Zur Webseite der Uni Stuttgart

SHIVA: Sichere Hardware in der Informationsverarbeitung

seit 02.2016,    

Forschungsprogramm der Baden-Württemberg Stiftung

IKT-Sicherheit für weltweit vernetzte vertrauenswürdige Infrastrukturen 

 

Sichere Informations- und Kommunikationstechnologien erfordern integrierte und aufeinander abgestimmte Schutzmaßnahmen auf allen Ebenen, beginnend von der Systemarchitektur über die Anwendungen und die Software, die Hardwarearchitektur, die Bausteinebene bis hin zur elektrischen Ebene. Isolierte Schutzmaßnahmen auf einer oder mehreren Ebenen werden entwertet, wenn Angriffe über andere Wege möglich sind. Eine besondere Rolle spielt hier die Hardware eines sicheren IKT-Systems, da sie neben funktionalen Angriffsmöglichkeiten, die auch die Software bietet, zahlreiche nichtfunktionale Angriffskanäle aufweist. Zu diesen gehören beispielsweise elektromagnetische Abstrahlung, Stromverbrauch und insbesondere die nichtfunktionale Infrastruktur. Diese integrierte Chip-Infrastruktur ist notwendig, um mittels kontrolliertem Zugriff auf die Test-, Diagnose- und Wartbarkeitsschnittstellen der Hardware während der Fertigung als auch im Feld einen wirtschaftlichen und zuverlässigen Betrieb zu gewährleisten. Allerdings eröffnet diese Infrastruktur zahlreiche Angriffsmöglichkeiten und kann das System verwundbar machen.

Einer ganz besonderen Gefahr sind hier die sogenannten „Cyber Physical Systems“ (CPS) ausgesetzt, zu denen sicherheitskritische Systeme im Bereich der Automobilelektronik, der Medizintechnik oder auch der Fertigungstechnik (Industrie 4.0) gehören, da sie einem potentiellen Angreifer auch unmittelbar physisch zugänglich sein können. Das Projekt SHIVA wird für die Hardware von IKT-Systemen Entwurfs- und Verifikationsmethoden entwickeln, um auf Chipebene die folgenden Sicherheitseigenschaften zu garantieren:

A) Ausschluss einer beabsichtigen oder unbeabsichtigten Manipulation des Systems

Sowohl aus Sicherheits- als auch aus Lizenzgründen ist es erforderlich zu verhindern, dass ein Anwender die Hardware so beeinflussen kann, dass sie außerhalb ihrer zugelassenen Spezifikation betrieben wird. Ein bekanntes Beispiel sind hier Manipulationen von Steuereinheiten zum Zweck des Fahrzeug-Tunings, welche zur Gefährdung des Betreibers und der Umwelt führen. Entsprechende Gefährdungen finden sich auch in den Bereichen Fertigungstechnik und Medizintechnik. Noch schwerwiegender sind jedoch Manipulationen von dritter Seite, um mutwillig zu schädigen. Auch hierfür finden sich inzwischen Beispielszenarien der Sabotage unterschiedlicher Anwendungen in der Presse.

B) Ausschluss der Beobachtung interner Daten, verwendeter Verfahren und Prozesse

Die Daten, Verfahrensabläufe und Prozessparameter, die IKT-Systeme im industriellen Fertigungsumfeld (Industrie 4.0) oder in medizinischen Anwendungen verarbeiten, sind vertraulich und müssen entsprechend geschützt werden. Sicherheitsplattformen sind derzeit von Halbleiterherstellern angekündigt und zum Teil verfügbar, welche sowohl die Authentifizierung als auch eine „Ende-zu-Ende“ Verschlüsselung unterstützen und dadurch einen sicheren funktionalen Zugriff auf die Prozessoren und die restliche Hardware erlauben. In diesen Ansätzen wird der Chip als Endpunkt betrachtet, aber in aller Regel wird innerhalb der Prozessoren aus Performanzgründen mit Klardaten gearbeitet und lediglich der Speicherinhalt verschlüsselt. Der physische Zugriff auf den Chip und seine integrierte Infrastruktur zur Zuverlässigkeit, Diagnose und Wartung eröffnen viele Möglichkeiten für Seitenangriffe, die ausgeschlossen werden müssen.

C) Schutz des geistigen Eigentums an der Hardware

Anwendungsspezifische Schaltungen und FPGA-basierte rekonfigurierbare Systeme enthalten geistiges Eigentum, das vor Missbrauch und Weitergabe geschützt werden muss, selbst wenn der Zugriff durch den rechtmäßigen Besitzer eines Systems erfolgt. Die Hardware sollte ein Ausforschen der Struktur und sogenanntes „reverse Engineering“ mit funktionalen Mitteln oder über unautorisierte Zugriffe mittels der Infrastruktur nicht gestatten. Zusätzlich dürfen die implementierten Strukturen auch nicht durch Dritte so geändert werden können, dass ungewollte, sicherheitsgefährdende Funktionen versteckt ausgeführt werden. Sogenannte „Trojaner“ sind in der Vergangenheit in konfigurierbare Hardware-Systeme eingeschleust worden, und sogar anwendungsspezifische fremdgefertigte Schaltungen können nicht vertrauenswürdig sein. Schließlich werden sichere Identifikationsverfahren benötigt, die einen Modul und Chip eindeutig erkennen.

