Technische Universität München
Secure Embedded Systems: a Prerequisite for Cyber-Physical Systems and the Internet of Things
General Meeting of EIKON e.V.
26 February 2014
Prof. Dr.-Ing. Georg Sigl
Chair of Security in Information Technology, Technische Universität München
Fraunhofer Institute for Applied and Integrated Security AISEC
Content
• Attack examples on embedded systems
• Future secure embedded systems
• Testing embedded systems' security
• Security research in Munich
ATTACKS ON EMBEDDED SYSTEMS
FUTURE SECURE EMBEDDED SYSTEMS
Requirements for future secure embedded systems
1. Security for more than 10 years (target 30 years)
2. Secure machine to machine communication (M2M)
3. Protection of embedded systems against manipulation and misuse
4. Fulfillment of typical non-functional requirements, e.g.:
– Real-time behavior
– Resource limitations (cost, power)
5. Maintain security despite increasing complexity
6. Protection of intellectual property
7. Secure software update during operation
Secure embedded system
(Figure: block diagram of a System on Chip with Core 1 ... Core n, RAM, Flash, IO interfaces and peripherals, a Hardware Security Module, chip IDs, a sensor and an actuator, SIM/GSM, and a Trust OS; an M2M link connects it to another System on Chip.)
Secure embedded system: Chip Identities
(Same block diagram as above, highlighting the chip IDs.)
IDs for Hardware
• Binding of components
– Authentication
– Integrity checking
• Piracy protection
– Encryption with derived keys
• Methods
– Physical Unclonable Functions (PUF): fingerprint of a chip
– Fuses (electric or laser)
– Flash memory
PUFs as security primitive
(Figure: a "unique" physical property + a measurement method = a Physical Unclonable Function (PUF); the PUF in turn is used for authentication and key generation.)
Ring Oscillator PUF (Suh and Devadas, 2007)*
• Ring oscillator frequencies depend on manufacturing variations
• Two ROs are compared to obtain a response bit
* G. E. Suh and S. Devadas. Physical unclonable functions for device authentication and secret key generation. Design Automation Conference, 2007. DAC '07. 44th ACM/IEEE, pages 9–14, 2007.
SRAM PUF (Guajardo et al., 2007)*
• Symmetric circuit balance influenced by manufacturing variations
• SRAM cells show a random, but stable value after power-up
* J. Guajardo, S. S. Kumar, G. J. Schrijen, and P. Tuyls. FPGA intrinsic PUFs and their use for IP protection. In CHES 2007, volume 4727 of LNCS, pages 63–80. Springer, 2007.
Automotive ECUs today and in future
(Figure: two microcontroller block diagrams.)
• Today: microcontroller with CPU and embedded flash (NVM) holding the key and the application code. Embedded flash availability: 65 nm √, 40 nm √, 28 nm ? (open).
• Future: microcontroller in a plain logic process with a PUF and RAM (key, application code) plus external flash holding encrypted code/data.
+ Shrinkable
+ Lower cost
+ Higher performance
Alternatives to PUF based key generation
• Fuses
– Electrical
• Reliability: weak
– Laser
• Size: very large
• Security: easy to identify and modify
• OTP (one time programmable memory)
– Cost: comparison with PUF technology open
– Security: memory cells easier to detect, extract and modify
– Programming of the key during test increases test complexity
(Figure: microcontroller with RAM, key, application code and CPU, plus external flash with encrypted code/data, as on the previous slide.)
Reliability of PUFs
• Critical parameters:
– Temperature
– Voltage
– Ageing
• Countermeasures:
– Differential measurement
– Redundancy: selection of reliable bits (1000 PUF bits → 100 key bits)
– Proper design: design and design parameters must consider the behavior under temperature and voltage variations as well as ageing (as for any other circuit design)
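The two countermeasures above (differential measurement, selection of reliable bits) can be tried out on a simulated ring oscillator PUF. The following Python is an added example, not code from the talk or from the cited papers. Every constant in it is an assumption chosen to mimic the qualitative picture on the slides rather than a measured value: a 100 MHz nominal frequency with 1 MHz manufacturing spread per oscillator, a linear temperature coefficient around -20 kHz/°C with a small per-oscillator spread, 50 kHz measurement noise, and the corners -40/25/150 °C.

```python
"""Simulated ring-oscillator (RO) PUF with temperature drift and noise, and
selection of reliable response bits.  Added example; every constant below is
an assumption chosen to mimic the slide's qualitative picture, not a measured
value."""
import random

TEMPS_C = (-40, 25, 150)         # corners from the frequency-behaviour slide
F_NOMINAL = 100e6                # RO frequencies around 100 MHz (slide)
SIGMA_MFG = 1e6                  # assumed manufacturing spread per RO
TC_MEAN, SIGMA_TC = -20e3, 2e3   # assumed drift in Hz per degC, and its per-RO spread
SIGMA_NOISE = 50e3               # assumed voltage/jitter noise per measurement


class ROPUF:
    """One simulated chip: per-RO parameters are drawn once (the 'fingerprint'),
    every frequency read adds fresh measurement noise."""

    def __init__(self, n_osc, seed):
        rng = random.Random(seed)
        self.f0 = [F_NOMINAL + rng.gauss(0, SIGMA_MFG) for _ in range(n_osc)]
        self.tc = [TC_MEAN + rng.gauss(0, SIGMA_TC) for _ in range(n_osc)]
        self._noise = random.Random(seed + 1)

    def freq(self, i, temp_c):
        """Noisy frequency of RO i at temperature temp_c (linear drift model)."""
        drift = self.tc[i] * (temp_c - 25)
        return self.f0[i] + drift + self._noise.gauss(0, SIGMA_NOISE)

    def response(self, pairs, temp_c):
        """Differential measurement: one bit per RO pair, 1 if f_a > f_b.
        Common-mode drift cancels; only the per-RO difference remains."""
        return [int(self.freq(a, temp_c) > self.freq(b, temp_c)) for a, b in pairs]


def disjoint_pairs(n_osc):
    """Compare neighbours (0,1), (2,3), ...: disjoint pairs give independent bits."""
    return [(i, i + 1) for i in range(0, n_osc - 1, 2)]


def select_reliable_bits(puf, pairs, temps=TEMPS_C, reads=5):
    """Enrol at 25 degC, then re-read every pair several times at each corner and
    keep only bits that never flipped.  Returns (enrolment bits, kept indices).
    The kept indices are public helper data: they reveal which pairs are used,
    not the bit values."""
    enrol = puf.response(pairs, 25)
    stable = [True] * len(pairs)
    for temp in temps:
        for _ in range(reads):
            for k, bit in enumerate(puf.response(pairs, temp)):
                if bit != enrol[k]:
                    stable[k] = False
    return enrol, [k for k, ok in enumerate(stable) if ok]


def reproduce_key(puf, pairs, reliable, temp_c):
    """Field reproduction: read only the selected pairs at the current temperature."""
    return puf.response([pairs[k] for k in reliable], temp_c)


def count_mismatches(key, key_ref):
    """Residual errors after selection, i.e. what an error corrector still has to fix."""
    return sum(a != b for a, b in zip(key, key_ref))


if __name__ == "__main__":
    pairs = disjoint_pairs(2000)                  # 1000 raw PUF bits
    chip = ROPUF(2000, seed=7)
    enrol, reliable = select_reliable_bits(chip, pairs)
    key_ref = [enrol[k] for k in reliable]
    print(f"{len(pairs)} raw bits, {len(reliable)} survived all corners")
    for temp in TEMPS_C:
        key = reproduce_key(chip, pairs, reliable, temp)
        print(f"{temp:5d} degC: {count_mismatches(key, key_ref)} of {len(key)} key bits flipped")
```

Two things are worth noticing when running it. Selection removes most, but not all, unstable bits: a pair that happened to survive every enrolment read can still flip on a later read at a corner, so an error corrector is still needed after selection. And the helper data produced here is only the list of kept pair indices; it tells an observer which comparisons are used, not what they evaluate to.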
Frequency behavior of an oscillator PUF
(Figure: frequency f of Osc 1 to Osc 6 plotted over temperature from -40 °C through 25 °C to 150 °C. Pairs whose curves keep their order over the whole range give good bits; pairs whose curves cross are unstable. Critical: uniqueness may be compromised.)
State of the Art in error correction
• Existing error correctors all work on a fixed block structure, e.g. IBS (Yu and Devadas, 2010)*
• Goal: find one white and one black square (one reliable 1 and one reliable 0) in each block of four
• Helper data store the indices of the selected bits
(Figure: PUF response drawn as a row of squares marked reliable 1, reliable 0 or unreliable, with block borders every four bits; helper data give the index of the selected bit per block, e.g. u1=1, u2=? (no suitable bit in that block), u3=3; the selected bits carry the encoded key bits.)
* M.-D. Yu and S. Devadas. Secure and robust error correction for physical unclonable functions. IEEE Design & Test of Computers, vol. 27, no. 1, pp. 48–65, 2010.
Differential Sequence Coding*
• No fixed block borders
• Helper data store the distance to the next selected bit and an inversion indicator
• Larger blocks of unreliable bits can be skipped
• Most efficient error correction scheme known to date
(Figure: PUF response with the selected bits marked; per encoded key bit the helper data hold a distance and an inversion flag.)
* M. Hiller, M. Weiner, L. Rodrigues Lima, M. Birkner and G. Sigl. Breaking through Fixed PUF Block Limitations with Differential Sequence Coding and Convolutional Codes. TrustED, 2013.
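The helper-data constructions of the two preceding slides, fixed-block index selection (IBS) and Differential Sequence Coding, can be compared on one small response. The following Python is an added example, not code from the cited papers: the 24-bit PUF response, its reliability mask and the key bits are constructed to resemble the slide figures, and the IBS encoder is the simplified hard-decision form the slide describes (one index per block of four), not the soft-decision scheme of the original paper.

```python
"""Helper-data construction for PUF key reproduction, as sketched on the IBS and
Differential Sequence Coding slides.  Both schemes pick only reliable PUF bits
and store *where* those bits are (never their values) as public helper data.
The response and reliability mask below are constructed, not measured."""

# Constructed example: value read at enrolment, and whether the bit stayed
# stable across temperature/voltage corners (1 = reliable, 0 = unreliable).
PUF_RESPONSE = [1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0]
RELIABLE     = [1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
CODE_BITS    = [1, 0, 0, 0, 1, 0]   # encoded key bits to be embedded


def ibs_encode(puf, reliable, code_bits, block=4):
    """Index-based selection on fixed blocks: key bit k is carried by one reliable
    PUF bit inside block k whose value equals the key bit.  Helper data = that
    index, or None when the block offers no suitable bit (the slide's 'u2=?')."""
    helper = []
    for k, c in enumerate(code_bits):
        lo, hi = k * block, (k + 1) * block
        idx = next((i for i in range(lo, hi) if reliable[i] and puf[i] == c), None)
        helper.append(idx)
    return helper


def ibs_decode(puf_read, helper):
    """Reproduce: read the indexed bit from a fresh (noisy) PUF response."""
    return [puf_read[i] if i is not None else None for i in helper]


def dsc_encode(puf, reliable, code_bits):
    """Differential Sequence Coding: no block borders.  For every key bit, walk
    forward to the next reliable PUF bit and store (distance skipped, inversion
    flag).  The inversion flag makes any reliable bit usable, so long runs of
    unreliable bits are simply skipped."""
    helper, pos = [], 0
    for c in code_bits:
        start = pos
        while pos < len(puf) and not reliable[pos]:
            pos += 1
        if pos == len(puf):
            raise ValueError("PUF response exhausted before all key bits were placed")
        helper.append((pos - start, puf[pos] ^ c))
        pos += 1
    return helper


def dsc_decode(puf_read, helper):
    """Reproduce by replaying the stored distances on a fresh response."""
    bits, pos = [], 0
    for dist, inv in helper:
        pos += dist
        bits.append(puf_read[pos] ^ inv)
        pos += 1
    return bits


def worst_case_read(puf, reliable):
    """Field re-measurement in which every unreliable bit has flipped."""
    return [b ^ (1 - r) for b, r in zip(puf, reliable)]


if __name__ == "__main__":
    noisy = worst_case_read(PUF_RESPONSE, RELIABLE)
    ibs_h = ibs_encode(PUF_RESPONSE, RELIABLE, CODE_BITS)
    dsc_h = dsc_encode(PUF_RESPONSE, RELIABLE, CODE_BITS)
    print("IBS helper (indices):  ", ibs_h)
    print("IBS reproduced:        ", ibs_decode(noisy, ibs_h))
    print("DSC helper (dist,inv): ", dsc_h)
    print("DSC reproduced:        ", dsc_decode(noisy, dsc_h))
```

On this response IBS cannot place two of the six key bits: block 1 contains no reliable bit at all, and block 2 contains only reliable ones. DSC places all six, skipping the six-bit unreliable run in one step (distance 6), and reproduces the key exactly even when every unreliable bit flips, because no unreliable bit is ever addressed. Note that neither helper array contains a key bit: indices, distances and inversion flags are safe to store in plain memory, which is the point of helper data.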
Secure embedded system: Secure Elements
(Same block diagram as above, highlighting the Secure Elements.)
Tasks of Secure Elements
• Key storage
• Asymmetric cryptography (signing and encryption)
• Session key generation
• Random number generation
• Access right check
• Integrity check
• Attestation
• Secure data storage
• Resistance against hardware attacks!
Secure Element in a vehicle
• In the BMBF project SEIS (Sicherheit in eingebetteten IP-basierten Systemen, "Security in embedded IP-based systems") AISEC integrated a Secure Element in a car.
(Figure: OEM server – Internet – Gateway with Secure Element.)
Secure Element in Smart Meter
• The BSI Protection Profile requires a Secure Element in the Smart Meter Gateway.
(Figure: Smart Meter Gateway architecture from the Protection Profile, with the Secure Element marked.)
Source: Protection Profile für das Gateway eines Smart Metering Systems (Protection Profile for the Gateway of a Smart Metering System); http://www.bsi.bund.de
Secure Elements in mobile phones
• SIM
• Security Chip
• Secure SD Card
(Figure: a phone with these three Secure Elements.)
TESTING EMBEDDED SYSTEMS' SECURITY
AISEC labs to test the security of systems
(Figure: lab areas Hardware, GSM, NFC, Mobile, App Test, Embedded.)
Attacks on PUF based key generation
• All PUFs are vulnerable to HW attacks:
– Probing/Forcing
– Fault Attacks
– Side Channel Attacks
• Attacking the physical system (ring oscillator frequencies): D. Merli, J. Heyszl, B. Heinz, D. Schuster, F. Stumpf, and G. Sigl. Localized Electromagnetic Analysis of RO PUFs. In Proceedings of Int. Symposium on Hardware-Oriented Security and Trust (HOST), June 2013. IEEE.
• Attacking the key extraction process: D. Merli, D. Schuster, F. Stumpf, and G. Sigl. Semi-invasive EM attack on FPGA RO PUFs and countermeasures. In 6th Workshop on Embedded Systems Security (WESS'2011), Taipei, Taiwan, October 2011. ACM. D. Merli, F. Stumpf, and G. Sigl. Protecting PUF error correction by codeword masking. Cryptology ePrint Archive, Report 2013/334, 2013.
RO PUF, EM Side-Channel Attack (Merli et al., 2011)*
• Identification of RO PUF frequencies through the EM side channel
(Figure annotation: RO frequencies around 100 MHz.)
* D. Merli, D. Schuster, F. Stumpf, and G. Sigl. Semi-invasive EM attack on FPGA RO PUFs and countermeasures. In 6th Workshop on Embedded Systems Security (WESS'2011), Taipei, Taiwan, October 2011. ACM.
RO PUF, EM Side-Channel Attack (Merli et al., 2011), continued
• RO PUF modelling by EM side channel of the frequency comparisons
(Figure: comparison pairs RO_1/RO_2 and RO_2/RO_3 as seen in the EM side channel.)
Side Channel Analysis: Electromagnetic Analysis
(Figure; no text on the slide.)
RO PUF, Localized EM Analysis (Merli et al., 2013)*
• Separation of the Ring Oscillator PUF measurement components is possible by EM analysis
• The RO frequency measurement can be observed step by step
• The full PUF model can be extracted
* D. Merli, J. Heyszl, B. Heinz, D. Schuster, F. Stumpf, and G. Sigl. Localized Electromagnetic Analysis of RO PUFs. In Proceedings of Int. Symposium on Hardware-Oriented Security and Trust (HOST), June 2013. IEEE.
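What "full PUF model" means for an RO PUF can be made concrete: once the individual oscillator frequencies are known, every comparison bit follows from the same rule the PUF itself applies. The following Python is an added example and not the attack code from the cited papers. It assumes a synthetic chip (100 MHz ± 1 MHz per oscillator) and models the outcome of the EM measurement as the true frequency plus a Gaussian estimation error of width sigma_est; how accurately a real localized EM analysis recovers each frequency is not something this simulation can tell you, so sigma_est is swept instead.

```python
"""Building an RO PUF model from leaked oscillator frequencies.  Added example;
the EM measurement is modelled as the true frequency plus a Gaussian estimation
error, and the chip frequencies are synthetic (100 MHz +/- 1 MHz)."""
import random
from itertools import combinations


def make_chip(n_osc, seed, f_nominal=100e6, sigma_mfg=1e6):
    """True RO frequencies of one simulated chip (assumed spread, not measured)."""
    rng = random.Random(seed)
    return [f_nominal + rng.gauss(0, sigma_mfg) for _ in range(n_osc)]


def comparison_bits(freqs):
    """Response bit for every RO pair a<b: 1 if f_a > f_b.  With n oscillators this
    is the full n(n-1)/2-bit model; any challenge that selects a pair is covered."""
    return {(a, b): int(freqs[a] > freqs[b])
            for a, b in combinations(range(len(freqs)), 2)}


def leaked_frequencies(freqs, sigma_est, seed=0):
    """Attacker's view: each RO frequency as recovered from the EM side channel,
    with an estimation error of standard deviation sigma_est (assumption)."""
    rng = random.Random(seed)
    return [f + rng.gauss(0, sigma_est) for f in freqs]


def prediction_accuracy(freqs, sigma_est, seed=0, min_gap=0.0):
    """Fraction of comparison bits the leaked-frequency model predicts correctly,
    counted over pairs whose true gap exceeds min_gap (min_gap > 0 restricts the
    count to the bits a designer would keep as 'reliable')."""
    truth = comparison_bits(freqs)
    model = comparison_bits(leaked_frequencies(freqs, sigma_est, seed))
    pairs = [p for p in truth if abs(freqs[p[0]] - freqs[p[1]]) > min_gap]
    if not pairs:
        return 0.0, 0
    hits = sum(truth[p] == model[p] for p in pairs)
    return hits / len(pairs), len(pairs)


if __name__ == "__main__":
    chip = make_chip(64, seed=3)        # 64 ROs -> 2016 comparison bits
    for sigma in (10e3, 200e3, 1e6):
        acc_all, n_all = prediction_accuracy(chip, sigma)
        acc_rel, n_rel = prediction_accuracy(chip, sigma, min_gap=500e3)
        print(f"sigma_est {sigma / 1e3:7.0f} kHz: all {n_all} bits {acc_all:.3f}, "
              f"{n_rel} reliable bits {acc_rel:.3f}")
```

Under these assumptions the attacker's errors concentrate on pairs whose frequencies lie close together, which are exactly the bits a reliability selection discards. Restricting the key to well-separated pairs therefore raises the model's accuracy on the bits that matter, so reliable-bit selection is a reliability measure, not a countermeasure against frequency leakage; the countermeasures belong on the measurement and comparison circuitry, as the cited papers discuss.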
Security Research in Munich
(Figure: the Fraunhofer Institute for Applied and Integrated Security (Claudia Eckert, Georg Sigl) between TU München Computer Science (Claudia Eckert, ~3000 students) and TU München Electrical Engineering (Georg Sigl, ~3000 students), with links to industry on both sides.)
AISEC key figures
• Employees: 2013 (current status): > 90
• Plans for further growth: 2014 > 110, 2015 > 150
• Financing (Fraunhofer model): up to 30% directly from the state, 70% third-party research projects
AISEC fields of expertise
• Embedded Security: trusted platforms (HW/SW co-design)
• Hardware Security: HSMs, side-channel, EM and fault analysis
• Product and know-how protection: PUF solutions, smart materials, firmware protection
• Mobile Security: trusted BYOD, app analysis tool, automotive security
• IP-based Networks: cloud networking, secure multi-party computation
• Digital Identity: attribute-based IDs, object IDs, web IDs