Slide 1: Automatized Fault Attack Emulation for Penetration Testing
Johannes Grinschgl (1), Thomas Aichinger (3), Armin Krieg (1), Christian Steger (1), Reinhold Weiss (1), Holger Bock (2), Josef Haid (2)
(1) Graz University of Technology, Austria
(2) Infineon Technologies Austria AG, Design Center Graz, Austria
(3) Austria Card GmbH, Austria
12th International Common Criteria Conference, Kuala Lumpur, Malaysia, September 29, 2011
Slide 2: Agenda
- Motivation
- Introduction
- Related work
- Automatized Fault Attack Emulation
- Impact on Certification Flow
- Conclusion
Slide 3: Motivation (1/3)
- Increasing complexity of SoCs: More-than-Moore [Arden2010]; increasing test duration
- Increasing security and dependability requirements: high costs, loss of trust, loss of life
  [Figure: SoC Consumer Portable Design Complexity Trends (Source: ITRS 2010 Update, "System Drivers")]
- Increasing number of known fault attacks
- Increasing knowledge of attackers: better attack tools, cheaper analysis equipment
Slide 4: Motivation (2/3)
- Common Criteria certification is time consuming and expensive
- Penetration tests come very late in the development phase
- A fault found during certification means a longer time to market and a re-evaluation
- Open questions: what is the test coverage of the penetration tests, and how is the efficiency of new security features evaluated?
Slide 5: Motivation (3/3)
How to solve this problem?
- Target: reduce the deficits already during the design phase
  - Early evaluation of security features
  - Support for very large test pattern sets
  - Open-sample evaluation support
  - SW test without HW security features (and HW test without SW security features)
- Solution: Automatized Fault Attack Emulation
Slide 7: Introduction (1/2): Emulation
- Mapping of the smart card functionality to an FPGA
- The emulation resembles the behavior of the final device very accurately
- Extensible with respect to fault emulation
- Real-time emulation performance
- On-line debugging; on-line register and memory examination
- Standard SW development tools; easy to use
Platform: Rapid FPGA Prototyping Platform, Tanto2-FPGA system, http://www.hitex.com
Slide 8: Introduction (2/2): POWER-MODES (1) vision
- Flexible and fast fault emulator
- Whole-system evaluation for fault attack vulnerability: software, hardware, operating system
- Saboteur-based attack method
- Automatized VHDL code base adaptation
- Automatized result evaluation
- Austria Card ACOS operating system
(1) POWer EmulatoR and MOdel based DEpendability and Security evaluation platform, funded by the Austrian Federal Ministry for Transport, Innovation, and Technology under the FIT-IT contract FFG 825749. Project partners: Infineon Technologies Austria AG and Austria Card.
Slide 10: Related Work (1/2): Fault injection mechanisms
- Simulation [Jenn1994, Velazco2001, Rothbart2004]: slow, but flexible
- Physical test [Karlsson1995]: late in the design phase, expensive
- Emulation [Bayar2008, Kenterlis2006, Kafka2008, Sterpone2007, Sonza2006, Baraza2005, Leveugle2000]: fast, low-cost compared to physical tests, a compromise between cost and flexibility, usable early in the design phase
Slide 11: Related Work (2/2): Fault emulation methods
- Partial reconfiguration [Bayar2008, Kenterlis2006, Kafka2008, Sterpone2007, Sonza2006]: runtime adaptation of LUTs; requires specialized FPGA devices
- Mutants, i.e. VHDL modification of modules [Baraza2005, Leveugle2000]: requires pre-modified modules for every fault scenario
- Saboteurs, i.e. VHDL modules inserted into signal lines [Baraza2005, Leveugle2000]: very flexible if supported by automatized placement
- Common Criteria certification process: [JIL2009], [CCEVS2005]
Slide 13: Autom. Fault Attack Emulation (1/5): Architecture
- Host PC: fault injection flow control
- Attack database: storage of the different attack scenarios
- Fault injection controller: saboteur management
- Saboteurs: single-bit type, bus type, port type
- Saboteur interface: saboteur <-> fault injection controller connection
Slide 14: Autom. Fault Attack Emulation (2/5): What are saboteurs?
- Modules which can disturb signals, placed between the signal source and its sink
- Advantages: definable, detailed attacks; full control over the signal; flexibility; applicable to both security and dependability evaluations
- Attack patterns: specification of the fault location; mapping of the physical location to the logical location
Slide 15: Autom. Fault Attack Emulation (3/5): Flow
- Fault emulation initialization: attack time, attack type, memory address, attack scenario
- Result evaluation: output, memory
- Report generation
- Repeat until all addresses and all points in time are tested
Slide 16: Autom. Fault Attack Emulation (4/5): Attack on security-relevant regions
- Memory regions and time windows
- Calculation example: some 100 addresses; 20-50 ms for one command, of which ~1 ms is interesting; ~1M attack scenarios; at 1 s per attack that is 11.6 days
- Long-time tests
- Attack granularity refinement
- Information gain for real-chip testing
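The flow on slides 13 to 16, as an added worked example in Python (not POWER-MODES code and not the Tanto2 platform): a toy smart card PIN-verify command over a constructed memory image, a bus-type saboteur on the memory read-data lines between source and sink, and a controller that sweeps address x cycle x bit and classifies every run from the status word and the final memory image. It also shows the "SW test without HW security features" idea from slide 5 by running the same campaign with a software countermeasure (redundant PIN compare) switched on and off, and ends with the slide 16 scenario-count arithmetic. The memory layout, status codes, the countermeasure and the 10 MHz clock are assumptions.

```python
# Saboteur-based fault attack emulation campaign, modelled in Python.
# Added example, not POWER-MODES code; layout, status codes and countermeasure are hypothetical.
from dataclasses import dataclass
from itertools import product

PIN_ADDR, TRY_ADDR, STATUS_ADDR = 0x10, 0x14, 0x15    # 4-byte PIN, retry counter, status word
MAX_TRIES = 3
ST_OK, ST_FAIL, ST_BLOCKED, ST_DETECTED = 0x90, 0x63, 0x69, 0xDE
GOLDEN_IMAGE = {PIN_ADDR: 1, PIN_ADDR + 1: 2, PIN_ADDR + 2: 3, PIN_ADDR + 3: 4,
                TRY_ADDR: MAX_TRIES, STATUS_ADDR: 0}       # constructed memory image
WRONG_PIN = [1, 2, 3, 5]        # attacker's guess: one bit away from the stored PIN

@dataclass
class Saboteur:
    """Single-bit saboteur on the read-data bus; addr = -1 means idle."""
    addr: int = -1
    cycle: int = -1
    bit: int = 0
    hits: int = 0

    def pass_through(self, cycle: int, addr: int, value: int) -> int:
        if cycle == self.cycle and addr == self.addr:
            self.hits += 1
            return value ^ (1 << self.bit)       # the only point where the signal is disturbed
        return value

class Device:
    """Toy core plus memory; every load passes through the saboteur."""
    def __init__(self, saboteur: Saboteur, sw_countermeasure: bool):
        self.mem, self.sab, self.sw_cm, self.cycle = dict(GOLDEN_IMAGE), saboteur, sw_countermeasure, 0

    def load(self, addr: int) -> int:
        value = self.sab.pass_through(self.cycle, addr, self.mem.get(addr, 0))
        self.cycle += 1
        return value

    def compare_pin(self, candidate) -> bool:
        mismatch = 0                 # no short-circuit: always 4 loads, so the cycle schedule is fixed
        for i in range(4):
            mismatch |= self.load(PIN_ADDR + i) != candidate[i]
        return mismatch == 0

    def verify_pin(self, candidate) -> int:
        tries = self.load(TRY_ADDR)                           # cycle 0
        if tries == 0:
            self.mem[STATUS_ADDR] = ST_BLOCKED
            return ST_BLOCKED
        self.mem[TRY_ADDR] = (tries - 1) & 0xFF
        ok = self.compare_pin(candidate)                      # cycles 1-4
        if self.sw_cm and ok != self.compare_pin(candidate):  # cycles 5-8: redundant compare
            self.mem[STATUS_ADDR] = ST_DETECTED               # passes disagree: transient fault caught
            return ST_DETECTED
        self.mem[STATUS_ADDR] = ST_OK if ok else ST_FAIL
        return self.mem[STATUS_ADDR]

def run(scenario, sw_cm: bool):
    """One emulation run; scenario = (addr, cycle, bit), or None for the golden run."""
    sab = Saboteur(*scenario) if scenario else Saboteur()
    dev = Device(sab, sw_cm)
    status = dev.verify_pin(WRONG_PIN)
    return status, dev.mem, dev.cycle, sab.hits

def classify(status, mem, hits, golden_status, golden_mem) -> str:
    if hits == 0:
        return "not hit"        # that address was not on the bus in that cycle
    if status == ST_OK:
        return "bypass"         # wrong PIN accepted: the fault attack succeeded
    if status == ST_DETECTED:
        return "detected"       # software countermeasure caught the fault
    if status == golden_status and mem == golden_mem:
        return "no effect"
    return "corrupt"            # output as expected, but memory differs (e.g. retry counter)

def campaign(region, sw_cm: bool) -> dict:
    """Fault injection controller: sweep address x cycle x bit, tally, and report."""
    golden_status, golden_mem, n_cycles, _ = run(None, sw_cm)
    counts = {k: 0 for k in ("bypass", "detected", "corrupt", "no effect", "not hit")}
    report = []
    for addr, cycle, bit in product(region, range(n_cycles), range(8)):
        status, mem, _, hits = run((addr, cycle, bit), sw_cm)
        outcome = classify(status, mem, hits, golden_status, golden_mem)
        counts[outcome] += 1
        if outcome in ("bypass", "detected", "corrupt"):
            report.append((hex(addr), cycle, bit, outcome))
    return {"counts": counts, "report": report}

def campaign_days(n_addresses: int, window_s: float, clock_hz: float, s_per_attack: float = 1.0):
    """Slide 16 style estimate: one scenario per address per clock cycle of the window."""
    scenarios = n_addresses * round(window_s * clock_hz)
    return scenarios, scenarios * s_per_attack / 86400

if __name__ == "__main__":
    region = range(PIN_ADDR, STATUS_ADDR + 1)
    for cm in (True, False):
        res = campaign(region, cm)
        print(f"SW countermeasure {'on ' if cm else 'off'}: {res['counts']}", *res["report"], sep="\n    ")
    n, days = campaign_days(100, 1e-3, 10e6)     # 10 MHz clock is an assumption
    print(f"{n} scenarios at 1 s each: {days:.1f} days")
```

The tally separates scenarios the saboteur never hit (the address was not on the bus in that cycle) from runs that were hit and changed nothing; only the former can be dropped, and only the hit cycles need a finer sweep on the real chip, which is what slide 16 calls attack granularity refinement. With the countermeasure off, the single bit flip on the last PIN digit in cycle 4 turns a failed verify into an accepted one; with it on, the same flip is reported as detected.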
Slide 17: Autom. Fault Attack Emulation (5/5): Power emulation [Bachmann2010]
- Automatized control signal extraction, control signal weighting and accumulation: $P_{\text{estimated}}[t] = \sum_i c_i \, x_i[t]$
- Characterization using gate-level simulations and physical tests
- Information extraction from the power profile: emulate the power information available to an attacker
- Average error below 10%
[Figure: normalized power over normalized time, reference vs. estimated profile; source [Genser2009]]
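Power emulation as on this slide, as an added Python model (not the [Bachmann2010] or [Genser2009] implementation): characterization of the per-signal weights $c_i$ by least squares against a constructed stand-in for a gate-level power trace, the accumulation step $P_{\text{est}}[t] = \sum_i c_i x_i[t]$, the average-error check, and extraction of the high-power time slots that the conclusion names as the interesting windows (e.g. cryptographic calculations). Signal names, weights, the 100-cycle trace and the 0.5 threshold are assumptions.

```python
# Run-time power emulation from control signals, modelled in Python.
# Added example, not POWER-MODES code; signals, weights and trace are constructed.
T = 100   # cycles in the constructed trace

# Constructed per-cycle control signals x_i[t] of a toy core (1 = active).
CONTROL = {
    "clk_en":    [1] * T,
    "alu_en":    [1 if t % 3 == 0 else 0 for t in range(T)],
    "mem_rd":    [1 if t % 5 == 0 else 0 for t in range(T)],
    "crypto_en": [1 if 40 <= t < 60 else 0 for t in range(T)],   # crypto block busy
}
TRUE_WEIGHTS = [0.10, 0.10, 0.20, 0.50]   # hypothetical per-signal cost, normalized units

def gate_level_reference():
    """Stand-in for a gate-level power trace: the true linear cost plus a small
    deterministic disturbance, so the characterization is not trivially exact."""
    sigs = list(CONTROL.values())
    return [sum(w * s[t] for w, s in zip(TRUE_WEIGHTS, sigs)) + ((t * 7) % 11 - 5) * 0.001
            for t in range(T)]

def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a*x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x

def characterize(signals, reference):
    """Least-squares weights c: minimise sum_t (sum_i c_i x_i[t] - p[t])^2 via the
    normal equations (X^T X) c = X^T p."""
    n, length = len(signals), len(reference)
    xtx = [[sum(signals[i][t] * signals[j][t] for t in range(length)) for j in range(n)]
           for i in range(n)]
    xtp = [sum(signals[i][t] * reference[t] for t in range(length)) for i in range(n)]
    return solve(xtx, xtp)

def estimate(weights, signals):
    """Accumulation step of the emulator: P_est[t] = sum_i c_i * x_i[t]."""
    return [sum(c * x[t] for c, x in zip(weights, signals)) for t in range(len(signals[0]))]

def average_error(estimated, reference):
    return sum(abs(e - r) / r for e, r in zip(estimated, reference)) / len(reference)

def active_windows(profile, threshold):
    """Cycle ranges [start, end) whose estimated power exceeds threshold."""
    windows, start = [], None
    for t, p in enumerate(profile + [0.0]):   # trailing 0 closes an open window
        if p > threshold and start is None:
            start = t
        elif p <= threshold and start is not None:
            windows.append((start, t))
            start = None
    return windows

def run_power_emulation(threshold=0.5):
    sigs = list(CONTROL.values())
    ref = gate_level_reference()
    weights = characterize(sigs, ref)         # characterization phase
    est = estimate(weights, sigs)             # run-time emulation phase
    return weights, average_error(est, ref), active_windows(est, threshold)

if __name__ == "__main__":
    weights, err, windows = run_power_emulation()
    for name, c in zip(CONTROL, weights):
        print(f"{name:10s} c = {c:.3f}")
    print(f"average error vs reference: {err:.1%}")
    print("high-power windows (candidate attack time slots):", windows)
```

The windows returned are the cycles an attacker with a power trace would pick as injection times, which is exactly the information the emulator is meant to hand to the laboratory; on a real design the reference comes from gate-level simulation or measurement and the signal set is extracted automatically rather than listed by hand.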
Slide 19: Impact on Certification Flow (1/3): Smart card embedded SW development
- SW evaluation without activated HW security features
  - Evaluation of the SW security implementation
  - Automated verification of the SW countermeasure implementation, then replication of the tests on HW with enabled security features
- Testing security-relevant code is difficult (practical experience)
- Coding guideline verification, e.g. SW handling of memory manipulations, detection of program counter manipulations
- Replicable penetration tests
Slide 20: Impact on Certification Flow (2/3): Certification (penetration tests)
Advantages for the lab:
- Gain information for physical attacks: attack time, attack region (RAM, core, ...)
- No blocking of expensive laboratory equipment
- Enabling of parallel test scenarios
- Certain HW security features can be deactivated
Slide 21: Impact on Certification Flow (3/3): Use the emulator as an open sample / sample with known secrets
- Freely configurable hardware
- Internal values can be read out and manipulated: registers, memory, program counter
- Hardware security features can be deactivated: memory encryption, fault detection mechanisms
- Manipulation of critical signals: fault detection mechanisms, crypto calculation
- Freely definable software load
- Debugging is possible: get the memory location of critical code
Slide 23: Conclusion (1/3): SW development view
- Test security features; verification of coding guidelines
- Allows debugging of the SW
- Open sample approach: specific deactivation of HW security features; allows testing the SW on the HW and manipulating HW features
- Run-time power estimation: extract interesting time slots, e.g. cryptographic calculations
Slide 24: Conclusion (2/3)
- Provides information for real-chip certification: attack time, attack region (RAM, core, crypto, ...)
- Speed-up of the security evaluation: simple tests can already be performed during SW development and provide information for the real tests
- Test of countermeasures
- Detailed attack result evaluation by memory analysis
- Enabling of complex fault attack scenarios
Slide 25: Conclusion (3/3): Future work
- More detailed result evaluation
- Multiple FPGA configurations for parallel emulation
- Automatic increase of the test granularity at critical regions
Slide 26: Q&A
Thanks for your attention! Questions?
Slide 27: References
[Arden2010] W. Arden, M. Brillouët, P. Cogez, M. Graef, B. Huizing, R. Mahnkopf, "More-than-Moore," ITRS, 2010.
[Jenn1994] E. Jenn, J. Arlat, M. Rimen, J. Ohlsson, J. Karlsson, "Fault injection into VHDL models: the MEFISTO tool," in Proc. 24th Int. Symp. on Fault-Tolerant Computing (FTCS-24), Digest of Papers, 1994, pp. 66-75.
[Velazco2001] R. Velazco, R. Leveugle, O. Calvo, "Upset-like fault injection in VHDL descriptions: A method and preliminary results," in Proc. IEEE Int. Symp. on Defect and Fault Tolerance in VLSI Systems, 2001, pp. 259-267.
[Rothbart2004] K. Rothbart, U. Neffe, C. Steger, R. Weiss, E. Rieger, A. Muehlberger, "High level fault injection for attack simulation in smart cards," in Proc. 13th Asian Test Symp., 2004, pp. 118-121.
[Karlsson1995] J. Karlsson, P. Folkesson, "Application of three physical fault injection techniques to the experimental assessment of the MARS architecture," IEEE Computer Society Press, 1995, pp. 267-287.
[Bayar2008] S. Bayar, A. Yurdakul, "Self-reconfiguration on Spartan-III FPGAs with compressed partial bitstreams via a parallel configuration access port (cPCAP) core," in Proc. Ph.D. Research in Microelectronics and Electronics (PRIME 2008), 2008, pp. 137-140.
[Kenterlis2006] P. Kenterlis, N. Kranitis, A. Paschalis, D. Gizopoulos, M. Psarakis, "A low-cost SEU fault emulation platform for SRAM-based FPGAs," in Proc. 12th IEEE Int. On-Line Testing Symp. (IOLTS 2006), 2006.
[Kafka2008] L. Kafka, "Analysis of applicability of partial runtime reconfiguration in fault emulator in Xilinx FPGAs," in Proc. 11th IEEE Workshop on Design and Diagnostics of Electronic Circuits and Systems (DDECS 2008), IEEE Computer Society, 2008, pp. 1-4.
[Sterpone2007] L. Sterpone, M. Violante, "A new partial reconfiguration-based fault-injection system to evaluate SEU effects in SRAM-based FPGAs," IEEE Transactions on Nuclear Science, vol. 54, no. 4, pp. 965-970, 2007.
[Sonza2006] M. Sonza Reorda, L. Sterpone, M. Violante, M. Portela-Garcia, C. Lopez-Ongil, L. Entrena, "Fault injection-based reliability evaluation of SoPCs," in Proc. 11th IEEE European Test Symp. (ETS 2006), 2006, pp. 75-82.
[Baraza2005] J. C. Baraza, J. Gracia, D. Gil, P. J. Gil, "Improvement of fault injection techniques based on VHDL code modification," in Proc. 10th IEEE Int. High-Level Design Validation and Test Workshop, 2005, pp. 19-26.
[Leveugle2000] R. Leveugle, "Fault injection in VHDL descriptions and emulation," in Proc. IEEE Int. Symp. on Defect and Fault Tolerance in VLSI Systems, 2000, pp. 414-419.
[Grinschgl2011] J. Grinschgl, A. Krieg, C. Steger, R. Weiss, H. Bock, J. Haid, "Modular fault injector for multiple fault dependability and security evaluations," in DSD 2011, in press.
[Pohl2010] C. Pohl, R. Fuest, M. Porrmann, "vMAGIC: automatic code generation for VHDL," Newsletter edacentrum, vol. 2, pp. 7-10, Jul. 2010.
[Pellegrini2010] A. Pellegrini, V. Bertacco, T. Austin, "Fault-based attack of RSA authentication," in Proc. Design, Automation & Test in Europe Conf. & Exhibition (DATE), 2010, pp. 855-860.
[Bachmann2010] C. Bachmann, A. Genser, C. Steger, R. Weiss, J. Haid, "Automated power characterization for run-time power emulation of SoC designs," in DSD 2010, 2010, pp. 587-594.
[Genser2009] A. Genser, C. Bachmann, J. Haid, C. Steger, R. Weiss, "An emulation-based real-time power profiling unit for embedded software," in SAMOS 2009, 2009, pp. 67-73.
[JIL2009] Joint Interpretation Library, "Application of Attack Potential to Smartcards," 2009, available online at https://www.bsi.bund.de
[CCEVS2005] National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme, "Common Criteria Evaluation and Validation Scheme Validation Report," 2005, available online at http://www.commoncriteriaportal.org/files/epfiles/st_vid10023-vr.pdf