Papers by Mohammad Ebrahimabadi
2023 IEEE 41st VLSI Test Symposium (VTS)
2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
Masking schemes have been introduced to thwart side-channel attacks. In software applications, attackers can measure leakage at several points in time and combine them to defeat the masking. In hardware gate-level masking, all shares of a masked variable are manipulated at the same time in a nanoscale circuit. In this article, we focus on setups where the attacker uses one mesoscopic probe, which measures an aggregated leakage of all shares. We consider masking schemes where each bit is randomly split (by XOR) into so-called shares (two or more). We analyze two interesting case studies about the interrelationship of attack order vs. the number of shares. First of all, we show that when the unique probe is measuring the sum of each share's individual leakage (so-called Hamming weight model), one measurement can reveal the sensitive unshared value, provided the attacker is able to determine the leakage's least significant bit. Second, we analyze a hardware masking belonging to threshold schemes. Such schemes require fulfilling a so-called incompleteness property, whereby some input shares must be absent from output shares. We analyze a first-order incomplete scheme, i.e., where the number of missing input shares is equal to one. In schemes such as threshold implementation, this requires the number of shares to be strictly more than two. Hence the natural question is whether such a scheme would resist high-order attacks of order also strictly more than two. We answer in the negative, and show that the lowest attack order is two: the security of such a masking scheme is governed by the order of incompleteness and not by the number of shares. We verify our findings using four different sets of experiments including theoretical analysis, digital simulation, HSpice simulation and also real silicon (FPGA emulation).
Index Terms: Gate-level masking, number of shares, threshold schemes/threshold implementation (TI), incompleteness order, high-order monovariate attacks, statistical moments of a distribution, Hamming weight least significant bit leakage, 2nd-order leakage of threshold implementation style.
GLOBECOM 2022 - 2022 IEEE Global Communications Conference, Dec 4, 2022
2022 IEEE International Conference on E-health Networking, Application & Services (HealthCom)
2022 35th International Conference on VLSI Design and 2022 21st International Conference on Embedded Systems (VLSID)
In most PUF-based authentication schemes, a central server is usually engaged to verify the response of the device's PUF to challenge bit-streams. However, the server availability may be intermittent in practice. To tackle such an issue, this paper proposes a new protocol for supporting distributed authentication while avoiding vulnerability to information leakage where CRPs could be retrieved from hacked devices and collectively used to model the PUF. The main idea is to provision for scrambling the challenge bit-stream in a way that is dependent on the verifier. The scrambling pattern varies per authentication round for each device and independently across devices. In essence, the scrambling function becomes node- and packet-specific, and the response received by two verifiers of one device for the same challenge bit-stream could vary. Thus, neither can the scrambling function be reverted, nor can the PUF be modeled, even by a collusive set of malicious nodes. The validation results using data of an FPGA-based implementation demonstrate the effectiveness of our approach in thwarting PUF modeling attacks by collusive actors. We also discuss the approach's resiliency against impersonation, Sybil, and reverse engineering attacks.
Proceedings of the 19th International Conference on Security and Cryptography
Cryptographic chips are prone to side-channel analysis attacks aiming at extracting their secrets. Side-channel leakage is particularly hard to remove completely, unless using a bottom-up approach (compositional security). On the contrary, industrial secure-by-design methods rather rely on a top-down approach: (would-be) protected circuits are synthesized by Electronic Design Automation (EDA) tools. Tracking that no leakage exists at any refinement stage is therefore a challenge. Experience has shown that multiple leakages can resurge out of the blue when a sound RTL design is turned into a technology-mapped netlist. Checking for leaks and identifying them is a challenge. When the netlist is unstructured (e.g., it results from an EDA tool), dynamic checking appears as the most straightforward approach. It is feasible, given only a few thousand execution traces, to decide with great certainty whether or not a leakage hides at some time samples within the trace. In practice, such easy detection is fostered by the fact that the activity of signals in cryptographic implementations (even more so for masked implementations) is almost maximal (=50%). The remaining question is about the adequate abstraction level of the simulation. The highest possible abstractions are preferred, as they potentially capture more situations. However, if the simulation is too abstract, it may model reality inappropriately. In this paper, we explore whether or not an evenemential simulation (toggle count) is faithful with respect to a low-level simulation (at SPICE level). Our results show that both abstraction levels match qualitatively for unprotected implementations. However, abstract toggle count simulations are no longer connected to real SPICE simulations in masked implementations. The reason is that the effect of the random mask is to mix evenemential simulations (which only reflect "approximately" the SPICE reality) together, in such a way that the useful information is lost. Therefore, masked logic netlist implementations shall be analysed only at SPICE level.
