Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. O’Donnell, Ishan Sachdev,

Published byMelvyn Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. O’Donnell, Ishan Sachdev,"— Presentation transcript:

1 1 Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. O’Donnell, Ishan Sachdev, and Srinivas Devadas Massachusetts Institute of Technology

2 2 New Security Challenges Computing devices are becoming distributed, unsupervised, and physically exposed –Computers on the Internet (with untrusted owners) –Embedded devices (cars, home appliances) –Mobile devices (cell phones, PDAs, laptops) Attackers can physically tamper with devices –Invasive probing –Non-invasive measurement –Install malicious software Software-only protections are not enough

3 3 Distributed Computation How can we “trust” remote computation? Example: Distributed Computation on the Internet (SETI@home, etc.) DistComp() { x = Receive(); result = Func(x); Send(result); } Receive() { … } Send(…) { … } Func(…) { … } Need a secure platform –Authenticate “itself (device)” –Authenticate “software” –Guarantee the integrity and privacy of “execution”

4 4 Existing Approaches Sensors to detect attacks Expensive Continually battery-powered Tamper-Proof Package: IBM 4758 Trusted Platform Module (TPM) A separate chip (TPM) for security functions Decrypted “secondary” keys can be read out from the bus

5 5 Our Approach Build a secure computing platform with only trusting a “single-chip” processor (named AEGIS) Protected Environment Memory I/O Security Kernel (trusted part of an OS) A single chip is easier and cheaper to protect The processor authenticates itself, identifies the security kernel, and protects off-chip memory Protect Identify

6 6 Contributions Physical Random Functions (PUFs) –Cheap and secure way to authenticate the processor Architecture to minimize the trusted code base –Efficient use of protection mechanisms –Reduce the code to be verified Integration of protection mechanisms –Additional checks in MMU –Off-chip memory encryption and integrity verification (IV) Evaluation of a fully-functional RTL implementation –Area Estimate –Performance Measurement

7 7 Physical Random Function (PUF – Physical Unclonable Function)

8 8 Problem EEPROM/ROM Processor Probe Adversaries can physically extract secret keys from EEPROM while processor is off Trusted party must embed and test secret keys in a secure location EEPROM adds additional complexity to manufacturing Storing digital information in a device in a way that is resistant to physical attacks is difficult and expensive.

9 9 Our Solution: Physical Random Functions (PUFs) Generate keys from a complex physical system Security Advantage –Keys are generated on demand  No non-volatile secrets –No need to program the secret –Can generate multiple master keys What can be hard to predict, but easy to measure? Physical System Processor Challenge (c-bits) configure characterize Response (n-bits) Use as a secret Can generate many secrets by changing the challenge Hard to fully characterize or predict

10 10 Silicon PUF – Concept Because of random process variations, no two Integrated Circuits even with the same layouts are identical –Variation is inherent in fabrication process –Hard to remove or predict –Relative variation increases as the fabrication process advances Experiments in which identical circuits with identical layouts were placed on different ICs show that path delays vary enough across ICs to use them for identification. Combinatorial Circuit Challenge c-bits Response n-bits

11 11 A (Simple) Silicon PUF [VLSI’04] Each challenge creates two paths through the circuit that are excited simultaneously. The digital response of 0 or 1 is based on a comparison of the path delays by the arbiter We can obtain n-bit responses from this circuit by either duplicate the circuit n times, or use n different challenges Only use standard digital logic  No special fabrication … c-bit Challenge Rising Edge 1 if top path is faster, else 0 DQ 1 1 0 0 1 1 0 0 1 1 0 0 101001 01 G

12 12 PUF Experiments Fabricated 200 “identical” chips with PUFs in TSMC 0.18  on 5 different wafer runs Security –What is the probability that a challenge produces different responses on two different PUFs? Reliability –What is the probability that a PUF output for a challenge changes with temperature? –With voltage variation?

