### HARDWARE SHIFT-LEFT

PRE-SILICON FAULT INJECTION EVALUATION AND POWER SIDE CHANNEL TESTING

**NICOLE FERN** 

# riscure

driving your security forward

# PRODUCTS IN THE WILD CONSTANTLY BEING HACKED USING FI AND SCA



It's already possible to hack an AirTag. The security risks are small, but there's a lot of potential for enthusiasts.



https://www.engadget.com/airtagnfc-hack-205735409.html



http://www.ausgamestore.com/xbox-360slim/matrix-glitcher-slim.html



KU Leuven, Research group COSIC

#### Dismantling DST80-based Immobiliser Systems

Car manufacturers deploy vehicle immobiliser systems in order to prevent car theft. However, in many cases the underlying cryptographic primitives used to authenticate a transponder are proprietary in nature and thus not open to public scrutiny. In 1995 Texas Instruments released the Digital Signature Transponder (DST), the first cryptographic Radio Frequency Identification tag [1]. These RFID tags no…




https://www.esat.kuleuven.be/cosic/blog/dismantling-dst80-based-immobiliser-systems/

### **SECURITY TOOLING PHILOSOPHY**

- Enable codifying of security insights that can integrate into continuous compute loop
- Enable developers/designers to perform security analysis
- An EDA tool with a light salting of security is not a security tool



### **GOAL OF THIS TALK**

- Share our approach to infusing security knowledge into EDA tools and leveraging their best features for pre-silicon SCA/FI analysis
- Show some technical details and case studies behind our pre-silicon offerings
- Show pre-silicon SCA/FI analysis can be used as verification step to **detect** and **mitigate** issues before tapeout
- Show you don't need to be a security expert to find issues
- Gather feedback

## PRE-SILICON FAULT INJECTION

### **FI SIMULATION**

1. Fault Model
   - Set of signals and time intervals in which faults are injected during simulation
2. Outcomes
   - Classify effects of the fault as security relevant or not
   - Threat modelling required to implement security violation detectors ("assertions")



### **CPU CASE STUDY: PICORV32**



Identify sensitive RTL registers

- How can we flip a branch condition?
- Fault Model: single bit flips for all clocks and all registers/wires



https://github.com/YosysHQ/picorv32

### RESULTS

- Total faults injected: 1386400
- Exploitable: 408

| Glitched Signal Name    | Status           | PC       | Function        | Source File |
|-------------------------|------------------|----------|-----------------|-------------|
| picorv32.instr_rdcycleh | TEST_EXPLOITABLE | 00000078 | set_test_status | main.c:38   |
|                         |                  | 0000070  |                 |             |
| picorv32.instr_rdinstr  | TEST_EXPLOITABLE | 00000078 | set_test_status | main.c:38   |
| picorv32.instr_rdinstrh | TEST_EXPLOITABLE | 0000078  | set_test_status | main.c:38   |
| picorv32.instr_rdcycleh | TEST_EXPLOITABLE | 0000078  | set_test_status | main.c:38   |
| picorv32.instr_rdinstr  | TEST_EXPLOITABLE | 00000078 | set_test_status | main.c:38   |
| picorv32.instr_rdinstrh | TEST_EXPLOITABLE | 00000078 | set_test_status | main.c:38   |

Vulnerable lines of code highlighted

Software countermeasures



### **VERIFYING FI COUNTERMEASURES**

- HW countermeasure: duplicate program counter and reset core if mismatch
- SW countermeasure: implement double check for success condition in software

|                     | Vanilla | Harden RTL | Harden SW | Harden RTL + SW |
|---------------------|---------|------------|-----------|-----------------|
| Total               | 1386400 | 1540800    | 1386400   | 1540800         |
| Exploitable faults  | 408     | 358        | 20        | 2               |
| Exploitable signals | 268     | 264        | 4         | 2               |
| Detections          | 0       | 0          | 376       | 361             |



(this experiment is waaay too limited to conclude anything general about hardware vs software countermeasures)
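The fault model, outcome classification and software double check described above, as an added example that is not Riscure's tooling and does not model PicoRV32. The four-register PIN check and the names `REGS`, `step`, `run` and `campaign` are assumptions made for illustration.

```python
from collections import Counter

# Constructed toy model (an assumption, not PicoRV32): register name -> bit width.
REGS = {"diff": 8, "eq": 1, "eq2": 1, "unlock": 1}
SECRET, GUESS = [1, 2, 3, 4], [1, 2, 0, 7]   # wrong PIN: a clean run must not unlock
N_CYCLES = 8                                  # cycle 7 only reads out `unlock`

def step(s, cycle, hardened):
    """Execute one clock cycle of the PIN check on register state s."""
    if cycle < 4:                             # accumulate byte differences
        s["diff"] |= SECRET[cycle] ^ GUESS[cycle]
    elif cycle == 4:                          # branch condition
        s["eq"] = int(s["diff"] == 0)
    elif cycle == 5 and hardened:             # SW countermeasure: recompute the condition
        s["eq2"] = int(s["diff"] == 0)
    elif cycle == 6:
        if hardened and s["eq"] != s["eq2"]:
            return "DETECTED"                 # double check disagrees: security assertion fires
        s["unlock"] = s["eq"]
    return None

def run(hardened, fault=None):
    """Simulate all cycles; fault = (cycle, register, bit) flipped before that cycle."""
    s = dict.fromkeys(REGS, 0)
    for cycle in range(N_CYCLES):
        if fault and fault[0] == cycle:
            s[fault[1]] ^= 1 << fault[2]
        if step(s, cycle, hardened) == "DETECTED":
            return "DETECTED"
    return "EXPLOITABLE" if s["unlock"] else "NO_EFFECT"

def campaign(hardened):
    """Fault model: single bit flips for all cycles and all register bits."""
    counts, hits = Counter(), []
    for cycle in range(N_CYCLES):
        for reg, width in REGS.items():
            for bit in range(width):
                outcome = run(hardened, (cycle, reg, bit))
                counts[outcome] += 1
                if outcome == "EXPLOITABLE":
                    hits.append((cycle, reg, bit))
    return counts, hits

if __name__ == "__main__":
    for name, hardened in (("vanilla", False), ("harden SW", True)):
        counts, hits = campaign(hardened)
        print(name, dict(counts), hits)
```

The double check turns the flips of `eq` into detections, while the flip of `unlock` at readout stays exploitable because nothing re-checks that register.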

### **ADDITIONAL CASE STUDIES**

- OpenTitan AES round counter protection
  - FI simulation revealed that countermeasures inserted by OpenTitan team were optimized away by synthesis tool
  - Reported to OpenTitan team and they have a fix
  - https://github.com/lowRISC/opentitan
- Arm Cortex-M0
  - FI Simulator (netlist) v. EMFI on real device
  - There is a reasonable overlap with post-silicon testing



### PRE-SILICON SIDE CHANNEL ANALYSIS

### **SCA SIMULATION: SCATE**



We can simulate traces to obtain "traditional" CPA plots – noiseless!





### WITH RANKED LEAKY GATE LIST YOU CAN...

- Pinpoint root cause of leakage in design





- Begin to automate countermeasure insertion (future work)



### **DESIGN SPACE EXPLORATION**

For the top N leaky gates, trade off security / user defined function / countermeasure



Security metric, e.g. leakage points

### **CASE STUDY: MASKED AES DESIGN**



 $X \rightarrow Y$ 

 $\begin{array}{c} x \oplus m_1 \longrightarrow y \oplus m_2 \\ ((x \oplus m_1) \oplus m_1) \oplus m_2 \longrightarrow y \oplus m_2 \end{array}$ 
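Reading the expressions above as a remasking step from $m_1$ to $m_2$ (an assumption), this added example, which is neither SCATE nor the design from the case study, simulates noiseless Hamming-weight samples for each intermediate wire and ranks the wires by correlation with the unmasked value. The wire names and the leakage model are hypothetical.

```python
import random

def hw(v):
    """Hamming weight, used here as the noiseless leakage model (assumption)."""
    return bin(v).count("1")

def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def remask_wires(x, m1, m2):
    """Intermediate wires (hypothetical names) for two evaluation orders of the remask."""
    xm = x ^ m1
    return {
        "in_masked": xm,                  # x ^ m1
        "bad_unmask": xm ^ m1,            # (x ^ m1) ^ m1 == x: unmasked value on a wire
        "bad_out": (xm ^ m1) ^ m2,        # same result as good_out, reached through x
        "good_mask_switch": m1 ^ m2,      # masks combined first, x never unmasked
        "good_out": xm ^ (m1 ^ m2),
    }

def rank_leaky_wires(n_traces=2000, seed=1):
    """Return [(wire, |correlation with HW(x)|)] sorted from most to least leaky."""
    rng = random.Random(seed)             # constructed random inputs and masks
    secret_hw, samples = [], {}
    for _ in range(n_traces):
        x, m1, m2 = (rng.randrange(256) for _ in range(3))
        secret_hw.append(hw(x))
        for name, value in remask_wires(x, m1, m2).items():
            samples.setdefault(name, []).append(hw(value))
    scores = {name: abs(pearson(trace, secret_hw)) for name, trace in samples.items()}
    return sorted(scores.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for wire, score in rank_leaky_wires():
        print(f"{wire:18s} {score:.3f}")
```

Both evaluation orders produce the same output value; only the order that cancels $m_1$ before applying $m_2$ puts a wire at the top of the ranking.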

### **CASE STUDY: MASKED AES DESIGN**



### **KEY TAKEAWAYS**



"With post-silicon we can fix the next chip, with pre-silicon we can fix the current chip."

- Customer Quote

We are:

- Enabling **non-security-expert** designers **to root cause** security issues
- Enabling continuous integration of insight and experience from security experts into the tooling
- Reducing the need for **time consuming / expensive** post-silicon testing
- Reducing the **risk** of post-silicon **certification failure** and **insecure** products

"Good security tools find potential vulnerabilities. Great security tools find practical vulnerabilities."

– Jasper Van Woudenberg (CTO, Riscure North America)

## riscure


#### **Riscure B.V.**

Frontier Building, Delftechpark 49, 2628 XJ Delft, The Netherlands. Phone: +31 15 251 40 90. www.riscure.com

#### **Riscure North America**

550 Kearny St., Suite 330, San Francisco, CA 94108, USA. Phone: +1 650 646 99 79. inforequest@riscure.com

#### **Riscure China**

Room 2030-31, No. 989, Changle Road, Shanghai 200031, China. Phone: +86 21 5117 5435. inforcn@riscure.com
