in it. Experimental results reveal that these approaches are effective in exposing anomalous behavior between the targeted ICs. This is reflected as difference in power-profiles of the genuine and maligned ICs that is magnified above the process variation ensuring that the discrepancies are observable. / Master of Science

Side-Channel Analysis

Power profile

State-space

Trojans

Side Channel Analysis of a Java-­based Contactless Smart Card

Mateos Santillan, Edgar

January 2012

Smart cards are widely used in different areas of modern life including identification, banking, and transportation cards. Some types of cards are able to store data and process information as well. A number of them can run cryptographic algorithms to enhance the security of their transactions and it is usually believed that the information and values stored in them are completely safe. However, this is generally not the case due to the threat of the side channel. Side channel analysis is the process of obtaining additional information from the internal activity of a physical device beyond that allowed by its specifications. There exist different techniques to attempt to obtain information from a cryptosystem using other ways than the normally permitted. This thesis presents a series of experiments intended to study the side channel from a particular type of smart card, known as Java Cards. This investigation uses the well known technique, Correlation Analysis, and a new type of side channel attack called fast correlation in the frequency domain to study the side channel of Java Cards. This research presents a giant magnetoresistor (GMR) probe and for the first time, this type of sensor is used to investigate the side channel. A novel setup designed for studying the side channel of smart cards is described and two metrics used to evaluate the analysis results are presented. After testing the GMR probe and methodology on electronic devices executing the Advanced Encryption Standard (AES), such as 8 bit microcontrollers and 128 bit AES implementations on FPGAs, these techniques were applied to analyse two different models of Java Cards working in the contactless mode. The results show that successful attacks on a software implementation of AES running on both models of Java Cards are possible.

Side channel

fast correlation in the frequency domain

Correlation Analysis

Java Card

Giant magnetoresistance

GMR

EM analysis

smart card

Side Channel Analysis

Electrical and Computer Engineering

Increasing the Robustness of Point Operations in Co-Z Arithmetic against Side-Channel Attacks

Almohaimeed, Ziyad Mohammed

08 August 2013

Elliptic curve cryptography (ECC) has played a significant role on secure devices since it was introduced by Koblitz and Miller more than three decades ago. The great demand for ECC is created by its shorter key length while it provides an equivalent security level in comparison to previously introduced public-key cryptosystems (e.g.RSA). From an implementation point of view a shorter key length means a higher processing speed, smaller power consumption, and silicon area requirement. Scalar multiplication is the main operation in Elliptic Curve Diffie-Hellman (ECDH), which is a key-agreement protocol using ECC. As shown in the prior literature, this operation is both vulnerable to Power Analysis attack and requires a large amount of time. Therefore, a lot of research has focused on enhancing the performance and security of scalar multiplication. In this work, we describe three schemes to counter power analysis cryptographic attacks. The first scheme provides improved security at the expense of a very small cost of additional hardware overhead; its basic idea is to randomize independent field operations in order to have multiple power consumption traces for each point operation. In the second scheme, we introduce an atomic block that consists of addition, multiplication and addition [A-M-A]. This technique provides a very good scalar multiplication protection but with increased computation cost. The third scheme provides both security and speed by adopting the second tech- nique and enhancing the instruction-level parallelism at the atomic level. As a result, the last scheme also provides a reduction in computing time. With these schemes the users can optimize the trade-off between speed, cost, and security level according to their needs and resources. / Graduate / 0544 / 0984 / z.mohaimeed@gmail.com

elliptic curve cryptography

power analysis

Elliptic curve Diffie-Hellman

ECDH

ECC

atomic block

Side-Channel Attack Aware Implementation

Side Channel Analysis of a Java-­based Contactless Smart Card

Mateos Santillan, Edgar

January 2012

Smart cards are widely used in different areas of modern life including identification, banking, and transportation cards. Some types of cards are able to store data and process information as well. A number of them can run cryptographic algorithms to enhance the security of their transactions and it is usually believed that the information and values stored in them are completely safe. However, this is generally not the case due to the threat of the side channel. Side channel analysis is the process of obtaining additional information from the internal activity of a physical device beyond that allowed by its specifications. There exist different techniques to attempt to obtain information from a cryptosystem using other ways than the normally permitted. This thesis presents a series of experiments intended to study the side channel from a particular type of smart card, known as Java Cards. This investigation uses the well known technique, Correlation Analysis, and a new type of side channel attack called fast correlation in the frequency domain to study the side channel of Java Cards. This research presents a giant magnetoresistor (GMR) probe and for the first time, this type of sensor is used to investigate the side channel. A novel setup designed for studying the side channel of smart cards is described and two metrics used to evaluate the analysis results are presented. After testing the GMR probe and methodology on electronic devices executing the Advanced Encryption Standard (AES), such as 8 bit microcontrollers and 128 bit AES implementations on FPGAs, these techniques were applied to analyse two different models of Java Cards working in the contactless mode. The results show that successful attacks on a software implementation of AES running on both models of Java Cards are possible.

