A protected module (PM) is a container for information that protects that information from attacks intended to read or write it in an unauthorized manner. Protected modules have also been described in the literature as "tamper resistant modules" or "protected processors". We prefer "module" to "processor" because we are not concerned with protecting the hardware itself, but only with protecting the information being processed by the hardware.
The design presented here assumes that the S-box is implemented as a digitally protected module--that is, a module whose protective logic is based on digital technology. We plan to use three-dimensional integrated circuit technology, since we believe that a high level of physical protection can eventually be achieved by applying fabrication methods such as chip bonding to three-dimensional circuitry.
Increasingly effective levels of protection are possible:

Fig. 7 Physical structure of uABYSS
The device we discuss in this article is intended to achieve the third level of protection above, although we believe that it is even possible to achieve the fourth and highest level of protection.
Most earlier research on protected modules has either been theoretical in nature or has been subject to military classification. The uABYSS module[1] is an exception. Using this approach, an entire circuit board is enclosed in a cocoon of nichrome wire of approximately 0.09 mm diameter. Several windings, each having thousands of turns, are used. The circuit board records the protected information. The resistance of the windings is monitored in analog fashion to detect attacks (see Fig. 7).
In uABYSS, a 5% change in resistance is taken as a threshold to determine whether an attack is taking place. This comparison is made with the original resistance value. A change of at least 1% from the most recently measured value is also taken as an indication of an attack.

Fig 8: Three-dimensional IC implementation of a digitally protected module.
One of our approaches is illustrated in Fig. 8. The protective mechanism consists of a random access memory (RAM) containing a great number of closely spaced microscopic one-bit detectors. The DPM contains one or more layers of these detectors, packed tightly so as not to leave enough room for penetration between them. Layers of detectors can be staggered so as to increase the effective density. The memory can be implemented using either IC's or printed circuits. With these technologies the center-to-center distance of adjacent detectors can be made as small as 3 um. The detectors are individually addressable, and each one can be read or written. A possible attack is indicated when any detector is found to have lost its normal operating functions.
The testing method is simple: write a random value into the detector and read it back. Then write the complement of that value into the detector and read it back. The element is considered to be working if and only if the retrieved values agree with the written values. If the values do not agree, a possible attack is indicated. We call this event an exception.
If an exception occurs, the microprocessor examines the faulty detector several more times. Repeating the test provides protection against random transient failures such as might be caused by alpha rays. The probability of such a failure and the consequent change of state is proportional to the time between writing and reading. If a detector is read immediately after it is written, the probability becomes very small. In some environments the probability of transient errors may be low enough so that transient errors can be disregarded altogether.
If an exception is judged not to be a transient error, then the DPM can test other detectors in the physical vicinity of the erroneous one. The number of faulty elements can then be compared to a threshold. If that threshold is exceeded, we assume that the DPM has been attacked. The threshold test reduces the chance of a false alarm.
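As an added illustration (not code from the article), the following Python simulates the write/read-back test, the retest that screens out transient errors, and the neighbourhood threshold described in the preceding paragraphs. The detector grid, the stuck-at-0 failure model, the three retries, the one-cell radius and the threshold of four faults (the number a twenty-micron hole is later said to destroy) are all assumptions made here.

```python
import random
# Constructed simulation (not from the article) of the DPM detector layer: a grid of
# one-bit cells; a destroyed cell reads stuck-at-0, a transient cell flips one read.
class DetectorLayer:
    def __init__(self, rows, cols):
        self.rows, self.cols = rows, cols
        self.cells = [[0] * cols for _ in range(rows)]
        self.destroyed = set()   # (r, c) cells broken by a physical attack
        self.transient = set()   # (r, c) cells hit by a one-off soft error
    def write(self, r, c, bit):
        if (r, c) not in self.destroyed:
            self.cells[r][c] = bit
    def read(self, r, c):
        if (r, c) in self.destroyed:
            return 0
        if (r, c) in self.transient:
            self.transient.discard((r, c))
            return self.cells[r][c] ^ 1
        return self.cells[r][c]

def detector_ok(layer, r, c, rng):
    """Write a random bit and read it back, then the same with its complement."""
    bit = rng.randrange(2)
    for value in (bit, bit ^ 1):
        layer.write(r, c, value)
        if layer.read(r, c) != value:
            return False  # exception: retrieved value disagrees with written one
    return True

def exception_is_transient(layer, r, c, rng, retries=3):
    """Re-examine a faulty detector several times; a soft error passes on retry."""
    return all(detector_ok(layer, r, c, rng) for _ in range(retries))

def neighbourhood_faults(layer, r, c, rng, radius=1):
    faults = 0  # faulty detectors in the physical vicinity of (r, c), itself included
    for rr in range(max(0, r - radius), min(layer.rows, r + radius + 1)):
        for cc in range(max(0, c - radius), min(layer.cols, c + radius + 1)):
            faults += 0 if detector_ok(layer, rr, cc, rng) else 1
    return faults

def scan(layer, threshold=4, seed=0):
    """Sweep every detector; True means the DPM judges that it has been attacked."""
    rng = random.Random(seed)
    for r in range(layer.rows):
        for c in range(layer.cols):
            if detector_ok(layer, r, c, rng) or exception_is_transient(layer, r, c, rng):
                continue  # working detector, or a transient error that is disregarded
            if neighbourhood_faults(layer, r, c, rng) >= threshold:
                return True  # protective logic would now cut power to Layer 1
    return False  # isolated faults below the threshold are not treated as an attack
```

Because the complement is always tested, a stuck-at cell can never pass, while a single soft error is caught by the retry and never reaches the threshold test.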
Techniques that apply to RAM used in other applications can also be used for the DPM. For instance, the microprocessor can be provided with a list, resembling the list of bad tracks on a disk, that indicates elements known to be faulty. Similarly, it is possible to read and write blocks of several bits in parallel instead of operating on a single bit with each test. However, some economies are possible for the DPM that are not possible in general. For instance it is not necessary to refresh the memory because it can hold its state for at least ten milliseconds without being refreshed. That interval is much greater than the interval between writing and reading a bit. Such economies can help to reduce the cost of manufacturing the DPM.
The design of any type of protected module must address an inherent conflict. In order to make the device more likely to detect an attack it must be made more sensitive; but the more sensitive it is, the greater the likelihood of a false alarm. The more information that can be gotten about a presumed attack, the easier it is to resolve this conflict.
The digital design can provide more information than an analog design in the event of a fault because the digital design has more discrete components. In an analog design such as uABYSS there are relatively few windings. If a resistance measurement is off, there is no way to localize the fault further. In a digital design it is possible to check the detectors in the vicinity of the faulty one. The analog design can be brought closer to the digital one by using many small windings, but the control logic then becomes far more complex and it becomes much harder to manufacture the device.
We next consider various kinds of potential attacks on a digitally protected module and the protection against them:
necessary in order to guard against Trojan horses or other attempts at subversion of the logical protection.
The protective capability of any protected module cannot be regarded as permanent. Once a module has been installed the hardware implementation of its defensive technology is fixed, even though the technology of attack advances continually. With time it becomes easier and easier to find ways of bypassing or otherwise neutralizing whatever defenses the module utilizes. Thus the useful life of a protected module is determined by the progress of the technology of attacks. A useful life of five years is probably not difficult to achieve. Twenty years would be desirable; ten years is probably about the longest time that we would consider practical. However, it is likely that the state of the art in attacking protected modules would be known to their proprietors, and the modules could be replaced when they are known to have become vulnerable.
Three-dimensional large-scale integrated circuits, possibly manufactured using chip-bonding methods, provide an excellent method of realizing digitally protected modules. We have assumed such an implementation in Fig. 8.
Layer 1 consists of a protected region where the information to be protected is stored. The memory for the information can be implemented using technology at the level of 1 Mbit DRAMs. The protected region either has its own power supply or uses an external power supply. It is possible that there is more than one power supply. The protected region also contains circuitry whose function is to erase the information if an attack is detected. The erasure is accomplished by cutting off the power to Layer 1.
An attack might involve making holes in the device, etching it, or subjecting it to electro-optical reading. Layer 2 is made of devices and wirings designed to detect these kinds of attacks. It will be constructed using a technology such as 1-2 um rule semiconductor devices.
The distance between Layer 1 and Layer 2 can be made sufficiently small, on the order of 3 um, so that an attacker will not be able to penetrate between the layers. An attack from below Layer 1 is not feasible because any attempt to reach the components from that direction will cause the components to lose their charge. Should penetration from below be a concern, it is possible to place a layer of detectors there too, thus enclosing the protected region in a sandwich of detectors.
The wires between the two layers serve two purposes: to provide signal paths between the circuitry in the layers and to provide signal paths from the protected layer to the outside world. These wires are connected to small pads on the inner surface of each layer. They cover the entire perimeter of the DPM. Any disruption of their signals will have the same effect as a disturbance to the detectors, so they provide an additional level of protection to the device.
The larger pads on the upper surface of the detecting layer are bonding pads like those of a conventional IC. Their purpose is to provide connections for external wiring. Although external connections are logically necessary only for the protected circuits in Layer 1, the wires are routed via Layer 2 in order to prevent an attacker from gaining access to the protected region via the external connections.
The DPM can be encapsulated using an appropriate resin, preferably one that is not transparent. By mixing a substance such as alumina with the resin we can increase the resistance of the device to attacks using mechanical or chemical methods, or even attacks using lasers or plasmas. Simpler measures may, however, suffice for some environments.
The RAM in Layer 1 depends on a continuous supply of power to maintain its state. If the protective logic of the DPM concludes that an attack has taken place, it grounds the power supply and erases the secret information in the protected region. It is pointless for an attacker to disrupt the power supply because the effect of doing that will be to erase the protected information.
The DPM is not a demanding application of three-dimensional IC technology. The number of lines of interlayer wiring is small, particularly in comparison with typical applications of three-dimensional IC's. For example, an image processor would usually require several interlayer connections for each pixel. An image processor capable of handling large images would thus need thousands of inter-layer lines. Far fewer lines are needed for the DPM: power supplies, inputs, outputs, and addresses.
Furthermore, the DPM is a general-purpose device that will be produced in quantity. Mass production of DPM's will lead to economies of scale, just as it has with memories, microprocessors, and personal computers.
A likely form of attack is to attempt to make a hole in the device. Because of the spacing of the detectors, a hole whose diameter is as small as ten microns will still destroy at least one detector, and a hole not larger than twenty microns will destroy at least four. The design of the DPM makes it possible to determine not only that four detectors are faulty, but that the four are all in the same region.
The DPM has several different memories, and these memories have distinct purposes. The memory in Layer 1, the protected region, stores the information that is to be protected. The memory in Layer 2 is devoted to detecting attacks.
The order in which the detectors are tested is arbitrary, but the total test duration must be kept short. The detectors can be tested individually or in groups. Group testing helps to keep the testing interval short because the detectors in a group can be tested in parallel.
If we have a million elements and test one element every microsecond, then it will take just one second to test all the elements. If we test in parallel, the testing time can be made much less than that. The time required to erase the protected information is negligible by comparison.
There are at least three levels of protection that can be provided for the information in the protected region:
The choice among these levels should be made according to the defensive strength that is required and the cost that is acceptable.
In some applications a less effective method of protection may suffice. The protected information is kept on a mask ROM, and the chip containing the ROM is encapsulated in resin. For applications in which the attackers are not expected to be sophisticated, or in which the protecting device can be inspected by the owner of the protected information, this method may be appropriate since it is simpler and cheaper. Further discussion of it, however, is outside of the scope of this article.
Layer 1 of the DPM is the protected region. Layer 2 of the DPM covers the protected region.
The purpose of the detectors is to insure that nobody can physically invade the protected region without destroying one of the detectors. However, if it is known that physical invasion will not result in the theft of the protected information, the invasion can be tolerated.
At very low temperatures, a RAM may hold an electrical charge for some length of time even without power. Therefore the protected region can contain a monitoring circuit that will erase the secret information should the temperature drop below a specified threshold.
The DPM requires a continual supply of electrical power, whether it is constructed using RAM or EPROM. Once the DPM has been loaded with its protected information, power is needed for the memory that contains the secret information, the addressing logic, and the testing circuitry.
Maintaining the power supply is not necessary for protection, since if the power is disrupted the device simply loses its information. It is necessary, however, to insure that in the event of a power loss the protected information is erased before the protective mechanism itself fails. This can be achieved by having the protective mechanism monitor the power supply and ground it entirely if its voltage is not within acceptable limits.
Nevertheless it is very important to protect the device against accidental loss of power, since such an event can lead to the loss of cryptographic keys, and will be a great inconvenience to the user. Thus it is very desirable that the protected region have its own power supply. Using current CMOS and battery technology, we can build power supplies that have a lifetime of ten years. As we noted above, the useful lifetime of the DPM is unlikely to be longer than that because of the progress we can anticipate in the technology of attacks.
However, it is also possible to use an external power source provided certain precautions are taken. An external backup battery must be connected at all times once the device has been loaded with its information. It is possible to safeguard against momentary power loss by attaching a condenser to the power line. This condenser can be integrated into the device or external to it.
It will still be necessary occasionally to replace the backup battery. A device such as an electromagnetic plunger can be used to prevent the backup battery from being removed accidentally when the external power line is not connected.