13 13 Inter-Chip Variation Apply random challenges and observe 100 response bits Measurement noise for Chip X = 0.9 bits Distance between Chip X and Y responses = 24.8 bits Can identify individual ICs

14 14 Environmental Variations What happens if we change voltage and temperature? Measurement noise at 125C (baseline at 20C) = 3.5 bits Measurement noise with 10% voltage variation = 4 bits Even with environmental variation, we can still distinguish two different PUFs

15 15 Reliable PUFs PUF n Challenge PUFs can be made more secure and reliable by adding extra control logic c Response k One-Way Hash Function New Response Hash function (SHA-1,MD5) precludes PUF “model-building” attacks since, to obtain PUF output, adversary has to invert a one-way function Syndrome BCH Encoding n - k Error Correcting Code (ECC) can eliminate the measurement noise without compromising security BCH Decoding Syndrome For calibrationFor Re-generation

16 16 Architecture Overview

17 17 Authentication The processor identifies security kernel by computing the kernel’s hash (on the l.enter.aegis instruction) –Similar to ideas in TCG TPM and Microsoft NGSCB –Security kernel identifies application programs H(SKernel) is used to produce a unique key for security kernel from a PUF response (l.puf.secret instruction) –Security kernel provides a unique key for each application Message Authentication Code (MAC)  A server can authenticate the processor, the security kernel, and the application Application (DistComp) Security Kernel H(SKernel) H(App)

18 18 Protecting Program State Memory Encryption [MICRO36][Yang 03] –Counter-mode encryption Integrity Verification [HPCA’03,MICRO36,IEEE S&P ’05] –Hash trees Processor External Memory write read INTEGRITY VERIFICATION ENCRYPT / DECRYPT On-chip registers and caches –Security kernel handles context switches and permission checks in MMU

19 19 A Simple Protection Model How should we apply the authentication and protection mechanisms? What to protect? –All instructions and data –Both integrity and privacy What to trust? –The entire program code –Any part of the code can read/write protected data Program Code (Instructions) Initialized Data (.rodata,.bss) Uninitialized Data (stack, heap) Memory Space Encrypted & Integrity Verified Hash  Program Identity

20 20 What Is Wrong? Large Trusted Code Base –Difficult to verify to be bug-free –How can we trust shared libraries? Applications/functions have varying security requirements –Do all code and data need privacy? –Do I/O functions need to be protected?  Unnecessary performance and power overheads Architecture should provide flexibility so that software can choose the minimum required trust and protection

21 21 Distributed Computation Example Obtaining a secret key and computing a MAC –Need both privacy and integrity Computing the result –Only need integrity Receiving the input and sending the result (I/O) –No need for protection –No need to be trusted DistComp() { x = Receive(); result = Func(x); key = get_puf_secret(); mac = MAC(x,result,key); Send(result,mac); }

22 22 AEGIS Memory Protection Architecture provides five different memory regions –Applications choose how to use Static (read-only) –Integrity verified –Integrity verified & encrypted Dynamic (read-write) –Integrity verified –Integrity verified & encrypted Unprotected Only authenticate code in the verified regions Memory Space Static Verified Dynamic Encrypted Dynamic Verified Static Encrypted Unprotected Receive(), Send() Receive(), Send() data Func(), MAC() Func() data MAC() data

23 23 Suspended Secure Processing (SSP) Two security levels within a process –Untrusted code such as Receive() and Send() should have less privilege Architecture ensures that SSP mode cannot tamper with secure processing –No permission for protected memory –Only resume secure processing at a specific point STD TE/PTR SSP Start-up Secure Modes Insecure (untrusted) Modes Compute Hash Suspend Resume

24 24 Implementation & Evaluation

25 25 Implementation Fully-functional system on an FPGA board –AEGIS (Virtex2 FPGA), Memory (256MB SDRAM), I/O (RS-232) –Based on openRISC 1200 (a simple 4-stage pipelined RISC) –AEGIS instructions are implemented as special traps Processor (FPGA) External Memory RS-232

26 26 Area Estimate Synopsys DC with TSMC 0.18u lib New instructions and PUF add 30K gates, 2KB mem (1.12x larger) Off-chip protection adds 200K gates, 20KB memory (1.9x larger total) The area can be further optimized Core I-Cache (32KB) 0.512mm 2 1.815mm 2 D-Cache (32KB) 2.512mm 2 I/O (UART, SDRAM ctrl, debug unit) 0.258mm 2 IV Unit (5 SHA-1) 1.075mm 2 Encryption Unit (3 AES) 0.864mm 2 Cache (16KB) 1.050mm 2 0.086mm 2 Cache (4KB) 0.504mm 2 Code ROM (11KB) 0.138mm 2 Scratch Pad (2KB) 0.261mm 2 PUF 0.027mm 2

