ABSTRACT. As two typical representatives of Side-Channel Attack (SCA), power analysis attack and electromagnetic attack show a very high efficiency to extract cryptographic keys and other secret information from the device non-invasively.

In this work, we first investigate the and the effectiveness of CPA and EMA on the FPGA based AES encryption to show the vulnerability of the side-channel attack. Then we present a novel scheme to reduce the risk of CPA based on the dynamic reconfigurability of the up-to-date FPGA chip.

ABSTRACT. The hardware demo will highlight the use of MIRAGE, a system-level framework that can accept a benchmark circuit from the user in the form of a synthesized netlist; insert the desired logic obfuscation method; and evaluate the obfuscation method in terms of attack resiliency time and area, power, and timing overheads. The main goal of the demo is to provide obfuscation researchers with access to a common framework, so that they can develop more uniform, meaningful metrics reporting their results on standard, larger benchmarks such as CEP, and arbitrary designs. Attack researchers can plug into it to show the effectiveness of their attacks over the state of practice. Metrics developers can extend MAT to explore the effectiveness of various metrics. Moreover, the demo will highlight the overview of the APIs whereby these researchers can plug into and extend MIRAGE for their research.

ABSTRACT. FPGAs are getting increasingly adopted as accelerators in clouds and data centers. In many of such emerging applications of FPGAs, multi-tenant usage of a single FPGA through virtualization is envisioned. This mandates the security and proper isolation at logical level. However, as shown recently, FPGA primitives can be re-used for attacks on the underlying electrical level. Previously, such attacks typically relied on expensive test and measurement equipment which mandated physical access to the system under attack. We could show that FPGA primitives can be re-used for sensors and fault injection on the electrical level, sufficient to remotely deploy power analysis side channel and fault analysis attacks, on Intel, Xilinx and Lattice FPGAs. In this demo, we will present such attacks using a low-cost Lattice iCE40-HX8K board, since all attacks were ported to this platform already.

ABSTRACT. We will present a demo showing RISC-V secure caches on the FPGA board, to defend timing-based cache side-channel attacks. This is a microarchitecture level secure cache framework design based on RISC-V Rocket Chip generator using Chisel hardware construction language.

We will present Partition Locked cache (PL cache) [10] and other secure caches, which we realized in FPGA hardware to show their security and performance.

ABSTRACT. For this demonstration we present a system that allows to generate unique physical keys within a generic hardware-/software framework that exploits intrinsic variations in the manner of analog differential PUF structures. Analog PUF structures, realized as stand-alone integrated chips are complex and costly systems with limited direct access for the research community. DiffC-PUF's discrete design enables access to a reliable PUF in a full system including software for HW/SW security analysis in R&D settings. The design and fabrication costs of the discrete PUF are far lower than for integrated PUFs. The DiffC-PUF architecture shown in the demo is intended to be used in board-level security without developing an IC. In comparison to typical PUF implementations such as ring oscillator (RO)-PUFs, DiffC-PUF is much less complex when it is assembled with discrete components, while allowing the same non-linear growth of response bit width scaling. Another major advantage of the herein presented discrete PUF is that it is possible to access and measure all parts of the PUF circuit and to explore the underlying effects that cause the variations, used for digital PUF response generation, as well as the negative effects arising from real environmental operation. Therefore, the modular architecture is highly suitable for research and academic purposes in laboratories to measure and analyze a real hardware PUF and tackle questions coming up from a software security side. With an average reliability of 99.20% and an uniqueness of 48.84% the proposed system shows values close to ideal.

ABSTRACT. Systems-on-chip (SoCs) are becoming heterogeneous: they combine general-purpose processor cores with application- specific hardware components, also known as accelerators, to improve performance and energy efficiency. The advan- tages of heterogeneity, however, come at a price of threaten- ing security. The architectural dissimilarities of processors and accelerators require revisiting the current security tech- niques. With this hardware demo, we show how accelerators can break dynamic information flow tracking (DIFT), a well-known security technique that protects systems against software-based attacks. We also describe how the security guarantees of DIFT can be re-established with a hardware solution that has low performance and area penalties.

ABSTRACT. In this study, break of a chaos-based RNG is experimentally proven. A proposed attack system is set up and the security problem in the chaos-based RNG is revealed. Master-slave synchronization scheme is established for proving the convergence of the attack system. Experimental results confirming the achievability of the attack system are given.

