2017:

Efficient design of Oscillator based Physical Unclonable Functions on Flash FPGAs, Ugo Mureddu, Oto Petura, Nathalie Bochard, Lilian Bossuet, Viktor Fischer
Second International Verification and Security Workshop (IVSW 2017), 2017.

[ More ]

Abstract: With the scaling down of electronic devices and the boom of wireless communications, more and more smart devices are interconnected in what we call the Internet of Things. Connecting devices of everyday use can greatly improve our comfort, but it can also introduce unprecedented security problems. With billions of devices connected there is a huge risk of unauthorized use. In this context, Physical Unclonable Functions (PUFs) are a promising solution since they extract device intrinsic fingerprint that can be used for hardware identification and authentication. Here we present the first fully functional implementation of Oscillator based PUFs on Flash based FPGA. The implementation is presented for the Ring Oscillator based PUF and the Transient Effect Ring Oscillatory based PUF. After explaining those two PUF principles, we give all the necessary design practices to follow to obtain an efficient PUF implementation on Flash FPGA. Finally, we present the characterization of the PUFs and compare it to previous work. To the best of our knowledge, it is the first work which deals with the implementation of Oscillator based PUF on Flash FPGAs. Moreover, all design files are available online to ensure repeatability.


Practical Key Recovery Attack on MANTIS-5, Christoph Dobraunig, Maria Eichlseder, Daniel Kales, Florian Mendel
International Conference on Fast Software Encryption (TOSC-FSE 2017), 2017.

[ More ]

Abstract: MANTIS is a lightweight tweakable block cipher published at CRYPTO 2016. In addition to the full 14-round version, MANTIS-7, the designers also propose an aggressive 10-round version, MANTIS-5. The security claim for MANTIS-5 is resistance against “practical attacks”, defined as related-tweak attacks with data complexity 2d less than 230 chosen plaintexts (or 240 known plaintexts), and computational complexity at most 2126-d. We present a key-recovery attack against MANTIS-5 with 228 chosen plaintexts and a computational complexity of about 238 block cipher calls, which violates this claim. Our attack is based on a family of differential characteristics and exploits several properties of the lightweight round function and tweakey schedule. To verify the validity of the attack, we also provide a practical implementation which recovers the full key in about 1 core hour using 230 chosen plaintexts.


An Efficient Side-Channel Protected AES Implementation with Arbitrary Protection Order, Hannes Gross; Stefan Mangard; Thomas Korak
RSA Conference Cryptographers’ Track (CT-RSA 2017), 2017.

[ More ]

Abstract: Passive physical attacks, like power analysis, pose a serious threat to the security of digital circuits. In this work, we introduce an efficient sidechannel protected Advanced Encryption Standard (AES) hardware design that is completely scalable in terms of protection order. Therefore, we revisit the private circuits scheme of Ishai et al. [13] which is known to be vulnerable to glitches. We demonstrate how to achieve resistance against multivariate higher-order attacks in the presence of glitches for the same randomness cost as the private circuits scheme. Although our AES design is scalable, it is smaller, faster, and less randomness demanding than other side-channel protected AES implementations. Our first-order secure AES design, for example, requires only 18 bits of randomness per S-box operation and 6 kGE of chip area. We demonstrate the flexibility of our AES implementation by synthesizing it up to the 15th protection order.


Complete activation scheme for IP design protection, Brice Colombier, Ugo Mureddu, Marek Laban, Oto Petura, Lilian Bossuet, Viktor Fischer
IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2017.

[ More ]

Abstract: Intellectual Property (IP) illegal copying is a major threat in today’s integrated circuits industry which is massively based on a design-and-reuse paradigm. In order to fight this threat, a designer must track how many times an IP has been instantiated. Moreover, illegal copies of an IP must be unusable. We propose a hardware/software scheme which allows a designer to remotely activate an IP with minimal area overhead. The software modifies the IP efficiently and can handle very large netlists. Unique identification of hardware instances is achieved by integrating a TERO-PUF along with a lightweight key reconciliation module. A cryptographic core guarantees security and triggers a logic locking/masking module which makes the IP unusable unless the correct encrypted activation word is applied. The hardware side is implemented on several FPGAs.