Because of their simple hardware requirements, low bitwidth neural networks (NNs) have gained significant attention over recent years, and have been extensively employed in electronic devices that seek efficiency and performance. Research has shown that scaled-up low bitwidth NNs can have accuracy levels on par with their full-precision counterparts. As a result, there seems to be a tradeoff between quantization (q) and scaling (s) of NNs to maintain accuracy. In this paper, we propose QS-NAS, a systematic approach to explore the best quantization and scaling factors for a NN architecture that satisfies a targeted accuracy level and results in the least energy consumption per inference when deployed to hardware (an FPGA in this work). Compared to the literature using the same VGG-like NN with different q and s over the same datasets, our selected optimal NNs deployed to a low-cost tiny Xilinx FPGA from the ZedBoard resulted in accuracy levels higher or on par with those...
IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2022
Fault Injection Attacks (FIA) have received a lot of attention in recent years. An adversary launches such an attack to abusively take control over the system or to leak sensitive data. Laser illumination has been considered as an effective technique to launch FIA. Laser-based FIAs are mainly used when the adversary opts to target a specific location in the target circuit. However, thanks to the miniaturization of transistors and the move towards smaller feature sizes, even small laser spots may illuminate more than one gate, making the attack more detectable when the circuitry is equipped with embedded fault detection mechanisms such as digital sensors. In this paper, we use time-to-digital converters, aka digital sensors, to detect the laser shots. We show that by embedding these digital sensors in the target circuitry, the IR drop caused by the laser illumination can be sensed with high accuracy. An alarm is raised when the fault is detected. The simulation results show the high accuracy of the proposed scheme in detecting laser-based FIAs.
The 23rd International Symposium on Quality Electronic Design (ISQED), 2022
An adversary with physical access to a cryptographic device may place the device under an external stress such as overclocking and under-volting in order to generate erroneous outputs based on which the keys can be retrieved. Among fault-injection attacks, Fault Sensitivity Analysis (FSA) has received considerable attention in recent years, as in this attack the adversary does not need to know the faulty output; rather he/she only needs to know whether the injected fault has led to an error or not. Although fault-injection attacks, and in particular FSA, have been extensively studied in the literature and a number of countermeasures have been proposed to mitigate these attacks, the impact of device aging on the success of these attacks is still an open question. Due to aging, the specifications of transistors deviate from their fabrication-time specification, leading to a change of the circuit's delay over time. In this paper, we focus on the impact of aging in collision timing attacks (one of the strongest variants of FSA attacks). The corresponding results, realized by extensive HSpice simulations, show that the aging-induced impacts can facilitate such an attack. This calls for aging-resilient countermeasures that sustain the security over the lifetime of the cryptographic devices.
Journal of electronic testing (JETTA), 2021
Hazards or intentional perturbations must be identified in safety- and security-critical applications. Digital sensors have been shown to be an appealing approach to detect such abnormalities. However, as with any sensor technology, digital sensors are prone to mis-calibration. In particular, even if the digital sensor's initial calibration is correct, the rate of false and missed alarms might increase when the sensor is aged. In this paper, we thoroughly study the impact of aging-induced false and missed alarms. Indeed, aging relates to the usage time, and an a priori model (historical data for environmental variation) for predicting the aging is unrealistic for digital sensors, as tracking the usage time with the related temperature and voltage variation imposes high overhead. Accordingly, we propose an alternative approach where not one but two sensors are deployed. In practice, one
The first two authors contributed equally to this work.
