Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zhi Chen1, Junjie Shen1, Alex Nicolau1, Alex Veidenbaum1

Published byAron Dixon Modified over 6 years ago

Similar presentations

Presentation on theme: "Zhi Chen1, Junjie Shen1, Alex Nicolau1, Alex Veidenbaum1"— Presentation transcript:

1 CAMFAS: A Compiler Approach to Mitigate Fault Attacks via Enhanced SIMDization
Zhi Chen1, Junjie Shen1, Alex Nicolau1, Alex Veidenbaum1 Nahid Farhady Ghalaty2 and Rosario Cammarota3 1University of California, Irvine 2Accenture Cyber Security Technology Labs, Virginia, USA 3Qualcomm Research, San Diego, USA

2 Fault Attacks Fault attacks occur as intentional disturbance of a micro-processor To exploit the secret keys of crypto modules. To take control of the micro-processor actions. FDTC'17

3 Fault Attack Process Fault attack vectors include two main steps:
Fault measurement – the process to get faulty data Fault Injection. Fault effect observation. Fault analysis – techniques to process faulty and unaltered information E.g., DFA, DFIA. FDTC'17

4 Fault Attack Countermeasures
Fault attack countermeasures attempt to prevent an attacker from observing the effect of injected faults. Shielding to physically block fault injection Sensors to detect fault injections E.g., temperature, EM, voltage anomaly sensors. Redundancy for fault detection E.g., error-correcting codes (hardware), multi-versioning (software). FDTC'17

5 Motivation Type Overhead Cost Flexibility Efficacy Hardware High Low Software Moderate Table 1: Existing countermeasures on a yardstick. Recent research has shown that multiple fault injections can break redundancy techniques in algorithm or instruction level - refer to Yuce et al. in FDTC’16 Hardware countermeasures Overhead impact silicon area and performance. Increase the hardware design life cycle. Limited flexibility. Software countermeasures (timing and spatial code redundancy) Overhead impact memory footprint, code size, and register pressure, i.e., performance E.g., run crypto algorithm twice, duplicate instructions Tedious and error-prone deployment of the countermeasures. Highly flexible. FDTC'17

6 CAMFAS Rationale Expected outcome
Rely on the mechanism of automatic vectorization (SIMDization) to convert instruction duplication into vector operations. Vector units are ubiquitous in modern micro-processors Intel x86 – SSE, AVX ARM - NEON Expected outcome Reduced performance penalty compared to instruction duplication. Elevated fault coverage due to a reliable insertion of the mitigation with an enhanced version of the auto-vectorizer of the compiler: CAMFAS. FDTC'17

7 CAMFAS Framework ALU instructions: Duplicated and their data is placed in SIMD registers. Memory instructions: Memory addresses are duplicated using gather and scatter. Branches: Condition computation is duplicated. PC update is not checked. Calls: Function calls are not duplicated, but some library calls are duplicated if they have the equivalent SIMD prototypes in LLVM IR (e.g. sqrt, pow, etc.). FDTC'17

8 ALU Instruction Duplication
Original B C A B B’ C C’ Replicate A’ = B’ + C’ A = B + C Vector operation +1/0/-1 Compare A’ = B’ + C’ A = B + C Shuffle There is an error if one of the fields is non-zero FDTC'17

9 Memory Instruction Duplication
Only addresses are protected. Load instruction: gather. Store instruction: address is checked before store. Data can also be checked at the cost of more overhead Original: D = Mem[A] ... Memory D D’ Gather Addr: A Addr: A’ FDTC'17

10 Error Checking Insertion
Shuffle + Compare. Error checking code only inserted at selected positions to reduce the performance overhead. Before stores. Before function calls. Before conditional branches. A==A’ A’==A A’ A FDTC'17

11 Fault Injection Simulation
Use Pin tool to collect dynamic instruction trace. Randomly pick a fault position in trace file. Pick an instruction Flip the chosen bit Repeat fault injection 1000 times for each crypto algorithm.  pick a register  pick a bit Crypto algorithm ip1, regs_i, regs_o ip2, regs_i, regs_o ip3, regs_i, regs_o ipn, regs_i, regs_o Pin Tool Trace File 1 1 Rand(0, 31) Rand(1, n) ip1, regs_i, regs_o ip2, regs_i, regs_o ip3, regs_i, regs_o ipn, regs_i, regs_o Rand(regs_i) Regs_i[1] 1 FDTC'17