Key Reconciliation Protocols for Error Correction of Silicon PUF Responses, Brice Colombier, Lilian Bossuet, David Hély, Viktor Fischer
IEEE Transactions on Information Forensics and Security, 2017.

[ More ]

Abstract: Physical Unclonable Functions (PUFs) are promising primitives for the lightweight authentication of an integrated circuit (IC). Indeed, by extracting an identifier from random process variations, they allow each instance of a design to be uniquely identified. However, the extracted identifiers are not stable enough to be used as is, and hence need to be corrected first. This is currently achieved using error-correcting codes in secure sketches, that generate helper data through a one-time procedure. As an alternative, we propose key reconciliation protocols. This interactive method, originating from quantum key distribution, allows two entities to correct errors in their respective correlated keys by discussing over a public channel. We believe that this can also be used by a device and a remote server to agree on two different responses to the same challenge from the same PUF obtained at different times. This approach has the advantage of requiring very few logic resources on the device side. The information leakage caused by the key reconciliation process is limited and easily computable. Results of implementation on FPGA targets are presented, showing that it is the most lightweight error-correction module to date.


ISAP - Towards Side-Channel Secure Authenticated Encryption, Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer
24th International Conference on Fast Software Encryption (TOSC-FSE 2017), 2017.

[ More ]

Abstract: Side-channel attacks and in particular differential power analysis (DPA) attacks pose a serious threat to cryptographic implementations. One approach to counteract such attacks are cryptographic schemes based on fresh re-keying. In settings of pre-shared secret keys, such schemes render DPA attacks infeasible by deriving session keys and by ensuring that the attacker cannot collect side-channel leakage on the session key during cryptographic operations with different inputs. While these schemes can be applied to secure standard communication settings, current re-keying approaches are unable to provide protection in settings where the same input needs to be processed multiple times. In this work, we therefore adapt the re-keying approach and present a symmetric authenticated encryption scheme that is secure against DPA attacks and that does not have such a usage restriction. This means that our scheme fully complies with the requirements given in the CAESAR call and hence, can be used like other noncebased authenticated encryption schemes without loss of side-channel protection. Its resistance against side-channel analysis is highly relevant for several applications in practice, like bulk storage settings in general and the protection of FPGA bitfiles and firmware images in particular.


Symbolic Analysis of Higher-Order Side Channel Countermeasures, Elia Bisi, Filippo Melzani, Vittorio Zaccaria
IEEE Transactions on Computers, 2017.

[ More ]

Abstract: In this paper, we deal with the problem of efficiently assessing the higher order vulnerability of a hardware cryptographic circuit. Our main concern is to provide methods that allow a circuit designer to detect early in the design cycle if the implementation of a Boolean-additive masking countermeasure does not hold up to the required protection order. To achieve this goal, we promote the search for vulnerabilities from a statistical problem to a purely symbolical one and then provide a method for reasoning about this new symbolical interpretation. Eventually we show, with a synthetic example, how the proposed conceptual tool can be used for exploring the vulnerability space of a cryptographic primitive.


Physically Unclonable Function using CMOS Breakdown Position, Kai-Hsin Chuang, Erik Bury, Robin Degraeve, Ben Kaczer, Guido Groeseneken, Ingrid Verbauwhede and Dimitri Linten
54th International Reliability Physics Symposium (IRPS 2017), 2017.

[ More ]

Abstract: A novel physically unclonable function (PUF) utilizing the intrinsic randomness of oxide breakdown (BD) positions in CMOS transistors is presented. The advantages of this approach are studied and validated by measurements on test-chips fabricated in a commercial 40nm CMOS process. Experiments show that the required soft BDs can be reliably generated in a sufficiently short period. The randomness of the utilized mechanism shows excellent properties, required for PUF applications: an overall bias of 0.498 and inter-chip hamming distance (HD) of 0.501. Further analysis of the current distributions reveals a dependence of operating voltage on readout resolution and window. Finally, dedicated experiments with external heating and embedded poly-heaters show that these soft BDs are stable and show no read-out errors up to operating temperatures of 600K.


2016:

Cryptanalysis of Simpira v1, Christoph Dobraunig, Maria Eichelseder, Florian Mendel
23rd Conference on Selected Areas in Cryptography (SAC 2016), 2016.

