# **Secure Processors In Industry**

Mengjia Yan Spring 2022

Based on slides from Christopher W. Fletcher and Jakub Szefer





#### Reminder

- Sign up Piazza
- Recitation
  - Room: 36-153
  - Time: 1-2 pm Friday
  - This Friday: Tutorial on C, Assembly
- HotCRP and paper presentations
  - Demo next Monday: paper bidding
  - Reviews: Signup if you are interested in contributing reviews and reading others' reviews
  - Presentation: Send a private Piazza post if you want to do presentation in pairs

#### Review #3H @

30 Sep 2020

#### Interest

Some interest

#### **Reading Experience**

2. It is an ok paper. (The paper is somewhat interesting or I learned something from reading this paper)

#### Paper summary

Speculative Taint Tracking is a proposed technique that prevents an entire class of data leakage via covert channels - specifically those that rely on misspeculations that can access data and transmit over a transient covert channel. This technique relies on tracking when instructions read data speculatively and taints said data, then doesn't allow any future operation that can possibly leak said data to complete until it is known that the original instruction is no longer speculative.

#### Strengths

- Very clear breakdown of what steps need to be taken to eliminate implicit channels
- Seemingly comprehensive coverage of the stated scope
- Interesting find of the implicit channels available to attackers.

#### Weaknesses (hidden from authors)

- Figure 5 was really confusing to me because I thought that section 5.1 was the only section
  referencing it and thus I didn't understand how b or c would work; but then after giving up
  on trying to figure it out and going onto the next page I realized there was more explanation.
  Some signposting alerting to further explanation later on would have helped me a lot.
- Is an 8% or 14% slowdown actually "acceptable"? While its clearly better than some of the alternatives, they are making this claim without much backing.

#### **Questions for discussion**

- I am still confused by the difference between the spectre threat model and the futuristic model - what is the spectre threat model not including that the futuristic is?
- Is an 8% or 14% slowdown actually "acceptable"?
- Is there a way to use this for only certain processes, so that the slowdown is only sometimes relevant? Or does that defeat the whole purpose?

#### Outline

- Some Basic Crypto
- Case Studies of Secure Processors



Figure 1: Sixty years of hardware support for security

6.888 - L2 Secure Processors

### **Security Goals**

Confidentiality

Example: Lost device

- Integrity
- Identification
- Availability

### Symmetric Cryptography





What if we use the key for multiple times? How about encrypting arbitrary length message? Any problems?

6.888 - L2 Secure Processors

## **Block ciphers (e.g., DES, AES)**

- Divide data in blocks and encrypt/decrypt each block
- AES block size can be 128, 192, 256 bits



Electronic Codebook (ECB) mode encryption

#### ECB IS NOT RECOMMENDED



What if the attacker sees P[i] = P[j], where i and j are block id?

### Block ciphers (e.g., DES, AES) cont.



Compare the two schemes:

- 1) What if a block is tampered or a block is lost?
- 2) Which one has potential higher performance if you have multiple computation units?

When applying AES to encrypt memory, what can be used as Counter?

### **AES Implementation**

- Goal: "approximate" pseudorandom permutations
- 10, 12, 14 rounds depending on key size
- AddRoundKey: One-time pad using round key
- SubBytes: Sbox lookup





#### **AES-NI Instruction Set**

- Short for Advanced Encryption Standard New Instructions
- New instruction + Hardware acceleration
- Both Intel and AMD released supported CPUs around 2010/2011

| Instruction     | Description                                                                         |
|-----------------|-------------------------------------------------------------------------------------|
| AESENC          | This instruction performs a single round of encryption. The instruction combines    |
|                 | the four steps of the AES algorithm - ShiftRows, SubBytes, MixColumns &             |
|                 | AddRoundKey into a single instruction.                                              |
| AESENCLAST      | Instruction for the last round of encryption. Combines the ShiftRows, SubBytes, &   |
|                 | AddRoundKey steps into one instruction.                                             |
| AESDEC          | Instruction for a single round of decryption. This combines the four steps of AES - |
|                 | InvShiftRows, InvSubBytes, InvMixColumns, AddRoundKey into a single instruction     |
| AESDECLAST      | Performs last round of decryption. It combines InvShiftRows, InvSubBytes,           |
|                 | AddRoundKey into one instruction.                                                   |
| AESKEYGENASSIST | This is used for generating the round keys used for encryption.                     |
| AESIMC          | This is used for converting the encryption round keys to a form usable for          |
|                 | decryption using the Equivalent Inverse Cipher.                                     |

#### Now back to lost devices

- Is password login sufficient?
- Where encryption should be used?
- Where to store secret keys?



