Marc F. Witteman

Bio: Marc F. Witteman is an academic researcher. The author has contributed to research in topics: Differential fault analysis & Fault injection. The author has an hindex of 6, co-authored 6 publications receiving 503 citations.

Practical Optical Fault Injection on Secure Microcontrollers

Abstract: In this paper we detail the latest developments regarding optical fault injection on secure micro controllers. On these targets, a combination of countermeasures makes fault injection less than trivial. We develop fault injection methods to show experimentally that protected smart cards are still vulnerable. We perform power signal guided fault injection, using a triggering mechanism based on real-time pattern recognition. Furthermore, the use of jitter-free diode lasers shows current countermeasures may be inadequate for the near future.

Improving differential power analysis by elastic alignment

Abstract: To prevent smart card attacks using Differential Power Analysis (DPA), manufacturers commonly implement DPA countermeasures that create misalignment in power trace sets and decrease the effectiveness of DPA. We design and investigate the elastic alignment algorithm for non-linearly warping trace sets in order to align them. Elastic alignment uses FastDTW, originally a method for aligning speech utterances in speech recognition systems, to obtain so-called warp paths that can be used to perform alignment. We show on traces obtained from a smart card with random process interrupts that misalignment is reduced significantly, and that even under an unstable clock the algorithm is able to perform alignment.

Defeating RSA multiply-always and message blinding countermeasures

Abstract: We introduce a new correlation power attack on RSA's modular exponentiation implementations, defeating both message blinding and multiply-always countermeasures. We analyze the correlation between power measurements of two consecutive modular operations, and use this to efficiently recover individual key bits. Based upon simulation and practical application on a state-of-the-art smart card we show the validity of the attack. Further we demonstrate that cross correlation analysis is efficient on hardware RSA implementations, even in the presence of message blinding and strong hiding countermeasures.

Controlling PC on ARM Using Fault Injection

Abstract: Fault injection attacks are a powerful technique to influence the intended behavior of embedded systems. They can be used to exploit or bypass robust security features found in secure embedded systems. Examples of such attacks include differential fault analysis (DFA) and bypassing authentication mechanisms. An embedded system's authenticated boot chain (i.e. secure boot) is an interesting target for fault injection. The initial boot stages are of limited size which means logically exploitable vulnerabilities are not guaranteed to be present. In this paper, we introduce an ARM specific fault injection attack strategy for exploiting embedded systems where externally controlled data is loaded in the program counter (PC) register of the processor. This allows an attacker to control the target's execution flow which eventually will lead to arbitrary code execution on the target. We first simulate the attack using a common fault model, after which we demonstrate the practicality of the attack using a development platform designed around an ARM based, fast and feature rich system on chip (SOC). We conclude with an overview of effective and non-effective countermeasures against this fault injection attack technique.

Fast and Memory-Efficient Key Recovery in Side-Channel Attacks

Abstract: Side-channel attacks are powerful techniques to attack implementations of cryptographic algorithms by observing its physical parameters such as power consumption and electromagnetic radiation that are modulated by the secret state. Most side-channel attacks are of divide-and-conquer nature, that is, they yield a ranked list of secret key chunks, e.g., the subkey bytes in AES. The problem of the key recovery is then to find the correct combined key. An optimal key enumeration algorithm OKEA was proposed by Charvillon et al. at SAC'12. Given the ranked key chunks together with their probabilities, this algorithm outputs the full combined keys in the optimal order --- from more likely to less likely ones. OKEA uses plenty of memory by its nature though, which limits its practical efficiency. Especially in the cases where the side-channel traces are noisy, the memory and running time requirements to find the right key can be prohibitively high. To tackle this problem, we propose a score-based key enumeration algorithm SKEA. Though it is suboptimal in terms of the output order of candidate combined keys, SKEA's memory and running time requirements are more practical than those of OKEA. We verify the advantage at the example of a DPA attack on an 8-bit embedded software implementation of AES-128. We vary the number of traces available to the adversary and report a significant increase in the success rate of the key recovery due to SKEA when compared to OKEA, within practical limitations on time and memory. We also compare SKEA to the probabilistic key enumeration algorithm PKEA by Meier and Staffelbach and show its practical superiority in this case. SKEA is efficiently parallelizable. We propose a high-performance solution for the entire conquer stage of side-channel attacks that includes SKEA and the subsequent full key testing, using AES-NI on Haswell Intel CPUs.

Malware Guard Extension: Using SGX to Conceal Cache Attacks

Abstract: In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario. It aims at protecting user-level software from attacks from other processes, the operating system, and even physical attackers.