[ More ]

Abstract: Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers' security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity 282.62 for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity 22110.16 for 16 rounds and the full 512-bit hash value. These attacks violate the designers' security claims that there are no structural distinguishers with complexity below 22128.


Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR, Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard
23rd ACM Conference on Computer and Communications Security (ACM CCS), 2016.

[ More ]

Abstract: Modern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions. This allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch inaccessible privileged memory into various caches on Intel x86. It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties. Our first attack retrieves an exact image of the full paging hierarchy of a process, defeating both user space and kernel space ASLR. Our second attack resolves virtual to physical addresses to bypass SMAP on 64-bit Linux systems, enabling ret2dir attacks. We demonstrate this from unprivileged user programs on Linux and inside Amazon EC2 virtual machines. Finally, we demonstrate how to defeat kernel ASLR on Windows 10, enabling ROP attacks on kernel and driver binary code. We propose a new form of strong kernel isolation to protect commodity systems incuring an overhead of only 0.06-5.09%.


Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementne Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
23rd ACM Conference on Computer and Communications Security (ACM CCS), 2016.

[ More ]

Abstract: Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the first Rowhammer-based Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and find that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.


Upper Bounds on The Min-Entropy of RO Sum, Arbiter, Feed-Forward Arbiter, and S-ArbRO PUFs, Jeroen Delvaux, Dawu Gu and Ingrid Verbauwhede
IEEE Asian Hardware Oriented Security and Trust Symposium (AsianHOST), 2016.

[ More ]

Abstract: The focus and novelty of this work is the derivation of tight upper bounds on the min-entropy of several physically unclonable funcions (PUFs), i.e., Ring Oscillator Sum, Arbiter, Feed-Forward Arbiter, and S-ArbRO PUFs. This constrains their usability for the fuzzy extraction of a secret key, as an alternative to storing keys in non-volatile memory. For example, it is shown that an ideal Arbiter PUF with 64 stages cannot provide more than 197 bits of min-entropy. At Financial Cryptography 2012, Van Herrewege et al. assume that 1785 bits of min-entropy can be extracted, which renders their 128-bit key generator instantly insecure. We also derive upper bounds that comply with nonideal PUFs, attributed to, e.g., manufacturing in silicon. As a side contribution hereby, we refute the claim that S-ArbRO PUFs are highly resistant against machine learning.


A Methodology for the Characterization of Leakages in Combinatorial Logic, Guido Bertoni, Marco Martinoli
6th International Conference on Security, Privacy and Applied Cryptographic Engineering (SPACE 2016), 2016.

[ More ]

Abstract: Glitches represent a great danger for hardware implementations of cryptographic schemes. Their intrinsic random nature makes them difficult to tackle and their occurrence threatens side-channel protections. Although countermeasures aiming at structurally solving the problem already exist, they usually require some effort to be applied or introduce non-negligible overhead in the design. Our work addresses the gap between such countermeasures and the naive implementation of schemes being vulnerable in the presence of glitches. Our contribution is twofold: (1) we expand the mathematical framework proposed by Brzozowski and Ésik (FMSD 2003) by meaningfully adding the notion of information leakage, (2) thanks to which we define a formal methodology for the analysis of vulnerabilities in combinatorial circuits when glitches are taken into account.


A Survey of AIS-20/31 Compliant TRNG Cores Suitable for FPGA Devices, Oto Petura, Ugo Mureddu, Nathalie Bochard, Viktor Fischer, Lilian Bossuet
26th International Conference on Field-Programmable Logic and Applications (FPL 2016), 2016.

[ More ]

Abstract: FPGAs are widely used to integrate cryptographic primitives, algorithms, and protocols in cryptographic systems-on-chip (CrySoC). As a building block of CrySoCs, True Random Number Generators (TRNGs) exploit analog noise sources in electronic devices to generate confidential keys, initialization vectors, challenges, nonces, and random masks in cryptographic protocols. TRNGs aimed at cryptographic applications must fulfill the security requirements defined in the German Federal Bureau for Information Security’s (BSI) recommendations AIS-20/31, which has become a de facto standard in Europe. Many TRNG cores have already been published, only a few of which are suitable for FPGAs and even fewer comply with AIS-20/31. Here we present the results of the implementation of AIS-20/31 compliant TRNG cores in three FPGA families: Xilinx Spartan 6, Altera Cyclone V and Microsemi SmartFusion 2. In addition to common design parameters like area, bit rate and power/energy consumption, we compare and discuss the feasibility of generator cores in different FPGAs and the statistical quality of their output. These results will help designers select the best generator and the device family to match the requirements of the data security application. To ensure reproducibility of the results, the open source VHDL code of all generators adapted to individual families can be downloaded from the dedicated web page.


Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes, Christoph Dobraunig, Maria Eichlseder, Thomas Korak, Victor Lomne and Florian Mendel
22nd Annual International Conference on the Theory and Applications of Cryptology and Information Security (Asiacrypt2016), 2016.

[ More ]

Abstract: Since the first demonstration of fault attacks by Boneh et al. on RSA, a multitude of fault attack techniques on various cryptosystems have been proposed. Most of these techniques, like Differential Fault Analysis, Safe Error Attacks, and Collision Fault Analysis, have the requirement to process two inputs that are either identical or related, in order to generate pairs of correct/faulty ciphertexts. However, when targeting authenticated encryption schemes, this is in practice usually precluded by the unique nonce required by most of these schemes. In this work, we present the first practical fault attacks on several noncebased authenticated encryption modes for AES. This includes attacks on the ISO/IEC standards GCM,CCM, EAX, and OCB, as well as several second-round candidates of the ongoing CAESAR competition. All attacks are based on the Statistical Fault Attacks by Fuhr et al., which use a biased fault model and just operate on collections of faulty ciphertexts. Hereby, we put e ort in reducing the assumptions made regarding the capabilities of an attacker as much as possible. In the attacks, we only assume that we are able to influence some byte (or a larger structure) of the internal AES state before the last application of MixColumns, so that the value of this byte is afterwards non-uniformly distributed. In order to show the practical relevance of Statistical Fault Attacks and for evaluating our assumptions on the capabilities of an attacker, we perform several fault-injection experiments targeting real hardware. For instance, laser fault injections targeting an AES co-processor of a smartcard microcontroller, which is used to implement modes like GCM or CCM, show that 4 bytes (resp. all 16 bytes) of the last round key can be revealed with a small number of faulty ciphertexts.


Exploring active manipulation attacks on the TERO random number generator, Yang Cao, Vladimir Rozic, Bohan Yang, Josep Balasch and Ingrid Verbauwhede
59th IEEE International Midwest Symposium on Circuits and Systems (MWSCAS), 2016.

[ More ]

Abstract: True random number generators (TRNGs) are critical components in security systems used to generate session keys, challenges for authentication protocols and masks for secret sharing. Unfortunately, TRNGs are vulnerable to a wide class of physical attacks ranging from passive observation of generated numbers to active manipulation. In this work we investigate the susceptibility of the Transition Effect Ring Oscillator (TERO) TRNG to active manipulation attacks. In particular we perform underpower and low temperature attacks on an implementation of the TERO running on a Xilinx Spartan 6 FPGA and experimentally evaluate the effectiveness of four online tests as countermeasure.


ARMageddon: Cache Attacks on Mobile Devices, Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice and Stefan Mangard
25th Annual USENIX Security Symposium (USENIX Security 2016), 2016.

[ More ]

Abstract: In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more multi-core ARM CPUs that have a different cache organization and instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have been demonstrated on non-rooted Android smartphones. In this work, we demonstrate how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges. Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen. Eventually, we are the first to attack cryptographic primitives implemented in Java. Our attacks work across CPUs and can even monitor cache activity in the ARM TrustZone from the normal world. The techniques we present can be used to attack hundreds of millions of Android devices.


TOTAL: TRNG On-the-fly Testing for Attack detection using Lightweight hardware, Bohan Yang, Vladimir Rozic, Nele Mentens, Wim Dehaene and Ingrid Verbauwhede
Design, Automation & Test in Europe Conference & Exhibition (DATE), 2016.