ABSTRACT. Chaotic systems are usually preferred in random bit generation. Although a small difference in initial condition of a chaotic system produces too different results at the output of a chaotic system, it should be taken in mind that chaotic systems without any noise source implement deterministic equations. Therefore, they are vulnerable to possible attacks. In this demo, a three dimensional chaotic system without any equilibrium points, in other words hidden attractors, is implemented on an FPGA. A clone attack system is proposed to break the target system in terms of predicting next random bits generated by the target system. The master slave synchronization method is utilized to exhibit the security vulnerabilities of the “novel” no-equilibrium chaotic system with hidden attractors.

ABSTRACT. The objective of this hardware demo is to introduce the academic community to the Hardened Adversarial VET Challenge (HAVoC). HAVoC is a series of hardware trojan benchmarks presented as a challenge and was developed over three years under the DARPA VET program to stress test and stimulate development of hardware trojan detection tools. Now that the DARPA VET program has ended we have been granted permission to release HAVoC on the world! In other words, academic researchers and others can now test their hardware trojan detection techniques and tools against HAVoC. This hardware demonstration will introduce HAVoC and show live operation of a hardware trojan from one of the HAVoC test articles.

ABSTRACT. The traditional side channel attacks are normally considered as quite difficult to launch in practice as it heavily relies upon laboratory equipments such as oscilloscopes and sophisticated expertise in the area. The objective of this hardware demo is to design a portable power tracer which can collect the power dissipation of standard 3G/4G USIM cards and extract the secret key inside with an offline analyzer, showing a practical side-channel threat to daily life with extremely low cost (around 50 USD).

The design principles include: (1) The hardware should be lightweight, stealthy, cheap and portable; (2) The collection process should be efficient, fast, and fully automated; (3) The collected traces are good enough for the offline power analysis such as Differential Power Analysis (DPA) and Correlation Power Analysis (CPA).

The highlighted contributions of our work include: (1) Redesign the lightweight PCB; (2) Automatically generate the customized APDU commands for different USIMs; (3) Automatically generate hardware trigger to improve accuracy; (4) Corresponding power analysis for mutual authentication for both MILENAGE and TUAK.

ABSTRACT. In our previous work published in IEEE Internet of Things Journal DOI: 10.1109/JIOT.2018.2874626, we proposed a design of a physically unclonable function (PUF) that was specifically targeted for use in Internet of Things (IoT) Applications. The PUF was created from components that are commonly found in IoT applications, specifically piezo sensors and a microcontroller. Our PUF works by comparing the total voltages of two different groups of three sensors. By using a microcontroller we were able to easily change the combinations of sensors that are being compared. Thanks to this, our PUF design only requires eight piezo sensors to perform 128 comparisons. Our demonstration will show the challenge response interface of our PUF as it generates responses when supplied an appropriate challenge.

ABSTRACT. Ensuring the authenticity of IoT devices is of great concern since an adversary can create a backdoor either to bypass the security and/or to leak secret information over an unsecured communication channel. It is of prime importance to design and develop solutions for authenticating such edge devices. In this demo, we will present a hardware implementation of a novel low-cost solution for authenticating edge devices. We will show how we can exploit the built-in SRAM to generate unique ``digital fingerprints'' for every device and authenticate a resource constraint IoT edge device at a cost of only 3.65% code overhead.

ABSTRACT. This demonstration presents on-chip integrated digital low-dropout (DLDO) regulator based countermeasures for encryption engines against side channel analysis (SCA) attacks. DLDOs, a critical power management circuits, are increasingly integrated with modern SoC systems for fine-grained power management and point of load regulation. This demonstration for the first time leverages DLDOs along with some circuit techniques to enhance SCA resistance of advanced encryption standard (AES) engines and presents experimental results and analysis. Our poster will show the motivation behind the proposed work, overall architecture and details about measurement setup, analysis techniques and side channel attack results with CPA/CEMA for both encryption engines (P-AES, S-AES).

ABSTRACT. Major commercial Field Programmable Gate Arrays (FPGAs) vendors provide encryption and authentication for programmable logic fabric (PL) bitstream using AES and RSA respectively. They are limited in scope of security that they provide and have proven to be vulnerable to different attacks. As-such, in-field deployed devices are susceptible to attacks where either a configuration bitstream, application software or dynamically reconfigurable bitstreams can be maliciously replaced. This hardware demo presents a framework for secure boot and runtime authentication for FPGAs. The presented system employs on-board cryptographic mechanisms and third-party established architectures such as Trusted Platform Module (TPM) and ARM TrustZone. The scope of this hardware demo is of systems level.

