Introduction to Physical Attacks

Questions and Answers

Regarding physical attacks, under what specific circumstance would altering the sequence of executed instructions provide the least exploitable vulnerability, assuming optimal countermeasure deployment against side-channel information leakage?

• When diverting execution from a complex, multi-stage key derivation function to a simpler, less secure alternative, with rigorous input validation in place.
• When skipping a non-essential memory scrubbing routine following a sensitive key operation, assuming the memory controller implements probabilistic row hammering protection. (correct)
• When altering a conditional branch responsible for dispatching a cryptographic primitive, such that the overall latency of the computation is preserved.
• When duplicating a non-cryptographically-relevant instruction to subtly increase power consumption during unrelated operations, assuming sophisticated power analysis countermeasures.

In the context of side-channel attacks, under what very specific circumstances would the defense strategy of employing a dual-rail precharge logic with dynamic power consumption balancing be rendered inadequate, assuming a highly skilled adversary with access to advanced analytical tools?

• If the inter-rail capacitance mismatch surpasses the technology node's tolerance threshold, allowing for differential power analysis sensitive to second-order effects. (correct)
• If deployed within a physically shielded environment that attenuates electromagnetic emanations, complicating remote signal acquisition.
• If used in conjunction with threshold voltage randomization across the chip, leading to unpredictable variations in timing and power profiles.
• If the clock frequency is sufficiently randomized to disrupt signal averaging during power analysis, mitigating first-order leakage.

What quintessential characteristic distinguishes a 'white-box' evaluation from a 'grey-box' evaluation in the context of security certifications, particularly concerning intellectual property rights and evaluator access?

• White-box evaluations permit reverse engineering activities and vulnerability disclosure, whereas grey-box evaluations prohibit them to protect vendor interests.
• White-box evaluations are conducted exclusively by internal audit teams within the vendor organization, whereas grey-box evaluations are performed by accredited external labs.
• White-box evaluations necessitate unrestricted access to complete source code and design specifications, while grey-box evaluations involve access only to compiled binaries. (correct)
• White-box evaluations require explicit consent from all stakeholders for each vulnerability discovered, unlike grey-box evaluations where pre-established disclosure protocols govern outcomes.

In the context of Common Criteria (CC) certification for secure microcontrollers, which explicit evaluation assurance level component mandates rigorous, independent confirmation that configuration management preserves the integrity of the Target of Evaluation (TOE) throughout its lifecycle?

ALC_CMC.5 (Advanced support) (D)

What inherent property of the Welch's t-test renders it particularly sensitive to detecting side-channel leakage in scenarios characterized by non-Gaussian error distributions, such as those encountered in power analysis attacks against masked cryptographic implementations?

Its ability to quantify the separability between two distributions based on the ratio of mean difference to pooled variance, implicitly exploiting subtle data dependencies. (B)

Considering the objectives of Common Criteria (CC) evaluation, which potential outcome would directly contravene its fundamental aim of promoting international reciprocity in security certifications, thereby undermining its credibility and impact on global trade?

A scenario where certificates issued by national schemes are systematically rejected by commercial laboratories due to perceived conflicts of interest. (B)

In the context of EMV chip technology, what critical modification to the card's architecture would provide the most robust defense against sophisticated relay attacks, assuming an adversary possessing complete control over the communication channel between the card and the terminal?

Incorporating a physically unclonable function (PUF) to dynamically authenticate each transaction, relying on process variations unique to the card's manufacturing. (B)

Assuming a scenario where a cryptographic module certified under Common Criteria (CC) is found to contain a previously unknown vulnerability after certification, under what very narrow set of conditions could the certification body revoke the certificate?

If the vulnerability was present at the time of certification but was not detected due to the submission of inaccurate or misleading evidence by the vendor. (C)

Within the domain of side-channel analysis countermeasures, what key attribute distinguishes algorithmic masking from hardware-based masking techniques, specifically concerning their respective security strengths and implementation complexities?