27 27 Performance Slowdown Performance overhead comes from off-chip protections Synthetic benchmark –Reads 4MB array with a varying stride –Measures the slowdown for a varying cache miss-rate Slowdown is reasonable for realistic miss-rates –Less than 20% for integrity –5-10% additional for encryption D-Cache miss-rate Slowdown (%) Integrity Integrity + Privacy 6.25%3.88.3 12.5%18.925.6 25%31.540.5 50%62.180.3 100%130.0162.0

28 28 EEMBC/SPEC Performance 5 EEMBC kernels and 1 SPEC benchmark EEMBC kernels have negligible slowdown –Low cache miss-rate –Only ran 1 iteration SPEC twolf also has reasonable slowdown Benchmark Slowdown (%) Integrity Integrity + Privacy routelookup 0.00.3 ospf 0.23.3 autocor 0.11.6 conven 0.11.3 fbital 0.00.1 twolf (SPEC) 7.115.5

29 29 Related Projects XOM (eXecution Only Memory) –Stated goal: Protect integrity and privacy of code and data –Operating system is completely untrusted –Memory integrity checking does not prevent replay attacks –Privacy enforced for all code and data TCG TPM / Microsoft NGSCB / ARM TrustZone –Protects from software attacks –Off-chip memory integrity and privacy are assumed AEGIS provides “higher security” with “smaller Trusted Computing Base (TCB)”

30 30 Summary Physical attacks are becoming more prevalent –Untrusted owners, physically exposed devices –Requires secure hardware platform to trust remote computation The trusted computing base should be small to be secure and cheap –Hardware: single-chip secure processor Physical random functions Memory protection mechanisms –Software: suspended secure processing Initial overheads of the AEGIS single-chip secure processor is promising

31 31 Questions? More information on www.csg.csail.mit.edu

Download ppt "1 Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. O’Donnell, Ishan Sachdev,"

Similar presentations

Trusted Design In FPGAs

Trusted Design In FPGAs
Vpn-info.com.

Vpn-info.com.
Apr. 20, 2001VLSI Test: Bushnell-Agrawal/Lecture 311 Lecture 31 System Test n Definition n Functional test n Diagnostic test  Fault dictionary  Diagnostic.

Apr. 20, 2001VLSI Test: Bushnell-Agrawal/Lecture 311 Lecture 31 System Test n Definition n Functional test n Diagnostic test  Fault dictionary  Diagnostic.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,
1 SECURE-PARTIAL RECONFIGURATION OF FPGAs MSc.Fisnik KRAJA Computer Engineering Department, Faculty Of Information Technology, Polytechnic University of.

1 SECURE-PARTIAL RECONFIGURATION OF FPGAs MSc.Fisnik KRAJA Computer Engineering Department, Faculty Of Information Technology, Polytechnic University of.
Lecture10 – More on Physically Unclonable Functions (PUFs)

Lecture10 – More on Physically Unclonable Functions (PUFs)
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
Trusted Design In FPGAs Steve Trimberger Xilinx Research Labs.

Trusted Design In FPGAs Steve Trimberger Xilinx Research Labs.
Implementing an Untrusted Operating System on Trusted Hardware.

Implementing an Untrusted Operating System on Trusted Hardware.
1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.

1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.
Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.

Accountability in Hosted Virtual Networks Eric Keller, Ruby B. Lee, Jennifer Rexford Princeton University VISA 2009.
Physical Unclonable Functions

Physical Unclonable Functions
Microprocessor or Microcontroller Not just a case of “you say tomarto and I say tomayto” M. Smith, ECE University of Calgary, Canada.

Microprocessor or Microcontroller Not just a case of “you say tomarto and I say tomayto” M. Smith, ECE University of Calgary, Canada.
 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.

 Alexandra Constantin  James Cook  Anindya De Computer Science, UC Berkeley.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
1 ISENET: Integrated Security for the Expanded Internet Gookwon Edward Suh Massachusetts Institute of Technology.

1 ISENET: Integrated Security for the Expanded Internet Gookwon Edward Suh Massachusetts Institute of Technology.
Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.

Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.
What is memory? Memory is used to store information within a computer, either programs or data. Programs and data cannot be used directly from a disk or.

What is memory? Memory is used to store information within a computer, either programs or data. Programs and data cannot be used directly from a disk or.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Similar presentations

Ads by Google