12 Experimental Platform
Evaluation Experimental Platform CPU Intel Xeon PhiTM 7210 with AVX-512 SIMD extension Memory 16GB OS Ubuntu Server with Linux kernel Compiler framework LLVM 4.0 Target Libgcrypt-1.7.6 CAMFAS can also be applied to other micro-processors support vector extensions. e.g. ARM processors w/ NEON FDTC'17

13 Cipher Execution Results
Detected: program terminates due to fault being detected. Incomplete: execution fails without generating attackable output. Masked: program completes normally and produces correct output. Corrupted: program completes normally and produces faulty output. The fault provides useful information to an attacker for its fault analysis step FDTC'17

14 Fault Coverage Almost full coverage with memory protection!
The remaining corrupted cases are mainly caused by faults injected to error checking code N: No fault detection O: CAMFAS without memory protection W: CAMFAS with memory protection FDTC'17

15 Performance overhead With memory protection: 2.2x.
Without memory protection: 1.7x. FDTC'17

16 Discussion Differential Fault Analysis (DFA)
Requires both correct and faulty cipher texts. CAMFAS detects incorrect result and prevents the generation of faulty cipher text. Differential Fault Intensity Analysis (DFIA) Relies on the bias of fault behavior. CAMFAS effectively prevents faulty output from being propagated. Single-Glitch Attack Injects clock glitches at precisely controlled timing and pipeline stages to thwart redundancy-based countermeasures CAMFAS makes the attack more difficult as duplication and error checking are inserted at the IR level FDTC'17

17 Conclusions Future directions
CAMFAS is a redundancy-based countermeasure implemented in LLVM infrastructure. CAMFAS exploits SIMD units in modern micro-processors to mitigate fault attacks. CAMFAS provides high fault coverage while keeps a moderate performance penalty. Future directions Extend CAMFAS to thwart side-channel attacks. New micro-architectural features to mitigate fault attacks. FDTC'17

18 Thank you! FDTC'17

19 Backup Slides FDTC'17

20 Fault injections can be detrimental
Methods: Laser, EM, heat, etc. Common approach: Differential Fault Analysis (DFA) A single fault is enough to break the cryptosystem Public key cipher: “Bellcore attack” on RSA-CRT [1] Block cipher: DFA on AES [2] [1] Boneh, Dan, Richard A. DeMillo, and Richard J. Lipton. "On the importance of eliminating errors in cryptographic computations." Journal of cryptology 14, no. 2 (2001): [2] Tunstall, Michael, Debdeep Mukhopadhyay, and Subidh Ali. "Differential fault analysis of the advanced encryption standard using a single fault." IFIP International Workshop on Information Security Theory and Practices. Springer, Berlin, Heidelberg, 2011. FDTC'17

21 RSA-CRT RSA with Chinese Remainder Theorem implementation Given:
message 𝑚, private exponent 𝑑, primes (𝑝,𝑞), and 𝑁=𝑝𝑞 RSA signing: 𝑆= 𝑚 𝑑 𝑚𝑜𝑑 𝑁 RSA-CRT: Calculates 𝑆 𝑝 = 𝑚 𝑑 𝑚𝑜𝑑 𝑝 and 𝑆 𝑞 = 𝑚 𝑑 𝑚𝑜𝑑 𝑞 𝑆= 𝑎𝑆 𝑝 + 𝑏𝑆 𝑞 Four times faster than RSA FDTC'17