IEEE 19th Annual Consumer Communications & Networking Conference (CCNC), 2022
Pervasive sensing is shaping modern societies and opening the door for many unconventional applications. Instead of the contemporary access model where sensor data is disseminated to a single user, multi-access scenarios are becoming more prevalent, which raises the issues of how to authenticate users, how to ensure access authorization, and how to prevent information leakage. To address these issues, this paper presents a novel lightweight protocol that promotes a data-driven methodology. The idea is to employ hardware primitives to support authentication of legitimate data recipients and to factor in the previously shared data samples in generating encryption keys. Our protocol in essence generates encryption keys that vary per packet and in an implicitly synchronized manner between the data source and each recipient. The generated key is also a function of the hardware primitive and thus effectively prevents data access by unauthorized recipients. We analyze the resilience of our protocol to impersonation, message replay, and hardware primitive modeling attacks. The security properties of our solution are validated using the AVISPA toolset and its performance is compared to asymmetric cryptography approaches.
2020 IEEE 38th International Conference on Computer Design (ICCD), 2020
Integrated circuits can be exposed to various stresses during run-time due to unexpected environmental conditions or attacks. Ensuring that a circuit is not working out-of-specification via sensing its operating conditions, e.g., temperature and voltage, is highly useful in detecting anomalies. Analog sensors have been used to monitor the operating conditions for a long time; however, weaknesses including lack of portability to thin technology nodes, costly and complex calibration processes, and low attack resistance make such sensors inefficient. Digital sensors, via considering the temperature and voltage effects altogether instead of treating each separately, have been demonstrated as a qualified replacement. In this paper, we develop an integrated framework for continuous monitoring of the operating voltage and temperature of each chip. The framework includes an embedded on-chip sensor circuitry along with a Neural Network model that quantifies the temperature and voltage values via processing the data collected by this sensor. The experimental results confirm the high accuracy of the proposed framework in tracking on-chip voltage and temperature variations, i.e., with an average error of 0.014V in a range of 0.65V to 1.4V, and an average error of 3.9°C in a range of -10°C to 150°C, respectively.
IEEE Physical Assurance and Inspection of Electronics (PAINE), 2020
One way for an attacker to break a system is to perturb it. Expected effects are countermeasure deactivation or data corruption to disclose sensitive information. The prevention of such actions relies on detection of abnormal operating conditions. Digital sensors can play this role. A digital sensor is built out of the very same standard cells as the user logic to be protected. This ensures the advantage that the sensor and the user logic are exposed to the same stress. Balancing true positives and false negatives is a tough question in the field of sensors. This is a general issue, and the best way to mitigate this paradox is to thoroughly investigate their properties, through simulations and real experiments. This results in characterizations, which in turn allow for intuitions on how to handle sensing values. In this paper, we exhibit the complex relationships between propagation times in logic and environmental conditions. Those results reinforce the relevance of the digital sensor versus the adversarial manipulation of environmental conditions: fewer false alarms are raised even if temperature (resp. voltage) is extreme, provided the effect is balanced by voltage (resp. temperature). Owing to the complex relationship between propagation delays, temperature and voltage, this cannot happen with a set of independent temperature and voltage sensors.
34th International Conference on VLSI Design and 2021 20th International Conference on Embedded Systems (VLSID), 2021
Physically Unclonable Functions (PUFs) have been considered as promising lightweight primitives for random number generation and device authentication. Thanks to the imperfections occurring during the fabrication process of integrated circuits, each PUF generates a unique signature which can be used for chip identification. Although supposed to be unclonable, PUFs have been shown to be vulnerable to modeling attacks where a set of collected challenge response pairs are used for training a machine learning model to predict the PUF response to unseen challenges. Challenge obfuscation has been proposed to tackle the modeling attacks in recent years. However, knowing the obfuscation algorithm can help the adversary to model the PUF. This paper proposes a modeling-resilient arbiter-PUF architecture that benefits from the randomness provided by PUFs in concealing the obfuscation scheme. The experimental results confirm the effectiveness of the proposed structure in countering PUF modeling attacks.
IEEE International Conference on Communications (ICC), 2021
A Cyber-Physical System (CPS) refers to the interconnection of control (actuation), computational nodes and sensors, in order to manage physical processes. In recent years, the CPS design methodology has been adopted in several large-scale infrastructures such as smart power grids. Given the application criticality, sustaining the security of these systems is of utmost importance. One of the major security goals is to protect CPS against impersonation, where an adversary intends to manipulate the system state by sending erroneous data that appears to be reported by one of the system nodes, e.g. PMUs of a power grid. This paper proposes a novel hardware-assisted authentication scheme to counter such a threat, by exploiting imperfections that occur in the manufacturing process of integrated circuits. In essence, the proposed scheme associates a fingerprint for each system node so that the authenticity of the data source could be verified. In addition, the paper tackles the threat of message replay where the adversary re-transmits a legitimate message so that the system factors in outdated rather than fresh sensor measurements. This paper thwarts such a replay attack by leveraging the synchronized clocks across the CPS nodes, e.g., based on GPS; the idea is to employ a combination of time-stamp signatures and hardware fingerprints. Our proposed schemes can also detect and prevent data forgery and Sybil attacks. The viability and performance of the proposed schemes are validated through analysis and prototype implementation.
IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2021
A Physically Unclonable Function (PUF) is an effective option for device authentication, especially for IoT frameworks with resource-constrained devices. However, PUFs are vulnerable to modeling attacks which build a PUF model using a small subset of its Challenge-Response Pairs (CRPs). We propose an effective countermeasure against such an attack by employing adversarial machine learning techniques that introduce errors (poison) into the adversary's model. The approach intermittently provides wrong responses for the fed challenges. Coordination among the communicating parties is pursued to prevent the poisoned CRPs from causing the device authentication to fail. The experimental results extracted for a PUF implemented on FPGA demonstrate the efficacy of the proposed approach in thwarting modeling attacks. We also discuss the resiliency of the proposed scheme against impersonation and Sybil attacks.
IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS, 2021
The last decade has witnessed remarkable research advances at the intersection of machine learning (ML) and hardware security. The confluence of the two technologies has created many interesting and unique opportunities, but also left some issues in their wake. ML schemes have been extensively used to enhance the security and trust of embedded systems, e.g., for hardware Trojan and malware detection. On the other hand, ML-based approaches have also been adopted by adversaries to assist side-channel attacks, reverse engineer integrated circuits and break hardware security primitives like Physically Unclonable Functions (PUFs). Deep learning is a subfield of ML. It can continuously learn from a large amount of labeled data with a layered structure. Despite the impressive outcomes demonstrated by deep learning in many application scenarios, its dark side has not been fully exposed yet. The inability to fully understand and explain what has been done within the super-intelligence can turn an inherently benevolent system into a malevolent one. Recent research has revealed that the outputs of Deep Neural Networks (DNNs) can be easily corrupted by imperceptibly small input perturbations. As computations are brought nearer to the source of data creation, the attack surface of DNNs has also been extended from the input data to the edge devices. Accordingly, due to the opportunities of ML-assisted security and the vulnerabilities of ML implementation, in this paper we survey the applications, vulnerabilities and fortification of ML from the perspective of hardware security. We discuss the possible future research directions, and thereby share a roadmap for the hardware security community in general.
IEEE Design, Automation & Test in Europe Conference & Exhibition (DATE), 2022
Internet-of-Things (IoT) devices are natural targets for side-channel attacks. Still, side-channel leakage can be complex: its modeling can be assisted by statistical tools. Projection of the leakage into an orthonormal basis allows one to understand its structure, typically linear (1st-order leakage) or non-linear (sometimes referred to as glitches). In order to ensure cryptosystem protection, several masking methods have been published. Unfortunately, they follow different strategies; thus it is hard to compare them. Namely, ISW is constructive, GLUT is systematic, RSM is a low-entropy version of GLUT, RSM-ROM is a further optimization aiming at balancing the leakage further, and TI aims at avoiding, by design, the leakage arising from the glitches. In practice, no study has compared these styles on an equal basis. Accordingly, in this paper, we present a consistent methodology relying on a Walsh-Hadamard transform in this respect. We consider different masked implementations of substitution boxes of the PRESENT algorithm, as this function is the most leaking in symmetric cryptography. We show that ISW is the most secure among the considered masking implementations. For sure, it takes strong advantage of the knowledge of the PRESENT substitution box equation. Tabulated masking schemes appear to provide a lesser amount of security compared to unprotected counterparts. The leakage is assessed over time, i.e., considering device aging, which contributes to mitigating the leakage differently according to the masking style.
Uploads
Papers by Mohammad Ebrahimabadi
device may place the device under an external stress such as overclocking, and under-volting in order to generate erroneous outputs
based on which the keys can be retrieved. Among fault-injection
attacks, Fault Sensitivity Analysis (FSA) has received considerable
attention in recent years as in this attack the adversary does
not need to know the faulty output; rather he/she only needs
to know whether the injected fault has led to an error or not.
