Publications

Abstract

State-of-the-art fault attacks demand either a large number of low-precision fault injections (statistical attacks) or very few injections using sophisticated equipment (algebraic attacks) to break modern cryptosystems. For example, a popular attack breaks AES-128 with one injection, but the fault effects must be restricted to one 4-bit nibble of its state. This paper combines the advantages of the two by optimizing the probability of achieving the desired failing state bit patterns, and thus the attack's success rate, during conventional, low-cost clock manipulation. The problem bears similarities with small-delay fault test generation, and we extend formal (Boolean satisfiability, or SAT) models that were initially developed for waveform-accurate SDF ATPG procedures. A fundamental distinction of our analysis is the presence of fixed-yet-unknown secret bits, which influence the failing state bit patterns. For this reason, we use a model-counting (#SAT) approach to estimate the success probability as an average across secret bit combinations.

Abstract

Due to the tremendous success of Deep Learning with neural networks (NNs) in recent years and the simultaneous leap of embedded, low-power devices (e.g. wearables, smart-phones, IoT, and smart sensors), enabling the inference of those NNs in power-constrained environments gave rise to specialized NN accelerators. One paradigm followed by many of those accelerators was the transition from digital domain computing towards performing operations in the analog domain, turning them from digital to mixed-signal NN accelerators. While power-efficiency and inference accuracy have been researched with increasing interest, security and protection against a side-channel attack (SCA) have not found much attention. However, side-channels pose a major security concern by allowing an attacker to steal valuable knowledge about proprietary NNs deployed on accelerators. In order to evaluate mixed-signal NNs accelerators concerning SCA robustness, its tendency to leak information through the side-channel needs investigation. In this work, we propose a methodology for enabling side-channel analysis of mixed-signal NNs accelerators, which shows reasonable accuracy in an early development stage. The approach enables the reuse of large portions of design sources for simulation and production while providing flexibility and fast development cycles for changes to the analog design.

Abstract

The tremendous success of artificial neural networks (NNs) in recent years, paired with the leap of embedded, low-power devices (e.g. IoT, wearables and smart sensors), gave rise to specialized NN accelerators that enable the inference of NNs in power-constrained environments. However, manufacturing or operating such accelerators in un-trusted environments poses risks of undesired model theft and hardware counterfeiting. One way to protect NN hardware against those threats is by locking both the model and the accelerator with secret keys that can only be supplied by entitled authorities (e.g. chip designer or distributor). However, current locking mechanisms contain severe drawbacks, such as required model retraining and vulnerability to the powerful satisfyability checking (SAT)-attack.Recently, an approach for jointly protecting the model and the accelerator was proposed. Compared to previous locking mechanisms, it promises to avoid model retraining, not leak useful model information, and resist the SAT-attack, thereby securing the NN accelerator against counterfeiting and the model against intellectual property infringement. In this paper, those claims are thoroughly evaluated and severe issues in the technical evidence are identified. Furthermore, an attack is developed that does not require an expanded threat model but is still able to completely circumvent all of the proposed protection schemes. It allows to reconstruct all NN model parameters (i.e. model theft) and enables hardware counterfeiting.

Abstract

Remote attestation allows validating the trustworthiness of a remote device. Existing attestation schemes either require hardware changes, trusted computing components, or rely on strict timing constraints. In this paper, we present a novel remote attestation approach, called DMA’n’Play, that tackles these practical limitations by leveraging DMA (direct memory access). Since DMA does not require CPU time, DMA’n’Play even allows attestation of devices with real-time constraints. To prevent the exploitation of side-channels which potentially could determine if the attestation is running, we developed DMA’n’Play To-Go, a small, mobile attestation device that can be plugged into the attested device. We evaluated DMA’n’Play on two real-world devices, namely a syringe pump and a drone. Our evaluation shows that DMA’n’Play adds negligible performance overhead and prevents dataonly attacks, by validating critical data in memory.

Abstract

From the perspective of end-users, IoT devices behave like a black box: As long as they work as intended, the user will not detect any compromise. The user has minimal control over the software. Hence, it is very likely that the user misses that illegal recordings and transmissions occur if a security camera or a smart speaker is hacked. In this paper, we present SCAtt-man, the first remote attestation scheme that is specifically designed with the user in mind. SCAtt-man deploys software-based attestation to check the integrity of remote devices, allowing users to verify the integrity of IoT devices with their smartphone. The key novelty of SCAtt-man resides in the utilization of user-observable side-channels such as light or sound in the attestation protocol. Our proof-of-concept implementation targets a smart speaker and an attestation protocol that is based on a data-over-sound protocol. Our evaluation demonstrates the effectiveness of SCAtt-man against a variety of attacks and its usability based on a comprehensive user study with 20 participants.

