CAD-based Security, Cryptography, and Digital Rights Management Farinaz Koushanfar1, Miodrag Ptokonjak2 1ECE & CS Depts., Rice University 2CS Dept., UCLA
Strategic Objective Paradigm shift in the dominating design constraint [Ravi et al.TECS’04] Security Leakage Power DRM Privacy Sys. Security IPP Cryptography HW Authentication Dynamic Power Dominating Design Objective Frequency Area Year 1970 1980 1990 2000 2010
Knowledge and Results Transfer Design automation (DA) has been the premier enabler of IC design DA has often benefited from adopting techniques from other scientific and engineering fields Unique opportunity to have impact in other fields Design Auto. EC Info. Theory Stat. Logic/ Arch. Crypto SW Sec. OS Prob. Design Auto. Math CS Theory OR Logic/ Arch. Num. Anal. Stat. Mech. Bio. Prob.
Cryptography- and DA-based System Security Cryptography: versatile, creative and industrial-practice proven System security challenge Resiliency of crypto-systems against system attacks, such as physical attacks [e.g., Anderson and Kuhn] and side-channel attacks [e.g., Verbauwhede’s work] Cryptography is based on one-way difficult math tasks New security paradigm: difficult technological and design (synthesis and analysis) tasks Nature of the side-channels and physical attacks can be used for creating security mechanisms and protocols
Variability-based IC ID and Security Addition of circuitry exploiting manufacturing variability to generate unique ID for each IC using one mask Specialized process [Loftstrom et al., ISSCC’00; Maeda et al., Trans. ED’03] Threshold mismatches [Su et al., ISSCC’07] Variability-based delay for authentication and security [Prof. Devadas Group (MIT)] Physically Unclonable Functions (PUFs) map a set of challenges to a set of responses Authentication occurs when the IC correctly finds the output of challenge inputs Solely use variability as the security mechanism Roy and Asenov, Science, 2005 Friedberg et al., ISQED, 2005
Example: Active HW Metering NB Example: Active HW Metering $, NA? NA Alice Bob Alice gives her HW IP to the fabrication house (Bob) asking for NA ICs implementing it Bob can make NA+NB ICs and sell the pirated ones Active metering manipulates finite state machine (FSM) of the original design, creating a lock for each IC Each manufactured IC will be uniquely locked (nonfunctional) unless Alice provides a Key Requirements: integration into the standard synthesis flow, low overhead, generalizeable, and resilient against attacks
Why is the Problem Challenging? Very little is known about the tampering attacks Many possibilities: tampering at many levels of abstraction of the synthesis process The likely adversaries are financially and otherwise strong The adversary has a full access to the structural specifications and to test vectors The internal parts of the manufactured ICs are intrinsically opaque
Active HW Metering Key idea: integrate the unique IDs such that each IC starts in a unique nonfunctional state The designer is the only entity who knows how to unlock The original FSM had m distinct states Boosted FSM (BFSM ) has 2k states With M 1-bit flip flops (FFs), we get 2M states: m original and 2M-m don’t cares S*0 S1 S2 S4 S3 Original FSM Example – FSM/STG (state-transition graph) …… . ……… ... Logic Block Random Bits … FF I O Added States S5 S9 S6 S31 S30 S22 … … … … …. S29 Random Bits b1 2M States …… bM
Active Metering: Analysis Powering-up in one of the added states The probability of powering-up in an added state is (2k-m)/2k Diversity of power-up states (unique IDs) The probability PICID(k,d) that no two ICs out of a group of d will have matching IDs out of 2k possible Low overhead of the added states Diversity of keys Storing the input sequence for traversal to the original reset state
Analysis (Cont’d) Non-equal probabilities (P0P1) Nunnikhoven’s approximation Number of ICs: n=2M; di=pi-1/n; i=1,..,n; pi=P1(bit i)
Attack Identification and Formulation Brute-force: guessing the key Reverse engineering of FSM Combinational redundancy removal Emulation of the Unique Block Initial power-up state capturing and replaying (CAR) Initial reset state CAR Control signals CAR Creation of identical ICs using selective IC release
DA-based Security and Cryptography Hardware Trojan horse detection and diagnosis Fingerprinting Passive metering Active metering Challenge-based authentication Smart cards Public-key and secret-key cryptography Software and content authentication and metering Multiple-personality authentication
DA-based Security: Global Impetus Creation of a spectrum of new scientific and engineering problems New types of error correction codes for information theorists Need for new probabilistic and statistical tools, taking into account the hierarchical correlations Paradigm shift operating system policies for real-time content/software/hardware authentication Formal computational theory
Concluding Remarks Security is a premier design challenge Cryptography-based system security vs. technology and synthesis-based security Emphasis of creating new security mechanisms and protocols and demonstrating their industrial relevance Design Automation is the emerging enabler of new types of system security
Thank You! ?