Although fault-injection attacks, and in particular FSA, have been
extensively studied in literature and a number of countermeasures
have been proposed to mitigate these attacks, the impact of device
aging on the success of these attacks is still an open question.
Due to aging, the specifications of transistors deviate from their
fabrication-time specification, leading to a change of circuit’s delay
over time. In this paper, we focus on the impact of aging in collision
timing attacks (one of the strongest variant of FSA attacks). The
corresponding results, realized by extensive HSpice simulations,
show that the aging-induced impacts can facilitate such an attack.
This calls for aging-resilient countermeasures that sustain the
security over the lifetime of the cryptographic devices.
stresses during run-time due to unexpected environmental conditions
or attacks. Ensuring that a circuit is not working out-of-specification
via sensing its operating conditions, e.g., temperature
and voltage, is highly useful in detecting anomalies. Analog
sensors have been used to monitor the operating conditions for
a long time, however, weaknesses including lack of portability
to thin technology nodes, costly & complex calibration process,
and low attack resistance make such sensors inefficient. Digital
sensors, via considering the temperature and voltage effects
altogether instead of treating each separately, have been demonstrated
as a qualified replacement. In this paper, we develop an
integrated framework for continuous monitoring of the operating
voltage and temperature of each chip. The framework includes an
embedded on-chip sensor circuitry along with a Neural Network
model that quantifies the temperature and voltage values via
processing the data collected by this sensor. The experimental
results confirm the high accuracy of the proposed framework in
tracking on-chip voltage and temperature variations, i.e., with
the average error of 0.014V in a range of 0.65V to 1.4V, and the
average error of 3.9°C in a range of -10°C to 150°C, respectively.
perturb it. Expected effects are countermeasure deactivation or
data corruption to disclose sensitive information. The prevention
of such actions relies on detection of abnormal operating
conditions. Digital sensors can play this role. A digital sensor is
built out of the very same standard cells as the user logic to
be protected. This ensures the advantage that the sensor and the
user logic are exposed to the same stress. Balancing True positives
and False negatives is a tough question in field of sensors. This
is a general issue, and the best way to mitigate this paradox is
to thoroughly investigate their properties, through simulations
and real experiments. This results in characterizations, which
in turn allows for intuitions on how to handle sensing values.
In this paper, we exhibit the complex relationships between
propagation times in logic and environmental conditions. Those
results reinforce the relevance of the digital sensor versus the
adversarial manipulation of environmental conditions: fewer false
alarms are raised even if temperature (resp. voltage) is extreme,
provided the effect is balanced by voltage (resp. temperature).
Owing to the complex relationship between propagation delays,
temperature and voltage, this cannot happen with a set of
independent temperature and voltage sensors.
considered as promising lightweight primitives for random number
generation and device authentication. Thanks to the imperfections
occurring during the fabrication process of integrated
circuits, each PUF generates a unique signature which can be
used for chip identification. Although supposed to be unclonable,
PUFs have been shown to be vulnerable to modeling attacks
where a set of collected challenge response pairs are used for
training a machine learning model to predict the PUF response
to unseen challenges. Challenge obfuscation has been proposed
to tackle the modeling attacks in recent years. However, knowing
the obfuscation algorithm can help the adversary to model
the PUF. This paper proposes a modeling-resilient arbiter-PUF
architecture that benefits from the randomness provided by PUFs
in concealing the obfuscation scheme. The experimental results
confirm the effectiveness of the proposed structure in countering
PUF modeling attacks.
of control (actuation), computational nodes and sensors,
in order to manage physical processes. In recent years, the
CPS design methodology has been adopted in several large-scale
infrastructures such as smart power grids. Given the application
criticality, sustaining the security of these systems is of utmost
importance. One of the major security goals is to protect CPS
against impersonation, where an adversary intends to manipulate
the system state by sending erroneous data that appears to be
reported by one of the system nodes, e.g. PMUs of a power grid.
This paper proposes a novel hardware-assisted authentication
scheme to counter such a threat, by exploiting imperfections
that occur in the manufacturing process of integrated circuits.