Das Projekt SHIVA wird von der Baden-Württemberg Stiftung im Rahmen des Forschungsprogramms IKT-Sicherheit über einen Zeitraum von drei Jahren gefördert. Es ist ein Kooperationsprojekt zwischen dem Institut für Technische Informatik der Universität Stuttgart (Prof. Dr. Wunderlich) und dem Lehrstuhl für Rechnerarchitektur der Universität Freiburg (Prof. Dr. Becker). Die Projektkoordination liegt bei Prof. Dr. Wunderlich.

 

Publikationen

Journale und Tagungsberichte
Matching entries: 0
settings...
12. Security Compliance Analysis of Reconfigurable Scan Networks
Lylina, Natalia; Atteya, Ahmed; Raiola, Pascal; Sauer, Matthias; Becker, Bernd; Wunderlich, Hans-Joachim
Proceedings of the IEEE International Test Conference (ITC'19), Washington DC, USA, 11-15 November 2019
2019
DOI PDF 
Keywords: reconfigurable scan networks, side-channel attacks, security validation
Abstract: Hardware security adds another dimension to the design space, and more and more attention is paid to protect a circuit against various types of attacks like sniffing, spoofing or IP theft. However, all the efforts for security taken by a designer might be sacrificed by afterwards integrating infrastructure for test, diagnosis and reliability management. Especially, access mechanisms like reconfigurable scan networks (RSNs) may open options for side-channel attacks. In this paper, an exact method is presented to verify that a specified RSN does not introduce a new data path which was not already present in the original design. The method uses a matrix-based reachability analysis of the original design and the augmented design.The reachability analysis covers complex functional dependencies, caused by configuring a single scan path as well as multiple sequentially activated scan paths through the RSN. %An accurate computation of the set of functionally possible paths introduced by integrating an RSN into the design is done and used to determine whether any new data paths have been added to the design. This approach adds acceptable runtime to the security verification flow of the design, and shows the designer the introduced possible security violations.
BibTeX:
@inproceedings{LylinARSBW2019,
  author = {Lylina, Natalia and Atteya, Ahmed and Raiola, Pascal and Sauer, Matthias and Becker, Bernd and Wunderlich, Hans-Joachim},
  title = {{Security Compliance Analysis of Reconfigurable Scan Networks}},
  booktitle = {Proceedings of the IEEE International Test Conference (ITC'19)},
  year = {2019},
  keywords = {reconfigurable scan networks, side-channel attacks, security validation},
  abstract = {Hardware security adds another dimension to the design space, and more and more attention is paid to protect a circuit against various types of attacks like sniffing, spoofing or IP theft. However, all the efforts for security taken by a designer might be sacrificed by afterwards integrating infrastructure for test, diagnosis and reliability management. Especially, access mechanisms like reconfigurable scan networks (RSNs) may open options for side-channel attacks. In this paper, an exact method is presented to verify that a specified RSN does not introduce a new data path which was not already present in the original design. The method uses a matrix-based reachability analysis of the original design and the augmented design.The reachability analysis covers complex functional dependencies, caused by configuring a single scan path as well as multiple sequentially activated scan paths through the RSN. %An accurate computation of the set of functionally possible paths introduced by integrating an RSN into the design is done and used to determine whether any new data paths have been added to the design. This approach adds acceptable runtime to the security verification flow of the design, and shows the designer the introduced possible security violations.},
  doi = {http://dx.doi.org/10.1109/ITC44170.2019.9000114},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2019/ITC_LylinARSBW2019.pdf}
}
11. On Secure Data Flow in Reconfigurable Scan Networks
Raiola, Pascal; Thiemann, Benjamin; Burchard, Jan; Atteya, Ahmed; Lylina, Natalia; Wunderlich, Hans-Joachim; Becker, Bernd; Sauer, Matthias
Proceedings of the Conference on Design, Automation and Test in Europe (DATE'19), Florence, Italy, 25-29 March 2019, pp. 1016-1021
2019
DOI PDF 
Keywords: Reconfigurable Scan Network, Hardware Security, Data Dependency, IEEE Std 1687
Abstract: Reconfigurable Scan Networks (RSNs) allow flexible access to embedded instruments for post-silicon test, validation and debug or diagnosis. The increased observability and controllability of registers inside the circuit can be exploited by an attacker to leak or corrupt critical information. Precluding such security threats is of high importance but difficult due to complex data flow dependencies inside the reconfigurable scan network as well as across the underlying circuit logic. This work proposes a method that fine-granularly computes dependencies over circuit logic and the RSN. These dependencies are utilized to detect security violations for a given insecure RSN, which is then transformed into a secure RSN. Experimental results demonstrate the applicability of the method to large academical and industrial designs. Additionally, we report on the required effort to mitigate found security violations which also motivates the necessity to consider the circuit logic in addition to pure scan paths.
BibTeX:
@inproceedings{RaiolTBAKWBS2019,
