Have you ever felt uncomfortable entering your personal details on a website? Only 4.6% of Germans consider the internet to be highly secure when it comes to their personal data [1]. A number of data leaks, as well as posts on this blog, indicate that this concern is not without reason. In a connected world, it is essential that people can trust technical solutions. For electronic devices, this means, among other things, that an attacker in the vicinity of the device cannot steal any sensitive data.
Trustworthiness of electronic devices
If an attacker has physical access to a device, they are not limited to software attacks: they can also attack the underlying hardware and exploit its weaknesses. Passive side-channel attacks are one example. Here the power consumption or electromagnetic emanation of a device is measured in order to draw conclusions about the confidential data it processes. So-called fault attacks (fault injection, sometimes rendered as »error attacks«), which deliberately introduce physical disturbances, also threaten devices. A chip can, for example, be forced to compute incorrectly by brief disturbances of its clock or supply voltage, known as glitches. Targeted laser or electromagnetic pulses can likewise be used for fault attacks, either to bypass security mechanisms or to enable statistical attacks on confidential data.
The Common Criteria (CC) and their Protection Profiles (PP) define resistance levels for this type of attack: they state whether a device effectively protects against attackers with a certain level of knowledge, time and equipment. The practical lab testing is carried out by accredited evaluation laboratories. Drawing up the final evaluation report, which goes to the responsible certification body, is often the culmination of a long series of lab tests; preliminary examinations in a secure environment, such as Fraunhofer AISEC's hardware security lab, allow vulnerabilities to be detected early and cost-effectively. For product manufacturers this process is a double-edged sword: they want their products tested thoroughly, but they also want to bring them to market as quickly as possible. The study »Security Evaluation of Hardware Design Synthesis«, conducted by Fraunhofer AISEC on behalf of the German Federal Office for Information Security (BSI), examines one essential step of microchip development in this context: »front-end synthesis«, the first step in which a technology-independent description of the circuit is translated into the technology-dependent components of a chip.
Chip development — a complex process
The development of a modern chip is a complex process. It usually starts with a concept defining the required components, for example a microcontroller and its peripherals. This is followed by a description at the so-called »Register Transfer Level« (RTL), in which the behaviour of the integrated circuit from one clock cycle to the next is specified in detail in a »Hardware Description Language« (HDL). The first synthesis step for all selected components, often called »front-end synthesis« or »RTL synthesis«, then converts the functional RTL description into a technology-dependent netlist consisting only of elementary cells such as NAND and XOR gates. These cells are defined in a »Process Design Kit« (PDK); for every manufacturing process a foundry offers, there is a PDK that defines the available standard cells and further design rules. The individual synthesis steps are carried out by dedicated »Electronic Design Automation« (EDA) software, which optimizes the circuit, for example for area or maximum clock frequency, while preserving its function. Starting from the netlist, the back-end design process then leads to the so-called »tape-out«, which contains all the information the foundry needs to manufacture the integrated circuit.
The study conducted by Fraunhofer AISEC on behalf of the BSI looks at front-end or RTL synthesis. This step is decisive for hardening a chip against side-channel and fault attacks, because the corresponding countermeasures are usually implemented at RTL level and must survive synthesis intact.
Vulnerability of hardware design synthesis
Side-channel attacks can be made more difficult or prevented, for example, by »masking«. The confidential value is split into several values, referred to as shares, which are then processed by the circuit. In the simplest case, first-order masking with two shares, the first share is chosen uniformly at random and the second share is formed from the first share and the confidential value (for Boolean masking, their XOR). The two shares can then be processed in such a way that the first statistical moment (the mean) of a physical side channel, for example the electromagnetic emanation, does not depend on the processed data. The desired result of the computation is obtained by recombining the shares. Countermeasures against fault attacks usually rely on redundant circuitry that detects corrupted values; other forms of redundancy, such as repeating the computation in time or using error-detecting codes on the data, can also be used.
While researchers in hardware security usually have a good overview of hardware attacks and countermeasures, there is little research into how countermeasures survive complex design flows. The study »Security Evaluation of Hardware Design Synthesis« addresses this gap and shows how hardware synthesis can undermine the effectiveness of countermeasures against side-channel and fault attacks. We demonstrate that, under certain circumstances, netlists generated by synthesis tools offer only limited resilience against hardware attacks. The study takes the perspective of hardware designers, looks at what has to be considered during hardware synthesis, and presents methods for identifying potential weaknesses at an early stage.
Potentially fatal retiming
Masking is an established countermeasure against side-channel attacks. Following current research, the study introduces the »robust probing model«, which makes it possible to check the formal soundness of a masked implementation. The »robust« variant of the model accounts for physical effects such as differing signal propagation delays (glitches). The model assumes an attacker who obtains a limited number of intermediate values (so-called probes) and attempts to recombine the confidential information from them. A probe may observe a stable digital signal (0 or 1), but, owing to the switching activity caused by differing propagation delays, it may also observe transient values that depend on several signals at once.
We present a detailed case study of a masked AES S-box and examine the »retiming« optimization performed during synthesis, which represents a potentially fatal modification for masked implementations: retiming moves registers across combinational logic, and in masked circuits the registers are precisely what stops glitches from combining values that must never meet in one logic cone. We demonstrate how retiming can thus lead to unwanted side-channel leakage. We introduce open-source verification tools from current research that can detect such effects without lab tests. The study also looks at methodological approaches for assembling masked implementations from a small number of elementary modules (gadgets). In addition, we analyze the optimizations performed by the open-source synthesis tool Yosys, which allows insights into hardware synthesis.
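To make the robust probing argument and the retiming problem concrete, here is a small Python model added to this post; it is not the study's AES S-box case study and not one of the verification tools the study refers to. It analyses the smallest possible masked circuit, a two-share AND gate with fresh randomness, in two netlist variants: one in which every partial product is registered before the output shares are recombined, and one in which an assumed retiming pass has pushed the registers through the output XOR and merged them (the tool saves two flip-flops and the circuit computes exactly the same function cycle by cycle). Following the robust probing model, a glitch-extended probe on a combinational wire is assumed to reveal every stable signal (primary input or register output) in that wire's combinational fan-in cone. The circuit format, wire names and helper functions are this example's own.

```python
"""Exact check of single glitch-extended probes (robust probing model) on a
two-share masked AND gadget, before and after a retiming step merges registers.
Constructed illustration; the gadget and the circuit format are this example's."""
from collections import Counter
from itertools import product

# A circuit is a dict: wire -> (op, operands). Ops: "in" (primary input),
# "reg" (flip-flop), "and", "xor". The masked secrets are a = a0 ^ a1 and
# b = b0 ^ b1; r is fresh randomness.
INPUTS = {w: ("in", ()) for w in ("a0", "a1", "b0", "b1", "r")}
PRODUCTS = {
    "p00": ("and", ("a0", "b0")), "p01": ("and", ("a0", "b1")),
    "p10": ("and", ("a1", "b0")), "p11": ("and", ("a1", "b1")),
    "t0": ("xor", ("p01", "r")), "t1": ("xor", ("p10", "r")),  # refreshed cross terms
}
# Glitch-resistant form: every partial product is registered before the shares
# are recombined, so no combinational cone ever contains both b0 and b1.
SECURE = {**INPUTS, **PRODUCTS,
    "q00": ("reg", ("p00",)), "q0": ("reg", ("t0",)),
    "q11": ("reg", ("p11",)), "q1": ("reg", ("t1",)),
    "c0": ("xor", ("q00", "q0")), "c1": ("xor", ("q11", "q1")),
}
# Same cycle-by-cycle function after an (assumed) retiming pass has pushed the
# two registers of each output through the XOR and merged them: 4 flip-flops -> 2.
RETIMED = {**INPUTS, **PRODUCTS,
    "u0": ("xor", ("p00", "t0")), "u1": ("xor", ("p11", "t1")),
    "c0": ("reg", ("u0",)), "c1": ("reg", ("u1",)),
}

def cone(circuit, wire):
    """Stable signals (inputs, register outputs) reachable from `wire` through
    combinational logic only. A glitch on `wire` may expose any of them."""
    op, operands = circuit[wire]
    if op in ("in", "reg"):
        return {wire}
    return set().union(*(cone(circuit, w) for w in operands))

def evaluate(circuit, env):
    """Value of every wire for one assignment of the primary inputs. Registers
    are transparent here: we look at one clock cycle with stable inputs."""
    vals = {}
    def ev(w):
        if w not in vals:
            op, operands = circuit[w]
            if op == "in":
                vals[w] = env[w]
            elif op == "reg":
                vals[w] = ev(operands[0])
            elif op == "and":
                vals[w] = ev(operands[0]) & ev(operands[1])
            else:  # xor
                vals[w] = ev(operands[0]) ^ ev(operands[1])
        return vals[w]
    for w in circuit:
        ev(w)
    return vals

def inputs_of(circuit):
    return [w for w, (op, _) in circuit.items() if op == "in"]

def leaking_probes(circuit):
    """Wires on which a single glitch-extended probe sees a distribution that
    depends on the secret (a, b). Exact enumeration over all sharings and r."""
    hist = {w: {} for w in circuit}  # wire -> secret -> Counter(observed tuple)
    ins = inputs_of(circuit)
    for bits in product((0, 1), repeat=len(ins)):
        env = dict(zip(ins, bits))
        secret = (env["a0"] ^ env["a1"], env["b0"] ^ env["b1"])
        vals = evaluate(circuit, env)
        for w in circuit:
            seen = tuple(vals[s] for s in sorted(cone(circuit, w)))
            hist[w].setdefault(secret, Counter())[seen] += 1
    leaks = []
    for w, by_secret in hist.items():
        hists = list(by_secret.values())
        if any(h != hists[0] for h in hists):
            leaks.append(w)
    return sorted(leaks)

def computes_masked_and(circuit):
    """Functional check: c0 ^ c1 == a & b for every input assignment."""
    ins = inputs_of(circuit)
    for bits in product((0, 1), repeat=len(ins)):
        env = dict(zip(ins, bits))
        v = evaluate(circuit, env)
        if v["c0"] ^ v["c1"] != (env["a0"] ^ env["a1"]) & (env["b0"] ^ env["b1"]):
            return False
    return True

if __name__ == "__main__":
    for name, circ in (("secure", SECURE), ("retimed", RETIMED)):
        print(name, "correct:", computes_masked_and(circ),
              "registers:", sum(op == "reg" for op, _ in circ.values()),
              "leaking probes:", leaking_probes(circ))
```

Both variants compute the masked AND correctly, so an equivalence check between RTL and netlist would pass; only the probing analysis shows the difference. In the registered variant no single probe leaks, because the cone of each output XOR contains only register outputs, and the cross term a0·b1 is already refreshed with r behind its register. In the retimed variant the wires u0 and u1 feed a register whose cone contains a0, b0, b1 and r at once, so a glitch-extended probe there learns b0 ⊕ b1 = b. This is the effect the study describes for the masked S-box, reduced to one gate.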
Hardening after hardware synthesis is rarely effective
The effectiveness of countermeasures against fault attacks after hardware synthesis must also be examined critically, because hardening against fault attacks and the optimizations performed by synthesis tools work against each other: the tool minimizes the number of cells to be placed in order to keep manufacturing costs down, and in doing so it removes structures that are logically redundant, which is exactly what fault detection relies on. In our study we use the verification tool SYNFI, which tests how many injected bit faults are detected by a redundancy-protected module. The BSI study contains case studies on different optimization strategies, on the influence of the PDK's standard cells and on the influence of timing optimizations. One observation is that the effectiveness of the countermeasures drops sharply as the target frequency of the circuit increases; this appears to result from the parallel structures inserted to optimize critical paths and fan-outs. With commercial tools, however, it is difficult to isolate individual effects and trace them back to atomic optimization steps.
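The kind of question such a netlist-level fault analysis answers can be illustrated with a small Python fault sweep, added to this post as an example; it is not SYNFI and not code from the study. It takes a 4-bit AND datapath protected by duplication and a comparator, once as written in RTL and once in the form an area optimization is free to produce when it recognises that the duplicate gates compute the same function and merges them, leaving the alarm net tied to constant 0. Every single-bit flip on every internal wire is injected for every input pattern and classified as masked, detected, false alarm or undetected. The circuits, wire names and the classification are this example's own assumptions.

```python
"""Single-bit fault sweep over a duplication-protected 4-bit AND datapath,
as written in RTL and as a synthesis tool may legitimately optimize it.
Constructed example; the circuits and wire names are this illustration's."""
from itertools import product

def flip(wire, value, fault):
    """Pass `value` through, inverting it if the injected fault targets `wire`."""
    return value ^ 1 if fault == wire else value

def protected_rtl(a, b, fault=None):
    """RTL intent: compute a AND b bitwise twice on separate gates and raise
    `alarm` if the two copies disagree. Faultable wires: y0..y3, yd0..yd3, alarm."""
    y = [flip(f"y{i}", a[i] & b[i], fault) for i in range(4)]
    yd = [flip(f"yd{i}", a[i] & b[i], fault) for i in range(4)]
    mismatch = any(yi != ydi for yi, ydi in zip(y, yd))
    return tuple(y), int(flip("alarm", mismatch, fault))

def protected_synth(a, b, fault=None):
    """What an area optimization is free to produce: yd[i] is logically
    identical to y[i], so the duplicate gates are merged and the comparator
    collapses to a constant 0 on the alarm net. Faultable wires: y0..y3, alarm."""
    y = [flip(f"y{i}", a[i] & b[i], fault) for i in range(4)]
    return tuple(y), int(flip("alarm", 0, fault))

def fault_sweep(module, wires):
    """Inject every single-bit flip on every input pattern and classify it."""
    result = {"masked": 0, "false_alarm": 0, "detected": 0, "undetected": 0}
    for a in product((0, 1), repeat=4):
        for b in product((0, 1), repeat=4):
            golden, _ = module(a, b)           # fault-free reference output
            for wire in wires:
                y, alarm = module(a, b, fault=wire)
                if y == golden:
                    result["false_alarm" if alarm else "masked"] += 1
                elif alarm:
                    result["detected"] += 1
                else:
                    result["undetected"] += 1  # effective and silent: the dangerous class
    return result

RTL_WIRES = [f"y{i}" for i in range(4)] + [f"yd{i}" for i in range(4)] + ["alarm"]
SYNTH_WIRES = [f"y{i}" for i in range(4)] + ["alarm"]

if __name__ == "__main__":
    print("RTL  :", fault_sweep(protected_rtl, RTL_WIRES))
    print("synth:", fault_sweep(protected_synth, SYNTH_WIRES))
```

In the RTL version every fault that changes an output bit is detected and the remaining flips only cause false alarms; in the merged netlist every effective fault goes undetected, although both netlists are functionally equivalent in the fault-free case. Two caveats a practitioner should keep in mind: the sweep only targets the redundant logic itself, so a fault on a shared input wire, which both copies would propagate identically, is outside what duplication can detect at all; and a real analysis has to be run on the synthesized netlist with the PDK's cells, since that is where the merging happens.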
Further security-critical steps in the chip design process
There are also potential security challenges at other steps of the chip design process. Our study gives initial indications of this and shows that identical RTL implementations can lead to chips with different degrees of resilience depending on how RTL synthesis is performed. The security of a chip therefore cannot be assessed from its RTL description alone; only a lab analysis of the actual product can conclusively show whether vulnerabilities exist or whether a device is sufficiently hardened. The good news for product manufacturers is that verification approaches already exist that detect potential weaknesses introduced by RTL synthesis early and automatically. For these to become widely applicable, however, commercial EDA software must become more open and transparent, and the verification approaches must become more practical.
Bibliography
[1] Deutschland sicher im Netz – Sicherheitsindex 2024, ARIX Research, June 2024
Authors
Felix Oberhansl
Felix Oberhansl has been working as a research associate at Fraunhofer AISEC since 2022. His research focuses on trustworthy electronics. To this end, he investigates physical attacks via side channels and fault injection as well as the development of secure hardware.
Contact: felix.oberhansl@aisec.fraunhofer.de
Tobias Stelzer
Tobias Stelzer has been a research associate at Fraunhofer AISEC since 2023 and is researching efficient hardware implementations for cryptography.
Contact: tobias.stelzer@aisec.fraunhofer.de
Marc Schink
Marc Schink is a researcher in the Hardware Security department at Fraunhofer AISEC. His focus is on discovering vulnerabilities in hardware and software. He has already conducted several vulnerability disclosure processes for products of well-known national and international manufacturers.