In essence, the proposed scheme associates a fingerprint for
each system node so that the authenticity of the data source
could be verified. In addition, the paper tackles the threat of
message replay where the adversary re-transmits a legitimate
message so that the system factors in outdated rather than fresh
sensor measurements. This paper thwarts such a replay attack
by leveraging the synchronized clocks across the CPS nodes, e.g.,
based on GPS; the idea is to employ a combination of time-stamp
signatures and hardware fingerprints. Our proposed schemes can
also detect and prevent data forgery, and Sybil attacks. The
viability and performance of the proposed schemes are validated
through analysis and prototype implementation.
device may place the device under an external stress such as overclocking, and under-volting in order to generate erroneous outputs
based on which the keys can be retrieved. Among fault-injection
attacks, Fault Sensitivity Analysis (FSA) has received considerable
attention in recent years as in this attack the adversary does
not need to know the faulty output; rather he/she only needs
to know whether the injected fault has led to an error or not.
Although fault-injection attacks, and in particular FSA, have been
extensively studied in the literature and a number of countermeasures
have been proposed to mitigate these attacks, the impact of device
aging on the success of these attacks is still an open question.
Due to aging, the specifications of transistors deviate from their
fabrication-time specification, leading to a change of the circuit's delay
over time. In this paper, we focus on the impact of aging on collision
timing attacks (one of the strongest variants of FSA attacks). The
corresponding results, obtained through extensive HSpice simulations,
show that the aging-induced effects can facilitate such an attack.
This calls for aging-resilient countermeasures that sustain the
security over the lifetime of cryptographic devices.
stresses during run-time due to unexpected environmental conditions
or attacks. Ensuring that a circuit is not working out of specification
by sensing its operating conditions, e.g., temperature
and voltage, is highly useful in detecting anomalies. Analog
sensors have been used to monitor the operating conditions for
a long time; however, weaknesses including lack of portability
to thin technology nodes, a costly and complex calibration process,
and low attack resistance make such sensors inefficient. Digital
sensors, by considering the temperature and voltage effects
jointly rather than treating each separately, have been demonstrated
to be a qualified replacement. In this paper, we develop an
integrated framework for continuous monitoring of the operating
voltage and temperature of each chip. The framework includes an
embedded on-chip sensor circuit along with a neural network
model that quantifies the temperature and voltage values by
processing the data collected by this sensor. The experimental
results confirm the high accuracy of the proposed framework in
tracking on-chip voltage and temperature variations, with an
average error of 0.014 V over the range 0.65 V to 1.4 V and an
average error of 3.9 °C over the range -10 °C to 150 °C, respectively.
perturb it. Expected effects are countermeasure deactivation or
data corruption to disclose sensitive information. The prevention
of such actions relies on detection of abnormal operating
conditions. Digital sensors can play this role. A digital sensor is
built out of the very same standard cells as the user logic to
be protected. This has the advantage that the sensor and the
user logic are exposed to the same stress. Balancing true positives
and false negatives is a difficult question in the field of sensors. This
is a general issue, and the best way to mitigate this paradox is
to thoroughly investigate the sensors' properties, through simulations
and real experiments. This results in characterizations, which
in turn allow for intuitions on how to handle sensed values.
In this paper, we exhibit the complex relationships between
propagation times in logic and environmental conditions. Those
results reinforce the relevance of the digital sensor versus the
adversarial manipulation of environmental conditions: fewer false
alarms are raised even if temperature (resp. voltage) is extreme,
provided the effect is balanced by voltage (resp. temperature).
Owing to the complex relationship between propagation delays,
temperature and voltage, this cannot happen with a set of
independent temperature and voltage sensors.
considered as promising lightweight primitives for random number
generation and device authentication. Thanks to the imperfections
occurring during the fabrication process of integrated
circuits, each PUF generates a unique signature which can be
used for chip identification. Although supposed to be unclonable,
PUFs have been shown to be vulnerable to modeling attacks,
where a set of collected challenge-response pairs is used to
train a machine learning model to predict the PUF response
to unseen challenges. Challenge obfuscation has been proposed
in recent years to tackle modeling attacks. However, knowing
the obfuscation algorithm can help the adversary model
the PUF. This paper proposes a modeling-resilient arbiter-PUF
architecture that benefits from the randomness provided by PUFs
in concealing the obfuscation scheme. The experimental results
confirm the effectiveness of the proposed structure in countering
PUF modeling attacks.