  author = { Raiola, Pascal and Thiemann, Benjamin and Burchard, Jan and Atteya, Ahmed and Lylina, Natalia and Wunderlich, Hans-Joachim and Becker, Bernd and Sauer, Matthias},
  title = {{On Secure Data Flow in Reconfigurable Scan Networks}},
  booktitle = {Proceedings of the Conference on Design, Automation and Test in Europe (DATE'19)},
  year = {2019},
  pages = {1016--1021},
  keywords = {Reconfigurable Scan Network, Hardware Security, Data Dependency, IEEE Std 1687},
  abstract = {Reconfigurable Scan Networks (RSNs) allow flexible access to embedded instruments for post-silicon test, validation and debug or diagnosis. The increased observability and controllability of registers inside the circuit can be exploited by an attacker to leak or corrupt critical information. Precluding such security threats is of high importance but difficult due to complex data flow dependencies inside the reconfigurable scan network as well as across the underlying circuit logic. This work proposes a method that fine-granularly computes dependencies over circuit logic and the RSN. These dependencies are utilized to detect security violations for a given insecure RSN, which is then transformed into a secure RSN. Experimental results demonstrate the applicability of the method to large academical and industrial designs. Additionally, we report on the required effort to mitigate found security violations which also motivates the necessity to consider the circuit logic in addition to pure scan paths.},
  doi = {http://dx.doi.org/10.23919/DATE.2019.8715172},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2019/DATE_RaiolTBALWBS2019.pdf}
}
10. Detecting and Resolving Security Violations in Reconfigurable Scan Networks
Raiola, Pascal; Kochte, Michael A.; Atteya, Ahmed; Rodríguez Gómez, Laura; Wunderlich, Hans-Joachim; Becker, Bernd; Sauer, Matthias
Proceedings of the 24th IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS'18), Platja d'Aro, Spain, 2-4 July 2018, pp. 91-96
2018
DOI PDF 
Keywords: Reconfigurable Scan Network, Hardware Security, Data Flow, IEEE Std 1687
Abstract: Reconfigurable Scan Networks (RSNs) allow flexible access to embedded instruments for post-silicon validation and debug or diagnosis. However, this scan infrastructure can also be exploited to leak or corrupt critical information as observation and controllability of registers deep inside the circuit are increased. Securing an RSN is mandatory for maintaining safe and secure circuit operations but difficult due to its complex data flow dependencies. This work proposes a method that detects security violations and transforms a given insecure RSN into a secure RSN for which the secure data flow as specified by a user is guaranteed by construction. The presented method is guided by user-defined cost functions that target e.g. test performance or wiring cost. We provide a case study and experimental results demonstrating the applicability of the method to large designs with low runtime.
BibTeX:
@inproceedings{RaiolKARWBS2018,
  author = { Raiola, Pascal and Kochte, Michael A. and Atteya, Ahmed and Rodríguez Gómez, Laura and Wunderlich, Hans-Joachim and Becker, Bernd and Sauer, Matthias},
  title = {{Detecting and Resolving Security Violations in Reconfigurable Scan Networks}},
  booktitle = {Proceedings of the 24th IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS'18)},
  year = {2018},
  pages = {91--96},
  keywords = {Reconfigurable Scan Network, Hardware Security, Data Flow, IEEE Std 1687},
  abstract = {Reconfigurable Scan Networks (RSNs) allow flexible access to embedded instruments for post-silicon validation and debug or diagnosis. However, this scan infrastructure can also be exploited to leak or corrupt critical information as observation and controllability of registers deep inside the circuit are increased. Securing an RSN is mandatory for maintaining safe and secure circuit operations but difficult due to its complex data flow dependencies. This work proposes a method that detects security violations and transforms a given insecure RSN into a secure RSN for which the secure data flow as specified by a user is guaranteed by construction. The presented method is guided by user-defined cost functions that target e.g. test performance or wiring cost. We provide a case study and experimental results demonstrating the applicability of the method to large designs with low runtime.},
  doi = {http://dx.doi.org/10.1109/IOLTS.2018.8474188},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2018/IOLTS_RaiolKARWBS2018.pdf}
}
9. Online Prevention of Security Violations in Reconfigurable Scan Networks
Atteya, Ahmed; Kochte, Michael A.; Sauer, Matthias; Raiola, Pascal; Becker, Bernd; Wunderlich, Hans-Joachim
Proceedings of the 23rd IEEE European Test Symposium (ETS'18), Bremen, Germany, 28 May - 1 June 2018, pp. 1-6
2018
DOI PDF 
Keywords: Hardware security, security specification, IJ-TAG, IEEE Std 1687, reconfigurable scan networks
Abstract: Modern systems-on-chip (SoC) designs are requiring more and more infrastructure for validation, debug, volume test as well as in-field maintenance and repair. Reconfigurable scan networks (RSNs), as allowed by IEEE 1687 (IJTAG) standard, provide flexible access to the infrastructure with low access latency. However, they can also pose a security threat to the system, by leaking information about the system state.