[ More ]

Abstract: We present a design methodology for embedded tests of entropy sources. These tests are necessary to detect attacks and failures of true random number generators. The central idea of this work is to use an empirical design methodology consisting of two phases: collecting the data under attack and finding a useful statistical feature. In this work we focus on statistical features that are implementable in lightweight hardware. This is the first paper to address the design of on-the-fly tests based on the attack effects. The presented design methodology is illustrated with 2 examples: an elementary ring-oscillator based TRNG and a carry-chain based TRNG. The effectiveness of the tests was confirmed on FPGA prototypes.


Iterating Von Neumann’s Post-Processing under Hardware Constraints, Vladimir Rozic, Bohan Yang, Wim Dehaene and Ingrid Verbauwhede
IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2016.

[ More ]

Abstract: In this paper we present a design methodology and hardware implementations of lightweight post-processing modules for debiasing random bit sequences. This work is based on the iterated Von Neumann procedure (IVN). We present a method to maximize the efficiency of IVN for applications with area and throughput constraints. The resulting hardware modules can be applied for post-processing raw numbers in random number generators.


Efficient Fuzzy Extraction of PUF-Induced Secrets: Theory and Applications, Jeroen Delvaux, Dawu Gu, Ingrid Verbauwhede, Matthias Hiller and Meng-Day Yu
Conference on Cryptographic Hardware and Embedded Systems (CHES), 2016.

[ More ]

Abstract: The device-unique response of a physically unclonable function (PUF) can serve as the root of trust in an embedded cryptographic system. Fuzzy extractors transform this noisy non-uniformly distributed secret into a stable high-entropy key. The overall efficiency thereof, typically depending on error-correction with a binary [n; k; d] block code, is determined by the universal and well-known (n - k) bound on the min-entropy loss. We derive new considerably tighter bounds for PUF-induced distributions that suffer from, e.g., bias or spatial correlations. The bounds are easy-to-evaluate and apply to large non-trivial codes, e.g., BCH, Hamming and Reed-Muller codes. Apart from an inherent reduction in implementation footprint, the newly developed theory also facilitates the analysis of state-of-the-art error-correction methods for PUFs. As such, we debunk the reusability claim of the reverse fuzzy extractor. Moreover, we provide proper quantitative motivation for debiasing schemes, as this was missing in the original proposals.


Analysis of the Kupyna-256 Hash Function, Christoph Dobraunig, Maria Eichlseder and Florian Mendel
24th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), 2016.

[ More ]

Abstract: The hash function Kupyna was recently published as the Ukrainian standard DSTU 7564:2014. It is structurally very similar to the SHA-3 finalist GrØstl, but differs in details of the round transformations. Most notably, some of the round constants are added with a modular addition, rather than bitwise xor. This change prevents a straightforward application of some recent attacks, in particular of the rebound attacks on the compression function of similar AES-like hash constructions. However, we show that it is actually possible to mount rebound attacks, despite the presence of modular constant additions. More specifically, we describe collision attacks on the compression function for 6 (out of 10) rounds of Kupyna-256 with an attack complexity of 270, and for 7 rounds with complexity 2125:8. In addition, we have been able to use the rebound attack for creating collisions for the round-reduced hash function itself. This is possible for 4 rounds of Kupyna-256 with complexity 267 and for 5 rounds with complexity 2120.


Square Attack on 7-Round Kiasu-BC, Christoph Dobraunig, Maria Eichlseder and Florian Mendel
14th International Conference on Applied Cryptography and Network Security (ACNS), 2016.

[ More ]

Abstract: Kiasu-BC is a tweakable block cipher presented within the TWEAKEY framework at AsiaCrypt 2014. Kiasu-BC is almost identical to AES-128, the only difference to AES-128 is the tweak addition, where the 64-bit tweak is xored to the first two rows of every round-key. The security analysis of the designers focuses primarily on related-key related-tweak differential characteristics and meet-in-the-middle attacks. For other attacks, they conclude that the security level of Kiasu-BC is similar to AES-128. In this work, we provide the first third-party analysis of Kiasu-BC. We show that we can mount Square attacks on up to 7-round Kiasu-BC with a complexity of about 248:5 encryptions, which improves upon the best published 7-round attacks for AES-128. Furthermore, we show that such attacks are applicable to the round-reduced JCB3-like mode of the CAESAR candidate Kiasu6=. To be specific, we show a key-recovery attack on 7-round Kiasu6= with a complexity of about 282 encryptions.


Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript, Daniel Gruss, Clémentine Maurice and Stefan Mangard
13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2016.

[ More ]

Abstract: A fundamental assumption in software security is that a memory location can only be modified by processes that may write to this memory location. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, but by accessing other memory locations in a high frequency. This so-called Rowhammer bug occurs in most of today's memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation attacks. All studies and attacks related to Rowhammer so far rely on the availability of a cache flush instruction in order to cause accesses to DRAM modules at a sufficiently high frequency. We overcome this limitation by defeating complex cache replacement policies. We show that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. This allows to trigger the Rowhammer bug in highly restricted and even scripting environments. We demonstrate a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware. Thereby we can gain unrestricted access to systems of website visitors. We show that the attack works on off-the-shelf systems. Existing countermeasures fail to protect against this new Rowhammer attack.


Flush+Flush: A Fast and Stealthy Cache Attack, Daniel Gruss, Clémentine Maurice, Klaus Wagner and Stefan Mangard
13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2016.

[ More ]

Abstract: Research on cache attacks has shown that CPU caches leak signi_cant information. Proposed detection mechanisms assume that all cache attacks cause more cache hits and cache misses than benign applications and use hardware performance counters for detection. In this article, we show that this assumption does not hold by developing a novel attack technique: the Flush+Flush attack. The Flush+Flush attack only relies on the execution time of the ush instruction, which depends on whether data is cached or not. Flush+Flush does not make any memory accesses, contrary to any other cache attack. Thus, it causes no cache misses at all and the number of cache hits is reduced to a minimum due to the constant cache ushes. Therefore, Flush+Flush attacks are stealthy, i.e., the spy process cannot be detected based on cache hits and misses, or state-of-the-art detection mechanisms. The Flush+Flush attack runs in a higher frequency and thus is faster than any existing cache attack. With 496 KB/s in a cross-core covert channel it is 6:7 times faster than any previously published cache covert channel.


Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators, Vladimir Rozic, Bohan Yang, Nele Mentens and Ingrid Verbauwhede
NIST Random Bit Generation Workshop, 2016.

[ More ]

Abstract: We introduce the concept of canary numbers, to be used in health tests for true random number generators. Health tests are essential components of true random number generators because they are used to detect defects and failures of the entropy source. These tests need to be lightweight, low-latency and highly reliable. The proposed solution uses canary numbers which are an extra output of the entropy source of lower quality. This enables an early-warning attack detection before the output of the generator is compromised. We illustrate the idea with 2 case studies of true random number generators implemented on aXilinx Spartan-6 FPGA.


2015:

Higher-Order Threshold Implementation of the AES S-Box, De Cnudde Thomas, Bilgin Begül, Reparaz Oscar, Nikov Ventzislav, Nikova Svetla,
14th Smart Card Research and Advanced Application Conference (CARDIS), 2015.

[ More ]

Abstract: In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests.


On the Impact of Known-Key Attacks on Hash Functions, Bart Mennink and Bart Preneel,
21st Annual International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), 2015.

[ More ]

Abstract: Hash functions are often constructed based on permutations or blockciphers, and security proofs are typically done in the ideal permutation or cipher model. However, once these random primitives are instantiated, vulnerabilities of these instantiations may nullify the security. At ASIACRYPT 2007, Knudsen and Rijmen introduced known-key security of blockciphers, which gave rise to many distinguishing attacks on existing blockcipher constructions. In this work, we analyze the impact of such attacks on primitive-based hash functions. We present and formalize the weak cipher model, which captures the case a blockcipher has a certain weakness but is perfectly random otherwise. A specific instance of this model, considering the existence of sets of B queries whose XOR equals 0 at bit-positions C, where C is an index set, covers a wide range of known-key attacks in literature. We apply this instance to the PGV compression functions, as well as to the Grøstl (based on two permutations) and Shrimpton-Stam (based on three permutations) compression functions, and show that these designs do not seriously succumb to any differential known-key attack known to date.


Forgery and Subkey Recovery on CAESAR candidate iFeed, Willem Schroé, Bart Mennink, Elena Andreeva and Bart Preneel,
22nd International Conference on Selected Areas in Cryptography (SAC), 2015.

