image image

Embedded Physical Attacks 101

3rd - 5th April 2019 | 3 Days


Lejla Batina, Kostas Papagiannopoulos & Niels Samwel


Modern cryptography has produced a multitude of secure ciphers that protect our daily electronic transactions. However, once the cipher is implemented on a physical device (microprocessor, FPGA, ASIC etc.) it becomes vulnerable to side-channel and fault attacks. Side-channel attacks pose a unique challenge as an intersection of cryptography, electronics and statistics and pervading all aspects of modern hardware security. The attacks monitor closely the power consumption or electromagnetic emission of a cryptographic device and they are able to extract the secret key using statistical techniques. Fault injection attacks, on the other hand, take advantage of inserting some disturbances (such as glitches by changing e.g. voltage, clock, temperature etc.) into the system leading to faulty computations.

In this training we will provide introductions to both, side-channel and fault analysis, showcasing the core techniques for key recovery. During the training the students will get the chance to develop several basic side-channel tools in Matlab/Octave. Subsequently they will use them to perform attacks on datasets in order to extract the secret key.

Course sections:

Introduction to side-channel attacks

  • Basic concepts and background information
  • Side-channel leakage modeling
  • Simple power analysis (SPA)
  • Differential power analysis (DPA)

Correlation power analysis (CPA) in software and hardware

  • Assignment 1: Extracting the cipher key from the electromagnetic emission of an ARM Cortex-M4 processor
  • Assignment 2: Extracting the cipher key from the power consumption of an FPGA-based AES implementation

Template attacks

  • Probability theory and statistics
  • Step-by-step guide to profile and exploit a device's side-channel
  • Assignment 3: Template building/matching using the electromagnetic emission of an industrial control system

Higher order attacks

  • Introduction to side-channel countermeasures (masking, shuffling, etc.)
  • Higher-order side-channel attacks
  • Assignment 4: Second-order attack using correlation and templates on a masking countermeasure implemented on an AVR smartcard

Introduction to fault injection attacks:

  • Fault attacks in practice: principles and use cases
  • Differential Fault Analysis (DFA)
  • Glitching attacks with voltage and Electro Magnetic Fault Injection (EMFI)
  • Assignment 5: Hands-on session on ChipWhisperer

Who should attend the course:

  • Researchers and students who want to learn the core techniques of side-channel and fault analysis
  • Penetration testers, auditors and evaluators of secure embedded devices
  • Developers of secure IoT products
  • Any embedded security enthusiast

What should attendees bring:

  • Laptop with Windows or Linux
  • Matlab or Octave installed

What will be provided:

  • Lecture slides and assignments
  • Matlab code and examples
  • Side-channel datasets captured from AVR/ARM processors and FPGA implementations
  • Fault injection data sets obtained from ChipWhisperer

About the trainers:

Lejla Batina studied and worked as a research assistant at the Technical University Eindhoven where she got her professional doctorate in Engineering degree in Mathematics for Industry - in 2001. After that she worked as a cryptographer for Pijnenburg - Securealink (later SafeNet, BV), in Vught, The Netherlands. She got her Ph.D. degree from KU Leuven, Belgium in 2005 where she also continued with postdoctoral research. She is currently a professor in the Digital Security group of the Computing Science Department at the Radboud University and active participant in the CHES and IACR communities. Her research interests are hardware security, lightweight cryptography, cryptography for pervasive computing (smart cards, RFIDs, etc.), side-channel attacks/countermeasures and implementations of cryptography.

Kostas Papagiannopoulos received a degree in Electrical and Computer engineering from the National Technical University of Athens, Greece in 2011. He received his joint M.Sc. in Information Security from Radboud University, Technical University Eindhoven and University of Twente in 2014. He is currently a Ph.D. candidate in the Digital Security group of Radboud University in Nijmegen, the Netherlands. In addition he was a research visitor at the Riscure testing/evalution lab in Delft, in 2016. His research interests are side-channel attacks and countermeasures, high-performance cryptographic implementations, machine learning and information theory.

Niels Samwel received a BSc in Computer Science from Leiden University,The Netherlands in 2014. He received his joint MSc degree in Cyber Security from Radboud University, Technical University Eindhoven and University of Twente in 2016. He is currently a PhD student in the Digital Security group in the Radboud University, The Netherlands. In addition, he was a research visitor at the University of Pennsylvania in 2017 (working with Daniel Genkin) and at the University of Adelaide in 2018 (working with Yuval Yarom). His research interests are side-channel and fault attacks, countermeasures and cryptographic implementations.