Topics in hArdware SEcurity and RISC-V (TASER)

Leuven, September 18th, 2022

RISC-V logo

Remit

The open nature of, and both eco-system and community associated with RISC-V has arguably led to a "golden period" of research and innovation within the field of computer architecture. This, in turn, has positively impacted the associated field of hardware security, where significant existing challenges remain and new challenges continue to emerge. For example, use of RISC-V in this context offers opportunities (for academic and industrial research and development) which stem from the extensible, configurable nature of the ISA and many associated implementations, plus transparency afforded by access to HDL for many such implementations. Established in 2021 as a CHES affiliated event, the TASER workshop aims to 1) establish and solidify RISC-V as a topic of interest for CHES, and 2) act as an interface between the RISC-V and CHES communities.

Format

Again operating as a CHES affiliated event, and held in-person, the half-day workshop will include a mixture of invited and submitted presentations. Per the associated CFP, we are inviting submission of presentation proposals: submit your proposal via the submission site before the deadline of 11/06/22 23:59:59 Anywhere on Earth (AoE).

Registration

The TASER 2022 workshop is affiliated with CHES 2022: please register with the conference to attend the workshop.

Preliminary Program

Time Content
Welcome
14:00 – 14:30 CEST Speaker Markku-Juhani O. Saarinen (PQShield)
Title Verifying constant-time code with RISC-V Zkt and Dynamic Taint Analysis
Abstract One of the RISC-V security-related extensions ratified in November 2021 is Zkt, the "Data Independent Execution Latency Subset." It extends the hardware-software ISA contract by defining a subset of instructions whose latency is asserted to be independent of input data. Hence these instructions can be trusted to process sensitive data without timing leakage. In the talk, I'll describe and demonstrate a method for verifying constant-time behaviour of RISC-V code. To accomplish the tracing of information flows, we have created a full-system RISC-V emulator that implements Dynamic Taint Analysis (DTA). Examining compiled binary executables rather than source code (or other abstract representation) of the algorithm is essential, as compilers are known to modify security-critical code. The simulated system has special instrumentation functions for tainting sensitive ("red") variables and untainting ("blacking") them. In the simulator, a shadow state is attached to registers and memory locations; symbolic execution and simple inference rules allow the system to determine which output variables are potentially affected by specific input variables. When "red" (secret) tainted variables are used by non-constant-time (non-Zkt) instructions, warnings are created. Untainting is appropriate when a variable is cleared or can be declared as encrypted ciphertext. Production-scale constant-time cryptography, even whole libraries, can be relatively easily instrumented to annotate the secret variables. The same RISC-V binary implementations can be run on real production systems. Once the red/black annotation is in place, the system rarely generates false positives and the automated DTA simulator test benches can be made part of continuous integration test flows.
14:30 – 15:00 CEST Speaker Patrick Karl (Technical University of Munich), Jonas Schupp (Technical University of Munich), and Georg Sigl (Technical University of Munich and Fraunhofer Institute for Applied and Integrated Security)
Title A 22nm ASIC for Flexible Post-Quantum Cryptography
Abstract Post-quantum cryptography is – among others – based on lattices, isogenies or error-correcting codes. In this talk, we present a RISC-V based HW/SW co-design that includes several accelerators for a wide range of post-quantum schemes. The design has been sent for tapeout in Globalfoundries’ 22nm FDSOI technology. The core of the system is based on that of Fritzmann et al., i.e., the PULPino microcontroller extended with several accelerators for lattice-based schemes. This includes several first-order masked accelerators, whereas some of them are tailored for the NIST finalists Kyber and Saber. In addition to these lattice-based accelerators, two co-processors are included in the design. The first one is a high-speed accelerator for the isogeny-based scheme SIKE, but can also be used to accelerate the computation of several Elliptic-Curve operations. The second co-processor is designed to speed up the code-based scheme HQC. During the presentation, we will focus on explaining the architecture, state some performance and cost metrics and talk about the performance limiting factors of the design. The final analysis shows that the design is capable of running at a frequency of up to 500MHz and has an area of 3.125mm2.
15:00 – 15:30 CEST Speaker Shoei Nashimoto (Mitsubishi Electric Corporation), Rei Ueno (Tohoku University), Naofumi Homma (Tohoku University)
Title PoC TEE: Proof-of-Concept Implementation of RISC-V Trusted Execution Environment for Embedded Devices
Abstract This presentation will describe a proof-of-concept (PoC) implementation of RISC-V trusted execution environment (TEE) for embedded devices. The source code of the PoC TEE that runs on a real device is provided with no licensing restrictions. It can be used for multiple purposes including the physical attack resistance evaluation of RISC-V-based TEEs. For more detail, please see our GitHub repo.
Coffee
15:45 – 16:15 CEST Speaker Roderick Bloem (Graz University of Technology), Barbara Gigerl (Graz University of Technology), Marc Gourjon (Hamburg University of Technology and NXP Semiconductors), Vedad Hadžić (Graz University of Technology), Stefan Mangard (Graz University of Technology), and Robert Primas (Graz University of Technology)
Title Power Contracts: Provably Complete Power Leakage Models for Secure Execution of Masked Software on Processors
Abstract Masking is a common countermeasure to protect cryptographic software implementations against power-analysis attacks. In practice, the security of countermeasure like masking relies on several assumptions that are often violated by microarchitectural side-effects of CPUs. State-of-the-art works address this problem by studying these leakage effects and building corresponding leakage models that can then be integrated into software verification flows or tools for automated security assessments. However, these models have only been derived empirically, putting the otherwise rigorous security statements made with verification in question. This talk introduces a novel approach to overcome these issues. First, a contract layer between the CPU hardware and the software is introduced, allowing the specification of microarchitectural side-effects of masked software in an intuitive language. Second, a method for proving the correspondence between contracts and synthesized CPU netlists is presented, ensuring the completeness of the specified leakage models. As a result, any further security proof only needs to happen between software and contract, which brings benefits such as reduced verification runtime, improved user experience, and the possibility of working with vendor-supplied contracts of CPUs whose design is not available on netlist-level due to IP restrictions. Further, the provably complete contract resulting from applying the method to the popular RISC-V IBEX core is presented.
16:15 – 16:45 CEST Speaker Andy Dellow (Huawei UK R&D)
Title Securing the future of open source computing
Abstract Security has often been a late consideration in the development of systems, hardware, and software. The emergence of exploits such as malware, trojans, the recent Spectre, Meltdown, RAMbleed attacks has resulted in serious financial and reputational losses. This illustrates the need to consider security as an essential component, directly built into a system rather than layered on top. RISC-V is a clean slate architecture with a unique opportunity to build in security as an intrinsic part of the hardware software and firmware. This talk will describe the latest initiatives and ongoing work to secure RISC-V and it’s ecosystem.
16:45 – 17:15 CEST Speaker Markku-Juhani O. Saarinen, Patrick Karl, Shoei Nashimoto, Marc Gourjon, Andy Dellow
Title Panel discussion
Wrap-up

Organising Committee