Abstract

With rapid advancements in electronic gadgets, the security and privacy aspects of these devices are significant. For the design of secure systems, physical unclonable function (PUF) and true random number generator (TRNG) are critical hardware security primitives for security applications. This paper proposes novel implementations of PUF and TRNGs on the RRAM crossbar structure. Firstly, two techniques to implement the TRNG in the RRAM crossbar are presented based on write-back and 50\% switching probability pulse. The randomness of the proposed TRNGs is evaluated using the NIST test suite. Next, an architecture to implement the PUF in the RRAM crossbar is presented. The initial entropy source for the PUF is used from TRNGs, and challenge-response pairs (CRPs) are collected. The proposed PUF exploits the device variations and sneak-path current to produce unique CRPs. We demonstrate, through extensive experiments, reliability of 100%, uniqueness of 47.78%, uniformity of 49.79%, and bit-aliasing of 48.57% without any post-processing techniques. Finally, the design is compared with the literature to evaluate its implementation efficiency, which is clearly found to be superior to the state-of-the-art.

Abstract

In the Internet of Things (IoT), Low-Power Wide-Area Networks (LPWANs) are designed to provide low energy consumption while maintaining a long communications’ range for End Devices (EDs). LoRa is a communication protocol that can cover a wide range with low energy consumption. To evaluate the efficiency of the LoRa Wide-Area Network (LoRaWAN), three criteria can be considered, namely, the Packet Delivery Rate (PDR), Energy Consumption (EC), and coverage area. A set of transmission parameters have to be configured to establish a communication link. These parameters can affect the data rate, noise resistance, receiver sensitivity, and EC. The Adaptive Data Rate (ADR) algorithm is a mechanism to configure the transmission parameters of EDs aiming to improve the PDR. Therefore, we introduce a new algorithm using the Multi-Armed Bandit (MAB) technique, to configure the EDs’ transmission parameters in a centralized manner on the Network Server (NS) side, while improving the EC, too. The performance of the proposed algorithm, the Low-Power Multi-Armed Bandit (LP-MAB), is evaluated through simulation results and is compared with other approaches in different scenarios. The simulation results indicate that the LP-MAB’s EC outperforms other algorithms while maintaining a relatively high PDR in various circumstances.

Abstract

With the exponential increase in the popularity of the RISC-V ecosystem, the security of this platform must be re-evaluated especially for mission-critical and IoT devices. Besides, the insertion of a Hardware Trojan (HT) into a chip after the in-house mask design is outsourced to a chip manufacturer abroad for fabrication is a significant source of concern. Though abundant HT detection methods have been investigated based on side-channel analysis, physical measurements, and functional testing to overcome this problem, there exists stealthy HTs that can hide from detection. This is due to the small overhead of such HTs compared to the whole circuit.In this work, we propose several novel HTs that can be placed into a RISC-V core's post-layout in an untrusted manufacturing environment. Next, we propose a non-invasive analytical method based on contactless optical probing to detect any stealthy HTs. Finally, we propose an open-source library of HTs that can be used to be placed into a processor unit in the post-layout phase. All the designs in this work are done using a commercial 28nm technology.

Abstract

With the advent of the Internet of Things, nanoelectronic devices or memristors have been the subject of significant interest for use as new hardware security primitives. Among the several available memristors, BiFe\$\$\backslashmathrmØ\\_\3\\$\$ (BFO)-based electroforming-free memristors have attracted considerable attention due to their excellent properties, such as long retention time, self-rectification, intrinsic stochasticity, and fast switching. They have been actively investigated for use in physical unclonable function (PUF) key storage modules, artificial synapses in neural networks, nonvolatile resistive switches, and reconfigurable logic applications. In this work, we present a physics-inspired 1D compact model of a BFO memristor to understand its implementation for such applications (mainly PUFs) and perform circuit simulations. The resistive switching based on electric field-driven vacancy migration and intrinsic stochastic behaviour of the BFO memristor are modelled using the cloud-in-a-cell scheme. The experimental current--voltage characteristics of the BFO memristor are successfully reproduced. The response of the BFO memristor to changes in electrical properties, environmental properties (such as temperature) and stress are analyzed and consistant with experimental results.