Algorithmic masking introduces randomness into the cryptographic computation, whereas hardware-based masking reduces signal-to-noise ratio via differential circuit design. (D)

What principal limitation restricts the direct applicability of formal verification techniques, such as model checking or theorem proving, to conclusively demonstrate the absence of side-channel vulnerabilities in a complex System-on-Chip (SoC)?

The inherent complexity of accurately modeling analog circuit behaviors and physical phenomena within formal frameworks, rendering accurate side-channel analysis infeasible. (A)

In the context of fault injection attacks, which specific type of laser-induced fault is best suited for selectively resetting individual bits within a target register inside a secure microcontroller, assuming precise control over the laser's wavelength, pulse duration, and focal point?

Two-photon absorption (TPA) induced single-event upset (SEU) (D)

Considering that side-channel analysis countermeasures often introduce performance overhead, under what highly constrained scenario would implementing loop unrolling offer a net security benefit against power analysis attacks on embedded cryptographic systems?

When implemented alongside algorithmic masking to better distribute the power consumption across multiple clock cycles, thus obfuscating the attack surface. (B)

In the context of security certifications, what specific challenge arises from the continuous evolution of attack methodologies and technological advancements, particularly regarding the long-term validity and relevance of existing certifications?

The difficulty in defining comprehensive and future-proof security requirements, as new attack surfaces emerge and adversary capabilities advance. (D)

What fundamental premise underpins the effectiveness of using electromagnetic (EM) emanations as a side-channel for cryptanalysis, considering the inherent noise and complexity associated with capturing and interpreting these signals?

That EM emanations correlate with internal data processing activities, enabling extraction of sensitive information even when power consumption is effectively masked. (C)

Within the EMV chip card ecosystem, what specific security rationale justifies the mandate for private certification bodies, as opposed to relying solely on government or standards organizations for security evaluations?

To leverage specialized expertise and technical capabilities, as private bodies often possess deeper knowledge of emerging attack techniques and countermeasures. (A)

Considering the inherent limitations of EMV chip technology in the evolving payment landscape, mainly for online sales; what emerging trend poses the greatest challenge to maintaining secure and seamless transactions?

The proliferation of mobile payment platforms and digital wallets, which abstract away the underlying hardware security mechanisms and increase the attack surface. (C)

In scenarios where power analysis attacks target masked cryptographic implementations, under which precise condition would zero-offset higher-order differential power analysis (HO-DPA) yield a statistically significant improvement in signal-to-noise ratio compared to conventional HO-DPA?

When the masking scheme introduces fixed, data-independent power consumption biases, which are effectively eliminated by zero-offsetting the captured traces. (B)

Assuming unfettered physical access to a secure microcontroller employing a hardware-based true random number generator (TRNG), which specific fault injection technique poses the most significant threat to its long-term entropy production rate, assuming minimal environmental disturbances?

Precise clock glitching to induce metastability in the sampling circuit, biasing the output distribution toward deterministic values. (B)

Within the context of physical unclonable functions (PUFs), what inherent trade-off exists between their reliability and uniqueness, considering variations in environmental conditions and manufacturing processes?

Increasing the complexity of the challenge-response pairs (CRPs) improves uniqueness but reduces reliability due to increased sensitivity to noise. (C)

Concerning side-channel attacks on cryptographic implementations, what is the fundamental difference between profiled and unprofiled attacks with respect to their reliance on prior knowledge?

Profiled attacks require access to a training device identical to the target, whereas unprofiled attacks operate directly on the target device without prior knowledge. (B)

What constitutes the most critical difference between software and hardware implementations of cryptographic algorithms from a side-channel attack perspective, mainly concerning vulnerability landscape?

The software's code can change over time, whereas the nature of hardware's physical structure is fixed. (D)

Which of the following is the most accurate description of the 'TOM' adversary model in the context of physical security assessments of cryptographic devices?

Observe, modify and tamper. (C)

What is the most significant limitation of relying solely on Common Criteria (CC) certification for an embedded system's security posture, as the world changes and different attacks develop?