Side channel

fast correlation in the frequency domain

Correlation Analysis

Java Card

Giant magnetoresistance

GMR

EM analysis

smart card

Side Channel Analysis

Electrical and Computer Engineering

Outils d'aide à la recherche de vulnérabilités dans l'implantation d'applications embarquées sur carte à puce

Andouard, Philippe

18 December 2009

Les travaux présentés dans cette thèse ont pour objectif de faciliter les évaluations sécuritaires des logiciels embarqués dans les cartes à puce. En premier lieu, nous avons mis au point un environnement logiciel dédié à l'analyse de la résistance d'implémentations d'algorithmes cryptographiques face à des attaques par analyse de la consommation de courant. Cet environnement doit être vu comme un outil pour rechercher des fuites d'information dans une implémentation en vue d'évaluer la faisabilité d'une attaque sur le produit réel. En second lieu, nous nous sommes intéressé à l'analyse de programmes écrits en langage d'assemblage AVR dans le but de vérifier s'ils sont vulnérables aux \textsl{timing attacks}. Nous avons donc développé un outil qui consiste à décrire des chemins du flot de contrôle d'un programme grâce à des expressions régulières qui seront par la suite interprétées par notre outil afin de donner leur temps exact d'exécution (en terme de cycles d'horloge). Enfin, nous avons étudié comment faciliter la compréhension de programmes écrits en langage C dans le but de vérifier si des politiques de sécurité sont correctement implémentées. D'une part, nous fournissons des assistants de navigation qui au travers d'informations concernant les variables et procédures rencontrées, facilitent la compréhension du programme. D'autre part, nous avons au point une manière de vérifier les politiques de sécurité sans modélisation préalable (e.g. avec un automate à états finis) au moyen de requêtes exprimées dans la logique CTL. / The work presented in this thesis aims at easing the evaluation process of smartcards embedded software. On one hand, we set up a software environment dedicated to analyze the implementation resistance of cryptographic to power analysis attacks. This environment must be seen as a tool that facilitates a real attack by giving a way to find information leakages in an implementation. On the other hand, we focused on analyzing program written in AVR assembly language in order to check whether they are vulnerable to timing attacks. To achieve this goal we have developed a tool that makes possible the description of a path in the control flow of the program thanks to regular expressions. Those regular expressions will be interpreted by our tool in order to give the exact execution timing (expressed in clock cycles). Finally, we studied how to ease the global comprehension of a program written in C language in order to check whether security policies are well implemented. First, we provide graphical navigation assisants that helps to understand the progam being analyzed by giving information on variables and procedures. Then, we provide a way to check the security policies through the use of requests expressed with the CTL logic. This approach does not need prior modelisation of the program.

Carte à puce

Sécurité

Side channel attacks

Langage d'assemblage AVR

Langage C

Smartcard

Security

Microcontrollers

Side channel attacks

AVR assembly language

C language

Nové postranní kanály v kryptografii / The new side channels in cryptography

Machů, Petr

January 2011

This thesis is focused on the side-channels in the cryptology. The main attention is paid to the side-channels, which allow an attack on a computer keyboard. Especially the acoustic side-channel is focused on. Through this channel are demonstrated two attacks on the keyboard. At first, the method of recognizing is described. The neural network was used for the recognition. Then, the demonstration attacks on the keyboard are described. The first demonstration is an attack in laboratory conditions and the other in terms of household conditions. The thesis describes two attacks from the record, through data recognition by neural networks to evaluate the actual demonstration of attack. The following describes the recommendations for disabling attack. The results are supplemented by graphs and discussed.

Micro-architectural Threats to Modern Computing Systems

Inci, Mehmet Sinan

17 April 2019

With the abundance of cheap computing power and high-speed internet, cloud and mobile computing replaced traditional computers. As computing models evolved, newer CPUs were fitted with additional cores and larger caches to accommodate run multiple processes concurrently. In direct relation to these changes, shared hardware resources emerged and became a source of side-channel leakage. Although side-channel attacks have been known for a long time, these changes made them practical on shared hardware systems. In addition to side-channels, concurrent execution also opened the door to practical quality of service attacks (QoS). The goal of this dissertation is to identify side-channel leakages and architectural bottlenecks on modern computing systems and introduce exploits. To that end, we introduce side-channel attacks on cloud systems to recover sensitive information such as code execution, software identity as well as cryptographic secrets. Moreover, we introduce a hard to detect QoS attack that can cause over 90+\% slowdown. We demonstrate our attack by designing an Android app that causes degradation via memory bus locking. While practical and quite powerful, mounting side-channel attacks is akin to listening on a private conversation in a crowded train station. Significant manual labor is required to de-noise and synchronizes the leakage trace and extract features. With this motivation, we apply machine learning (ML) to automate and scale the data analysis. We show that classical machine learning methods, as well as more complicated convolutional neural networks (CNN), can be trained to extract useful information from side-channel leakage trace. Finally, we propose the DeepCloak framework as a countermeasure against side-channel attacks. We argue that by exploiting adversarial learning (AL), an inherent weakness of ML, as a defensive tool against side-channel attacks, we can cloak side-channel trace of a process. With DeepCloak, we show that it is possible to trick highly accurate (99+\% accuracy) CNN classifiers. Moreover, we investigate defenses against AL to determine if an attacker can protect itself from DeepCloak by applying adversarial re-training and defensive distillation. We show that even in the presence of an intelligent adversary that employs such techniques, DeepCloak still succeeds.

