Open Access

Given two embedded systems that perform the same task, how can we tell without looking at their source code whether or not they have been independently developed? This is a serious problem that might cause large monetary loss for embedded software companies that distribute their intellectual property (IP) without taking countermeasures against plagiarists. By committing IP violation, the plagiarist can save the cost and time that it took to develop the original software and bring a system with the same functionality but for a cheaper price to market.We address this problem by making use of side channels and faults — properties of physical systems that allow us to distinguish some of the performed instructions and computations. By passively observing the side channels, or even by actively creating them, we can detect plagiarized IP and prove or disprove its existence. In this work we present an overview of our research for IP protection in software.Related lab set-ups for teaching side channel and fault analysis in undergraduate and graduate studies at universities are described. This includes our regularly used Differential Power Analysis (DPA) Lab and Differential Fault Analysis (DFA) Lab as well as advanced labs that result from our research in side channel and fault channel watermarking.

RFID is a technology for automated identification over a radio interface and drives many applications in ubiquitous and pervasive computing today. RFID systems are applied in security-sensitive areas such as ticketing, electronic passports, product anti-counterfeiting or entry systems. This chapter investigates generic and low-level aspects of RFID security and privacy. It gives the basic notions of security threats, objectives and mechanisms and introduces different categories of RFID systems. The chapter discusses security threats, attacks against RFID systems and possible countermeasures. The generic threats are eavesdropping, denial-of-service, manipulation, and generation of messages. It presents specific attacks such as relaying, cloning, and cryptanalytic attacks against widespread RFID systems. Furthermore, the chapter revisits attacks on the physical implementation of security mechanisms.

Common template attacks are probabilistic relying on the multivariate Gaussian distribution regarding the noise of the device under attack. Though this is a realistic assumption, numerical problems are likely to occur in practice due to evaluation in higher dimensions. To avoid this, a feature selection is applied to identify points in time that contribute most information to an attack. An alternative to common template attacks is to apply machine learning in form of support vector machines (SVMs). Recent works brought out approaches that produce comparable results, respectively better in the presence of noise, but still not optimal in terms of efficiency and performance. In this work we show how to adapt the SVM template approach in order to considerably reduce the effort while carrying out the attack and how to better exploit the side-channel information under the assumption of an attack model with a strict order, e.g. Hamming weight model.

We present an implementation for Differential Power Analysis (DPA) that is entirely based on Graphics Processing Units (GPUs). In this paper we make use of advanced techniques offered by the CUDA Framework in order to minimize the runtime. In security testing DPA still plays a major role for the smart card industry and these evaluations require, apart from educationally prepared measurement setups, the analysis of measurements with large amounts of traces and samples, and here time does matter. Most often DPA implementations are tailor-made and adapted to fit certain platforms and hence efficient reference implementations are sparsely seeded. In this work we show that the powerful architecture of graphics cards is well suited to facilitate a DPA implementation, based on the Pearson correlation coefficient, that could serve as a high performant reference, e.g., by analyzing one million traces of 20k samples in less than two minutes.

We introduce a new approach for securing intellectual property in embedded software implementations by using the response of an implementation to fault injections. In our approach, the implementation serves as its own watermark that is recorded through its fault effects. There is no additional code for the watermark. A simulator that maps the fault injections to the executed instructions aids an automated characterization of program code. We provide a proof-of-concept implementation of our watermarking approach using an 8-bit ATMega163 microcontroller and several assembly implementations of AES encryption. The results show that our method is well-suited for detection of identical software copies. In addition, our method shows robust performance in detection of software copies with a large number of added dummy instructions.

We present a new method for protecting chips against counterfeits that makes the IC identification more accessible to the end user. Our method requires the original chip manufacturer to frequently publish identification sequences for each IC. These sequences are excerpts from the output of a stream cipher that is embedded in the protected chip and parameterized by a secret unique key. The key initialization is done by a trusted party after manufacturing. For IC verification, the end user measures the side channel leakage of the chip under test. The chip is assessed to be genuine if the end user finds a significant correlation between the observed side channel leakage and several previously published identification sequences.

We introduce the use of timing channels for digital watermarking of embedded hardware and software components. In addition to previous side channel watermarking schemes, timing analysis offers new perspectives for a remote verification of mobile and embedded products. Timing channels make it possible to detect the presence of a watermark solely by measuring program execution times.

This paper presents implementation results of several side channel countermeasures for protecting the scalar multiplication of ECC (Elliptic Curve Cryptography) implemented on an ARM Cortex M3 processor that is used in security sensitive wireless sensor nodes. Our implementation was done for the ECC curves P-256, brainpool256r1, and Ed25519. Investigated countermeasures include Double-And-Add Always, Montgomery Ladder, Scalar Randomization, Randomized Scalar Splitting, Coordinate Randomization, and Randomized Sliding Window. Practical side channel tests for SEMA (Simple Electromagnetic Analysis) and MESD (Multiple Exponent, Single Data) are included. Though more advanced side channel attacks are not evaluated, yet, our results show that an appropriate level of resistance against the most relevant attacks can be reached.