ABSTRACT. Hardware level modifications to the integrated systems are referred to as hardware Trojans. Recently, a novel Trojan that is enhanced by analog design techniques is proposed and is proved to be a huge threat to the security of microprocessors and microprocessor-based system-on-chips (SoCs). Although there are solutions based on monitoring the internal signals, it may not be able to cover all the Trojan-affected signals. An on-chip electromagnetic (EM) sensor network is proposed as a demo targeting analog hardware Trojans detection through analyzing the EM side-channel spectral signatures at integrated circuit level.

ABSTRACT. Today, computing systems are being implemented into nearly every aspect of daily life. Integrating electronics into critical systems introduces new opportunities along with risks. To protect these systems, maintaining proper operating characteristics is essential, but it is difficult to remotely monitor them after the system is deployed. A system will often utilize its own resources to monitor itself which can impede optimal functionality and security. Hence, we have developed a standalone embedded platform, termed RASC, to be placed near the critical system. RASC was designed to recreate an environment that can mirror the functionality of a typical electronics lab test setup, but in the size of approximately 2 cubic centimeters. Our demonstration will show our custom RASC platform monitoring a host system and reporting back it's collected data. Here we will demonstrate how side-channels can be used to defend systems throughout their lifetimes and the benefits to remote side-channel access.

ABSTRACT. This demo will provide a real-time application of using the Filling Logic and Testing Spatially (FLATS) architecture for perform an authentication operation on third party intellectual property (3PIP) running in an FPGA. A run-time tamper operation will be executed on 3PIP running on an FPGA. Our technique will detect the tamper event and will perform authentication operations before and after the tamper event to demonstrate authentication.

ABSTRACT. Physical attacks are a known threat to secure embedded systems. Notable among these is laser fault injection, which is probably the most powerful fault injection technique. Indeed, powerful injection techniques like laser fault injection provide a high spatial accuracy, which enables an attacker to induce bit level faults. However, experience gained from attacking 8-bit targets might not be relevant on more advanced micro-architectures and these attacks become increasingly challenging on 32-bit microcontrollers. In this article, we show that the flash memory area of a 32-bit microcontroller is sensitive to laser fault injection. These faults occur during the instruction fetch process, hence the stored value remains unaltered. After a thorough characterisation of the induced faults and the associated fault model, we provide detailed examples of bit-level corruptions of instruction and demonstrate practical applications in compromising the security of real-life codes. Based on these experimental results, we formulate a hypothesis about the underlying micro-architectural features that could explain the observed fault model.

ABSTRACT. The threat of side-channels is becoming increasingly prominent for resource-constrained internet-connected devices. While numerous power side-channel countermeasures have been proposed, a promising approach to protect the non-invasive electromagnetic side-channel attacks has been relatively scarce. Today's availability of high-resolution electromagnetic (EM) probes mandates the need for a low-overhead solution to protect EM side-channel analysis (SCA) attacks. This work, for the first time, performs a white-box analysis to root-cause the origin of the EM leakage from an integrated circuit. System-level EM simulations with Intel 32 nm CMOS technology interconnect stack, as an example, reveals that the EM leakage from metals above layer 8 can be detected by an external non-invasive attacker with the commercially available state-of-the-art EM probes. Equipped with this 'white-box' understanding, this work proposes STELLAR: Signature aTtenuation Embedded CRYPTO with Low-Level metAl Routing, which is a two-stage solution to eliminate the critical signal radiation from the higher-level metal layers. Firstly, we propose routing of the entire cryptographic cores power traces using the local lower-level metal layers, whose leakage cannot be picked up by an external attacker. Then, the entire crypto IP is embedded within a Signature Attenuation Hardware (SAH) which in turn suppresses the critical encryption signature before it routes the current signature to the highly radiating top-level metal layers. System-level implementation of the STELLAR hardware with local lower-level metal routing in TSMC 65 nm CMOS technology, with an AES-128 encryption engine (as an example cryptographic block) operating at 40 MHz, shows that the system remains secure against EM SCA attack even after 1 M encryptions, with 67% energy-efficiency compared to the unprotected AES.

