# SECURITY SCIENCE COMPANY

October, 30<sup>th</sup> 2018 – Cybersecurity cooperation between France and Japan

Defensive and offensive AI for embedded security

#### **Thomas PERIANIN**

Embedded security engineer

thomas.perianin@secure-ic.com

EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC





**OUR VISION** 

Going forward, there will be more and more interconnected devices or objects in various market verticals, this is what we call Internet of Things or Internet of Everything. All those objects being interconnected to the cloud, each and every object could be a threat for the whole network. Therefore the security of the objects or the devices is key. Even more, security will become one of the most important assets of the digital world.

#### **1-SECURE-IC SHORT INTRODUCTION**

SECURE-IC

#### **BUSINESS LINES**





#### OUTLINE

- 1. Defensive AI for cybersecurity: Smart Monitor
- 2. Offensive AI fo cybersecurity: ML approach for Cache-Timing Attacks

# SECURITY SCIENCE COMPANY

# Defensive AI: Smart Monitor

#### EMBEDDED CYBER-SECURITY POWERED BY AI

EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC

#### DIGITAL SENSOR

ALL-IN-ONE DIGITAL FAULT-INJECTION DETECTOR [1-2-3]

#### Monitors for abnormal operating conditions

- Small digital circuits monitoring behavior, conditions
- Raises an alarm when situation becomes critical
- System engineer decides action to perform w/alarm

#### Sensitive to the following

- Temperature
- Voltage
- Clock frequency
- Laser exposure, EM exposure

#### • "Global vs. localized" threats

- Global: Temperature, voltage, clock frequency (single-sensor) [4-5]
- Local: EM [6] or surface-level laser attack (multi-sensor)
- IP is completely Digital which makes it...
  - Difficult to locate because it is melted in the circuit/logic/standard cells
  - Easier to port to a new technology
  - "True-time" hardware alarm (predictable latency)



### SECURE-IC



## HARDWARE-ENABLED AI FOR EMBEDDED SECURITY ML-ENABLED CYBER-PHYSICAL SECURITY

- Digital Sensor: Fault Injection Detection
  - Detect variation of propagation time along a delay chain
  - Problem: false-positives







#### ARTIFICIAL INTELLIGENCE FOR CYBER-SECURITY **AI-ENABLED CYBER-PHYSICAL SECURITY**

Teaming Digital Sensors







SECURE-IC

Architecture 2: Matrix of 64 DS + AES + CyberEU

FPGA board Sakura-G (also on Xilink Ultrascale+) Architecture 1: 4 DS - 50 LUTs for the delay chain (left) and an AES (right).



Digital Sensor: Fault Injection Detection

#### **EMFI-specific Sensors thresholds**



EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC







## HARDWARE-ENABLED AI FOR EMBEDDED SECURITY MI-ENABLED CYBER-PHYSICAL SECURITY

- Digital Sensor: Fault Injection Detection
  - Enlarge Digital Sensor functionalities (Digital Voltmeter & Thermometer)
     Pragmatic approach: On-chip characterization & threshold on OTP memory



- Threshold setting highly impact sensitivity
- Hard to set with simulation

- Use of OTP to store individual DS threshold after characterization on test chip



SECURE-IC

EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC

### SECURE-IC

#### EMBEDDED CYBER- SECURITY POWERED BY AI

#### SMART MONITOR FOUNDATIONS



2017 All Rights Reserved I Confidential I Property of Secure-IC

## EMBEDDED CYBER- SECURITY POWERED BY AI

Example of configuration



SECURE-IC



## EMBEDDED CYBER- SECURITY POWERED BY AI AI-ENABLED CYBER-PHYSICAL SECURITY

Example of configuration (increasing security)





### EMBEDDED CYBER- SECURITY POWERED BY AI AI-ENABLED CYBER-PHYSICAL SECURITY

Example of configuration (increasing security)





### EMBEDDED CYBER- SECURITY POWERED BY AI AI-ENABLED CYBER-PHYSICAL SECURITY

SECURE-IC'S SMART MONITOR: AI FOR EMBEDDED SYSTEMS

#### Create collective intelligence between IPs and other whistleblowers

- Sources of information are diverse, abundant
- Signals can come from on-chip analog sensors, digital sensors, software reports...
- ... or from opportunistic media (weak signals) = Indice of Compromission (IoC)

#### By leveraging diversity and complementary

- Sensitive to physical vs logical malfunctions
- Able to detect permanent problems vs transient issues

#### EMBEDDED CYBER- SECURITY POWERED BY AI AI-ENABLED CYBER-PHYSICAL SECURITY

- **Use-case : ML-enhanced EM Fault Injection Detection** 
  - A Fleet of Digital Sensors + Smart Monitor to:

- Improves notably the global accuracy (detection efficiency and falsepositive reduction)

100





SECURE-IC



## EMBEDDED CYBER- SECURITY POWERED BY AI

Use-case : ML-enhanced EM Fault Injection Detection

- A Fleet of Digital Sensors + Smart Monitor for a teaming strategy.