CC certification is a one-time evaluation, failing to account for the continuous evolution of attack techniques and the emergence of new vulnerabilities. (B)

Why invest in security evaluation, if that may lead to withdraw the product or change it in different way? Choose the most correct:

Motivation for purchasing security evaluation services: You have to, or the product cannot be sold; Protect against potential future damage; Competitive advantage; Produce secure devices for the safety of customers. (A)

In the context of evaluating the security of cryptographic implementations, what critical information is conveyed by metrics that evaluate device resilience?

Its robustness against a range of potential threats. (A)

In the world of EMVco that uses secure composability (chip, OS, application), what is the crucial element?

Accredited labs. (C)

Side Channel Attacks focuses on:

Exploiting unintentional information leakage such as power consumption or electromagnetic emanation. (B)

What is the relationship between Fault Injection and Side Channel Attacks?

Both are methods to extract cryptographic keys and sensitive data. (B)

What is the difference between profiled attacks and unprofiled attacks in side channel analysis?

Profiled attacks build a model from a clone device and unprofiled attacks directly attack the target device. (B)

The power signature is an EM scan of a chip surface, what can be retrieved from it?

Graphs of EM levels where the operations are being run. (A)

In side channel analysis, what is the Target?

the device the EM emanations are being collected from. (A)

What does physical side channel analysis allow?

the ability to recover the cryptographic keys. (C)

The evaluation sponsor typically has to make code changes. For what is this most likely?

to address vulnerabilities found during the evaluation. (C)

If the device you're testing has a secure boot and root of trust, is it vulnerable to a physical attack?

Flashcards

Side Channel Attacks

Physical attacks can recover cryptographic keys, NN training data and reverse engineer code.

Fault Injection

Physical attacks can recover cryptographic keys, modify memory and register contents, and alter the sequence of executed instructions.

The adversary - TOM

An adversary who tampers, observes, and modifies hardware to extract sensitive information or bypass security measures.

Unprofiled Attacks

Attacks where the adversary does not have access to training data or parameters.

Profiled Attacks

Attacks where the adversary has access to training data or parameters and can create more effective attacks.

Leakage detection

Techniques used to detect leakage from a device for vulnerabilities.

Power Analysis

Analyzing power consumption to identify vulnerabilities.

EM Scan

Scanning a chip surface for electromagnetic emissions to find spots of interest.

Security Evaluation Services

Services purchased by companies to evaluate the security of their products, for compliance, protection, advantage and customer safety.

Security certification

Evidence that a product meets a set of security requirements for specific markets.

Common Criteria

An international set of guidelines and specifications (ISO/IEC 15408) for evaluating the security of IT products.

The vendor

The sponsor for common criteria evaluations is?

A vulnerability is found

A vendor cannot have the common criteria certificate withdrawn if?

EMV chip

Europay Mastercard Visa - specification for inter-operable integrated circuit cards for secure payment transactions.

TEE

A secure way of computing that ensures the confidentiality and integrity of sensitive data while it is being processed.

Study Notes

• Introduction to Physical Attacks
• Presented by Ileana Buhan in March 2024 with Twitter handle @ileanabuhan

Physical Attacks

• Important considerations include why such attacks matter, identifying the adversary, and relevance to the industry.
• The agenda includes why physical assaults are important, the identity of adversaries, key vocabulary, and the industry perspective.

Why Protect Against Physical Attacks?

• Protect against Side Channel and Fault Injection attacks
• Side channel attacks involve recovering cryptographic keys, recovering Neural Network (NN) training data, and reverse engineering code.
• Fault Injection involves recovering cryptographic keys, modifying memory contents, modifying registers contents, and altering the sequence of executed instructions.
• Resilience against physical attacks is mandated in certain industries.

The Adversary - TOM

• Stands for Tamper, Observe, and Modify
• Tampering involves gaining hardware access, which might include proving the tamper resistance of the device.
• Observation includes identifying components and side channels.
• Modification encompasses reading restricted data and bypassing security checks.