cloud security

DoS attacks

machine learning

mobile security

side-channel attacks

Side Channels in the Frequency Domain / Méthodes d'attaques avancées de systèmes cryptographiques par analyse des émissions EM

Tiran, Sébastien

11 December 2013

De nos jours, l'emploi de la cryptographie est largement répandu et les circuits intègrent des primitives cryptographiques pour répondre à des besoins d'identification, de confidentialité, ... dans de nombreux domaines comme la communication, la PayTV, ...La sécurisation de ces circuits est donc un enjeu majeur. Les attaques par canaux cachés consistent à espionner ces circuits par différents biais comme le temps de calcul, la consommation en courant ou les émanations électromagnétiques pour obtenir des informations sur les calculs effectués et retrouver des secrets comme les clefs de chiffrement. Ces attaques ont l'avantage d'être indétectables, peu couteuses et ont fait l'objet des nombreuses études. Dans le cadre des attaques par analyse de la consommation en courant ou des émanations électromagnétiques l'acquisition de bonnes courbes est un point crucial. Malgré la forte utilisation de techniques de prétraitement dans la littérature, personne n'a tenté d'établir un modèle de fuite dans le domaine fréquentiel. Les travaux effectués durant cette thèse se concentrent donc sur cet aspect avec pour intérêt d'améliorer l'efficacité des attaques. De plus, de nouvelles attaques dans le domaine fréquentiel sont proposées, sujet peu étudié malgré l'intérêt de pouvoir exploiter plus efficacement la fuite éparpillée dans le temps. / Nowadays, the use of cryptography is widely spread, and a lot of devices provide cryptographic functions to satisfy needs such as identification, confidentiality, ... in several fields like communication, PayTV, ...Security of these devices is thus a major issue.Side Channel Attacks consist in spying a circuit through different means like the computation time, power consumption or electromagnetic emissions to get information on the performed calculus and discover secrets such as the cipher keys.These attacks have the advantage to be cheap and undetectable, and have been studied a lot.In the context of attacks analysing the power consumption or the electromagnetic emissions, the acquisition of good traces is a crucial point.Despite the high use of preprocessing techniques in the literature, nobody has attempted to model the leakage in the frequency domain.The works performed during this thesis are focusing on this topic with the motivation of improving the efficiency of attacks.What's more, new frequency domain attacks are proposed, subject poorly studied despite the advantage of better exploiting the leakage spread in time.

Cryptographie

Em

Canaux cachés

Carte à puce

Cryptography

Em

Side channel Attack

Smartcard

Error Detection Techniques Against Strong Adversaries

Akdemir, Kahraman D.

01 December 2010

"Side channel attacks (SCA) pose a serious threat on many cryptographic devices and are shown to be effective on many existing security algorithms which are in the black box model considered to be secure. These attacks are based on the key idea of recovering secret information using implementation specific side-channels. Especially active fault injection attacks are very effective in terms of breaking otherwise impervious cryptographic schemes. Various countermeasures have been proposed to provide security against these attacks. Double-Data-Rate (DDR) computation, dual-rail encoding, and simple concurrent error detection (CED) are the most popular of these solutions. Even though these security schemes provide sufficient security against weak adversaries, they can be broken relatively easily by a more advanced attacker. In this dissertation, we propose various error detection techniques that target strong adversaries with advanced fault injection capabilities. We first describe the advanced attacker in detail and provide its characteristics. As part of this definition, we provide a generic metric to measure the strength of an adversary. Next, we discuss various techniques for protecting finite state machines (FSMs) of cryptographic devices against active fault attacks. These techniques mainly depend on nonlinear robust codes and physically unclonable functions (PUFs). We show that due to the nonuniform behavior of FSM variables, securing FSMs using nonlinear codes is an important and difficult problem. As a solution to this problem, we propose error detection techniques based on nonlinear codes with different randomization methods. We also show how PUFs can be utilized to protect a class of FSMs. This solution provides security on the physical level as well as the logical level. In addition, for each technique, we provide possible hardware realizations and discuss area/security performance. Furthermore, we provide an error detection technique for protecting elliptic curve point addition and doubling operations against active fault attacks. This technique is based on nonlinear robust codes and provides nearly perfect error detection capability (except with exponentially small probability). We also conduct a comprehensive analysis in which we apply our technique to different elliptic curves (i.e. Weierstrass and Edwards) over different coordinate systems (i.e. affine and projective). "

Error Detection

Robust Codes

Advanced Attacker

Side Channel Attacks

Fault Attacks