### Is Encrypting Disk Sufficient?

- Cold boot attacks to circumvent software-based disk encryption
- An example: https://www.youtube.com/watch?v=vWHDqBV9yGc
- How to deal with it?
- Data remanence in SRAM and DRAM



#### **Physical Attack Examples**



Tap board used to intercept data transfer over Xbox's HyperTransport bus from *http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html* 



IC analysis. Extract information from a Flash ROM storage cell from http://testequipmentcanada.com/VoltageContrastPaper.html

#### **Physical Tamper Resistance**

- Standalone security modules to protect cryptographic keys and personal identification numbers (PINs)
- A history lesson of physical security by IBM 4758



#### **IBM 4758 Secure Co-Processor**

- Memory remanence
  - constant movement of values from place to place
- Cold boot
  - detects changes of temperature
- X-ray
  - a radiation sensor
- Power side channels
  - Solid aluminium shielding and a lowpass filter (a Faraday cage)



Photo of IBM 4758 Cryptographic Coprocessor (courtesy of Steve Weingart) from https://www.cl.cam.ac.uk/~rnc1/descrack/ibm4758.html

Expensive. Other secure processors only focus on a limited set of physical attacks.

#### **Trusted Platform Module (TPM)**

- "Commoditized IBM 4758"
- Standard LPC interface attaches to commodity motherboards
- Weaker computation capability
- Uses:
  - Disk encryption and password protection
  - Verify platform integrity (firmware+OS)





#### **Integrity Verification**



Use as fingerprints

- One-way hash
  - Practically infeasible to invert, Difficult to find collision
- Avalanche effect
  - "Bob Smith got an A+ in ELE386 in Spring 2005"→01eace851b72386c46
  - "Bob Smith got an B+ in ELE386 in Spring 2005"→936f8991c111f2cefaw



#### How to perform the measurement?

#### **Secure Boot using TPM**



• Static root of trust for measurement (SRTM)



PCR: platform configuration register

### **Security Vulnerabilities of Using TPM**

- Vulnerable to bus sniffing attacks
- TPM Reset attacks
  - SW reports hash values
- Bugs in the trusted software



Han et al. A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping. Usenix Security'18 Wojtczuk et al. Attacking Intel TXT<sup>®</sup> via SINIT code execution hijacking. 2011

### **Open-source Choice: Google Titan**





from https://www.hotchips.org/hc30/1conf/1.14\_Google\_Titan\_GoogleFinalTitanHotChips2018.pdf

6.888 - L2 Secure Processors

### Identification – Public Key Cryptography (e.g., RSA, EC)

- A pair of keys:
  - Private key (K<sub>pri</sub> kept as secret); Public key (K<sub>pub</sub> safe to release publicly)
- Encryption:
  - Encrypt(plaintext, K<sub>pub</sub>) = ciphertext
  - Decrypt(ciphertext, K<sub>pri</sub>) = plaintext
- Digital signatures:
  - Proof that msg comes from whoever owns private key corresponding to K<sub>pub</sub>
  - Sign(msg):
    - h = Hash(msg); signature = Encrypt(h, K<sub>pri</sub>)
    - Return {signature, msg}
  - Verify:
    - Decrypt(signature, K<sub>pub</sub>) ?= Hash(msg)

### Public key infrastructures (PKIs)

Bind public keys with identities
 -> website, chip



#### **Platform Attestation**

• Defend against replay attack: Freshness



#### **Platform Attestation**





### Shrink Trusted Computing Base (TCB)

enclave Ring 3 Ring 3 Ring 3 App Арр Арр Ring 0 Ring 0 Ring 0 Ring 3 Guest OS **Guest OS** Guest OS Арр Ring -1 Ring -1 Ring -1 Hypervisor Hypervisor Hypervisor Ring 0 Ring -2 Ring -2 Ring -2 SMM Guest OS SMM SMM Hardware Hardware Hardware Hardware

**Intel SGX** 

**Arm TrustZone** 

**AMD SEV** 

Trusted

# Next Lecture: Side Channel Introduction



