
Generation 3 Smartcard

Deliverables

The smartcard processors developed in this project incorporate fine-grain memory protection units. This hardware improvement can potentially improve the security of smartcard applications in several areas:

- Resistance to glitch attacks; these rely on stressing the processor physically to cause it to execute an instruction in a faulty manner. For example, the "test" operation at the end of a loop that is reading out memory may be skipped, causing the loop to be executed extra times and exposing the contents of more memory than was intended. If the memory protection unit is always set to the "most restrictive possible" state then this kind of attack is made much harder: not only must the correct instruction be glitched, the attacker must also find a way to disable the memory protection unit or arrange for it to be programmed incorrectly.
- Resistance to application programming faults; application programming errors that might previously have gone unnoticed, for example an access to an "unallocated" area of memory, will now be trapped automatically and will cause the application to fail. The application programmer can correct errors that are caught in this way during development. Errors of this type that remain in the finished application will cause the application to fail when they occur, but should not affect the security of the card.
- Separation of applications into mutually suspicious components. The parts of the application that deal with issues like communication with the card accepting device and dealing with external requests can be completely separated from parts of the application that deal with encryption and key management. Communication between these parts can take place across a well-defined internal interface, with checking on both sides: the part that deals with access to key material can have an internal policy that it will not perform operations using a stored key unless a correct PIN has been presented, and will refuse to do so even if asked to by the component that implements communication with the outside world.
- Separation of mechanism and policy. Applications can be written to provide mechanism, for example performing operations using stored key material. Policy about what to permit the application to do can be implemented in separate code that does not have access to the application's internal data.

A further benefit of having a fine-grain memory protection unit is that multiple applications, written in the smartcard processor's native machine code, can be supported on the same card without having to trust each other.
The team at Cambridge worked first on the problem of data retention in semiconductor memory. It is commonly assumed that once power is removed from a static RAM, the memory contents are immediately destroyed. This is not the case. The data may remain readable for several seconds, in that the device will revert to its former state if powered up again. If the chip is frozen, this remanence period may increase to minutes or even hours. The existing views of the security engineering community rely on papers published in the 1980s, when technologies were very different. We considered it important to repeat this work using modern components and we found a wide variation in remanence behaviour, even between different devices of the same type and from the same manufacturer.

The team at Louvain-la-Neuve started off refining their work on electromagnetic analysis. This technique involves placing a small probe coil on the surface of the chip under test and measuring the current induced in it by the local magnetic field at the chip's surface. In some circumstances, this gives similar information to that obtained by measuring the chip's power consumption (i.e., in power analysis). However, it was shown that electromagnetic analysis gives strictly more information, as the coil can pick up the magnetic fields generated by local signals that are not present outside the chip. This was highly significant in itself; it also turned out to be important for later analysis and protection work.

The Cambridge team then turned to optical fault induction. This work started by chance, with the observation that the microscope light caused a short-circuit in the EEPROM read-out amplifier of an SLE66 smartcard that was under test. This led the Cambridge team to wonder whether it would be possible to induce a fault in the component of their choice by illuminating it. A second-hand photographers' flashgun was purchased and mounted on a microscope; it was found that suitably aimed flashes could be used to write arbitrary values into SRAM. This result got considerable publicity. The use of lasers rather than flashguns enabled the technique to be made more precise and to be extended to smaller feature sizes.

The team at Louvain-la-Neuve then developed a variant of this technique using their electromagnetic probing tools. By placing a small coil next to a target component in a smartcard chip, and passing a current pulse through the coil, they found that they could induce a sufficiently large eddy current in the chip to cause a targeted malfunction.

The final attack technology development brought Cambridge and Louvain together, to explore new ways of recovering data directly from semiconductor memory without using the read operations provided by the chip vendor for that purpose, thereby circumventing any access controls and reading out secret data directly. This is also a semi-invasive attack, in that the chip is still de-packaged, but no direct electrical contact is made and the chip passivation remains intact. We will describe the technique in the context of an optical attack on CMOS RAM, but it has much wider applicability; electromagnetic probing techniques work too, and many other types of memory are vulnerable.
This summary describes the security analysis performed on two of the asynchronous systems developed within the G3Card project. The first of those two chips is the XAP processor designed by the University of Cambridge. The Springbank chip consisted of several versions of the same 16-bit RISC processor, one of which is a 'conventional' clocked circuit (the SyncXAP) and another the SecXAP, a dual-rail asynchronous circuit with return-to-zero (RTZ) signalling. With those two processors, we carried out comparative tests based on four attack techniques:

- Power analysis showed that both the SyncXAP and the SecXAP leak information through Hamming-weight-dependent current consumption. However, for the asynchronous circuit this power signature is reduced by a few dB. The principal reason proposed for the persistent leakage in the SecXAP is a design issue: the automatic place&route tools produced wires of uneven, unbalanced lengths.
- Electromagnetic analysis yielded the same kind of results as above, except that the SecXAP seemed to radiate more significant information, which is probably due to the larger circuit size, the absence of the 'noisy' clock and the unevenness introduced by automatic place&route.
- Light/laser fault injection unveiled weaknesses in the SecXAP's design: the modification of bits within the registers is explained by the fact that the register cells have been implemented using single flip-flops. Corruption of the ALU gave false XOR results in one case, or a constant 0x0001 XOR result for any input in another.
- Vcc glitches on the SecXAP corrupted register reads, modified data arguments and even caused involuntary memory dumps.

The second chip was based on the SmartMIPS architecture. The Silicon Design team of Gemplus designed the Testchip upon which the tests were carried out. The core is a clocked one with two different versions of the multiplier: the normal clocked multiplier (the SyncMDU) and the asynchronous secure multiplier (the AsyncMDU). Only power analysis was performed to compare the two multipliers. We showed that data exchanges between the general purpose registers and the MDU's registers leaked information about the Hamming weight of the data being transferred. Similarly, data-dependent power signatures appeared when multiplication instructions were executed. Those information leakages were present both for the SyncMDU and the AsyncMDU. However, the 'intensity' of those leakages is lower for the AsyncMDU than for the SyncMDU. This latter observation confirms the one already made on the XAP processors.

The general conclusions that can be drawn from those tests are the following: the dual-rail with RTZ asynchronous technology does reduce power-dependent information leakage by a few decibels (around 20dB). More significant reductions in the information leakage could have been achieved by having appropriate design tools or by careful full-custom design. Moreover, those design weaknesses also have a dramatic impact when it comes to injecting exploitable faults. This also means that the task of protecting a chip against fault injection is far from simple and that there is still plenty of room left for further research.
The Cambridge and Manchester teams developed dual-rail asynchronous circuits with rapid alarm propagation. The following data encoding scheme was used (dual-rail signal and its symbolic meaning):

- 00 means Clear.
- 01 means Logic-0.
- 10 means Logic-1.
- 11 means Alarm.

During conventional operation circuits move from the Clear state to the Logic (0 or 1) state and back again. Injection of a fault will have one of the following results:

- A Logic state turns into an Alarm state, raising the alarm.
- A multiple fault causes a Clear state to turn into an Alarm state.
- A Logic state turns into a Clear state, which results in deadlock.
- A Clear state is turned into a Logic state, which also results in deadlock.

The Springbank test chip (see Section XAP designs) embodied a processor constructed using these techniques. We were able to demonstrate that these dual-rail circuits inhibited fault injection, a technique useful to an attacker. Dual-rail circuits have also been demonstrated to produce substantially less data-dependent power, since the transitions between Clear and Logic states can be made to consume constant power. The implementation approach taken by Cambridge was to hand-craft much of the design. This reduced the CAD tool effort and allowed the relatively simple 16-bit processor designs to be completed for early evaluation. The Manchester Amulet team developed a more complex 32-bit ARM-compatible processor employing dual-rail techniques and secure storage latches. A secure latch should be balanced in that its delay is not determined by the data to be stored; additionally, however, the possibility of determining the difference between the weight of a word loaded into a storage element and that of the word previously held should be removed. A conventional latch will exhibit current variations in proportion to the number of bits changed during the load. Explicitly resetting dual-rail latches prior to loading will remove the current variations due to differing data values, albeit at the cost of slower, more expensive storage. The design was accomplished using the Balsa asynchronous design tool-set as previously described. This tool-set required refinement and additions to its back-end to accommodate the secure logic gate and latch technology. Further results, circuit level details and validation approaches may be found in the publications listed at the end of this document.
It is common for security evaluations of hardware to be undertaken after the device has been manufactured. This is a time-consuming, expensive and error-prone process. Nonetheless we have recently trodden this well-travelled path to produce a test chip (Springbank) and evaluate it. The design and evaluation of the Springbank test chip has taught us a great deal about the typical smart card design process. We began this process in the traditional way with a requirements specification, which included security properties. This led us to identify key design criteria, which steered the design process. However, we lacked design-time validation of the security criteria and we now know that some side cases were overlooked. Even more worryingly, our colleagues working on attack technologies developed new attacks which we had not even considered during the design process. What we seem to have recreated in our research project is a microcosm of current industrial practice. Having analysed security attacks on our circuits, we have been able to devise validation techniques which may be used at design time. Power Analysis: G3Card has been very focused on power analysis attacks. We have determined that data-dependent leakage may be detected at design time via systematic simulation. Such simulations allow design comparisons to be made, though it is harder to predict the exact values of emissions. The simulations we have undertaken for power and electromagnetic emissions are based upon switching activity. In the case of power analysis, capacitance masks some of the information. Similarly, for electromagnetic radiation one has to consider wave interference. Nonetheless, switching-activity simulation gives a good approximation to the energy being consumed over time, which is in turn a good approximation for EMA and DPA.
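The switching-activity approach can be reproduced in miniature. The following Python is an added example, not the G3Card simulation tooling: it counts rail transitions for two latch designs, a conventional latch whose activity equals the number of bits that change on load (as the dual-rail section above states) and a dual-rail latch that is explicitly reset to Clear before every load, then runs a first-order difference-of-means check over an exhaustive set of loads. The load sequence (latch cleared, then loaded with input XOR an 8-bit secret), the 8-bit width and the detection threshold are this example's constructed assumptions.

```python
"""Added example: design-time switching-activity leakage check for two latch
designs. Not G3Card code; the load sequence and width are constructed."""

WIDTH = 8  # bus width for the exhaustive simulation (constructed assumption)


def hamming_weight(x):
    return bin(x).count("1")


def conventional_latch_activity(old, new):
    """Single-rail latch: a cell switches only where old and new bits differ,
    so activity is the Hamming distance (the 'bits changed during the load')."""
    return hamming_weight(old ^ new)


def dual_rail_reset_latch_activity(old, new, width=WIDTH):
    """Dual-rail latch explicitly returned to Clear (00) before each load:
    every bit's pair goes Logic -> Clear (one rail falls) then Clear -> Logic
    (one rail rises): exactly two rail transitions per bit, whatever the data."""
    return 2 * width


def trace_set(activity, secret, width=WIDTH):
    """One simulated trace per input value: the latch held 0 (cleared) and is
    loaded with input XOR secret. Returns a list of (input, activity) pairs."""
    return [(p, activity(0, p ^ secret)) for p in range(1 << width)]


def difference_of_means(traces, bit):
    """Classic first-order statistic: mean activity when input bit is 1 minus
    mean activity when it is 0. Zero for a design with no data dependency."""
    ones = [a for p, a in traces if (p >> bit) & 1]
    zeros = [a for p, a in traces if not (p >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)


def leakage_report(activity, secret, width=WIDTH):
    """Difference of means for every input bit of the simulated design."""
    traces = trace_set(activity, secret, width)
    return [difference_of_means(traces, b) for b in range(width)]


def leaks(activity, secret, threshold=0.5):
    """Design-time verdict: does any bit show a data-dependent activity difference?"""
    return any(abs(d) > threshold for d in leakage_report(activity, secret))


if __name__ == "__main__":
    secret = 0xA5  # constructed secret value loaded into the latch
    for name, design in (("conventional", conventional_latch_activity),
                         ("dual-rail+reset", dual_rail_reset_latch_activity)):
        print(f"{name:16} per-bit difference of means: {leakage_report(design, secret)}")
        print(f"{name:16} leaks: {leaks(design, secret)}")
```

The conventional latch yields a difference of exactly one transition on every bit, a data dependency the simulation flags before any silicon exists; the reset dual-rail latch yields zero on every bit because its activity is a constant 2·width. Real emissions are blurred by capacitance and by wave interference, as the paragraph notes, so figures like these rank designs against each other rather than predict absolute amplitudes.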
Fault Injection Analysis: Injecting faults into working processors can change the nature of data being treated or corrupt cryptographic computations in such a way as to unveil secret information. Early forms of these so-called active attacks were focused on the device's external interface and often involved introducing glitches on power or clock input pins {AndKuh96}. Changes in temperature, either by cooling or heating the whole device or by introducing a temperature gradient, may also be used to induce faulty behaviour. Defences against such attacks are simplified by the restricted nature of the channel by which faults are injected, and such attacks can easily be detected by incorporating a suitable tamper sensor. Far greater control over the nature of the faults injected has been demonstrated recently. These attacks have included the use of localised EM pulses (by UCL), laser light, X-rays and local heating. We have been able to model this range of physical phenomena which can trigger faults. We can then model a wide range of attack scenarios, from single to multiple transistor failures. Given bounds on the control the attacker has, we can determine whether a fault can be injected without being detected. Our long-term aim is to produce a validation suite which covers a range of fault induction and measurement possibilities that far exceeds currently known attacks. Using this approach we believe that security by design will become a far more powerful technique than security analysis post manufacture.
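As an added worked example (not code from the G3Card project), the following Python models the four-symbol dual-rail encoding tabulated in the dual-rail section above and enumerates every single-rail and double-rail fault on a wire resting in each legal state, classifying the outcome as alarm, deadlock, no effect, or an undetected data change. For this one encoding it carries out the design-time check described in the paragraph above: given a bound on how many rails the attacker can flip at once, which faults go undetected. The fault model (a fault is a bit flip on one or both rails of a wire between handshakes) and the outcome labels are this example's assumptions.

```python
"""Added example: fault-outcome enumeration for the Clear/Logic/Alarm dual-rail
encoding (00 = Clear, 01 = Logic-0, 10 = Logic-1, 11 = Alarm). Not G3Card code."""
from enum import Enum


class State(Enum):
    """Symbolic meaning of a (rail1, rail0) pair, as tabulated in the text."""
    CLEAR = (0, 0)
    LOGIC0 = (0, 1)
    LOGIC1 = (1, 0)
    ALARM = (1, 1)


LOGIC = (State.LOGIC0, State.LOGIC1)

# Assumed fault model: an injected fault flips one rail (single fault) or both
# rails (multiple fault) of one wire while it rests in a legal state.
SINGLE_FAULTS = ((0,), (1,))
MULTIPLE_FAULT = (0, 1)


def inject(state, rails_to_flip):
    """Return the state reached after flipping the given rail indices."""
    bits = list(state.value)
    for i in rails_to_flip:
        bits[i] ^= 1
    return State(tuple(bits))


def outcome(before, after):
    """Classify a transition that did not follow the Clear -> Logic -> Clear protocol."""
    if after is State.ALARM:
        return "alarm"                 # 11 is never produced legitimately: detected
    if before is after:
        return "no effect"
    if before is State.CLEAR or after is State.CLEAR:
        # Clear -> Logic: data appears that no handshake requested; Logic -> Clear:
        # the value in flight vanishes. Either way the handshake stalls.
        return "deadlock"
    return "undetected data change"    # Logic-0 <-> Logic-1 without passing through 11


def fault_table():
    """Map (resting state, rails flipped) -> outcome for every legal resting state."""
    table = {}
    for before in (State.CLEAR, *LOGIC):        # Alarm is already a detected state
        for flips in (*SINGLE_FAULTS, MULTIPLE_FAULT):
            table[(before.name, flips)] = outcome(before, inject(before, flips))
    return table


def undetected_faults(max_rails_flipped=2):
    """Faults within the attacker's assumed bound that silently change data."""
    return sorted(key for key, result in fault_table().items()
                  if result == "undetected data change"
                  and len(key[1]) <= max_rails_flipped)


if __name__ == "__main__":
    for (state, flips), result in fault_table().items():
        print(f"{state:6} flip rails {flips}: {result}")
    print("undetected with single faults only:", undetected_faults(1))
    print("undetected with double faults:", undetected_faults(2))
```

Every single-rail fault is either caught (alarm) or stalls the circuit (deadlock), which is the property the dual-rail section claims; the only silent outcomes require both rails of the same wire to flip in the same window, the multiple-fault case that the bound passed to undetected_faults is meant to capture. Extending the enumeration to wider fault bounds, timing windows and multi-wire faults is what turns this toy into the validation suite the paragraph describes.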