## EMBEDDED CYBER- SECURITY POWERED BY AI AI-ENABLED CYBER-PHYSICAL SECURITY

- SECURE-IC'S SMART MONITOR: AI FOR EMBEDDED SYSTEMS
  - Gain assurance in Threat Detection
    - Additional signals are aggregated for security event detection: multimodal analysis
    - Learning phase to "lock down the perimeter" of attack
    - Confidence & Robustness Reduce false alarms and false positive event

#### The right decision at the right time in full knowledge

- Anatomy of an attack (nature, temporality, locality, intensity, attack phase...)
- Gain advantage over attackers (attack diagnosis): reverse the advantage
- Built an on-chip security Headquarter to react properly Security strategy

#### Business Intelligence

- Know your device's every-day life
- Attack typology and statistics for  $\neq$  device categories, geographic areas, technology nodes...



Certification

SMART MONITOR: ARTIFICIAL INTELLIGENCE FOR CYBER-SECURITY **PROGRAM FOUNDATIONS** 



EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC



## EMBEDDED CYBER- SECURITY POWERED BY AI AI-ENABLED CYBER-PHYSICAL SECURITY



#### SMART MONITOR IMPROVEMENT PERSPECTIVES

- Trade-off between performances & security: RAM cost, input signal rate, #classes, code size, etc..
- More diversity in the types of inputs of the Smart Monitor.
- Security of the ML model (Integrity verification of the training data for ML)
- Study differential ageing of sensors / effect of sensor breakdown: a model per year?
- Dynamical feedback on the model: adaptive model.
- Hardware, Software or a combination of both, depending whether reactivity or flexibility is most important
- Use of dedicated memory to store history: should be protected.
   We are looking for PoC partners!

### SECURE-IC

#### **Bibliography**

[1] Selmane, N., Bhasin, S., Guilley, S., & Danger, J. L. (2011). Security evaluation of application-specific integrated circuits and field programmable gate arrays against setup time violation attacks. *IET information security*, *5*(4), 181-190.

[2] Guilley, S., Sauvage, L., Danger, J. L., Selmane, N., & Pacalet, R. (2008, August). Silicon-level solutions to counteract passive and active attacks. In *FDTC* (pp. 3-17). IEEE-CS.

[3] Luca, B., Shay, G., Israel, K., David, N., & Jean-Pierre, S. (2008). Fifth international workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2008, Washington, DC, USA, 10 August 2008.

[4] Selmane, N., Guilley, S., & Danger, J. L. (2008, May). Practical setup time violation attacks on AES. In *Dependable Computing Conference, 2008. EDCC 2008. Seventh European* (pp. 91-96). IEEE.

[5] Bhasin, S., Selmane, N., Guilley, S., & Danger, J. L. (2009, July). Security evaluation of different AES implementations against practical setup time violation attacks in FPGAs. In *Hardware-Oriented Security and Trust, 2009. HOST'09. IEEE International Workshop on* (pp. 15-21). IEEE.

[6] Riviere, L., Najm, Z., Rauzy, P., Danger, J. L., Bringer, J., & Sauvage, L. (2015). High precision fault injections on the instruction cache of ARMv7-M architectures. *arXiv preprint arXiv:1510.01537*.



### Offensive AI for embedded security

Machine learning approach for Cache Timing Attacks

EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC **Microarchitectural Attacks** 

- **INTRODUCTION** 
  - Stealthy attacks have emerged, at the intersection of:
    - Hardware security: side-channel & fault injection
    - Software security: they can be perpetrated only by software:
      - Without the need for any equipment,
      - Whenever, even on the field!
  - At the origin of recent Zero-day attacks such as Spectre & Meltdown







Software

Attacks

**Microarchitectural** 

Hardware

Attacks

#### **Microarchitectural Attacks**

**Cache-Timing Attacks** 

- Malicious process spies L1I, L1D or LLC cache
- Cache-access patterns leak information about secret

Causes of cache leakages:

- Through control flow graph: conditional branching, loops
- Through accesses in tables



SECURE-IC

Examples:

- Spectre, CacheBleed (2017), Cache Attacks on Intel SGX (2017)
- Attacks on AES, RSA, ECC, Lattice-Based signatures...
- Cross VM / Cross Cores attacks



SECURE-IC

**Microarchitectural Attacks** 

We measure the access time to the Cache through various strategies:

- EVICT + TIME
- PRIME + PROBE

- FLUSH + RELOAD
- FLUSH + TIME + FLUSH



Time

- Targeting OpenSSL
- ECDSA: Digital Signature Algorithm
- Ephemeral key 256 bits Nonce: Sensitive information



WNAF (W- Non Adjacent form)

```
WNAf: [0, 0, 0, 1, 0, 0, 0, 0, 3 ...., 1, 0, 0, 0, 0, 3, 0, 0, 0]
```







#### 2-Cache Timing Attacks

### SECURE-IC

#### **Cache Timing Leakage**

- **Conditional Branch** -
- → Timing Leakage!!
- **Sequential multiplication** -

 $\rightarrow$  Can be spied

```
for (k = max_len - 1; k \ge 0; k--) {
                                          if (!r is at infinity) {
                                             if (!EC POINT dbl(group, r, r, ctx)) //Secure-IC comment : doubling function
                                                 goto err;
                                         for (i = 0; i < \text{totalnum}; i++) {
                                             if (wNAF len[i] > (size t)k) {
                                                  int digit = wNAF[i][k];
                                                 int is neg;
                                                 if (digit) {
                                                     /*
                                                      */
                                                     if (r is at infinity) {
                                                         /*
                                                          */
                                                     } else {
                                                         if (!EC POINT add
                                                             (group, r, r, val sub[i][digit >> 1], ctx)) //Secure-IC comment : addition function
                                                             goto err;
WNAf: [0,0,0,1,0,0,0,0,3 ...., 1, 0, 0, 0, 0, 3, 0, 0, 0]
```

```
=>
Multiplication: [D, D, D, A, D, D, D, D, A, ..., A, D, D, D, A, D, D, D]
```

}

#### 2-Cache Timing Attacks

### SECURE-IC

#### Architecture of Spying process





### Jean-Luc Danger, Nicolas Debande, Sylvain Guilley, Youssef Souissi: High-order timing attacks. CS2@HiPEAC 2014: 7-12

#### **Secure-IC Catalyzr**

- Static analysis for leakage detection
- Cache spying and timing analysis
- All in one tool



SECURE-IC

**Ukrdm** litets



Screenshots of Catalyzr tool.

Microarchitectural Attack on ECDSA

- Machine Learning enhanced attack on ECDSA of OpenSSL 1.1.0.
- Cryptographic nonce wNaf form: conditional branch testing the nonce digit value.
- Addresses of ec\_GFp\_simple\_add and ec\_GFp\_simple\_dbl: spied with FLUSH+FLUSH.
- Statistical profiling of cache addresses to select most relevant leakage points for attack.
- Pattern recognition (Intel i7-6700 CPU@3.40GHz) with e.g. Random Forest: 95% acuracy.
- ECDSA key fully recovered from nonce bits with LLL Latice reduction algorithm.
- Highly discreet and fully automated key recovery.



CATALYZ

SECURE-IC

**OpenSSL** 

10

20

30

40

50

Cache timings

40

30

20

#### 2-Cache Timing Attacks

- **Profiling Module** 
  - The number of addresses to probe is limited! ۲

Addresses 15 20 10

Cache timings

- What addresses to use for probing?
  - Over several hundreds.
  - Low noise.

- 375 - 350 - 325 - 300 - 275 - 250 - 225 - 200

- Combination of addresses?
- Statistical profiling module : Unsupervised Learning (eg PCA) ۲
- Automatic selection of informative addresses ۲







#### **Pattern recognition**

- Supervised sequence generation with misaligned labels
- Allows to consider different aspects of the problem
- Practical and easy way to implement pattern recognition







SECURE-IC

(0, 4)

#### 2-Cache Timing Attacks

Lattice reduction

-

- Reduce the search space of the nonce
- Lattice reduction algorithm
- Shortest Vector Problem
- Polynomial complexity
- Inputs: nonce bits
- Output: private key



Computation of LLL-reduced lattice basis



SECURE-IC



#### Conclusion

- Machine Learning is a practical way:
  - To select interest points
  - To implement pattern recognition
- Machine Learning provides confidence indicators

#### - Limitations:

- Machine Learning metric => Accuracy (often)
- Efficiency of an attack = different metrics
- The quality of a model is not always reflected in the deployed attack
- Cross architecture models



#### **THANKS** FOR YOUR ATTENTION

#### CONTACT

| EUROPE   | sales-EU@secure-IC.com    |
|----------|---------------------------|
| APAC     | sales-APAC@secure-IC.com  |
| JAPAN    | sales-JAPAN@secure-IC.com |
| AMERICAS | sales-US@secure-IC.com    |

EUROPE I APAC I AMERICAS I www.secure-ic.com I contact@secure-ic.com 2017 All Rights Reserved I Confidential I Property of Secure-IC