Problem Description
The increasing use of trusted execution environments (TEEs) has demonstrated the value of remotely attested secure hardware. However, the existing secure hardware that supports these novel use cases is not robust against physical adversaries. This raises the question: can we design a processor that supports complex workloads and also provides a high level of physical security? If so, what does such a design look like?
Answering these questions is harder than it needs to be. A culture of secrecy and obscurity, together with the high friction of running practical academic experiments, has left us with ideas and marketing claims for countermeasures but little certainty about which of them work in practice. Additionally, the majority of physical countermeasures have targeted low-cost, low-power “edge” devices, so the question of what can be done with fewer constraints (e.g. more die area and a larger power budget) has been left largely unaddressed.
We broadly encourage work on designing and verifying security mechanisms and highlight the following directions:
- Key storage: Protecting keys is a critical part of securing hardware. Both proposals for novel mechanisms and assessments of current mechanisms are helpful. Documented attacks on secure key storage mechanisms, such as this recent work on antifuses, point to potentially fruitful applications of similar methodologies to other forms of secure non-volatile memory (NVM), and help to focus attention on the more promising approaches. Another research avenue that deserves attention is weak physical unclonable functions (PUFs) as a key generation and storage mechanism. Due to their claimed sensitivity to physical disturbances and (for some designs) the potential to do without protective meshes, which hamper inspection for hardware trojans, PUFs hold high promise. Unfortunately, much about PUF properties is yet to be publicly evaluated. While a substantial body of research has been published, most of it is not directly applicable to our use case because it has been carried out on FPGAs, does not evaluate whether attacks can be performed with sufficient precision to extract all bits of a defensively encoded key, or targets strong PUFs.
- Tamper response: The ability to detect and react to alterations of the die is critical. Tamper response overlaps with key storage, but differs in an important way: tampering attacks can affect other parts of the processor logic (e.g. silicon thinning to reduce noise for optical side channel attacks, or adding wires with a focused ion beam (FIB)). Relying purely on the tamper sensitivity of logic-based PUFs would be ideal, as it does not interfere with non-destructive imaging for trojan detection. However, there are good reasons to suspect that this is impractical. Empirical verification is required to establish whether PUFs that are stable across reasonable environmental changes (e.g. supply voltage, temperature) are also sensitive to die alterations over a large enough region to protect a substantial amount of logic. Several proposals, such as this one, extend the area covered by PUF sensitivity with a tamper-evident conductive mesh, but assume a weak threat model (e.g. one that excludes FIB attacks). Frontside meshes can be much tighter but do not address backside attacks, while backside meshes (through 3D integration or backside metal) may hold promise but, to our knowledge, have not been publicly evaluated.
- Side channels: Power, EM, optical and other physical channels are serious risks to confidentiality. These channels can be partitioned into dynamic (leakage from computation being performed) and static (leakage from data at rest). In both categories, academia has presented strong countermeasures broadly known as “masking” (1, 2, 3, 4): each sensitive value is split into randomised shares such that any single share is independent of the secret, and every operation is performed on shares. These countermeasures are particularly appealing because they rely on minimal assumptions and because the connection between their theoretical and practical security is well studied. However, they come at an area and/or latency overhead that must be minimised, especially when complete architectures are considered. In this regard, we would highly value contributions of more efficient schemes (that maintain composability notions such as O-PINI), masked gadgets that improve the efficiency of large algorithms/architectures, or flexible hardware-software masking schemes and their validation. Practical validation of security parameters, especially on ASICs, is also highly valuable.
- Fault injection: Fault injection (e.g. with a laser) can be used both to violate the integrity of a program's control flow and to extract data without violating control flow at all. As examples of the former, faults can cause a key to be used to sign or decrypt data that the controlling program's logic does not permit, or simply cause data meant to be kept secret to be output. The latter, data extraction attacks, can be further partitioned into differential fault attacks (DFA), which use faulty outputs to reverse engineer secret data, and statistical ineffective fault attacks (SIFA), which target mechanisms that detect and halt on errors instead of correcting them: whether a fault turns out to be ineffective depends on the faulted intermediate value, so the set of inputs that still produce an output is biased by the secret. An even stronger class of data extraction attacks combines probing (i.e. side channel) and fault injection. While countermeasures with attractive theoretical properties (composability) exist, their overhead is currently prohibitive. Integrating alternative (non-Boolean) masking schemes can reduce the required degree of redundancy and therefore the overhead. For both data extraction and control flow countermeasures, empirical validation would be highly impactful. Current adversarial models assume limits on the number of simultaneous faults an adversary can inject, or on the precision with which this can be done, but few documented experiments have tried to calibrate these bounds.