Robust and Efficient Approaches to Evaluating Side Channel and Fault Attack Resilience

Implementing cryptography on embedded devices is an ongoing challenge: every year new implementation flaws are discovered and new attack paths are being used by real life adversaries. Whilst cryptography can guarantee many security properties, it crucially depends on the ability to keep the used keys secret even in face of determined adversaries.

Over the last two decades a new type of adversary has emerged, able to obtain, from the cryptographic implementation, side channel leakage such as recording of response times, power or EM signals, etc. To account for such adversaries, sophisticated security certification and evaluation methods (Common Criteria, EMVCo, FIPS…) have been established to give users assurance that security claims have withstood independent evaluation and testing. Recently the reliability of these evaluations has come into the spotlight: the Taiwanese citizen card proved to be insecure, and Snowden’s revelations about NSA’s tampering with FIPS standards eroded public confidence.

REASSURE pursued 4 objectives :

• To increase the quality, reliability and efficiency of all aspects of the vulnerability analysis component of existing evaluation schemes. We aimed to deliver a novel, structured detect-map-exploit approach that should improve the quality of evaluation outcomes (assurance) and the comparability of independently conducted evaluations as well as increase the effectiveness of the evaluation process.
• To cater for emerging areas such as the far more dynamic software development practices associated with the developing Internet-of-Things (IoT). Developers in these fields typically do not possess the expertise level nor equipment that (e.g.) smart card manufacturers developed over the last 20 years. Yet, IoT devices represent a more and more critical asset that cannot ignore the threat of physical attacks. Our goal was to help them by researching possibilities for the automation of leakage assessment practices, such that together with suitable leakage simulators, IoT developers could early on assess leakage properties of their code without needing immediate access to a testing lab.
• To deliver practical tools, data sets and shared best-practice within the community of stakeholders, with the expectation that this will improve the quality of the assessment and characterization provided for newly-discovered attacks.
• To get existing stakeholders to adopt the novel technologies and methodologies emerging from this project as well as to provide input into new standardization efforts to ensure that they benefit from the knowledge created by this project.

Project achievements :

Many of the elements described below can be freely downloaded through the Resources tab.

Regarding improvements of evaluation schemes, we delivered, based on a detect-map-exploit approach, a novel evaluation strategy that works “backwards’’ from an idealized and well-defined worst-case adversary. This strategy has the potential to maximise the assurance in evaluations by, per default, instantiating adversaries whose success can be bounded.  We also significantly contributed to the understanding of the radically new attack vectors based on deep learning, and to the use of leakage detection tools in the context of our structured testing regime.

In order to help IoT developers, we assessed the suitability of shortcut formulas as techniques enabling efficient a priori approximation of attack outcomes; we thoroughly analysed the use of leakage detection for conformance testing; we analysed how to automate leakage detection, which is one of the first steps of an evaluation. We also delivered a free introductive training on side-channel attacks, as well as a more advance training on leakage detection, first delivered during a workshop aligned with CARDIS 2018, before becoming a free self-led online training course.

Many of the aforementioned results were integrated into tools, as targeted by our third objective. To help developers and researchers test attacks, and to improve the comparability of results, we published four reference data sets (for AES and ECC), one software implementation for AES and a corresponding set of data sets for deep learning (the ASCAD database). We also released an open-source leakage simulator (ELMO) based on instruction-level profiles for a processor relevant for the IoT (used by NCSC, NXP, now underpins the ROSITA tool), an open source toolbox for SCA (JuliaSCA), an open source implementation for shortcut formulas, scripts related to shortcut formulas for ECC implementations, keyless rank estimation and local random probing model (belief propagation) for the worst-case analysis of ECC countermeasures. Finally, we developed Inspector Cloud, an online tool allowing to perform side-channel attacks.

Regarding dissemination towards the main stakeholders and standardization efforts, we provided comments to 2 ISO standards (20085-1 and -2) that matured during the lifetime of REASSURE. Our work on leakage detection also directly impacted on ISO 17825, and a revision of the standard in envisioned.

We had several meetings with the International Security Certification Initiative’s working group ISCI-WG2, also known as JHAS, which brings together stakeholders from every aspect of smart card security evaluation: certification bodies, evaluation laboratories, hardware vendors, software vendors, card vendors and service providers). Several formal presentations of REASSURE results were delivered during these meetings.

We also established contact with EMVCO, the consortium bringing together Visa, Mastercard, JCB, American Express, China UnionPay, and Discover, as well as the French Groupement des Cartes Bancaires, the industrial consortium Global Platform, bringing together over a 100 companies to develop certification standards, and the European Union Agency for Cybersecurity (ENISA).

REASSURE techniques have been integrated into the processes of industrial partners, yielding significant performance improvements.

Project impact :

With the increase of interconnected and therefore typically security sensitive products in the context of IoT, but also with the rise of existing cyber-physical systems, there is a pressing need to transfer existing knowledge from the highly-sophisticated smart card community to other communities in these emerging areas. Furthermore, experts – be them researchers, manufacturers, evaluators or certificating bodies – are still in need for more efficient, reliable side-channel evaluation methodologies, providing assurance that their outcomes can be relied upon, and that the security metrics they yield are comparable among different teams.

REASSURE results gave birth to 32 scientific publications advancing the state of the art. Several of the techniques developed by REASSURE have been integrated in the analysis chains of the consortium members, bringing significant improvement in their internal procedures. Yet, REASSURE had the ambition of providing useful contributions, not only to its participants, but also to the community. Leakage traces of AES and ECC on various software and hardware platforms have been made available, both to help emerging actors in the field, to provide experts with a common reference allowing the comparison of attacks, and to help assess important new avenues such as deep-learning techniques. Various tools, such as implementation of shortcut formulas, leakage simulators, online analysis software, reference implementation involving popular countermeasures… These traces and tools have been downloaded several hundreds of times over the few months since they were put online. At the end of the project, we believe our combined effort enabled significant improvements in the common understanding of physical attacks.