In this paper, we present a protection method that monitors access and checks for violations of security properties online. The method prevents unauthorized access to sensitive and secure instruments. In addition, the system integrator can specify more complex security requirements, including giving multiple users different access privileges. Simultaneous accesses to multiple instruments, that would expose sensitive data to an untrusted core (e.g. from 3rd party vendors) or instrument, can be prohibited. The method does not require any change to the RSN architecture and is easily integrable with IP core designs. The area overhead with respect to the size of the RSN is below 6% and scales well with larger networks.
BibTeX:
@inproceedings{AtteyKSRBW2018,
  author = {Atteya, Ahmed and Kochte, Michael A. and Sauer, Matthias and Raiola, Pascal and Becker, Bernd and Wunderlich, Hans-Joachim},
  title = {{Online Prevention of Security Violations in Reconfigurable Scan Networks}},
  booktitle = {Proceedings of the 23rd IEEE European Test Symposium (ETS'18)},
  year = {2018},
  pages = {1--6},
  keywords = {Hardware security, security specification, IJ-TAG, IEEE Std 1687, reconfigurable scan networks },
  abstract = {Modern systems-on-chip (SoC) designs are requiring more and more infrastructure for validation, debug, volume test as well as in-field maintenance and repair. Reconfigurable scan networks (RSNs), as allowed by IEEE 1687 (IJTAG) standard, provide flexible access to the infrastructure with low access latency. However, they can also pose a security threat to the system, by leaking information about the system state.
In this paper, we present a protection method that monitors access and checks for violations of security properties online. The method prevents unauthorized access to sensitive and secure instruments. In addition, the system integrator can specify more complex security requirements, including giving multiple users different access privileges. Simultaneous accesses to multiple instruments, that would expose sensitive data to an untrusted core (e.g. from 3rd party vendors) or instrument, can be prohibited. The method does not require any change to the RSN architecture and is easily integrable with IP core designs. The area overhead with respect to the size of the RSN is below 6% and scales well with larger networks.}, doi = {http://dx.doi.org/10.1109/ETS.2018.8400685}, file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2018/ETS_AtteyKSRBW2018.pdf} }
8. Trustworthy Reconfigurable Access to On-Chip Infrastructure
Kochte, Michael A.; Baranowski, Rafal; Wunderlich, Hans-Joachim
Proceedings of the 1st International Test Conference in Asia (ITC-Asia'17), Taipei, Taiwan, 13-15 September 2017, pp. 119-124
2017
DOI PDF 
Keywords: Hardware security, trustworthiness, IJTAG, IEEE Std 1687, secure DFT, secure pattern retargeting, reconfigurable scan network
Abstract: The accessibility of on-chip embedded infrastructure for test, reconfiguration, or debug poses a serious security problem. Access mechanisms based on IEEE Std 1149.1 (JTAG), and especially reconfigurable scan networks (RSNs), as allowed by IEEE Std 1500, IEEE Std 1149.1-2013, and IEEE Std 1687 (IJTAG), require special care in the design and development. This work studies the threats to trustworthy data transmission in RSNs posed by untrusted components within the RSN and external interfaces. We propose a novel scan pattern generation method that finds trustworthy access sequences to prevent sniffing and spoofing of transmitted data in the RSN. For insecure RSNs, for which such accesses do not exist, we present an automated transformation that improves the security and trustworthiness while preserving the accessibility to attached instruments. The area overhead is reduced based on results from trustworthy access pattern generation. As a result, sensitive data is not exposed to untrusted components in the RSN, and compromised data cannot be injected during trustworthy accesses.
BibTeX:
@inproceedings{KochtBW2017,
  author = {Kochte, Michael A. and Baranowski, Rafal and Wunderlich, Hans-Joachim},
  title = {{Trustworthy Reconfigurable Access to On-Chip Infrastructure}},
  booktitle = {Proceedings of the 1st International Test Conference in Asia (ITC-Asia'17)},
  year = {2017},
  pages = {119--124},
  keywords = {Hardware security, trustworthiness, IJTAG, IEEE Std 1687, secure DFT, secure pattern retargeting, reconfigurable scan network},
  abstract = {The accessibility of on-chip embedded infrastructure for test, reconfiguration, or debug poses a serious security problem. Access mechanisms based on IEEE Std 1149.1 (JTAG), and especially reconfigurable scan networks (RSNs), as allowed by IEEE Std 1500, IEEE Std 1149.1-2013, and IEEE Std 1687 (IJTAG), require special care in the design and development. This work studies the threats to trustworthy data transmission in RSNs posed by untrusted components within the RSN and external interfaces. We propose a novel scan pattern generation method that finds trustworthy access sequences to prevent sniffing and spoofing of transmitted data in the RSN. For insecure RSNs, for which such accesses do not exist, we present an automated transformation that improves the security and trustworthiness while preserving the accessibility to attached instruments. The area overhead is reduced based on results from trustworthy access pattern generation. As a result, sensitive data is not exposed to untrusted components in the RSN, and compromised data cannot be injected during trustworthy accesses.},
  doi = {http://dx.doi.org/10.1109/ITC-ASIA.2017.8097125},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2017/ITC-ASIA_KochtBW2017.pdf}
}
7. Specification and Verification of Security in Reconfigurable Scan Networks