Abstract

This paper proposes a 3-input arbiter-based novel physically unclonable function (PUF) design. Firstly, a 3-input priority arbiter is designed using a simple arbiter, two multiplexers (2:1), and an XOR logic gate. The priority arbiter has an equal probability of 0’s and 1’s at the output, which results in excellent uniformity (49.45%) while retrieving the PUF response. Secondly, a new PUF design based on priority arbiter PUF (PA-PUF) is presented. The PA-PUF design is evaluated for uniqueness, non-linearity, and uniformity against the standard tests. The proposed PA-PUF design is configurable in challenge-response pairs through an arbitrary number of feed-forward priority arbiters introduced to the design. We demonstrate, through extensive experiments, reliability of 100% after performing the error correction techniques and uniqueness of 49.63%. Finally, the design is compared with the literature to evaluate its implementation efficiency, where it is clearly found to be superior compared to the state-of-the-art.

Abstract

The ion-sensitive field-effect transistor (ISFET) is an emerging technology that has received much attention in numerous research areas, including biochemistry, medicine, and security applications. However, compared to other types of sensors, the complexity of ISFETs make it more challenging to achieve a sensitive, fast and repeatable response. Therefore, various readout circuits have been developed to improve the performance of ISFETs, especially to eliminate the temperature effect. This paper presents a new approach for a temperature-independent readout circuit that uses the threshold voltage differences of an ISFET-MOSFET pair. The Linear Technology Simulation Program with Integrated Circuit Emphasis (LTspice) is used to analyze the ISFET performance based on the proposed readout circuit characteristics. A macro-model is used to model ISFET behavior, including the first-level Spice model for the MOSFET part and Verilog-A to model the surface potential, reference electrode, and electrolyte of the ISFET to determine the relationships between variables. In this way, the behavior of the ISFET is monitored by the output voltage of the readout circuit based on a change in the electrolyte's hydrogen potential (pH), determined by the simulation. The proposed readout circuit has a temperature coefficient of $11.9ppm/^\circC$ for a temperature range of 0-100°C and pH between 1 and 13. The proposed ISFET readout circuit outperforms other designs in terms of simplicity and not requiring an additional sensor.

Abstract

Secret-dependent timing behavior in cryptographic implementations has resulted in exploitable vulnerabilities, undermining their security. Over the years, numerous tools to automatically detect timing leakage or even to prove their absence have been proposed. However, a recent study at IEEE S&P 2022 showed that, while many developers are aware of one or more analysis tools, they have major difficulties integrating these into their workflow, as existing tools are tedious to use and mapping discovered leakages to their originating code segments requires expert knowledge. In addition, existing tools focus on compiled languages like C, or analyze binaries, while the industry and open-source community moved to interpreted languages, most notably JavaScript. In this work, we introduce Microwalk-CI, a novel side-channel analysis framework for easy integration into a JavaScript development workflow. First, we extend existing dynamic approaches with a new analysis algorithm, that allows efficient localization and quantification of leakages, making it suitable for use in practical development. We then present a technique for generating execution traces from JavaScript applications, which can be further analyzed with our and other algorithms originally designed for binary analysis. Finally, we discuss how Microwalk-CI can be integrated into a continuous integration (CI) pipeline for efficient and ongoing monitoring. We evaluate our analysis framework by conducting a thorough evaluation of several popular JavaScript cryptographic libraries, and uncover a number of critical leakages.

Abstract

With classical scaling of CMOS transistors according to Dennard’s scaling rules running out of steam, new possibilities to increase the functionality of an integrated circuit at a given footprint are becoming more and more desirable. Among these approaches the possibility to reconfigure the functionality of a transistor on the single devices level stand out, as by such an approach the same physical circuitry is enabled to perform different tasks in different configurations of the circuit. Reconfigurable transistors that allow the reconfiguration from a p-channel to an n-channel transistor and vice versa have emerged as an important example of such devices. The basic concepts required to built such devices have been proposed more then 20 years ago and the field has continuously developed ever since. In this article first the basic classification of reconfigurable field effect transistors is reviewed an described form a new angle. In the second part the important technology enablers to construct reconfigure field effect transistors are examined. Further the historical development, starting at the proposal of the main concepts up to the current status of device and circuit development are described. The most important additional features that have been introduced in the last years in order to even further increase the flexibility of the devices are discussed. Finally the application potential of reconfigurable transistors is described placing the spotlight on hardware security and neuromorphic applications.

Abstract

There is a long history of side channels in the memory hierarchy of modern CPUs. Especially the cache side channel is widely used in the context of transient execution attacks and covert channels. Therefore, many secure cache architectures have been proposed. Most of these architectures aim to make the construction of eviction sets infeasible by randomizing the address-to-cache mapping. In this paper, we investigate the peculiarities of write instructions in recent CPUs. We identify Write+Write, a new side channel on Intel CPUs that leaks whether two addresses contend for the same cache set. We show how Write+Write can be used for rapid construction of eviction sets on current cache architectures. Moreover, we replicate the Write+Write effect in gem5 and demonstrate on the example of ScatterCache 57 how it can be exploited to efficiently attack state-of-the-art cache randomization schemes. In addition to the Write+Write side channel, we show how Write-After-Write effects can be leveraged to efficiently synchronize covert channel communication across CPU cores. This yields the potential for much more stealthy covert channel communication than before.

