IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
December 7-11, 2020
List of Posters
HawkEye: A Threat Detector for Intelligent Surveillance Cameras Powered with AI Models
Speaker: Mathias Echi, Prairie View A&M University
Abstract: In this paper, we present a prototype implementation of Hawk-Eye, an AI-powered threat detector for smart surveillance cameras. Hawk-Eye can be deployed on central servers hosted in the cloud as well as on the surveillance cameras themselves. It enables the initial analysis of the captured images to take place on-site, which reduces communication overhead and enables swift security actions. On the cloud side, a Mask R-CNN model was built that can detect suspicious objects in an image. On the camera side, a CNN model was built that consumes a stream of images directly from an on-site webcam, classifies them, and displays the results to the user via a GUI-friendly interface. Finally, we evaluated our system using various performance metrics such as classification time and accuracy. Our experimental results showed an average overall prediction accuracy of 94% on our dataset.
A post-quantum secure Gaussian noise sampler
Speaker: Rashmi Agrawal, Boston University
Abstract: While the notion of achieving "quantum supremacy" may be debatable, rapid developments in the field of quantum computing are heading towards more realistic quantum computers. As practical quantum computers become more feasible, the requirement to have quantum-secure cryptosystems becomes more compelling. Due to its many advantages, lattice-based cryptography has become one of the key candidates for designing secure systems for the post-quantum era. The security of lattice-based cryptography is governed by the small error samples generated from a Gaussian distribution. Hence, the Gaussian distribution lies at the core of these cryptosystems. In this paper, we present the hardware design implementation of three different sampling algorithms, including rejection sampling, Box-Muller, and the Ziggurat method, for the Gaussian sampler. Our goal is to provide concrete recommendations for future use and adoption in various cryptosystems based on sampling efficiency, hardware cost, and throughput. The key feature of our design implementation is that it performs high-precision sampling to meet NIST's recommended security level of 112 bits or higher for the post-quantum era, which most existing hardware implementations fail to do. Furthermore, our design implementation is highly optimized for FPGA-based implementation and is also generic, so that it can be seamlessly integrated into most cryptosystems. Synthesis results are obtained using the Vivado design suite for a Xilinx Zynq-7010 CLG400ACX1341 FPGA board.
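The two of the three sampler families named above that are easiest to follow in software, rejection sampling and Box-Muller, as an added software reference example (this is not the poster's hardware design). The sigma, the tail cut tau, the sample count and the RNG seed are this example's own assumptions. The point worth noticing for a hardware designer is that the rejection sampler's number of trials per output varies with the sample, which is a timing side channel unless the implementation hides it, and that Box-Muller followed by rounding yields the rounded Gaussian, an approximation of the discrete Gaussian D_{Z,sigma} rather than the distribution itself.

```python
"""Added example, not from the poster: software reference versions of two of
the three sampler families it names (rejection sampling and Box-Muller) for
the discrete Gaussian D_{Z,sigma}. sigma, the tail cut tau, sample counts and
the RNG seed are this example's own assumptions."""
import math
import random


def discrete_gaussian_rejection(sigma, rng, tau=12.0):
    """Rejection sampling from D_{Z,sigma}: draw x uniformly from the integers
    in [-tau*sigma, tau*sigma], accept with probability exp(-x^2 / 2 sigma^2).
    Returns (sample, number_of_trials). The trial count varies per sample,
    which is exactly the data-dependent timing a hardware design must hide."""
    bound = int(math.ceil(tau * sigma))
    trials = 0
    while True:
        trials += 1
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-(x * x) / (2.0 * sigma * sigma)):
            return x, trials


def rounded_gaussian_box_muller(sigma, rng):
    """Box-Muller: two uniforms give one standard normal, scaled by sigma and
    rounded to the nearest integer. This is the *rounded* Gaussian, an
    approximation of D_{Z,sigma} that is close for sigma of a few units but
    not identical, so a proof written for D_{Z,sigma} does not carry over
    automatically."""
    u1 = rng.random()
    while u1 == 0.0:               # log(0) is undefined
        u1 = rng.random()
    u2 = rng.random()
    z = math.sqrt(-2.0 * math.log(u1)) * math.cos(2.0 * math.pi * u2)
    return int(round(sigma * z))


def _mean_std(xs):
    mean = sum(xs) / len(xs)
    var = sum((x - mean) ** 2 for x in xs) / len(xs)
    return mean, math.sqrt(var)


def run_demo(sigma=3.2, n=4000, seed=2020):
    """Draw n samples with each method and report the statistics a designer
    would compare: mean, standard deviation, the largest |x| seen, and the
    average number of trials the rejection sampler needed per output."""
    rng = random.Random(seed)
    rej = [discrete_gaussian_rejection(sigma, rng) for _ in range(n)]
    rej_x = [x for x, _ in rej]
    rej_mean, rej_std = _mean_std(rej_x)
    bm_x = [rounded_gaussian_box_muller(sigma, rng) for _ in range(n)]
    bm_mean, bm_std = _mean_std(bm_x)
    return {
        "rejection_mean": rej_mean,
        "rejection_std": rej_std,
        "rejection_max_abs": max(abs(x) for x in rej_x),
        "rejection_avg_trials": sum(t for _, t in rej) / n,
        "box_muller_mean": bm_mean,
        "box_muller_std": bm_std,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-22s %8.3f" % (name, value))
```

With tau = 12 the acceptance rate is roughly sigma*sqrt(2*pi)/(2*tau*sigma), about one in ten, so the rejection sampler spends most of its time discarding candidates; that cost, and its variable latency, is what the Ziggurat and table-based designs the poster compares against are trying to remove.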
RASC v2: Enabling Remote Access to Side-Channels and Leveraging FPGA Acceleration for Real-Time Side-Channel Monitoring
Speaker: Yunkai Bai, University of Florida
Abstract: Nowadays, IoT devices face many threats, such as hardware Trojans and malware attacks. However, traditional side-channel based defense mechanisms have limitations due to large and expensive experimental setups. To address this, RASC is proposed. RASC is a miniature platform that shrinks the traditional side-channel analysis system into two tiny PCBs. Moreover, RASC can communicate with the security house remotely via Bluetooth.
This poster includes a description of RASC and two experiments we have done with RASC. The first is an AES cracking experiment, which demonstrates the attack capability of RASC. The second is a malware detection experiment, which demonstrates the defense capability of RASC. In the future, we will use RASC for the disassembly experiment and let it process data internally.
ReGDS: A Reverse Engineering Framework from GDSII to Gate-level Netlist
Speaker: Rachel Selina Rajarathnam, University of Texas at Austin
Abstract: With many fabless companies outsourcing integrated circuit (IC) fabrication, the extent of design information recoverable by any third-party foundry remains clouded. While traditional reverse engineering schemes from the layout employ expensive high-resolution imaging techniques to recover design information, the extent of design information that can be recovered by the foundry remains ambiguous. To address this ambiguity, we propose ReGDS, a layout reverse engineering (RE) framework, posing as an inside-foundry attack to acquire original design intent. Our framework uses the layout, in GDSII format, and the technology library to extract the transistor-level connectivity information, and exploits unique relationship-based matching to identify logic gates and thereby recover the original gate-level netlist. Employing circuits ranging from a few hundred to millions of transistors, we validate the scalability of our framework and demonstrate 100% recovery of the original design from the layout.
To further validate the effectiveness of the framework in the presence of obfuscation schemes, we apply ReGDS to layouts of conventional XOR/MUX locked circuits and successfully recover the obfuscated netlist. By applying the Boolean SATisfiability (SAT) attack on the recovered obfuscated netlist, one can recover the entire key and, thereby, retrieve the original design intent. Thus ReGDS results in accelerated acquisition of the gate-level netlist by the attacker, in comparison to imaging-based RE schemes. Our experiments unearth the potential threat of possible intellectual property (IP) piracy at any third-party foundry.
Boosting Entropy and Enhancing Reliability for Physically Unclonable Functions
Speaker: Ricardo Ivan Valles Novo, New Mexico State University
Abstract: Physically Unclonable Functions (PUFs) are emerging hardware security primitives that leverage random variations during the chip manufacturing process to generate unique secrets. The security level of generated PUF secrets is mainly determined by their unpredictability, which is typically evaluated using the metric of entropy bits. In this poster, we present a novel entropy boosting technique that significantly improves the upper bound of PUF entropy bits from the scale of log2(N!) up to O(N^2). We also propose a reliability-enhancing scheme to compensate for the impact on reduced reliability by saving a significant portion of potentially reliable response bits. Experimental results based on a published large-scale RO PUF frequency dataset validated that the proposed technique significantly boosts PUF entropy bits from the scale of O(N·log2(N)) up to approaching the new upper bound of O(N^2) with comparable reliability, and the reliability-enhancing technique saves 4x more on the percentage of reliable response bits.
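Where the log2(N!) figure above comes from, as an added example that is not part of the poster: the classic RO PUF response compares every pair of ring oscillators, which emits N(N-1)/2 bits, but every one of those bits is fixed once the frequency ordering is fixed, and there are only N! orderings. The code enumerates the orderings for small N and counts the distinct responses they can produce; the oscillator frequencies it generates are constructed, not measured, and N is this example's choice. The poster's own entropy-boosting technique is not reproduced here.

```python
"""Added example, not from the poster: why the pairwise-comparison response
of an N-oscillator RO PUF carries at most log2(N!) bits of entropy even though
it emits N(N-1)/2 response bits. Frequencies are constructed, not measured."""
import itertools
import math
import random


def pairwise_response(freqs):
    """One response bit per oscillator pair (i<j): 1 if RO i is faster than RO j."""
    n = len(freqs)
    return tuple(int(freqs[i] > freqs[j]) for i in range(n) for j in range(i + 1, n))


def reachable_responses(n):
    """The response depends only on the frequency ordering, so enumerating the
    n! orderings enumerates every response the PUF can ever produce."""
    return {pairwise_response(order) for order in itertools.permutations(range(n))}


def is_realizable(response, n):
    """Check whether a response string is consistent with some ordering.
    For n=3, (1,0,1) encodes f0>f1, f2>f0, f1>f2: a cycle, so it is impossible,
    and an attacker who sees two of its bits already knows the third."""
    return tuple(response) in reachable_responses(n)


def entropy_summary(n):
    reachable = len(reachable_responses(n))
    return {
        "bits_emitted": n * (n - 1) // 2,           # O(N^2) raw bits
        "reachable_responses": reachable,           # equals N!
        "entropy_bound_bits": math.log2(reachable), # log2(N!) = O(N log N)
    }


def sample_response(n, rng, nominal=1.0e9, spread=0.01):
    """Constructed chip: RO frequencies as a nominal value plus Gaussian
    manufacturing variation of relative width `spread`."""
    freqs = [rng.gauss(nominal, spread * nominal) for _ in range(n)]
    return pairwise_response(freqs)


def demo_response(n=6, seed=1):
    return sample_response(n, random.Random(seed))


if __name__ == "__main__":
    for n in (4, 8):
        print(n, entropy_summary(n))
    print(demo_response())
```

For N = 8 the PUF emits 28 bits but only 8! = 40320 distinct responses exist, about 15.3 bits; anyone modelling a PUF by counting emitted bits overstates its entropy by close to a factor of two already at this size, and the gap widens with N.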
PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance
Speaker: Muhammad Arsath K F, Indian Institute of Technology Madras
Abstract: The power consumption of a microprocessor is a huge channel for information leakage. While the most popular exploitation of this channel is to recover cryptographic keys from embedded devices, other applications such as mobile app fingerprinting, reverse engineering of firmware, and password recovery are growing threats. Countermeasures proposed so far are tuned to specific applications, such as crypto implementations. They are not scalable to the large number and variety of applications that typically run on a general-purpose microprocessor. In this paper, we investigate the design of a microprocessor, called PARAM, with increased resistance to power-based side-channel attacks. To design PARAM, we start by identifying the most leaking modules in an open-source RISC-V processor. We evaluate the leakage in these modules and then add suitable countermeasures. The countermeasures depend on the cause of leakage in each module and can vary from simple modifications of the HDL code ensuring secure translation by the EDA tools, to obfuscating data and address lines, thus breaking correlation with the processor's power consumption. The resultant processor is instantiated on the SASEBO-GIII FPGA board and found to resist Differential Power Analysis even after one million power traces. Compared to contemporary countermeasures for power side-channel attacks, overheads in area and frequency are minimal.
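The kind of key recovery that RASC's "AES cracking" experiment performs and that PARAM is evaluated against, as an added software simulation that is not code from either poster: a correlation power analysis (CPA) on one key byte at the first-round AES S-box output, using a Hamming-weight leakage model with Gaussian noise. The key byte, trace count, noise level and seed are this example's assumptions. A per-trace random Boolean mask is then applied to the leaking value as a generic countermeasure to show why the correlation collapses; that is not PARAM's specific mechanism, only an illustration of "breaking correlation with the processor's power consumption".

```python
"""Added example, not code from the posters: a pure-Python CPA attack on one
AES key byte under a constructed Hamming-weight leakage model, with and without
a per-trace random mask on the leaking value."""
import math
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(v, s):
    return ((v << s) | (v >> (8 - s))) & 0xFF


def build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((i for i in range(1, 256) if _gf_mul(x, i) == 1), 0) if x else 0
        sbox[x] = (inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                   ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()


def hw(v):
    return bin(v).count("1")


def simulate_traces(key_byte, n, noise_sd, rng, masked=False):
    """Constructed traces: one leakage sample per encryption, equal to the
    Hamming weight of the first-round S-box output (optionally XORed with a
    fresh random mask) plus Gaussian noise."""
    pts, traces = [], []
    for _ in range(n):
        p = rng.randrange(256)
        s = SBOX[p ^ key_byte]
        if masked:
            s ^= rng.randrange(256)   # fresh mask: the probed value no longer depends on s
        pts.append(p)
        traces.append(hw(s) + rng.gauss(0.0, noise_sd))
    return pts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def cpa_recover_key_byte(pts, traces):
    """Rank all 256 key hypotheses by |correlation| between the predicted
    Hamming weight and the traces; return (best_key, best_abs_corr)."""
    best_key, best_r = None, -1.0
    for k in range(256):
        hyp = [hw(SBOX[p ^ k]) for p in pts]
        r = abs(pearson(hyp, traces))
        if r > best_r:
            best_key, best_r = k, r
    return best_key, best_r


def run_attack(key_byte=0x2B, n=400, noise_sd=1.5, seed=7, masked=False):
    rng = random.Random(seed)
    pts, traces = simulate_traces(key_byte, n, noise_sd, rng, masked)
    return cpa_recover_key_byte(pts, traces)


if __name__ == "__main__":
    print("unmasked:", run_attack())
    print("masked:  ", run_attack(masked=True))
```

A few hundred traces suffice here because the constructed noise is mild; the poster's "one million traces" bar is the same experiment run against a design that has had its leakage reduced far enough that the correct-key peak no longer separates from the 255 wrong-key guesses.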
FPGA Bitstream Camouflaging
Speaker: Geraldine Shirley Nicholas, UNCC
Abstract: Reconfigurable logic enables architectural updates for embedded devices by providing the ability to reprogram part or all of a device. However, this flexibility can be leveraged by an adversary to compromise the device boot process by modifying the bitstream or the boot process, with physical or remote access to a device deployed in the field. We propose a novel multilayer secure boot mechanism for SoCs with a two-stage secure boot process. The first stage uses a device-bound unique response as a key to decrypt the application logic. The security function is extended at runtime by integrating an intermittent architecture and an application locking mechanism to reveal the correct functionality.
Implementation of Secure Shell for Presentation Software using Raspberry Pi
Speaker: Keith Ghant, Alabama A&M University
Abstract: As computers progressed through many generations over many decades, they became smaller and interactive terminals became more user-friendly.
The idea of this terminal interface is that it has a high level of trust between the central computer and all the networks, since the networks were physically isolated from one another.
The idea of SSH is that it can be used for file transfers, secure logins, and securing the connection between two parties.
Scalable Adaptive Trusted Transceivers
Speaker: Michael Kines, Ohio State University
Abstract: With the exponential growth of Internet of Things (IoT) devices, cyberattacks take center stage, eroding consumer trust and leaking private information. Hardware Trojans inserted by untrusted foundries can broadcast private keys over wireless carriers, power supply side-channels can leak private information, and IoT sensors can easily be spoofed. Trusted hardware is a viable solution; however, it often comes at a significant cost in energy and silicon area, and designs do not adapt to changing requirements. Our approach incorporates scalable performance in transmission range, throughput, power, and trust, to best adapt to the temporal needs of the application space.
Hardware/Software Obfuscation against Timing Side-channel Attack on a GPU
Speaker: Elmira Karimi, Northeastern University
Abstract: GPUs are increasingly being used in security applications, especially for accelerating encryption/decryption. While GPUs are an attractive platform in terms of performance, the security of these devices raises a number of concerns. One vulnerability is data-dependent timing information, which can be exploited by an adversary to recover the encryption key.
Memory system features are frequently exploited since they create detectable timing variations. In this paper, our attack model is a coalescing attack, which leverages a critical GPU microarchitectural feature - the coalescing unit. As multiple concurrent GPU memory requests can refer to the same cache block, the coalescing unit collapses them into a single memory transaction. The access time of an encryption kernel is dependent on the number of transactions. Correlation between a guessed key value and the associated timing samples can be exploited to recover the secret key.
In this paper, a series of hardware/software countermeasures are proposed to obfuscate the memory timing side channel, making the GPU more resilient without impacting performance. Our hardware-based approach attempts to randomize the width of the coalescing unit to lower the signal-to-noise ratio. We present a hierarchical Miss Status Holding Register (MSHR) design that can merge transactions across different warps. This feature boosts performance while, at the same time, securing the execution. We also present a software-based approach to permute the organization of critical data structures, significantly changing the coalescing behavior and introducing a high degree of randomness. Equipped with our new protections, the effort to launch a successful attack is increased up to 1433X × 178X, while also improving encryption/decryption performance up to 7%.
Thwarting Control Plane Attacks with Displaced and Dilated Address Spaces
Speaker: Lauren Biernacki, University of Michigan
Abstract: To maintain the control-flow integrity of today's machines, code pointers must be protected. Exploits forge and manipulate code pointers to execute arbitrary, malicious code on a host machine. A corrupted code pointer can effectively redirect program execution to attacker-injected code or existing code gadgets, giving attackers the necessary foothold to circumvent system protections. To combat this class of exploits, we employ a Displaced and Dilated Address Space (DDAS), which uses a novel address space inflation mechanism to obfuscate code pointers, code locations, and the relative distance between code objects. By leveraging runtime re-randomization and custom hardware, we are able to achieve a high-entropy control-flow defense with performance overheads well below 5% and similarly low power and silicon area overheads. With DDAS in force, attackers come up against 63 bits of entropy when forging absolute addresses and 18 to 55 bits of entropy for relative addresses, depending on the distance to the desired code gadget. Moreover, an incorrectly forged code address will result in a security exception with a probability greater than 99.996%. Using hardware-based address obfuscation, we provide significantly higher entropy at lower performance overheads than previous software techniques, and our re-randomization mechanism offers additional protections against possible pointer disclosures.
Circuit Masking Theory to Standardization, A Comprehensive Survey for Hardware Security Researchers and Practitioners
Speaker: Ana Covic, University of Florida
Abstract: Sensitive data, such as firmware and cryptographic keys, can be extracted by mounting physical attacks, e.g., photon emission analysis, micro-probing, etc. These attacks can be launched on an integrated circuit (IC) through either the frontside (i.e., passivation) or backside (i.e., silicon substrate). Unlike frontside attacks confronting obstacles from the upper metal layers, through backside attacks, access to transistors and logic gates can be granted. Our previous work has proposed a backside metal shield connected to inner-logic using through-silicon-vias (TSVs), which made backside attacks significantly more complex. However, it has also hindered failure analysis, a critical step for process and design engineers. In this work, we aim to complement physical countermeasures with provable security approaches that increase the number of simultaneous probes needed to perform probing. Commonly applied mathematical models for probing attacks have employed randomized bits to mask the input and modified computations. As the number of masks increases, the number of probes needed to extract one bit of secret data increases exponentially, assuming noise-free conditions. There are two paths that have been investigated for circuit masking transformations. Firstly, the noise present in probed data can be considered, allowing for the application of side-channel attack models and associated security verification tools. Secondly, in addition to security, the composability of implemented clusters of gates has been investigated for the higher number of random masks. Furthermore, when implementing masking schemes, another challenge to face is the presence of glitches, which inherently happen in logic circuits and reduce the effectiveness of random masks. The goal of our survey is to relate the notion of masking with physical backside attack countermeasures. 
To this end, our first milestone is to unify provable probing and side-channel models in order to develop and realize more practical countermeasures.
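The masking construction the survey discusses, as an added worked example that is not part of the survey: a single AND gate masked with n Boolean shares using the ISW multiplication gadget, followed by an exhaustive check of d-probing security in the noise-free probing model, i.e. that no d probed wires have a joint distribution (over the fresh randomness) that depends on the secret inputs. The wire names and probe sets are this example's own. The model deliberately ignores glitches, which the survey notes can undo a masking scheme in real logic, so a "secure" verdict here is only the starting point for a hardware implementation.

```python
"""Added example, not from the survey: the ISW masked AND gadget with n shares
and an exhaustive d-probing security check in the noise-free, glitch-free
probing model. Wire names and probe sets are this example's own."""
import itertools
from collections import Counter


def share(x, masks):
    """Split bit x into len(masks)+1 Boolean shares that XOR back to x."""
    last = x
    for m in masks:
        last ^= m
    return list(masks) + [last]


def unshare(shares):
    out = 0
    for s in shares:
        out ^= s
    return out


def isw_and(a_sh, b_sh, rand):
    """ISW multiplication of two n-share values. rand maps (i,j), i<j, to a
    fresh random bit. Returns (output shares, dict of every intermediate wire
    an adversary could probe)."""
    n = len(a_sh)
    wires = {}
    for i in range(n):
        wires["a%d" % i] = a_sh[i]
        wires["b%d" % i] = b_sh[i]
        for j in range(n):
            wires["a%db%d" % (i, j)] = a_sh[i] & b_sh[j]
    r = {}
    for i in range(n):
        for j in range(i + 1, n):
            r[(i, j)] = rand[(i, j)]
            wires["r%d%d" % (i, j)] = r[(i, j)]
            t = r[(i, j)] ^ (a_sh[i] & b_sh[j])     # bracket order matters for security
            wires["r%d%d^a%db%d" % (i, j, i, j)] = t
            r[(j, i)] = t ^ (a_sh[j] & b_sh[i])
            wires["r%d%d" % (j, i)] = r[(j, i)]
    c = []
    for i in range(n):
        acc = a_sh[i] & b_sh[i]
        for j in range(n):
            if j != i:
                acc ^= r[(i, j)]
                wires["c%d_after_r%d%d" % (i, i, j)] = acc   # partial sums are wires too
        c.append(acc)
        wires["c%d" % i] = acc
    return c, wires


def _all_runs(n):
    """Evaluate the gadget for every secret pair (a,b) and every assignment of
    the randomness (input masks and r_ij); return {(a,b): [wire dict, ...]}.
    Also checks that the output shares always reconstruct a AND b."""
    pairs = [(i, j) for i in range(n) for j in range(i + 1, n)]
    n_rand = 2 * (n - 1) + len(pairs)
    runs = {}
    for a, b in itertools.product((0, 1), repeat=2):
        rows = []
        for bits in itertools.product((0, 1), repeat=n_rand):
            ma, mb, rb = bits[:n - 1], bits[n - 1:2 * (n - 1)], bits[2 * (n - 1):]
            c, wires = isw_and(share(a, ma), share(b, mb), dict(zip(pairs, rb)))
            assert unshare(c) == (a & b)
            rows.append(wires)
        runs[(a, b)] = rows
    return runs


def probing_secure(n, d):
    """(True, ()) if no set of d probed wires has a secret-dependent joint
    distribution; otherwise (False, the leaking probe set)."""
    runs = _all_runs(n)
    names = sorted(runs[(0, 0)][0])
    for probes in itertools.combinations(names, d):
        dists = [Counter(tuple(w[p] for p in probes) for w in rows)
                 for rows in runs.values()]
        if any(dist != dists[0] for dist in dists[1:]):
            return False, probes
    return True, ()


if __name__ == "__main__":
    for n, d in ((2, 1), (2, 2), (3, 1), (3, 2)):
        print("shares=%d probes=%d ->" % (n, d), probing_secure(n, d))
```

With two shares a single probe learns nothing, while two probes (for instance c0 and c1) reconstruct a AND b outright, which is the exponential-in-masks cost the survey describes. The check is exact because it enumerates all randomness; for larger n the same logic is what automated verification tools approximate with SAT or statistical methods.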
Parallel Attack on Logic Locking
Speaker: Danielle Duvalsaint, Carnegie Mellon University
Abstract: Logic locking is a design-for-trust technique used to prevent potential threats in the design chain. Many different techniques for logic locking have been introduced, making it difficult to compare the security of the different techniques. This poster will discuss an ATPG based approach that can be used to characterize multiple types of locked circuits. This approach derives key values from locked circuits using ATPG, effectively telling a designer how strong their lock is. Experiments show this approach is effective at measuring the security of multiple lock types and that the analysis can be scaled to simulate an attacker with increased resources.
Hardware Constructions for Error Detection of Lattice-based Cryptosystems Utilized in Secure Post-Quantum Cryptographic Architectures
Speaker: Ausmita Sarker, University of South Florida
Abstract: With the potential advent of quantum computers, public-key cryptographic algorithms will be broken. We cannot wait until such compromising attacks break our security, especially in deeply-embedded hardware systems. The steady progress in quantum computing has motivated standardization by NIST (Round 2: March 2019). Ideal lattices, one class of lattice-based cryptosystems, are based on the worst-case hardness of lattice problems and provide realizable execution, higher efficiency, and small parameter sizes. Implementations of cryptographic primitives can fall victim to active hardware side-channel attacks, for which secure, efficient, and high error coverage countermeasures are proposed in this work. Ring learning with errors (Ring-LWE) is a popular worst-case lattice problem with a practical key size and O(n·lg n) complexity. The ring polynomial multiplier is the most rigorous computation of Ring-LWE, somewhat homomorphic encryption (SHE), fully homomorphic encryption (FHE) and other emerging cryptographic structures.
GRAPh Probability for Logic Locking Evaluation (GRAPPLLE)
Speaker: Christopher Taylor, Ohio State University
Abstract: With the reduction of U.S.-based IC fabrication facilities, the risk of IP theft and malicious modifications has increased. Logic locking has been a proposed solution, which causes a chip to operate incorrectly, obscuring its function and increasing the difficulty of inserting a change that operates off a desired trigger. The effectiveness of any logic locking technique depends on the design chosen, the amount of camouflage inserted or key length, and the specific location of the inserted cells. Measuring the security added is done using a Boolean Satisfiability Problem (SAT) solver, and the time to break is the metric. This attack requires the use of a fully functional chip (oracle) and relies solely on the input and output data through functional testing. This attack model ignores the underlying structure that exists in a design, the vast amount of repetition, as well as design reuse. We propose GRAPh Probability for Logic Locking Evaluation (GRAPPLLE), a structure attack based on localized repetition that does not require the use of an oracle. By generating subgraphs around locked elements in a design, we are able to predict with some confidence the correct keys through subgraph similarity located within the same circuit.
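The oracle-guided attack loop that the SAT attack on logic locking runs, as an added example serving the three logic-locking posters above (ReGDS applies the SAT attack to a recovered netlist, the ATPG-based approach and GRAPPLLE evaluate locks against or without such an oracle). This is not code from any of the posters. A tiny XOR-locked netlist and its key are constructed here, and the set of still-plausible keys is kept by brute force instead of with a SAT solver, which is feasible only because the constructed key is 4 bits; the loop itself, find a distinguishing input, query the functional chip, prune, is the same.

```python
"""Added example, not from the posters: the distinguishing-input (DIP) loop of
the oracle-guided SAT attack on logic locking, run over a constructed 4-key-bit
XOR-locked netlist with brute-force candidate tracking instead of a SAT solver."""
import itertools


def locked_circuit(x, k):
    """4-input, 1-output netlist with four XOR key gates on internal wires.
    With the correct key every XOR is transparent; a wrong bit inverts a wire."""
    w1 = (x[0] & x[1]) ^ k[0]
    w2 = (x[2] | x[3]) ^ k[1]
    w3 = (w1 & w2) ^ k[2]
    w4 = (w3 | x[0]) ^ k[3]
    return w4 ^ (x[1] & x[3])


N_IN, N_KEY = 4, 4
TRUE_KEY = (0, 0, 0, 0)      # constructed secret; the attacker never reads it directly


def oracle(x):
    """Functional chip: input/output access only, as in the SAT attack model."""
    return locked_circuit(x, TRUE_KEY)


def all_vectors(n):
    return list(itertools.product((0, 1), repeat=n))


def find_dip(circuit, candidates, n_in):
    """A distinguishing input pattern: an input on which two still-plausible
    keys disagree. A SAT solver finds this by solving C(x,k1) != C(x,k2) under
    the accumulated key constraints; here we scan the 2^n_in inputs."""
    for x in all_vectors(n_in):
        if len({circuit(x, k) for k in candidates}) > 1:
            return x
    return None


def oracle_guided_attack(circuit, oracle_fn, n_in, n_key):
    """Query the oracle on DIPs and drop every key that disagrees with it;
    stop when no DIP exists, i.e. all surviving keys are functionally
    equivalent. Returns (surviving keys, list of DIPs used)."""
    candidates = set(all_vectors(n_key))
    dips = []
    while True:
        dip = find_dip(circuit, candidates, n_in)
        if dip is None:
            return candidates, dips
        y = oracle_fn(dip)
        dips.append(dip)
        candidates = {k for k in candidates if circuit(dip, k) == y}


def functionally_equivalent(circuit, k1, k2, n_in):
    return all(circuit(x, k1) == circuit(x, k2) for x in all_vectors(n_in))


def run_attack():
    return oracle_guided_attack(locked_circuit, oracle, N_IN, N_KEY)


if __name__ == "__main__":
    keys, dips = run_attack()
    print("oracle queries:", len(dips), "surviving keys:", sorted(keys))
```

Each DIP prunes at least one candidate and can never be chosen twice, so the number of oracle queries is the "time to break" metric in its simplest form. Everything hinges on having the unlocked chip to query; an attacker with only the recovered netlist, which is the situation GRAPPLLE targets, has to get the key from structure instead.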
Deep Learning Analysis in Colon Histopathology Images
Speaker: Yu Shen, Cornell University
Abstract: Recent success in deep learning has changed various fields of study, including biomedical image analysis. Traditionally, these analyses consisted of hand-crafted feature extraction followed by the application of classical computer vision methods. However, with the accumulation of digital histopathological images, analysis techniques based on deep learning would ease the increasing workloads on pathologists. In this study, we categorized the state-of-the-art deep learning methods for colon cancer diagnosis in different segmentation applications (nuclei and gland). Furthermore, we introduce an original work for gland instance segmentation using Mask-RCNN on colon tissue, and apply Boolean analysis to reveal a new gene expression pattern in the glandular epithelium cells.
Toward Consortium-Based Blockchain Infrastructures, Enabling Modeling, Detecting, Tracking of Counterfeit Integrated Circuits
Speaker: Jason Vosatka, University of Florida
Abstract: The electronics supply chains are vulnerable to counterfeit integrated circuits (ICs), as unauthenticated components and subsystems must pass through numerous untrusted entities before reaching their final installation. Moreover, the unknown and unverifiable supply routes across the world make component-level 'chain-of-custody' knowledge an unworkable problem. We propose initial steps toward a consortium-based blockchain infrastructure to provide traceability and provenance of authentic and counterfeit ICs. We also propose initial steps toward a modeling and metrics method enabling empirical calculations of relative risk through quantitative, data-driven confidence levels of authentication.