Zeitouni, Shaza (2022)
Hardware entangled security primitives: attacks and defenses.
Technische Universität Darmstadt
doi: 10.26083/tuprints-00021552
Dissertation, Erstveröffentlichung, Verlagsversion
Kurzbeschreibung (Abstract)
Hardware-assisted security aims at protecting computing systems against software-based attacks that can affect the different software layers. This is attained by leveraging hardware components or modules to enforce strict security measures and thus providing stronger security guarantees compared to software-only solutions. The trusted hardware components form together the so-called trust anchor, which comprises various primitives to support different security protocols and services such as authentication, platform integrity, runtime protection, trusted execution and trusted configuration, to name some. This thesis consists of two parts: i) an offensive part, where we present our findings based on attacks we conducted on hardware-based security primitives that can be deployed in trust anchors for platform authentication and cryptographic key generation, and ii) a defensive part, where we present our novel hardware-assisted defenses/architectures for platform integrity at runtime and trusted configuration that are based on trust anchors of our design. The contributions are organized in three pivots based on the security service provided by the trust anchor. Platform Authentication. Physically Unclonable Functions (PUFs) are hardware security primitives that leverage the innate characteristics of hardware due to its manufacturing process for the generation of device-specific identifiers or cryptographic keys. Therefore, PUFs have been considered as a promising cost-effective primitive/component in trust anchors for constrained embedded devices. In this part of the thesis we evaluate the security of several PUF primitives. We demonstrate a noninvasive fault injection attack on SRAM PUFs that is conducted by controlling the voltage supply to the PUF under attack for the recovery of the secret PUF response [1]. Then, we present remote software-based fault injection attack on Rowhammer PUFs and modeling attacks on Rowhammer PUFs and memristor-based PUFs that require no physical access to the PUF under attack [2, 3]. This pivot is based on the following publications:
[1] Shaza Zeitouni, Yossef Oren, Christian Wachsmann, Patrick Koeberl, Ahmad-Reza Sadeghi. “Remanence Decay Side-Channel: The PUF Case”. In IEEE Transactions on Information Forensics and Security (TIFS), Vol. 11, 2015.
[2] Shaza Zeitouni, David Gens, Ahmad-Reza Sadeghi. “It’s Hammer Time: How to Attack (Rowhammer-based) DRAM-PUFs”. In Proceedings of the 55th ACM/IEEE Design Automation Conference (DAC’18), 2018.
[3] Shaza Zeitouni, Emmanuel Stapf, Hossein Fereidooni, Ahmad-Reza Sadeghi. “On the Security of Strong Memristor-based Physically Unclonable Functions”. In Proceedings of the 57th ACM/IEEE Design Automation Conference (DAC’20), 2020.
Runtime Protection. Memory corruption attacks aim at diverting the execution of software at runtime without violating its integrity at rest. While static attestation is a well established approach to verify the trustworthiness/integrity of software components and detect malware attacks, it cannot detect runtime attacks. In this part of the thesis, we present our runtime defenses for embedded systems under different deployment and adversary models and their underlying hardware-based trust anchors that we design and implement. We present i) LO-FAT, the first hardware-based control-flow attestation scheme to mitigate runtime control-flow attacks [4], ii) ATRIUM, the first runtime attestation scheme to capture executed instructions/binaries and control-flow behavior simultaneously to mitigate runtime control-flow as well as Time of Check Time of Use attacks [5], iii) CHASE, a flexible runtime attestation scheme suitable for real-time constrained devices [6] and iv) HardScope, a runtime context-specific memory isolation scheme to efficiently mitigate currently-known runtime data-oriented attacks [7]. This pivot is based on the following publications:
[4] Ghada Dessouky, Shaza Zeitouni, Thomas Nyman, Andrew Paverd, Lucas Davi, Patrick Koeberl, N. Asokan, Ahmad-Reza Sadeghi. “LO-FAT: Low-Overhead Control Flow ATtestation in Hardware”. In Proceedings of the 54th ACM/IEEE Design Automation Conference (DAC’17), 2017.
[5] Shaza Zeitouni, Ghada Dessouky, Orlando Arias, Dean Sullivan, Ahmad Ibrahim, Yier Jin, Ahmad-Reza Sadeghi. “ATRIUM: Runtime Attestation Resilient Under Memory Attacks”. In Proceedings of the 36th ACM/IEEE International Conference on Computer Aided Design (ICCAD’17), 2017.
[6] Ghada Dessouky, Shaza Zeitouni, Ahmad Ibrahim, Lucas Davi, Ahmad-Reza Sadeghi. “CHASE: Configurable Hardware-Assisted Security Extension for Real-Time Systems”. In Proceedings of the 38th ACM/IEEE International Conference on Computer Aided Design (ICCAD’19), 2019.
[7] Thomas Nyman, Ghada Dessouky, Shaza Zeitouni, Aaro Lehikoinen, Andrew Paverd, N. Asokan, Ahmad-Reza Sadeghi. “HardScope: Hardening Embedded Systems Against Data-Oriented Attacks”. In Proceedings of the 56th ACM/IEEE Design Automation Conference (DAC’19), 2019.