Kochte, Michael A.; Sauer, Matthias; Rodríguez Gómez, Laura; Raiola, Pascal; Becker, Bernd; Wunderlich, Hans-Joachim
Proceedings of the 22nd IEEE European Test Symposium (ETS'17), Limassol, Cyprus, 22-26 May 2017, pp. 1-6
2017
DOI PDF 
Keywords: Keywords-Access Control, On-Chip Infrastructure, Reconfigurable Scan Network, Verification, Side-Channel Attack, IEEE Std 1687, IJTAG, Hardware Security
Abstract: A large amount of on-chip infrastructure, such as design-for-test, debug, monitoring, or calibration, is required for the efficient manufacturing, debug, and operation of complex hardware systems. The access to such infrastructure poses severe system safety and security threats since it may constitute a side-channel exposing internal state, sensitive data, or IP to attackers. Reconfigurable scan networks (RSNs) have been proposed as a scalable and flexible scan-based access mechanism to on-chip infrastructure. The increasing number and variety of integrated infrastructure as well as diverse access constraints over the system lifetime demand for systematic methods for the specification and formal verification of access protection and security properties in RSNs. This work presents a novel method to specify and verify fine-grained access permissions and restrictions to instruments attached to an RSN. The permissions and restrictions are transformed into predicates that are added to a formal model of a given RSN to prove which access properties hold or do not hold.
BibTeX:
@inproceedings{KochtSRRBW2017,
  author = {Kochte, Michael A. and Sauer, Matthias and Rodríguez Gómez, Laura and Raiola, Pascal and Becker, Bernd and Wunderlich, Hans-Joachim},
  title = {{Specification and Verification of Security in Reconfigurable Scan Networks}},
  booktitle = {Proceedings of the 22nd IEEE European Test Symposium (ETS'17)},
  year = {2017},
  pages = {1--6},
  keywords = {Keywords-Access Control, On-Chip Infrastructure, Reconfigurable Scan Network, Verification, Side-Channel Attack, IEEE Std 1687, IJTAG, Hardware Security},
  abstract = {A large amount of on-chip infrastructure, such as design-for-test, debug, monitoring, or calibration, is required for the efficient manufacturing, debug, and operation of complex hardware systems. The access to such infrastructure poses severe system safety and security threats since it may constitute a side-channel exposing internal state, sensitive data, or IP to attackers. Reconfigurable scan networks (RSNs) have been proposed as a scalable and flexible scan-based access mechanism to on-chip infrastructure. The increasing number and variety of integrated infrastructure as well as diverse access constraints over the system lifetime demand for systematic methods for the specification and formal verification of access protection and security properties in RSNs. This work presents a novel method to specify and verify fine-grained access permissions and restrictions to instruments attached to an RSN. The permissions and restrictions are transformed into predicates that are added to a formal model of a given RSN to prove which access properties hold or do not hold.},
  doi = {http://dx.doi.org/10.1109/ETS.2017.7968247},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2017/ETS_KochtSRRBW2017.pdf}
}
6. Sensitized Path PUF: A Lightweight Embedded Physical Unclonable Function
Sauer, Matthias; Raiola, Pascal; Feiten, Linus; Becker, Bernd; Rührmair, Ulrich; Polian, Ilia
Proceedings of the Conference on Design, Automation and Test in Europe (DATE'17), Lausanne, Switzerland, March 2017, pp. 680-685
2017
DOI  
Keywords: Delays, Entropy, Logic gates, Multiplexing, Reliability, System-on-chip
Abstract: Physical unclonable functions (PUFs) can be used for a number of security applications, including secure on-chip generation of secret keys. We introduce an embedded PUF concept called sensitized path PUF (SP-PUF) that is based on extracting entropy out of inherent timing variability of modules already present in the circuit. The new PUF sensitizes paths of nearly identical lengths and generates response bits by racing transitions through different paths against each other. SP-PUF has lower area overhead and higher speed than earlier embedded PUFs and requires no helper data stored in non-volatile memory beyond standard error-correction information for fuzzy extraction. Compared with standalone PUFs, the new solution intrinsically and inseparably intertwines PUF behavior with functional circuitry, thus complicating invasive attacks or simplifying their detection.
We present a systematic design flow to turn an arbitrary (sufficiently complex) circuit into an SP-PUF. The flow leverages state-of-the-art sensitization algorithms, formal filtering based on statistical analysis, and MaxSAT-based optimization of SP-PUF's area overhead. Experiments show that SP-PUF extracts 256-bit keys with perfect reliability and nearly perfect uniqueness after fuzzy extraction for the majority of standard benchmark circuits.
BibTeX:
@inproceedings{SauerRFBRP2017,
  author = {Sauer, Matthias and Raiola, Pascal and Feiten, Linus and Becker, Bernd and Rührmair, Ulrich and Polian, Ilia},
  title = {{Sensitized Path PUF: A Lightweight Embedded Physical Unclonable Function}},
  booktitle = {Proceedings of the Conference on Design, Automation and Test in Europe (DATE'17)},
  year = {2017},
  pages = {680-685},
  keywords = {Delays, Entropy, Logic gates, Multiplexing, Reliability, System-on-chip},
