Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices. The paper is written by Dennis Gnad, Jonas Krautter and Mehdi Tahoori. I'm lucky this time: the names are either German or Persian, and I have experience with both languages. And now Dennis is giving the talk.

Okay, yes. Thanks for your introduction. So you might ask yourself, what do we mean with "leaky noise"? Is it something that leaks? Is it some noise? And if we combine it, it's noise that leaks information. So yes, that's what we mean. I mean, you could say every such attack has some noisy data, but what we mean is that nowadays most of the chips are actually mixed-signal chips. So if we look at a modern chip, we have analog and digital components, where the digital part is causing noise while the analog part is sensitive to noise. And in the future we consider that all the chips will be mixed signal, or many of the chips that we are using: if you think of all these small embedded IoT devices, they combine everything in a single package, which is also cost-effective. Then all these chips can be networked or multi-user and connected even to the internet. Now if you consider that we have two components in this chip that are actually isolated on the logical level, they maybe introduce new security threats, and we wonder what that could be.

So in more detail, if you look at the summary of this paper: we want to prove that there is an information leakage inside the chip from the digital to the analog part, and potentially also back to the digital part, so actually the attacker can gain information from the victim through the analog part. For example, the attacker could use an ADC, an analog-to-digital converter, to gain information that leaks from the victim into the analog side. And the method we used to prove that is to sample an ADC during the operation of a cryptographic algorithm, so at the same time while it runs we need to gain ADC samples, and then on this data from the
ADC we perform leakage assessment and also correlation power analysis. And in fact, in both cases, or rather, in one case we could actually recover the secret key, and for leakage assessment we could also prove that most of the tested platforms are leaky.

Next I will come to background and related work. After that I explain our experimental setup, explain or show our results, and finally conclude the paper.

So let's come to the background. First, a bit about the power distribution network: inside every chip we have a complex network of resistors, capacitors and inductors, and they need to supply the chip. You can see it maybe better like this: typically we have a package of a chip, and inside this package we have package pins. These pins are connected to our actual silicon die through wires, and these wires act as if they were inductors. Inside the die we typically also have parasitic inductors and resistors that we balance out by adding capacitors. In the end this gets quite complex, so that inside the chip, if there is some activity by any, let's say, AES module that operates, it causes voltage fluctuations inside this chip. And now consider that this chip could be analog and digital, and the voltage fluctuations from one side go to the other side.

So in more detail, let's talk about the adversarial model we have in mind here. We have a digital side with an attacker that can sample an ADC, and a victim that runs some cryptographic algorithm. This ADC, if we think beyond just our experimental setup, can also be any other sensor. You can consider even high-performance chips nowadays: they add a lot of sensors inside the chip to be able to assess during runtime how the chip is performing, or to see how the chip is aging, and all kinds of sensors, for example also temperature. So it could be more than just an ADC. The ADC could now be legally used by the attacker while some other measures in the system prevent communication
between attacker and victim; for example, this could be memory protection. However, the victim could leak into this analog part and the ADC could acquire back this leakage, or the attacker can acquire back this leakage through an ADC. In a different scenario, this attacker could also be at the outside of the system. So instead of being an on-chip attacker, it could be an unsuspecting victim that accidentally exports more or less this side-channel data to the outside, and the attacker could be remote in some way.

Now for some background that most of you know, especially since the last talk: you know there are power analysis side-channel attacks that can recover the secret keys. Power analysis works on power measurements; specifically, here we use the classic correlation power analysis, where you correlate the power with a hypothesis of what you believe the power would be depending on your secret key. And we also perform leakage assessment, as shown in the previous talk, not a modern or more fancy method, but actually this basic test vector leakage assessment, where we just compare a set of power traces during which we did encryptions of random messages with a set of power traces where we did encryptions of a fixed message, and we do only this normal Welch's t-test. And the Welch's t-test says that to get a confidence of, I think, 99.99, the t-value should be above 4.5. So if this is the case, we can say okay, there is a data-dependent leakage, because we can differentiate random encryptions from fixed encryptions.

Also to some related work.
So there was a work where I was also involved, called Inside Job, where we show that inside an FPGA or FPGA SoC there can be side-channel leakage which is, let's say, from a digital to a digital part. Through a trick with FPGA elements we can use indirect voltage measurements to gain side-channel leakage. So let's say in one part of the FPGA is an AES module and in the other part is a sensor, and this sensor can in fact do CPA to extract the secret key from the AES. This was then extended by another group to FPGA SoCs, where we have a CPU integrated with FPGA logic.

Another work that you might know is Screaming Channels. They have already shown that there is in fact leakage from a digital to an analog part in mixed-signal chips. The analog part is here more a digital-to-analog converter which is used for a radio circuit, and on the outside you can use very good measurement equipment to get the side-channel leakage out of the electromagnetic emanation that is on purpose coming from the, let's say, Wi-Fi or, I think it was, a Bluetooth module, to also attack a circuit on the digital side of this chip.

Another selected work, one of the most interesting ones (for more you can read the paper; there's more related work), is Side-Channel Leakage across Borders, in which the authors have shown that you can do a successful power analysis attack on an I/O port pin of the chip. So not just by measuring power, but actually you can measure how a digital pin on this chip is noisy in some way, and this noise can also include side-channel information.

In this work,
however, what we prove is that the full loop is actually working: it's coming from the digital side to the analog and back to the digital side in the same chip.

So let's go to our experimental setup. The experimental setup was done on three different platforms of two vendors. One of them is an Espressif ESP32 dual-core processor, which we ran at one of the default frequencies of 80 MHz, and two boards from STMicroelectronics where the default frequencies were 80 and 168 MHz. Both vendors in fact recommend using the mbed TLS library, which we also used, and we performed the leakage assessment on AES and modular exponentiation, and later CPA on AES. We also used the FreeRTOS operating system, also suggested by these vendors, and the GCC compiler with some standard optimization setting.

So the setup looks very similar to our adversarial model, in that we have a victim task that does an encryption and we have an attacker task that does ADC measurements. This ADC is in an analog domain, and what we have to do in the setup is typically tell if the ADC is connected to VDD or ground or not connected. The ADC is in fact connected to a port pin of this microcontroller from the inside of the chip, so it has a bit of a similarity with this Side-Channel Leakage across Borders, but it's still slightly different, since it's now an analog and not a digital connection. To simplify our setup, we actually add a helper signal on the encryption from the victim to the attacker task, and additionally we connect the attacker to a UART and the victim to a UART, so that we have a UART connection to our workstation PC, and our workstation can now receive the ADC traces and can send encryption requests. So we have a very controlled setup in which we can now perform the leakage assessment or CPA on our workstation.

And for the results, we also first perform a basic test. For this basic test we used one of the STM boards while the ADC was not connected, and we sampled now
1000 traces, and these 1000 traces were just of a stress test code. We measure with an oscilloscope, and we have now code phases that are more stressful to the CPU and some that are more idle. If we average that, we can see from the outside what you would expect: that we see a difference in the average voltage. We can now also perform that with an ADC, just to see if there's anything to gain. And in fact we can see that if we do it internally, in the stress test phases we also see a difference in how the ADC signal looks. It's not necessarily the same level differences as for the oscilloscope, but there's more noise during stress phases and less if there's no stress.

Now if we go a bit further. This is now the prerequisite for leakage assessment; it's not the full assessment. Here we do the same with 1000 traces averaged, and we do fixed and random encryptions. And now if you see this, at the top you see the average from fixed traces and at the bottom random. And you can probably already say from this result, okay, at the top
it seems there is some data-dependent leakage that is evened out by using random data. And this is a part of the t-test.

For brevity, I will just show you the final results of this. For AES we then used 1 million traces, and for modular exponentiation 100k traces. Not in all cases was the ADC noisy; sometimes, if the ADC is giving a flat line, of course then we have no way, there's no change in data. But in most cases when there was ADC noise, it was actually leaky, and the t-value was beyond this 4.5 threshold. And here you can see in summary that, for various cases, at least for one of the cases each of the boards had some leakage to assess. Here you can also see what we write here, that for AES we ran the ADC at a faster frequency than for modular exponentiation, so this might also play a role, and potentially there could still be a difference if we ran the ADC at the same frequency.

Okay, then let's come to the correlation power analysis, which you are probably more interested in, which we also tried on this board since it had more leakage. So as you see here, in actually all cases out of two samples of the board, leakage assessment was successful, so we used that one and did CPA with 10 million traces, which was ciphertext-based. We used some simple alignment, since our helper signal was not good enough. So in the default setup we used the same setup as for leakage assessment. Here we had less than 25 ADC samples for the full AES, and thus we could only recover two secret key bytes with a high confidence, which might be because of the low number of samples; but of course we also just did the normal CPA attack, and more advanced attacks could probably be more successful. So we also simplified the setup, in which we use the ADC connected to VDD, since it was also supposed to be maybe more leaky, and we had just 56 MHz and no optimization, so we could sample it faster in relation to how fast the algorithm runs, and with 60 samples for the full AES you could then recover six secret key bytes. And here I'll
show you the best correlating bytes at the top. In the, let's say, harder case we needed about two million traces to say that we can recover some of the bytes, and in the second case we needed about five hundred K traces.

So as a conclusion: leaky noise is probably a problem for some systems, since we have data-dependent noise that leaks into the analog part, and an attacker can recover back this data, such that it is now feasible that attacks across security domains are possible in mixed-signal chips, and it could even be possible for certain remote power analysis attacks. Of course that is not the case for all applications, but if an application is unsure, then our call to application developers is that you should try to prevent ADC use during cryptography, or any use of reading from analog components in the chip. And our call to SoC integrators would be that you should consider digital noise as a security risk, since if you look at any datasheet of microcontrollers and the small SoC platforms, then what you might find is that the ADC is negatively impacted by the digital part, or any sensor is negatively impacted if there are too many digital parts active in the chip. However, they don't necessarily consider that this noise is correlated to data of this digital part. So potentially this also means that power analysis countermeasures might be applicable in more situations and might be required in more situations than what was thought previously.

Okay, and with that I am done. If you have any questions, feel free to ask.

Thank you for the talk. Is there any question? Okay. I have a question. Can you get back to, I don't remember the slide number, where you showed you have the alignment problem?

I was just writing "alignment". Yeah.
Yeah, you said that you had to align them. But is this complete alignment of the whole of the trace, or is this based on...

It was just plus or minus two ADC samples in fact, but it improved the results already.

Okay, but that means that the whole of the circuit, the whole of the traces shift. That means that you don't align per clock cycle, it's just the whole of the traces?

The whole trace, the trace that we record. So we just post-process the traces. It's not that we did anything fancy. For the first result we still used the inter-task communication of FreeRTOS, so of course there can be some parts that are not good enough. In the second part, for this we also changed this by adding just a global variable for synchronization. It also improved alignment a little bit.

Was it not okay?

It still was not good enough. So we still use the alignment on this data, probably because we are not entirely sure, in just programming this microcontroller, at which point in time the ADC starts sampling in relation to the software that runs.

Is the frequency that you get, that you can get data from the ADC, very low? What is the frequency? It seems that when you are running at 168 MHz you are not able to get a data speed, the data from the ADC...

Yeah, as you see it's not very fast. There's a table, one second. Yes, this is where the ADC sample rates are, which we used differently per algorithm. Okay, this is actually not true, it's okay, but these were about the sample rates that we used.

So for RSA you have to consider modular exponentiation. Just if you ignore the target algorithm, you are at 80 MHz at the first board, and then you are at 100-something kHz. What is "slash 16"?

That is the number of samples we had for the AES, but it doesn't mean it's for the complete AES algorithm. It was just the number of samples we had for that time frame.

So what was the target of the AES? I guess it was running in software, right?

It was running in software on the CPU.
Yeah, okay, all on the CPU. Which kind of implementation was it?

It's mbed TLS.

Okay, so that is a T-table-based implementation. Okay. Yeah. Thank you. Any other question?

Okay. So in one of your results you showed a thousand traces to break, and then in the second you have a million traces. So that's orders of magnitude. Can you comment on the wide range, the difference between those two results?

Not sure if I got you right. So you're asking...

I believe you showed a result, on one slide it said you took a thousand traces to break.

Yeah, we used ten million traces, but here you see after two million at least some of the bytes already correlate well.

Okay, I thought you had an earlier result where you showed one thousand traces to break.

We just did it as some preliminary experiments; we averaged one thousand traces. Okay, so here, this is ten million for the CPA. You see here it goes until ten million. It's a factor of one thousand. And before, for the leakage assessment, here we used just one million for AES, and for modular exponentiation one hundred K.

Okay, so yeah, thank you so much. I think we don't have enough time; if you can do it offline, you can do it offline. Yeah. Okay. Let's thank all the speakers of the session.
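The fixed-versus-random Welch's t-test the speaker describes (a |t| above 4.5 meaning data-dependent leakage), as an added example that is not the authors' code: it runs the test over constructed ADC traces, including the flat-line case the speaker mentions, where the ADC shows no noise and the assessment has nothing to work with. The trace generator, the byte values and the noise level are assumptions for illustration.

```python
"""Welch's t-test leakage assessment (TVLA) over fixed-vs-random ADC traces."""
import math
import random

THRESHOLD = 4.5  # |t| beyond this: fixed and random sets differ (about 99.99% confidence)


def welch_t(fixed, rnd):
    """Per-sample Welch t-statistic between two sets of equal-length traces."""
    n_f, n_r = len(fixed), len(rnd)
    t = []
    for i in range(len(fixed[0])):
        xf = [tr[i] for tr in fixed]
        xr = [tr[i] for tr in rnd]
        mf, mr = sum(xf) / n_f, sum(xr) / n_r
        vf = sum((x - mf) ** 2 for x in xf) / (n_f - 1)
        vr = sum((x - mr) ** 2 for x in xr) / (n_r - 1)
        denom = math.sqrt(vf / n_f + vr / n_r)
        # a flat ADC line has zero variance at every sample: nothing to assess
        t.append((mf - mr) / denom if denom > 0 else 0.0)
    return t


def assess(fixed, rnd, threshold=THRESHOLD):
    """Return the worst sample index, its |t|, and whether it crosses the threshold."""
    t = welch_t(fixed, rnd)
    worst = max(range(len(t)), key=lambda i: abs(t[i]))
    return {"sample": worst, "max_abs_t": abs(t[worst]), "leaky": abs(t[worst]) > threshold}


def make_traces(n, n_samples, leak_sample, leak, seed=1, noise=8.0):
    """Constructed 12-bit ADC traces (hypothetical, not measured data).

    Each sample is Gaussian noise around mid-scale; at `leak_sample` the ADC also
    picks up `leak` LSB per set bit of the byte being processed. The fixed set
    always processes 0xFF (Hamming weight 8); the random set processes a random byte.
    """
    rng = random.Random(seed)
    fixed, rnd = [], []
    for _ in range(n):
        f = [round(rng.gauss(2048, noise)) for _ in range(n_samples)]
        r = [round(rng.gauss(2048, noise)) for _ in range(n_samples)]
        f[leak_sample] += leak * bin(0xFF).count("1")
        r[leak_sample] += leak * bin(rng.randrange(256)).count("1")
        fixed.append(f)
        rnd.append(r)
    return fixed, rnd
```

With `leak=2` and 2000 traces per set the leaking sample stands out with |t| well above 4.5, while `leak=0` or an all-constant trace set stays below the threshold.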