Emission Analysis of Hardware Implementations

Today, hardware implementations are the basis for many security applications, such as cryptographic ciphers. Such applications are realized using complex combinatorial logic circuits of substantial size. Therefore, understanding the gate-level implementation can be crucial for the attacker. However, Hardware Description Language (HDL) behavioral models and gate-level net list are seldom available for a particular design. Executing software directly on the device to assist in understanding the implementation is one potential solution. However, this may either be infeasible or completely impossible in practice as target devices may be incapable of executing code. Currently, few works have proposed forms of dynamic gate-level analysis of the actual hardware implementations. Moreover, current reverse-engineering techniques based on physical delayering and optical imaging cannot be applied to programmable logic. In this work we present the first dynamic emission analysis of a hardware implementation. This technique does not require any prior knowledge about the target device. Furthermore, it does not require code to be executed by the target. Hardware implementations consist of basic primitives that form the building blocks of complex hardware functions. By individually analyzing each primitive and correlating the corresponding optical images, the emission fingerprint of each primitive can be identified. As a result the hardware implementation of the device can be reconstructed. We present practical results for a common Complex Programmable Logic Device (CPLD). However, the same approach can be applied to hardware implementations in general.

[1]  Elisabeth Oswald,et al.  Constructive Side-Channel Analysis and Secure Design , 2016, Lecture Notes in Computer Science.

[2]  Jeyavijayan Rajendran,et al.  Security analysis of integrated circuit camouflaging , 2013, CCS.

[3]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[4]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.

[5]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[6]  Jean-Pierre Seifert,et al.  Differential Photonic Emission Analysis , 2013, COSADE.

[7]  Wolfgang Rankl,et al.  Smart Card Handbook , 1997 .

[8]  Sergei Skorobogatov,et al.  Optical Fault Masking Attacks , 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[9]  Ramesh Karri,et al.  New scan-based attack using only the test mode , 2013, 2013 IFIP/IEEE 21st International Conference on Very Large Scale Integration (VLSI-SoC).

[10]  Jean-Pierre Seifert,et al.  Functional integrated circuit analysis , 2012, 2012 IEEE International Symposium on Hardware-Oriented Security and Trust.

[11]  Jean-Pierre Seifert,et al.  Breaking and entering through the silicon , 2013, CCS.

[12]  Wolfgang Rankl,et al.  Smart Card Handbook: Rankl/Smart Card Handbook , 2010 .

[13]  Ashish Tiwari,et al.  WordRev: Finding word-level structures in a sea of bit-level gates , 2013, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[14]  David Naccache,et al.  The Sorcerer's Apprentice Guide to Fault Attacks , 2006, Proceedings of the IEEE.

[15]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[16]  Julie Ferrigno,et al.  When AES blinks: introducing optical side channel , 2008, IET Inf. Secur..

[17]  Christof Paar,et al.  Stealthy dopant-level hardware Trojans: extended version , 2013, Journal of Cryptographic Engineering.

[18]  Jean-Pierre Seifert,et al.  Simple photonic emission analysis of AES , 2013, Journal of Cryptographic Engineering.

[19]  Jean-Pierre Seifert,et al.  Simple Photonic Emission Analysis of AES - Photonic Side Channel Analysis for the Rest of Us , 2012, CHES.