On-Device Power Analysis Across Hardware Security Domains

Colin O’Flynn, Alex Dewar
Dalhousie University
What am I doing for the next 17 mins (in 42 slides)?

• Introduction: Remote & Cross-Domain Attacks
• Attacker Model, TrustZone-M, and SAML11
• Basic CPA Attack on SAML11, bit depth / sample rate effect
• Internal regulator attack experiments
• Attacking a standard SAML11 development kit
• Countermeasures
On-Device Power Analysis
Introducing... TrustZone-M
On-Device Power Analysis across Hardware Security Boundaries

```c
#include <stdint.h>
#include "sam.h"             // SAM L11 device header (assumed name)
#include "simpleserial.h"    // ChipWhisperer simpleserial target library

extern volatile uint8_t adc_done;   // set by DMAC_0_Handler when the capture completes
extern uint8_t key[];               // key buffer declared elsewhere in the non-secure project

// Secure-world entry point, declared so the non-secure code can call it
void nsc_func_enc(const uint8_t *keys, uint32_t key_len, const uint8_t *src, uint8_t *dst);

// Non-secure side: start the ADC capture (DMA-driven), call the secure-world
// AES through the NSC gateway, then return the ciphertext to the host.
uint8_t get_pt(uint8_t *pt)
{
    while (!adc_done);             // wait for the previous capture to finish
    adc_done = 0;
    ADC->CTRLC.bit.FREERUN = 1;    // start free-running conversions
    ADC->SWTRIG.bit.FLUSH = 1;     //flush adc conversions
    nsc_func_enc(key, 4, pt, pt);  // encrypt in place in the secure world
    simpleserial_put('r', 16, pt); // 16-byte result back over simpleserial
    return 0x00;
}

/**
 * \brief Non-secure callable function 1
 */
void __attribute__((cmse_nonsecure_entry)) nsc_func_enc(const uint8_t *keys, uint32_t key_len, const uint8_t *src, uint8_t *dst)
{
    idau_aes_enc(keys, key_len, src, dst);   // ROM AES library in the secure world
}

// DMA transfer-complete interrupt: the ADC sample buffer is full
void DMAC_0_Handler(void)
{
    PORT_SEC->Group->OUTSET.reg = 1 << 7;   // marker pin high at end of capture
    ADC->CTRLC.bit.FREERUN = 0;             //disable freerun
    DMAC->CHINTFLAG.bit.TCMPL = 1;          //clear transfer complete flag
    adc_done = 1;
}
```
Specific Implementation Example

• SAML11 → One of the first M23 cores available on the market (June 2018)
• Original datasheet (since changed) made an interesting claim…

  • Built-in cryptographic accelerator accessible through cryptographic libraries stored in ROM
    – Supporting AES-128 encryption/decryption, SHA-256 authentication, GCM encryption and authentication
    – Cryptographic libraries are especially designed for side channel and fault injection attacks prevention
Product Usage of TrustZone-M / SAML11

• When starting this work, no products on the market used the SAML11
• Made some assumptions about the design of such products, backed up by datasheet examples:

13.2.5.1 SAM L11 Peripherals Configuration Example

Below is a typical configuration example where all peripherals except the ADC, TC0, and Event System (EVSYS) are reserved to the Secure application:

• Secure/Non-Secure Peripherals PAC configuration:
  – PAC.NONSECA=PAC.NONSECB=0x0000_0000
  – PAC.NONSECC=0x0000_00091 (ADC, TC0 and EVSYS available for the Non-Secure application)
Assumptions / Attacker Powers

• Attacker must have previously performed an attack to gain code execution in the non-secure space (or otherwise has such access).

• Attacker can run a considerable number of tests / data recovery attempts.
  • We can consider a remote attacker as in-scope… realistically we will look at “quasi-remote”.

• Quasi-remote means the attacker does not have full physical access to the system (cannot do DPA at board level), but perhaps has debugger/communication access.
Example of “Quasi-Remote” Attacker Threat

- Unlocking ECUs is big business.
- Requiring tuners to solder to PCB & capture power traces is a large hurdle.
- But requiring them to plug in a debug connector is very much “in-scope” for these attacks.
  - If DPA attack runs in reasonable time, allows tuners to perform such attacks even with unique keys.
TrustZone-A Attacks

1. General remote attacks presented by Bernstein [Ber05].
2. Arm Cache-timing attacks used to break TrustZone-A [LGS+16], [ZSS+16], [ZSS+18], [LW19], [NCC18].
3. Remote fault attacks also demonstrated on TrustZone-A, such as RowHammer shown on TrustZone-A by [Car17] and CLKscrew [TSS17].
“Remote” Side-Channel Attacks

• Cortex-M devices frequently lack a true cache, making cache-timing attacks difficult.

• Previous work on side-channel power analysis with a ‘remote’ threat model includes:

2. Using the on-board ADC of a microcontroller [GKT19].

May require a very large set of data to be transferred out!
“Nearby” Side-Channel Attacks

• Measuring voltage on I/O pin leaks information [SPK+10].
• Band-limited signal measured on switch-mode “line” side can be used for AES attack [SLT16].
• Band-limited radio signals have been previously used in attacking RSA/asymmetric [GST14], [GPPT15].
• Recently AES attacked with radio signal leakage [CPM+18].
Part 1 – External CPA Attack
AES Accelerator Attack

SAML11 AES Hardware Peripheral Power Trace (figure: ADC measurement vs. sample number)

CPA Results on SAML11 after 5000 traces using ChipWhisperer-Lite (figure: CPA output vs. sample number, four panels of 0–3000 samples each)
Effective Bit Depth of Samples?

\[ \mathrm{SNR}_{\mathrm{dB}} = 6.02\,N + 1.78\,\mathrm{dB} \]

<table>
<thead>
<tr>
<th>ADC Bits</th>
<th>Max Value</th>
<th>Min Value</th>
<th>Effective Bits</th>
</tr>
</thead>
<tbody>
<tr>
<td>10</td>
<td>929</td>
<td>429</td>
<td>8.97</td>
</tr>
<tr>
<td>8</td>
<td>232</td>
<td>107</td>
<td>6.98</td>
</tr>
<tr>
<td>4</td>
<td>14</td>
<td>6</td>
<td>3.17</td>
</tr>
<tr>
<td>3</td>
<td>7</td>
<td>3</td>
<td>2.32</td>
</tr>
<tr>
<td>2</td>
<td>3</td>
<td>1</td>
<td>1.58</td>
</tr>
</tbody>
</table>
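The table above can be reproduced from a single 10-bit trace. This is an added example, not code from the slides or the authors' repository; it assumes the reduced-depth rows were obtained by discarding least-significant bits of the 10-bit samples (a right shift), and it uses constructed sample values whose extremes match the 10-bit row.

```python
import math

# Constructed 10-bit ADC samples (not real SAML11 data); the extremes
# match the 10-bit row of the table (max 929, min 429).
TRACE_10BIT = [429, 512, 640, 700, 929, 655, 588, 470, 810, 760]


def ideal_snr_db(bits):
    """Ideal quantizer SNR of an N-bit ADC, with the constant as given on the slide."""
    return 6.02 * bits + 1.78


def reduce_depth(samples, full_bits, target_bits):
    """Simulate a coarser ADC by dropping the least-significant bits.
    Assumption of this example: the table's reduced-depth rows were made this way."""
    shift = full_bits - target_bits
    return [s >> shift for s in samples]


def effective_bits(samples):
    """Bits the signal actually exercises: log2 of the number of ADC codes
    spanned between the minimum and maximum sample (max - min + 1)."""
    span = max(samples) - min(samples) + 1
    return math.log2(span)


def depth_table(samples, full_bits=10, depths=(10, 8, 4, 3, 2)):
    """Rows of (ADC bits, max value, min value, effective bits), as in the slide's table."""
    rows = []
    for bits in depths:
        reduced = reduce_depth(samples, full_bits, bits)
        rows.append((bits, max(reduced), min(reduced), round(effective_bits(reduced), 2)))
    return rows


if __name__ == "__main__":
    for bits, hi, lo, eff in depth_table(TRACE_10BIT):
        print(f"{bits:2d}-bit ADC: max={hi:4d} min={lo:4d} effective bits={eff:.2f} "
              f"(ideal SNR for {bits} bits: {ideal_snr_db(bits):.1f} dB)")
```

The effective-bit column shows why a 4-bit reading of this rail retains only about 3 bits of signal: the trace never swings over the full ADC range, so the SNR budget from the formula is not reached.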
PGE Comparison for Reduced Bit Depth

(figure: PGE vs. trace number, four panels: 8-bit, 4-bit, 3-bit and 2-bit ADC data)
Sample Rate Reduction due to Internal ADC

(timing diagram: CLKcore, Busy, State, Sample)
Synchronous Sampling Mode

The ADC clock (even when under-sampling) is still fully synchronous to the core clock.

The sample point has no time jitter relative to the clock edge.

A similar sample rate measured without clock synchronization would have very substantial jitter due to minor frequency mismatches.
Part 2 – On-Board Attack

Segger RTT (JTAG data transfer): ~1100 traces/second
Test Boards

Expected reduction of SNR from A→D
Test A – Highest SNR
Sidenote about Internal Regulators

• Does not react to fast transients; an external decoupling capacitor is required in most devices.
• The majority of the high-frequency current flows from the capacitor.
• The regulator recharges the capacitor (this shows up as noise).
Clock Cycle Offset for AES to Measurement

(timing diagram: CLKcore, Busy, State, Sample)
Guessing Entropy & Cycle Offset

Cycle offset from AES call to start of sampling.

PGE (partial guessing entropy) of each key byte after 200K samples (all output sample points considered, rather than selecting the best leakage points).

<table>
<thead>
<tr>
<th>Cycle offset \ Key byte</th>
<th>0</th>
<th>1</th>
<th>2</th>
<th>3</th>
<th>4</th>
<th>5</th>
<th>6</th>
<th>7</th>
<th>8</th>
<th>9</th>
<th>10</th>
<th>11</th>
<th>12</th>
<th>13</th>
<th>14</th>
<th>15</th>
</tr>
</thead>
<tbody>
<tr>
<td>5</td>
<td>0.1</td>
<td>116.2</td>
<td>0.1</td>
<td>20.0</td>
<td>109.8</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>27.5</td>
<td>0.0</td>
<td>26.0</td>
<td>0.1</td>
<td>0.0</td>
<td>0.1</td>
<td>0.0</td>
</tr>
<tr>
<td>6</td>
<td>0.0</td>
<td>0.4</td>
<td>0.0</td>
<td>29.9</td>
<td>0.0</td>
<td>0.2</td>
<td>0.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
</tr>
<tr>
<td>7</td>
<td>0.0</td>
<td>0.2</td>
<td>0.0</td>
<td>12.8</td>
<td>0.0</td>
<td>0.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
</tr>
<tr>
<td>8</td>
<td>0.0</td>
<td>0.2</td>
<td>0.0</td>
<td>17.1</td>
<td>0.0</td>
<td>0.4</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
</tr>
<tr>
<td>9</td>
<td>9.9</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>53.8</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
</tr>
<tr>
<td>10</td>
<td>61.5</td>
<td>0.0</td>
<td>10.4</td>
<td>30.5</td>
<td>0.0</td>
<td>40.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>32.6</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
</tr>
<tr>
<td>11</td>
<td>3.4</td>
<td>0.0</td>
<td>0.0</td>
<td>82.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>31.1</td>
<td>0.0</td>
<td>61.5</td>
<td>2.1</td>
<td>0.0</td>
<td>0.0</td>
<td>3.6</td>
<td>0.0</td>
</tr>
<tr>
<td>12</td>
<td>1.1</td>
<td>2.1</td>
<td>0.8</td>
<td>0.0</td>
<td>7.8</td>
<td>83.0</td>
<td>0.0</td>
<td>5.6</td>
<td>0.0</td>
<td>0.0</td>
<td>0.1</td>
<td>3.6</td>
<td>0.0</td>
<td>10.9</td>
<td>6.6</td>
<td>0.0</td>
</tr>
<tr>
<td>13</td>
<td>0.8</td>
<td>3.5</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>174.9</td>
<td>0.0</td>
<td>47.8</td>
<td>0.0</td>
<td>0.0</td>
<td>3.5</td>
<td>0.0</td>
<td>0.0</td>
<td>5.2</td>
<td>0.6</td>
<td>0.0</td>
</tr>
<tr>
<td>14</td>
<td>0.1</td>
<td>0.4</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>179.2</td>
<td>0.0</td>
<td>33.2</td>
<td>0.0</td>
<td>0.0</td>
<td>1.2</td>
<td>0.5</td>
<td>0.0</td>
<td>20.4</td>
<td>0.2</td>
<td>0.0</td>
</tr>
<tr>
<td>15</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>38.9</td>
<td>20.8</td>
<td>0.0</td>
<td>0.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.9</td>
<td>7.6</td>
<td>115.1</td>
<td>10.9</td>
<td>49.9</td>
<td>0.0</td>
</tr>
<tr>
<td>16</td>
<td>102.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>99.2</td>
<td>0.0</td>
<td>8.2</td>
<td>152.6</td>
<td>0.0</td>
<td>0.0</td>
<td>45.2</td>
<td>0.0</td>
</tr>
<tr>
<td>17</td>
<td>0.0</td>
<td>0.0</td>
<td>0.2</td>
<td>33.4</td>
<td>0.0</td>
<td>124.4</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>68.9</td>
<td>0.0</td>
<td>0.0</td>
<td>77.4</td>
<td>0.2</td>
<td>0.0</td>
<td>0.0</td>
</tr>
<tr>
<td>18</td>
<td>0.0</td>
<td>0.1</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>3.5</td>
<td>0.2</td>
<td>0.0</td>
<td>0.0</td>
<td>10.9</td>
<td>0.0</td>
<td>0.4</td>
<td>0.0</td>
</tr>
<tr>
<td>19</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>0.0</td>
<td>2.5</td>
<td>2.2</td>
<td>7.2</td>
<td>0.0</td>
<td>37.0</td>
<td>0.2</td>
<td>0.0</td>
<td>0.2</td>
</tr>
</tbody>
</table>

CHES 2019 - Atlanta, Georgia
Board ‘B’
Board C/D ➔ Dev Kit
Part 3 - Development Kit Attack
Finding Leakage – TVLA Testing

Caveat: due to the strong down-sampling, it is hard to focus the t-test on the middle 1/3 of AES only.

The detected leakage aligns with the peak from the CPA results.
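A fixed-vs-random t-test of the kind used above, run over constructed traces. This is an added example, not code from the slides or the authors' repository; the trace data, the leak position and the conventional 4.5 threshold are assumptions of this example.

```python
import math
import random
from statistics import mean, variance

TVLA_THRESHOLD = 4.5   # conventional |t| threshold for declaring leakage


def welch_t(a, b):
    """Welch's t-statistic between two groups of measurements at one sample index."""
    na, nb = len(a), len(b)
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / na + variance(b) / nb)


def tvla(fixed_traces, random_traces, threshold=TVLA_THRESHOLD):
    """Non-specific fixed-vs-random test: one t-value per sample index.
    Returns (t_values, indices whose |t| exceeds the threshold)."""
    n_samples = len(fixed_traces[0])
    t_values = [welch_t([tr[i] for tr in fixed_traces],
                        [tr[i] for tr in random_traces])
                for i in range(n_samples)]
    flagged = [i for i, t in enumerate(t_values) if abs(t) > threshold]
    return t_values, flagged


def make_traces(n_traces=200, n_samples=20, leak_index=7, seed=1):
    """Constructed traces (not data from the slides): Gaussian ADC noise, plus a
    mean shift at one sample index for the fixed-input set, standing in for the
    data-dependent power draw of the AES operation."""
    rng = random.Random(seed)
    fixed = [[rng.gauss(0.0, 1.0) + (1.0 if i == leak_index else 0.0)
              for i in range(n_samples)] for _ in range(n_traces)]
    rand = [[rng.gauss(0.0, 1.0) for _ in range(n_samples)] for _ in range(n_traces)]
    return fixed, rand


if __name__ == "__main__":
    fixed, rand = make_traces()
    t_values, flagged = tvla(fixed, rand)
    print("sample indices flagged as leaking:", flagged)
    print("t-value at the constructed leak index 7: %.1f" % t_values[7])
```

With 200 traces per set and a unit mean shift against unit noise, the leaky index yields |t| around 10, while the other indices stay well under 4.5; the same routine applied to down-sampled real traces is what limits how tightly the test can be focused on the middle of AES.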
Switching Power Supply Mode

(figure: ADC reading vs. sample number with the switching supply; second panel: the same trace after a high-pass filter, “Switching Supply [HPF=0.25]”)
TVLA of Switching Regulator

TVLA, 50000 Traces, Switching Regulator [HPF=0.25]
Cross-Domain Attacks

• A cross-domain attack uses the availability of peripherals in the non-secure world to attack the secure world.

• A remote exploit in the non-secure world could be used to recover data from the secure world.

• Requires lots of data (~160 000 000 traces, 5GB).
  • Is ‘remote’ plausible  →  Not convinced.
  • Is ‘nearby’ plausible  →  Yes.

• Countermeasures include:
  • Moving peripherals to the secure world (caveat – we don’t want some libs in the non-secure world).
  • Validating the environment (caveat – secure code cannot touch non-secure resources).
Availability of Datasets, Code, Etc

https://github.com/colinoflynn/xdomain-dpa-m23

- 520M+ trace sets
- 285GB of data files…
Thank-You and Questions

https://github.com/colinoflynn/xdomain-dpa-m23

Email: colin@oflynn.com (Colin)   adewar@dal.ca (Alex)
Twitter: @colinoflynn

Thank you for the many reviews & notes from those who wished to remain anonymous.