Trusted Configuration. Due to their flexibility and high performance-to-power ratio, Field Programmable Gate Arrays (FPGAs) have found their way into data centers. Major Cloud Service Providers (CSPs) offer their clients FPGA-accelerated compute instances and allow them to freely configure the FPGAs. However, this deployment model engenders a new type of physical attacks that can be launched remotely by clients using only malicious FPGA configurations. In this part of the thesis, we systematize the research work on cloud FPGAs and spot the light on fundamental security concerns and challenges [8]. Among them, the mutual trust problem of FPGA configuration: clients aim to protect their proprietary designs by encrypting FPGA configurations, while CSPs do not support the use of encrypted configurations and require access to FPGA configurations to inspect for malicious primitives, e.g. voltage sensors. To tackle this open challenge, we present a security protocol between the involved parties and its underlying hardware-based trust anchor that we design and implement for trusted configuration on cloud FPGAs [9]. This pivot is based on the following publications:
[8] Ghada Dessouky, Ahmad-Reza Sadeghi, Shaza Zeitouni. “SoK: Secure FPGA Multi-Tenancy in the Cloud: Challenges and Opportunities”. In Proceedings of the 6th IEEE European Symposium on Security and Privacy (EuroS&P’21), 2021.
[9] Shaza Zeitouni, Jo Vliegen, Tommaso Frassetto, Dirk Koch, Ahmad-Reza Sadeghi, Nele Mentens. “Trusted Configuration in Cloud FPGAs”. In Proceedings of the 29th IEEE International Symposium On Field-Programmable Custom Computing Machines (FCCM’21), 2021.
Typ des Eintrags: | Dissertation | ||||
---|---|---|---|---|---|
Erschienen: | 2022 | ||||
Autor(en): | Zeitouni, Shaza | ||||
Art des Eintrags: | Erstveröffentlichung | ||||
Titel: | Hardware entangled security primitives: attacks and defenses | ||||
Sprache: | Englisch | ||||
Referenten: | Sadeghi, Prof. Ahmad-Reza ; Mentens, Prof. Nele | ||||
Publikationsjahr: | 2022 | ||||
Ort: | Darmstadt | ||||
Kollation: | XV, 161 Seiten | ||||
Datum der mündlichen Prüfung: | 20 September 2021 | ||||
DOI: | 10.26083/tuprints-00021552 | ||||
URL / URN: | https://tuprints.ulb.tu-darmstadt.de/21552 | ||||
Kurzbeschreibung (Abstract): | Hardware-assisted security aims at protecting computing systems against software-based attacks that can affect the different software layers. This is attained by leveraging hardware components or modules to enforce strict security measures and thus providing stronger security guarantees compared to software-only solutions. The trusted hardware components form together the so-called trust anchor, which comprises various primitives to support different security protocols and services such as authentication, platform integrity, runtime protection, trusted execution and trusted configuration, to name some. This thesis consists of two parts: i) an offensive part, where we present our findings based on attacks we conducted on hardware-based security primitives that can be deployed in trust anchors for platform authentication and cryptographic key generation, and ii) a defensive part, where we present our novel hardware-assisted defenses/architectures for platform integrity at runtime and trusted configuration that are based on trust anchors of our design. The contributions are organized in three pivots based on the security service provided by the trust anchor. Platform Authentication. Physically Unclonable Functions (PUFs) are hardware security primitives that leverage the innate characteristics of hardware due to its manufacturing process for the generation of device-specific identifiers or cryptographic keys. Therefore, PUFs have been considered as a promising cost-effective primitive/component in trust anchors for constrained embedded devices. In this part of the thesis we evaluate the security of several PUF primitives. We demonstrate a noninvasive fault injection attack on SRAM PUFs that is conducted by controlling the voltage supply to the PUF under attack for the recovery of the secret PUF response [1]. Then, we present remote software-based fault injection attack on Rowhammer PUFs and modeling attacks on Rowhammer PUFs and memristor-based PUFs that require no physical access to the PUF under attack [2, 3]. This pivot is based on the following publications: [1] Shaza Zeitouni, Yossef Oren, Christian Wachsmann, Patrick Koeberl, Ahmad-Reza Sadeghi. “Remanence Decay Side-Channel: The PUF Case”. In IEEE Transactions on Information Forensics and Security (TIFS), Vol. 11, 2015. [2] Shaza Zeitouni, David Gens, Ahmad-Reza Sadeghi. “It’s Hammer Time: How to Attack (Rowhammer-based) DRAM-PUFs”. In Proceedings of the 55th ACM/IEEE Design Automation Conference (DAC’18), 2018. [3] Shaza Zeitouni, Emmanuel Stapf, Hossein Fereidooni, Ahmad-Reza