22 Bellcore Attack Run RSA-CRT twice with the same message
Original 𝑆 and fault injected 𝑆’ If the fault was injected to 𝑆′ 𝑝 = 𝑚 𝑑 𝑚𝑜𝑑 𝑝 : i.e., 𝑆 𝑞 = 𝑆′ 𝑞 and 𝑆 𝑝 ≠ 𝑆′ 𝑝 Meaning 𝑆= 𝑆 ′ 𝑚𝑜𝑑 𝑞, but 𝑆 ≠𝑆 ′ 𝑚𝑜𝑑 𝑝 Therefore, 𝑞=gcd⁡(𝑆− 𝑆 ′ , 𝑁) Based on 𝜑 𝑁 = 𝑝−1 𝑞−1 and 𝑑𝑒=1 𝑚𝑜𝑑 𝜑 𝑁 , where 𝑒 is the public exponent Calculated 𝒅! FDTC'17

Download ppt "Zhi Chen1, Junjie Shen1, Alex Nicolau1, Alex Veidenbaum1"

Similar presentations

Computer Organization and Architecture

Computer Organization and Architecture
Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.

Using Instruction Block Signatures to Counter Code Injection Attacks Milena Milenković, Aleksandar Milenković, Emil Jovanov The University of Alabama in.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
Rung-Bin Lin Chapter 4: Exploiting Instruction-Level Parallelism with Software Approaches4-1 Chapter 4 Exploiting Instruction-Level Parallelism with Software.

Rung-Bin Lin Chapter 4: Exploiting Instruction-Level Parallelism with Software Approaches4-1 Chapter 4 Exploiting Instruction-Level Parallelism with Software.
1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,

1 Implementing an Untrusted Operating System on Trusted Hardware David Lie Chandramohan A. Thekkath Mark Horowitz University of Toronto, Microsoft Research,
Department of Computer Science University of the West Indies.

Department of Computer Science University of the West Indies.
Mitigating the Performance Degradation due to Faults in Non-Architectural Structures Constantinos Kourouyiannis Veerle Desmet Nikolas Ladas Yiannakis Sazeides.

Mitigating the Performance Degradation due to Faults in Non-Architectural Structures Constantinos Kourouyiannis Veerle Desmet Nikolas Ladas Yiannakis Sazeides.
Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.

Radu Muresan CODES+ISSS'04, September 8-10, 2004, Stockholm, Sweden1 Current Flattening in Software and Hardware for Security Applications Authors: R.
From Essentials of Computer Architecture by Douglas E. Comer. ISBN 0131491792. © 2005 Pearson Education, Inc. All rights reserved. 7.2 A Central Processor.

From Essentials of Computer Architecture by Douglas E. Comer. ISBN © 2005 Pearson Education, Inc. All rights reserved. 7.2 A Central Processor.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
NCCS Brown Bag Series. Vectorization Efficient SIMD parallelism on NCCS systems Craig Pelissier* and Kareem Sorathia

NCCS Brown Bag Series. Vectorization Efficient SIMD parallelism on NCCS systems Craig Pelissier* and Kareem Sorathia
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Software Faults and Fault Injection Models --Raviteja Varanasi.

Software Faults and Fault Injection Models --Raviteja Varanasi.
Fault Tolerant Infective Countermeasure for AES

Fault Tolerant Infective Countermeasure for AES
Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.

Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.
IVEC: Off-Chip Memory Integrity Protection for Both Security and Reliability Ruirui Huang, G. Edward Suh Cornell University.

IVEC: Off-Chip Memory Integrity Protection for Both Security and Reliability Ruirui Huang, G. Edward Suh Cornell University.
1 Towards Optimal Custom Instruction Processors Wayne Luk Kubilay Atasu, Rob Dimond and Oskar Mencer Department of Computing Imperial College London HOT.

1 Towards Optimal Custom Instruction Processors Wayne Luk Kubilay Atasu, Rob Dimond and Oskar Mencer Department of Computing Imperial College London HOT.
Eliminating Silent Data Corruptions caused by Soft-Errors Siva Hari, Sarita Adve, Helia Naeimi, Pradeep Ramachandran, University of Illinois at Urbana-Champaign,

Eliminating Silent Data Corruptions caused by Soft-Errors Siva Hari, Sarita Adve, Helia Naeimi, Pradeep Ramachandran, University of Illinois at Urbana-Champaign,
Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:

Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:

Similar presentations

Ads by Google