Side-Channel Analysis Setups

• Typical power analysis setup includes an oscilloscope, target device, power supply, and current probe.
• Electromagnetic analysis setup includes Langer EM probe, target device, XYZ station, and Riscure EM probe.

Vocabulary

• Side channel evaluations include
• Unprofiled attacks with the goal to attack
• Profiled attacks with the goal to attack
• Leakage detection with the goal to evaluate

Software vs Hardware Implementation

• Software uses lines of code
• Hardware has physical circuitry

Power Signatures

• (SW) DES algorithm execution is the software implementation of the Data Encryption Standard algorithm
• (HW) DES algorithm execution is the hardware implementation of the Data Encryption Standard algorithm

EM (Electromagnetic) Scan

• Visual representation of a chip surface

Industry Perspective: Device Resilience

• Security Evaluations
• Motivation includes fulfilling requirements to sell a product, protect against future damage, gain a competitive edge, and ensure customer safety.

Security Certification

• Evidence that a product meets specified security requirements, regulating market access for payment systems, content protection, and government use.
• Standards are cost-effective due to the recognition of certifications, pre-defined security requirements, and evaluation methodologies.
• Industry, product type (IC, OS application), security requirements, and geographical location are all factors.
• Vendor liability.

Common Criteria (CC)

• Originally established in 1994 by France, Germany, the Netherlands, and the UK
• By 2022, certificate-authorizing members included Australia, Canada, France, Germany, India, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, Korea, Singapore, Spain, Sweden, Turkey, and the USA.
• Certificate-consuming members include Austria, Czech Republic, Denmark, Ethiopia, Finland, Greece, Hungary, Indonesia, Israel, Pakistan, Poland, Qatar, Slovak Republic, and the UK.
• Separation of evaluator and certifier roles, with the vendor sponsoring the evaluation.

Objectives of CC evaluation

• Ensure high and consistent standards in IT product and protection profile evaluations, boosting confidence in their security.
• Improve the availability of evaluated, security-enhanced IT products and protection profiles.
• Eliminate duplicate evaluations of IT products and protection profiles and improve the efficiency and cost-effectiveness of the evaluation and certification/validation process.

Certified CC products by category (end 2022)

• ICs, Smart Cards, and Smart Card-Related Devices had 1683
• Other leading categories included Other Devices and Systems (890) and Network and Network-Related Devices and Systems (721).

CC Certificates

• Publicly available
• Qualcomm Secure Processor Unit SPU250 is an example of a certificate.
• H1D3 Microcontroller with Crypto Library is an example of a certificate.
• Details about test effort by the evaluators (36 weeks):
  • Characterization tests took 21.1% of the time
  • Physical attacks accounted for 5.6%
  • Perturbation attacks made up 12.2%
  • Side-channel testing consumed 61.1%
  • Logical tests used 0%.

CC Evaluations - Merits

• Consist of white-box evaluations
• Are attack based evaluation
• Recognized in multiple markets
• Uses vetted evaluation labs.

Criticisms of CC Evaluations

• Static certificates, valid for the Target of Evaluation (TOE)
• Require formal documentation.
• Expensive

Security Certification

• Can only be withdrawn if the certificate was created under misinformation; for example, wrong evidence was submitted.

EMV Chip (Europay Mastercard Visa)

• Initially published in 1996, consists of three key elements:
  • Processing capability
  • Secure storage of confidential information
  • Cryptographic processing capability
• Secure composability is the keyword; chip, OS, and application
• Accreditation of labs
• Manufacturers are sponsors of the evaluation
• Certification bodies are private companies

Beyond EMV Chip

• Online payment world, the Chip and Pin are becoming obsolete
• Considerations include support for integrated payment methods, mobile payment, and secure storage of credentials.
• Technology evolves utilizing HCE and TEE

Conclusions

• Security certification regulates evaluation and testing in the security industry.
• Security certifications exist in complex eco-systems.
• Some schemes don't look at the security of the final product, just the development process.
• Challenges include the cost, technology shifts, and validity Impact of remote attacks is unclear White/grey-box Evaluation's Effectiveness The subjective nature of expert scoring of attacks