  abstract = {Physical unclonable functions (PUFs) can be used for a number of security applications, including secure on-chip generation of secret keys. We introduce an embedded PUF concept called sensitized path PUF (SP-PUF) that is based on extracting entropy out of inherent timing variability of modules already present in the circuit. The new PUF sensitizes paths of nearly identical lengths and generates response bits by racing transitions through different paths against each other. SP-PUF has lower area overhead and higher speed than earlier embedded PUFs and requires no helper data stored in non-volatile memory beyond standard error-correction information for fuzzy extraction. Compared with standalone PUFs, the new solution intrinsically and inseparably intertwines PUF behavior with functional circuitry, thus complicating invasive attacks or simplifying their detection. 
We present a systematic design flow to turn an arbitrary (sufficiently complex) circuit into an SP-PUF. The flow leverages state-of-the-art sensitization algorithms, formal filtering based on statistical analysis, and MaxSAT-based optimization of SP-PUF's area overhead. Experiments show that SP-PUF extracts 256-bit keys with perfect reliability and nearly perfect uniqueness after fuzzy extraction for the majority of standard benchmark circuits.}, doi = {http://dx.doi.org/10.23919/DATE.2017.7927076} }
5. Hardware and Software: Verification and Testing.
Soeken, Mathias; Raiola, Pascal; Sterin, Baruch; Becker, Bernd; De Micheli, Giovanni; Sauer, Matthias
Proceedings of the 12th International Haifa Verification Conference (HVC), Haifa, Israel, November 2016, pp. 1-17
2016
DOI  
Abstract: We present an algorithm for computing both functional dependency and unateness of combinational and sequential Boolean functions represented as logic networks. The algorithm uses SAT-based techniques from Combinational Equivalence Checking (CEC) and Automatic Test Pattern Generation (ATPG) to compute the dependency matrix of multi-output Boolean functions. Additionally, the classical dependency definitions are extended to sequential functions and a fast approximation is presented to efficiently yield a sequential dependency matrix. Extensive experiments show the applicability of the methods and the improved robustness compared to existing approaches.
BibTeX:
@inproceedings{SoekeRSBDS2016,
  author = {Soeken, Mathias and Raiola, Pascal and Sterin, Baruch and Becker, Bernd and De Micheli, Giovanni and Sauer, Matthias},
  title = {{Hardware and Software: Verification and Testing. }},
  booktitle = {Proceedings of the 12th International Haifa Verification Conference (HVC)},
  publisher = {Springer International Publishing},
  year = {2016},
  pages = {1--17},
  abstract = {We present an algorithm for computing both functional dependency and unateness of combinational and sequential Boolean functions represented as logic networks. The algorithm uses SAT-based techniques from Combinational Equivalence Checking (CEC) and Automatic Test Pattern Generation (ATPG) to compute the dependency matrix of multi-output Boolean functions. Additionally, the classical dependency definitions are extended to sequential functions and a fast approximation is presented to efficiently yield a sequential dependency matrix. Extensive experiments show the applicability of the methods and the improved robustness compared to existing approaches.},
  doi = {http://dx.doi.org/10.1007/978-3-319-49052-6_1}
}
4. Systemic Frequency Biases in Ring Oscillator PUFs on FPGAs
Feiten, Linus; Oesterle, Jonathan; Martin, Tobias; Sauer, Matthias; Becker, Bernd
IEEE Transactions on Multi-Scale Computing Systems
Vol. 2(3), July 2016, pp. 174-185
2016
DOI  
Keywords: Field programmable gate arrays, Radiation detectors, Table lookup, Delays,Reliability, Payloads
Abstract: Physically unclonable functions (PUFs) are an emerging primitive in hardware security, enabling the identification of computer-chips. A promising type particularly for FPGA implementations is the Ring Oscillator (RO) PUF, where signal delays--stemming from uncontrollable variations in the manufacturing process--are used as device-specific characteristics. Based on experimental results gathered with 38 identical Altera FPGAs, we show the existence of non-device-specific i.e., systemic RO frequency biases, traced back to (1) the internal routing within the RO's look-up tables, (2) the RO locations on the FPGAs, or (3) the non-PUF payload activity. As these biases are the same for all devices, the result is poor inter-device uniqueness and unreliable signatures under changing payloads. After characterizing these biases with a newly developed set of metrics, we suggest a method to overcome them: Using only a small sample of devices, the average bias over all devices for each RO is predicted and the relative differences caused by systemic biases are nullified. We demonstrate the viability of this method by determining the sufficient random sample sizes and showing that the inter-device uniqueness is drastically increased and the PUF signatures become reliable even under changing payload activities.
BibTeX:
@article{FeitenOM2016,
  author = {Feiten, Linus and Oesterle, Jonathan and Martin, Tobias and Sauer, Matthias and Becker, Bernd },
  title = {{Systemic Frequency Biases in Ring Oscillator PUFs on FPGAs }},
  journal = {IEEE Transactions on Multi-Scale Computing Systems},
  year = {2016},
  volume = {2},
  number = {3},
  pages = {174-185},
  keywords = {Field programmable gate arrays, Radiation detectors, Table lookup, Delays,Reliability, Payloads},