ABSTRACT. Fault detection is becoming more and more essential to the cryptographic circuits protection (for the purpose of fighting against both natural and malicious faults). While finite field multiplier is regarded as the bottleneck arithmetic unit for cryptosystems such as elliptic curve cryptography, efficient implementation of finite field multiplier with high fault detection capability is still missing in the literature. In this paper, therefore, we propose a novel fault detection scheme for finite field multipliers over $GF(2^m)$, where the proposed work aims at obtaining high fault detection performance for finite field multipliers and meanwhile maintain low-complexity implementation. To successfully carry out the proposed design strategy, we have used the modified shifted polynomial basis (MSPB) to represent the field and have conducted three coherent interdependent stages of efforts: (i) a novel 1-bit parity based detection scheme for bit-serial MSPB multiplier is presented after thorough mathematical derivation; (ii) a novel Toeplitz matrix-vector product (TMVP)-based multi-bit parity prediction\&checking scheme for digit-serial MSPB multiplier is proposed then to obtain both high detection performance and low-complexity implementation; (iii) detailed complexity analysis and comparison show that the proposed designs have significantly better performance over the best of existing ones. For instance, for the bit-serial multipliers, the proposed design (using 1 parity bit) can achieve around 99.49\% fault detection performance while the best existing one with 2-bit parity checking scheme achieves only 75.12\% fault detection. The proposed scheme, because of its high fault detection capability and low-complexity, can be extended further in many cryptographic applications.

ABSTRACT. Energy efficiency and security is a critical requirement for computing at edge nodes. Unrolled architectures for lightweight cryptographic algorithms have been shown to be energy-efficient, providing higher performance while meeting the resource constraints. FPGA implementations of unrolled datapaths have also been shown to be secure against side channel analysis (SCA) attacks due to reduction in signal-to-noise ratio (SNR) and increased leakage model complexity. This paper demonstrates optimal leakage models and an improved CFA attack which makes it feasible to extract first-order side-channel leakages from combinational logic in the initial rounds of unrolled datapaths. Several leakage models targeting initial rounds are explored and 1-bit hamming weight (HW) based leakage model is shown to be an optimal choice. Additionally, narrow bandpass filtering techniques in conjunction with correlation frequency analysis (CFA) are demonstrated to improve SNR by up to 4× attributed to removal of misalignment effect in combinational logic and signal isolation. Next, improved CFA is performed on side channel signatures acquired for 7-round unrolled SIMON datapath implemented on Sakura-G (XILINX spartan 6, 45nm) based FPGA platform and 24× improvement in minimum-traces-to-disclose (MTD) to reveal 80% key bits is demonstrated with respect to baseline wide-band post-processing method and time domain correlation power analysis (CPA). Finally, the proposed methodology is successfully applied to a fully-unrolled datapath for PRINCE and a parallel round-based datapath for advanced encryption standard (AES) algorithm to demonstrate general applicability of proposed methods.

ABSTRACT. Authenticated ciphers are trending in secret key cryptography, since they combine confidentiality, integrity, and authentication into one algorithm, and offer potential efficiencies over the use of separate block ciphers and keyed hashes. Current cryptographic contests and standardization efforts (e.g., CAESAR and NIST) are evaluating authenticated ciphers for weaknesses, to include implementation vulnerabilities, such as fault attacks. In this paper, we analyze fault attacks against the Ascon authenticated cipher, which is a CAESAR lightweight category finalist. We propose a fault attack technique based on statistical ineffective fault analysis (SIFA) using double-fault injection and key dividing. Faults are injected at two selected S-boxes for every encryption, during the last round of permutation in the Ascon Finalization stage. The correct tag values, resulting from ineffective fault inductions, are then used to analyze key hypotheses. The complexity of our attack method is a trade-off between the size of key hypothesis search space and the number of double-fault injections. The sufficient number of correct tag values needed to recover a key subset depends on the bias of fault distributions. We perform experiments on a software implementation of Ascon to show that between 12.5 to 2500 correct tag values (i.e., ineffective faults) are enough for key recovery for highly biased to more uniform fault distributions, respectively.