Sadeghi. “On the Security of Strong Memristor-based Physically Unclonable Functions”. In Proceedings of the 57th ACM/IEEE Design Automation Conference (DAC’20), 2020. Runtime Protection. Memory corruption attacks aim at diverting the execution of software at runtime without violating its integrity at rest. While static attestation is a well established approach to verify the trustworthiness/integrity of software components and detect malware attacks, it cannot detect runtime attacks. In this part of the thesis, we present our runtime defenses for embedded systems under different deployment and adversary models and their underlying hardware-based trust anchors that we design and implement. We present i) LO-FAT, the first hardware-based control-flow attestation scheme to mitigate runtime control-flow attacks [4], ii) ATRIUM, the first runtime attestation scheme to capture executed instructions/binaries and control-flow behavior simultaneously to mitigate runtime control-flow as well as Time of Check Time of Use attacks [5], iii) CHASE, a flexible runtime attestation scheme suitable for real-time constrained devices [6] and iv) HardScope, a runtime context-specific memory isolation scheme to efficiently mitigate currently-known runtime data-oriented attacks [7]. This pivot is based on the following publications: [4] Ghada Dessouky, Shaza Zeitouni, Thomas Nyman, Andrew Paverd, Lucas Davi, Patrick Koeberl, N. Asokan, Ahmad-Reza Sadeghi. “LO-FAT: Low-Overhead Control Flow ATtestation in Hardware”. In Proceedings of the 54th ACM/IEEE Design Automation Conference (DAC’17), 2017. [5] Shaza Zeitouni, Ghada Dessouky, Orlando Arias, Dean Sullivan, Ahmad Ibrahim, Yier Jin, Ahmad-Reza Sadeghi. “ATRIUM: Runtime Attestation Resilient Under Memory Attacks”. In Proceedings of the 36th ACM/IEEE International Conference on Computer Aided Design (ICCAD’17), 2017. [6] Ghada Dessouky, Shaza Zeitouni, Ahmad Ibrahim, Lucas Davi, Ahmad-Reza Sadeghi. “CHASE: Configurable Hardware-Assisted Security Extension for Real-Time Systems”. In Proceedings of the 38th ACM/IEEE International Conference on Computer Aided Design (ICCAD’19), 2019. [7] Thomas Nyman, Ghada Dessouky, Shaza Zeitouni, Aaro Lehikoinen, Andrew Paverd, N. Asokan, Ahmad-Reza Sadeghi. “HardScope: Hardening Embedded Systems Against Data-Oriented Attacks”. In Proceedings of the 56th ACM/IEEE Design Automation Conference (DAC’19), 2019. Trusted Configuration. Due to their flexibility and high performance-to-power ratio, Field Programmable Gate Arrays (FPGAs) have found their way into data centers. Major Cloud Service Providers (CSPs) offer their clients FPGA-accelerated compute instances and allow them to freely configure the FPGAs. However, this deployment model engenders a new type of physical attacks that can be launched remotely by clients using only malicious FPGA configurations. In this part of the thesis, we systematize the research work on cloud FPGAs and spot the light on fundamental security concerns and challenges [8]. Among them, the mutual trust problem of FPGA configuration: clients aim to protect their proprietary designs by encrypting FPGA configurations, while CSPs do not support the use of encrypted configurations and require access to FPGA configurations to inspect for malicious primitives, e.g. voltage sensors. To tackle this open challenge, we present a security protocol between the involved parties and its underlying hardware-based trust anchor that we design and implement for trusted configuration on cloud FPGAs [9]. This pivot is based on the following publications: [8] Ghada Dessouky, Ahmad-Reza Sadeghi, Shaza Zeitouni. “SoK: Secure FPGA Multi-Tenancy in the Cloud: Challenges and Opportunities”. In Proceedings of the 6th IEEE European Symposium on Security and Privacy (EuroS&P’21), 2021. [9] Shaza Zeitouni, Jo Vliegen, Tommaso Frassetto, Dirk Koch, Ahmad-Reza Sadeghi, Nele Mentens. “Trusted Configuration in Cloud FPGAs”. In Proceedings of the 29th IEEE International Symposium On Field-Programmable Custom Computing Machines (FCCM’21), 2021. |
||||
Alternatives oder übersetztes Abstract: |
|
||||
Status: | Verlagsversion | ||||
URN: | urn:nbn:de:tuda-tuprints-215527 | ||||
Sachgruppe der Dewey Dezimalklassifikatin (DDC): | 000 Allgemeines, Informatik, Informationswissenschaft > 004 Informatik | ||||
Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Systemsicherheit |
||||
TU-Projekte: | DFG|SFB1119|S2SFB1119 Sadeghi | ||||
Hinterlegungsdatum: | 20 Jun 2022 12:18 | ||||
Letzte Änderung: | 23 Jun 2022 06:42 | ||||
PPN: | |||||
Referenten: | Sadeghi, Prof. Ahmad-Reza ; Mentens, Prof. Nele | ||||
Datum der mündlichen Prüfung / Verteidigung / mdl. Prüfung: | 20 September 2021 | ||||
Export: | |||||
Suche nach Titel in: | TUfind oder in Google |
Frage zum Eintrag |
Optionen (nur für Redakteure)
Redaktionelle Details anzeigen |