  abstract = {Physically unclonable functions (PUFs) are an emerging primitive in hardware security, enabling the identification of computer-chips. A promising type particularly for FPGA implementations is the Ring Oscillator (RO) PUF, where signal delays--stemming from uncontrollable variations in the manufacturing process--are used as device-specific characteristics. Based on experimental results gathered with 38 identical Altera FPGAs, we show the existence of non-device-specific i.e., systemic RO frequency biases, traced back to (1) the internal routing within the RO's look-up tables, (2) the RO locations on the FPGAs, or (3) the non-PUF payload activity. As these biases are the same for all devices, the result is poor inter-device uniqueness and unreliable signatures under changing payloads. After characterizing these biases with a newly developed set of metrics, we suggest a method to overcome them: Using only a small sample of devices, the average bias over all devices for each RO is predicted and the relative differences caused by systemic biases are nullified. We demonstrate the viability of this method by determining the sufficient random sample sizes and showing that the inter-device uniqueness is drastically increased and the PUF signatures become reliable even under changing payload activities.},
  doi = {http://dx.doi.org/10.1109/TMSCS.2016.2598739}
}
3. Formal Verification of Secure Reconfigurable Scan Network Infrastructure
Kochte, Michael A.; Baranowski, Rafal; Sauer, Matthias; Becker, Bernd; Wunderlich, Hans-Joachim
Proceedings of the 21st IEEE European Test Symposium (ETS'16), Amsterdam, The Netherlands, 23-27 May 2016 , pp. 1-6
2016
DOI PDF 
Keywords: Security, Formal verification, IEEE Std 1687, IJTAG, Reconfigurable scan network, Infrastructure, Sidechannel attack
Abstract: Reconfigurable scan networks (RSN) as standardized by IEEE Std 1687 allow flexible and efficient access to on-chip infrastructure for test and diagnosis, post-silicon validation, debug, bring-up, or maintenance in the field. However, unauthorized access or manipulation of the attached instruments, monitors, or controllers pose security and safety risks. Different RSN architectures have recently been proposed to implement secure access to the connected instruments, for instance by authentication and authorization. To ensure that the implemented security schemes cannot be bypassed, design verification of the security properties is mandatory. However, combinational and deep sequential dependencies of modern RSNs and their extensions for security require novel approaches to formal verification for unbounded model checking. This work presents for the first time a formal design verification methodology for security properties of RSNs based on unbounded model checking that is able to verify access protection at logical level. Experimental results demonstrate that state-of-the-art security schemes for RSNs can be efficiently handled, even for very large designs.
BibTeX:
@inproceedings{KochtBSBW2016,
  author = {Kochte, Michael A. and Baranowski, Rafal and Sauer, Matthias and Becker, Bernd and Wunderlich, Hans-Joachim },
  title = {{Formal Verification of Secure Reconfigurable Scan Network Infrastructure}},
  booktitle = {Proceedings of the 21st IEEE European Test Symposium (ETS'16)},
  year = { 2016 },
  pages = {1-6},
  keywords = {Security, Formal verification, IEEE Std 1687, IJTAG, Reconfigurable scan network, Infrastructure, Sidechannel attack},
  abstract = {Reconfigurable scan networks (RSN) as standardized by IEEE Std 1687 allow flexible and efficient access to on-chip infrastructure for test and diagnosis, post-silicon validation, debug, bring-up, or maintenance in the field. However, unauthorized access or manipulation of the attached instruments, monitors, or controllers pose security and safety risks. Different RSN architectures have recently been proposed to implement secure access to the connected instruments, for instance by authentication and authorization. To ensure that the implemented security schemes cannot be bypassed, design verification of the security properties is mandatory. However, combinational and deep sequential dependencies of modern RSNs and their extensions for security require novel approaches to formal verification for unbounded model checking. This work presents for the first time a formal design verification methodology for security properties of RSNs based on unbounded model checking that is able to verify access protection at logical level. Experimental results demonstrate that state-of-the-art security schemes for RSNs can be efficiently handled, even for very large designs.},
  doi = {http://dx.doi.org/10.1109/ETS.2016.7519290},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2016/ETS_KochtBSBW2016.pdf}
}
2. SHIVA: Sichere Hardware in der Informationsverarbeitung
Kochte, Michael A.; Sauer, Matthias; Raiola, Pascal; Becker, Bernd; Wunderlich, Hans-Joachim
Proceedings of the ITG/GI/GMM edaWorkshop 2016, Hannover, Germany, 11-12 May 2016
2016
URL PDF 
Abstract: Das Projekt ”SHIVA: Sichere Hardware in der Informationsverarbeitung“ ist Teil des Forschungsprogramms ”IKTSicherheit für weltweit vernetzte vertrauenswürdige Infrastrukturen“ der Baden-Württemberg Stiftung. Ziel des Projekts sind die Erforschung von Entwurfs- und Verifikationsmethoden zur Steigerung der Sicherheit mikroelektronischer Hardware, beispielsweise aus der Automobilelektronik, der Medizintechnik oder auch der Fertigungstechnik. Es soll damit die missbräuchliche Verwendung nicht-funktionaler Hardware-Infrastruktur zur Beobachtung interner sensibler Daten, verwendeter Verfahren und Prozesse sowie zu Angriffen auf das geistige Eigentum an der Hardware ausgeschlossen werden. Das Projekt ist eine Kooperation des Instituts für Technische Informatik (ITI) der Universität Stuttgart und des Lehrstuhls für Rechnerarchitektur der Universität Freiburg. Dieser Beitrag stellt die Projektziele und erste Forschungsergebnisse vor.