ABSTRACT. Hardware Trojans in the form of malicious modifications during the design and/or the fabrication process is a security concern due to the globalization of semiconductor production process. The Trojan would be designed to evade structural and functional testing and would activate under certain conditions and cause read/write failures. Very limited literature exists on memory Trojans in spite of their high likelihood. Emerging Non-Volatile Memories (NVMs) possess unique characteristics that make them the prime targets to deploy a Hardware Trojan. In this paper, we have designed two NVM-based trigger circuits that are activated after the test phase of the fabrication process.

ABSTRACT. Hardware Trojans are malicious modifications on integrated circuits (IC), which pose a grave threat to security of modern military and commercial systems. Existing methods to detect hardware Trojan are plagued by inability to detect all Trojans, reliance on golden chip that might not be available, high time cost, and low accuracy. In this paper, we present Golden Gates, a novel detection method designed to achieve comparable level of accuracy as full reverse engineering yet paying only a fraction of its cost in time. The proposed method inserts golden gate circuits (GGC) to achieve superlative accuracy in classification of scanning electron microscopy (SEM) images of thinned backside footprints of all existing gates. Possible attacks against GGC as well as malicious modifications on interconnect layers are discussed and addressed with secure built-in exhaustive test infrastructure. Evaluation with real SEM images demonstrate high classification accuracy and resistance to attacks of the proposed technique.

ABSTRACT. The rise of recycled ICs being sold as new through the global semiconductor supply chain is a serious threat to critical infrastructure due to their inferior quality, shorter remaining life, and potentially poorer performance, compared to their authentic counterparts. While solutions, such as age monitors, have been proposed for new designs, detecting the recycling of older legacy ICs already in use is much harder; no reliably effective solution currently exist. In this paper, we propose a new and highly effective approach for detecting recycled ICs by exploiting the power-up state of on-chip SRAM to evaluate the age of the chip. Our methodology does not require the introduction of any special aging detection circuitry, nor the recording and saving of historical circuit performance data to detect degradation from use. It is also low cost since does not require any special test equipment. Since SRAMs exist in virtually all system on chips (SoC), the approach is widely applicable to both old and new designs. We present experimental results using commercial off-the-shelf SRAM chips to validate the effectiveness of the proposed approach.

ABSTRACT. Security-critical field programmable gate array (FPGA) designs traditionally rely on bitstream encryption and hashing to prevent bitstream modifications and provide design authentication. Recent attacks to extract bitstream encryption keys, and research in automated bitstream manipulation tools, have created a class of vulnerabilities involving post-synthesis low-level FPGA editing. Current authentication and tamper (e.g., malicious modification) detection approaches dependent upon hash-based comparison mechanisms and register transfer level safeguards are vulnerable to these post-synthesis exploits. In this paper, we propose FLATS, which provides filling logic and testing spatially to combat such vulnerability. FLATS fills unused configurable logic blocks (CLBs) within a FPGA design and inserts infrared-emitting spatial watermarks into the partially used CLBs at the post-synthesis stage for physical authentication and tamper detection using backside infrared imaging. FLATS takes an existing synthesized design and re-purposes a portion of its LUT initialization to function as a watermark allowing for the detection of changes to the post-synthesis placement and initialization. Experimental results validate the FLATS architecture on a 28nm Xilinx FPGA with less than 12% lookup table utilization overhead and negligible compromises in power and speed.

ABSTRACT. Hardware vulnerabilities are often due to design mistakes because the designer does not sufficiently consider potential security vulnerabilities at the design stage. As a result, various security solutions have been developed to protect IC, among which the language-based hardware security verification serves as a promising solution. The verification process will be performed while compiling the HDL of the design. However, similar to other formal verification methods, the language-based approach also suffers from scalability issue. Furthermore, existing solutions either lead to hardware overhead or are not designed for vulnerable or malicious logic detection. To alleviate these challenges, we propose a new language based framework, QIF-Verilog, to evaluate the trustworthiness of a hardware system at register transfer level (RTL). This framework introduces a quantified information flow (QIF) model and extends Verilog type system to provide more expressiveness in presenting security rules; QIF is capable of checking the security rules given by the hardware designer. Secrets are labeled by the new type and then parsed to data flow, to which QIF model will be applied. To demonstrate our approach, we design a compiler for QIF-Verilog and perform vulnerability analysis on benchmarks from Trust-Hub and OpenCore. We show that Trojans or design faults that leak information from circuit outputs can be detected automatically and we show that our method evaluates the security of the design correctly.