Convolutional Neural Networks with Data Augmentation Against Jitter-Based Countermeasures

Abstract: In the context of the security evaluation of cryptographic implementations, profiling attacks (aka Template Attacks) play a fundamental role. Nowadays the most popular Template Attack strategy consists in approximating the information leakages by Gaussian distributions. Nevertheless this approach suffers from the difficulty to deal with both the traces misalignment and the high dimensionality of the data. This forces the attacker to perform critical preprocessing phases, such as the selection of the points of interest and the realignment of measurements. Some software and hardware countermeasures have been conceived exactly to create such a misalignment. In this paper we propose an end-to-end profiling attack strategy based on the Convolutional Neural Networks: this strategy greatly facilitates the attack roadmap, since it does not require a previous trace realignment nor a precise selection of points of interest. To significantly increase the performances of the CNN, we moreover propose to equip it with the data augmentation technique that is classical in other applications of Machine Learning. As a validation, we present several experiments against traces misaligned by different kinds of countermeasures, including the augmentation of the clock jitter effect in a secure hardware implementation over a modern chip. The excellent results achieved in these experiments prove that Convolutional Neural Networks approach combined with data augmentation gives a very efficient alternative to the state-of-the-art profiling attacks.

Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES

Abstract: This paper considers the use of electromagnetic pulses (EMP) to inject transient faults into the calculations of a hardware and a software AES. A pulse generator and a 500 um-diameter magnetic coil were used to inject the localized EMP disturbances without any physical contact with the target. EMP injections were performed against a software AES running on a CPU, and a hardware AES (with and without countermeasure) embedded in a FPGA. The purpose of this work was twofold: (a) reporting actual faults injection induced by EMPs in our targets and describing their main properties, (b) explaining the coupling mechanism between the antenna used to produce the EMP and the targeted circuit, which causes the faults. The obtained results revealed a localized effect of the EMP since the injected faults were found dependent on the spatial position of the antenna on top of the circuit's surface. The assumption that EMP faults are related to the violation of the target's timing constraints was also studied and ascertained thanks to the use of a countermeasure based on monitoring such timing violations.

Cryptographic hardware and embedded systems : CHES 2008 : 10th International Workshop, Washington, D.C., USA, August 10-13, 2008 : proceedings

Abstract: Side-Channel Analysis 1.- Attack and Improvement of a Secure S-Box Calculation Based on the Fourier Transform.- Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs.- Multiple-Differential Side-Channel Collision Attacks on AES.- Implementations 1.- Time-Area Optimized Public-Key Engines: -Cryptosystems as Replacement for Elliptic Curves?.- Ultra High Performance ECC over NIST Primes on Commercial FPGAs.- Exploiting the Power of GPUs for Asymmetric Cryptography.- Fault Analysis 1.- High-Performance Concurrent Error Detection Scheme for AES Hardware.- A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis.- RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks.- Random Number Generation.- A Design for a Physical RNG with Robust Entropy Estimators.- Fast Digital TRNG Based on Metastable Ring Oscillator.- Efficient Helper Data Key Extractor on FPGAs.- Side-Channel Analysis 2.- The Carry Leakage on the Randomized Exponent Countermeasure.- Recovering Secret Keys from Weak Side Channel Traces of Differing Lengths.- Attacking State-of-the-Art Software Countermeasures-A Case Study for AES.- Cryptography and Cryptanalysis.- Binary Edwards Curves.- A Real-World Attack Breaking A5/1 within Hours.- Hash Functions and RFID Tags: Mind the Gap.- Implementations 2.- A New Bit-Serial Architecture for Field Multiplication Using Polynomial Bases.- A Very Compact Hardware Implementation of the MISTY1 Block Cipher.- Light-Weight Instruction Set Extensions for Bit-Sliced Cryptography.- Fault Analysis 2.- Power and Fault Analysis Resistance in Hardware through Dynamic Reconfiguration.- RFID and Its Vulnerability to Faults.- Perturbating RSA Public Keys: An Improved Attack.- Side-Channel Analysis 3.- Divided Backend Duplication Methodology for Balanced Dual Rail Routing.- Using Subspace-Based Template Attacks to Compare and Combine Power and Electromagnetic Information Leakages.- Mutual Information Analysis.- Invited Talks.- RSA-Past, Present, Future.- A Vision for Platform Security.

Hardware Designer's Guide to Fault Attacks

Abstract: Hardware designers invest a significant design effort when implementing computationally intensive cryptographic algorithms onto constrained embedded devices to match the computational demands of the algorithms with the stringent area, power, and energy budgets of the platforms. When it comes to designs that are employed in potential hostile environments, another challenge arises-the design has to be resistant against attacks based on the physical properties of the implementation, the so-called implementation attacks. This creates an extra design concern for a hardware designer. This paper gives an insight into the field of fault attacks and countermeasures to help the designer to protect the design against this type of implementation attacks. We analyze fault attacks from different aspects and expose the mechanisms they employ to reveal a secret parameter of a device. In addition, we classify the existing countermeasures and discuss their effectiveness and efficiency. The result of this paper is a guide for selecting a set of countermeasures, which provides a sufficient security level to meet the constraints of the embedded devices.