BibTeX:
@inproceedings{KochtSRBW2016,
  author = {Kochte, Michael A. and Sauer, Matthias and Raiola, Pascal and Becker, Bernd and Wunderlich, Hans-Joachim},
  title = {{SHIVA: Sichere Hardware in der Informationsverarbeitung}},
  booktitle = {Proceedings of the ITG/GI/GMM edaWorkshop 2016},
  year = {2016},
  abstract = {Das Projekt ”SHIVA: Sichere Hardware in der Informationsverarbeitung“ ist Teil des Forschungsprogramms ”IKTSicherheit für weltweit vernetzte vertrauenswürdige Infrastrukturen“ der Baden-Württemberg Stiftung. Ziel des Projekts sind die Erforschung von Entwurfs- und Verifikationsmethoden zur Steigerung der Sicherheit mikroelektronischer Hardware, beispielsweise aus der Automobilelektronik, der Medizintechnik oder auch der Fertigungstechnik. Es soll damit die missbräuchliche Verwendung nicht-funktionaler Hardware-Infrastruktur zur Beobachtung interner sensibler Daten, verwendeter Verfahren und Prozesse sowie zu Angriffen auf das geistige Eigentum an der Hardware ausgeschlossen werden. Das Projekt ist eine Kooperation des Instituts für Technische Informatik (ITI) der Universität Stuttgart und des Lehrstuhls für Rechnerarchitektur der Universität Freiburg. Dieser Beitrag stellt die Projektziele und erste Forschungsergebnisse vor.},
  url = {http://www.book-on-demand.de/shop/14818},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2016/EDA_KochtSRBW2016.pdf}
}
1. Dependable On-Chip Infrastructure for Dependable MPSOCs
Kochte, Michael A.; Wunderlich, Hans-Joachim
Proceedings of the 17th IEEE Latin American Test Symposium (LATS'16), Foz do Iguaçu, Brazil, 6-8 April 2016 , pp. 183-188
2016
DOI PDF 
Keywords: Dependability, on-chip infrastructure, reconfigurable scan network, IEEE Std 1687, iJTAG, hardware security
Abstract: Today's MPSOCs employ complex on-chip infrastructure and instrumentation for efficient test, debug, diagnosis, and post-silicon validation, reliability management and maintenance in the field, or monitoring and calibration during operation. To enable flexible and efficient access to such instrumentation, reconfigurable scan networks (RSNs) as recently standardized by IEEE Std 1687 can be used. Given the importance of infrastructure for the dependability of the whole MPSOC, however, the RSN itself must be highly dependable. This paper addresses dependability issues of RSNs including verification, test, and security, and their importance for dependable MPSOCs. First research results are summarized, and open questions for future work are highlighted.
BibTeX:
@inproceedings{KochtW2016,
  author = {Kochte, Michael A. and Wunderlich, Hans-Joachim},
  title = {{Dependable On-Chip Infrastructure for Dependable MPSOCs}},
  booktitle = {Proceedings of the 17th IEEE Latin American Test Symposium (LATS'16)},
  year = { 2016 },
  pages = {183-188},
  keywords = { Dependability, on-chip infrastructure, reconfigurable scan network, IEEE Std 1687, iJTAG, hardware security },
  abstract = {Today's MPSOCs employ complex on-chip infrastructure and instrumentation for efficient test, debug, diagnosis, and post-silicon validation, reliability management and maintenance in the field, or monitoring and calibration during operation. To enable flexible and efficient access to such instrumentation, reconfigurable scan networks (RSNs) as recently standardized by IEEE Std 1687 can be used. Given the importance of infrastructure for the dependability of the whole MPSOC, however, the RSN itself must be highly dependable. This paper addresses dependability issues of RSNs including verification, test, and security, and their importance for dependable MPSOCs. First research results are summarized, and open questions for future work are highlighted.},
  doi = {http://dx.doi.org/10.1109/LATW.2016.7483366},
  file = {http://www.iti.uni-stuttgart.de/fileadmin/rami/files/publications/2016/LATS_KochtW2016.pdf}
}
Created by JabRef on 14/04/2022.
Workshopbeiträge
Matching entries: 0
settings...
2. Quantifying Security in Reconfigurable Scan Networks
Rodríguez Gómez, Laura; Kochte, Michael A.; Atteya, Ahmed; Wunderlich, Hans-Joachim
2nd International Test Standards Application Workshop (TESTA), co-located with IEEE European Test Symposium, Limassol, Cyprus, 25-26 May 2017
2017
 
BibTeX:
@inproceedings{RodriKAW2017,
  author = {Rodríguez Gómez, Laura and Kochte, Michael A. and Atteya, Ahmed and Wunderlich, Hans-Joachim},
  title = {{Quantifying Security in Reconfigurable Scan Networks}},
  booktitle = {2nd International Test Standards Application Workshop (TESTA), co-located with IEEE European Test Symposium},
  year = {2017}
}
1. SAT-based Functional Dependency Computation
Soeken, Mathias; Raiola, Pascal; Sterin, Baruch; Sauer, Matthias
International Workshop on Logic & Synthesis (IWLS), Austin, Texas, USA June 2016
2016
 
BibTeX:
@inproceedings{SoekeRSS2016,
  author = {Soeken, Mathias and Raiola,Pascal and Sterin, Baruch and Sauer, Matthias},
  title = {{SAT-based Functional Dependency Computation}},
  booktitle = {International Workshop on Logic & Synthesis (IWLS)},
  year = {2016}
}
Created by JabRef on 14/04/2022.

Kontakte

Akzeptieren

Diese Webseite verwendet Cookies. Durch die Nutzung dieser Webseite erklären Sie sich damit einverstanden, dass Cookies gesetzt werden. Mehr erfahren, zum Datenschutz