[ More ]

Abstract: iFeed is a blockcipher-based authenticated encryption design by Zhang, Wu, Sui, and Wang and a first round candidate to the CAESAR competition. iFeed is claimed to achieve confidentiality and authenticity in the nonce-respecting setting, and confidentiality in the nonce-reuse setting. Recently, Chakraborti et al. published forgeries on iFeed in the RUP and nonce-reuse settings. The latter attacks, however, do not invalidate the iFeed designers' security claims. In this work, we consider the security of iFeed in the nonce-respecting setting, and show that a valid forgery can be constructed after only one encryption query. Even more, the forgery leaks both subkeys EK(0128) and EK(PMN||1), where K is the secret key and PMN the nonce used for the authenticated encryption. Furthermore, we show how at the price of just one additional forgery one can learn EK(P*) for any freely chosen plaintext P*. These design weaknesses allow one to decrypt earlier iFeed encryptions under the respective nonces, breaking the forward secrecy of iFeed, and leading to a total security compromise of the iFeed design.


A Physical Approach for Stochastic Modeling of TERO-based TRNG, Patrick Haddad, Viktor Fischer, Florent Bernard and Jean Nicolai,
Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2015.

[ More ]

Abstract: Security in random number generation for cryptography is closely related to the entropy rate at the generator output. This rate has to be evaluated using an appropriate stochastic model. The stochastic model proposed in this paper is dedicated to the transition effect ring oscillator (TERO) based true random number generator (TRNG) proposed by Varchola and Drutarovsky in 2010. The advantage and originality of this model is that it is derived from a physical model based on a detailed study and on the precise electrical description of the noisy physical phenomena that contribute to the generation of random numbers. We compare the proposed electrical description with data generated in a 28 nm CMOS ASIC implementation. Our experimental results are in very good agreement with those obtained with both the physical model of TERO’s noisy behavior and with the stochastic model of the TERO TRNG, which we also confirmed using the AIS 31 test suites.


Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches, Daniel Gruss, Raphael Spreitzer and Stefan Mangard,
24th USENIX Security Symposium, 2015.

[ More ]

Abstract: Recent work on cache attacks has shown that CPU caches represent a powerful source of information leakage. However, existing attacks require manual identification of vulnerabilities, i.e., data accesses or instruction execution depending on secret information. In this paper, we present Cache Template Attacks. This generic attack technique allows us to profile and exploit cachebased information leakage of any program automatically, without prior knowledge of specific software versions or even specific system information. Cache Template Attacks can be executed online on a remote system without any prior offline computations or measurements. Cache Template Attacks consist of two phases. In the profiling phase, we determine dependencies between the processing of secret information, e.g., specific key inputs or private keys of cryptographic primitives, and specific cache accesses. In the exploitation phase, we derive the secret values based on observed cache accesses. We illustrate the power of the presented approach in several attacks, but also in a useful application for developers. Among the presented attacks is the application of Cache Template Attacks to infer keystrokes and—even more severe—the identification of specific keys on Linux and Windows user interfaces. More specifically, for lowercase only passwords, we can reduce the entropy per character from log2(26) = 4.7 to 1.4 bits on Linux systems. Furthermore, we perform an automated attack on the T-table-based AES implementation of OpenSSL that is asefficient as state-of-the-art manual cache attacks.


Practical Memory Deduplication Attacks in Sandboxed Javascript, Daniel Gruss, David Bidner and Stefan Mangard,
20th European Symposium on Research in Computer Security (ESORICS), 2015.

[ More ]

Abstract: Page deduplication is a mechanism to reduce the memory footprint of a system. Identical physical pages are identified across borders of virtual machines and programs and merged by the operating system or the hypervisor. However, this enables side-channel information leakage through cache or memory access time. Therefore, it is considered harmful in public clouds today, but it is still considered safe to use in a private environment, i.e., private clouds, personal computers, and smartphones. We present the first memory-disclosure attack in sandboxed Javascript which exploits page deduplication. Unlike previous attacks, our attack does not require the victim to execute an adversary’s program, but simply to open a website which contains the adversary’s Javascript code. We are not only able to determine which applications are running, but also specific user activities, for instance, whether the user has specific websites currently opened. The attack works on servers, personal computers and smartphones, and across the borders of virtual machines.