Abstract

The high demand for performance and energy efficiency poses significant challenges for computing systems in recent years. The memristor-based crossbar array architecture is enthusiastically regarded as a potential competitor to traditional solutions due to its low power consumption and fast switching speed. Especially by leveraging self-rectifying memristive devices, passive crossbar arrays potentially enable high memory densities. Nonetheless, due to the lack of a switching control per cell, these passive, self-rectifying memristive crossbar arrays (srMCA) suffer from sneak path current issues that limit the range of accurate operation of the crossbar array. In this work, the sneak path current issues in the passive srMCAs based on self-rectifying bipolar and complementary switching memristive devices are comparatively analyzed. Under consideration of the worst-case scenario, three reading schemes are investigated: one wordline pull-up (OneWLPU), all wordline pull-up (AllWLPU), and floating (FL) reading schemes. As a conclusion, despite different switching dynamics, both types of self-rectifying memristive devices can efficiently suppress sneak path current in the srMCAs. In the FL reading scheme, the sneak path current flowing through the unselected reversely biased memristive cells in the srMCA can be considered as an accurate estimation for the practical sneak path current in the srMCA. By analyzing the sneak path current in the srMCAs with a size up to 64 × 64, it is demonstrated that the leakage current plays a crucial role for suppressing the sneak path current, and the sneak path current via an individual cell exhibits a continuous decrease while the accumulated total sneak path current in the unselected reverse biased region is increasing with expanding the crossbar size. The comparative study on the bipolar and complementary memristive devices based srMCAs under diverse reading schemes reveals the influence of the switching dynamics on the sneak path current effect in the srMCAs, and provides a beneficial reference and feasible solutions for the future optimization of the crossbar topology with the intention of mitigating sneak path effects.

Abstract

Biologically-inspired neuromorphic computing paradigms are computational platforms that imitate synaptic and neuronal activities in the human brain to process big data flows in an efficient and cognitive manner. In the past decades, neuromorphic computing has been widely investigated in various application fields such as language translation, image recognition, modeling of phase, and speech recognition, especially in neural networks (NNs) by utilizing emerging nanotechnologies; due to their inherent miniaturization with low power cost, they can alleviate the technical barriers of neuromorphic computing by exploiting traditional silicon technology in practical applications. In this work, we review recent advances in the development of brain-inspired computing (BIC) systems with respect to the perspective of a system designer, from the device technology level and circuit level up to the architecture and system levels. In particular, we sort out the NN architecture determined by the data structures centered on big data flows in application scenarios. Finally, the interactions between the system level with the architecture level and circuit/device level are discussed. Consequently, this review can serve the future development and opportunities of the BIC system design.

Abstract

Neural network (NN) algorithms have become the dominant tool in visual object recognition, natural language processing, and robotics. To enhance the computational efficiency of these algorithms, in comparison to the traditional von Neuman computing architectures, researchers have been focusing on memristor computing systems. A major drawback when using memristor computing systems today is that, in the artificial intelligence (AI) era, well-trained NN models are intellectual property and, when loaded in the memristor computing systems, face theft threats, especially when running in edge devices. An adversary may steal the well-trained NN models through advanced attacks such as learning attacks and side-channel analysis. In this paper, we review different security techniques for protecting memristor computing systems. Two threat models are described based on their assumptions regarding the adversary’s capabilities: a black-box (BB) model and a white-box (WB) model. We categorize the existing security techniques into five classes in the context of these threat models: thwarting learning attacks (BB), thwarting side-channel attacks (BB), NN model encryption (WB), NN weight transformation (WB), and fingerprint embedding (WB). We also present a cross-comparison of the limitations of the security techniques. This paper could serve as an aid when designing secure memristor computing systems.

Abstract

In this work, we introduce two new types of Physical Unclonable Functions (PUFs) based on memristor arrays. Both PUFs use the output behavior of memristor cells when an excitation signal is applied to their input. First, the cells are identified by decomposing the signal response into different frequencies using the discrete Fourier transformation and evaluating the absolute sum of errors. This approach provides a maximum accuracy of 96\% and F1-score of 73\%. In order to improve performance, a convolutional neural network is employed to learn the shapes of the output hysteresis loop. To this end, a conversion algorithm that transforms the outputs to matrices is used. The proposed neural network achieves a maximum accuracy of 97\% and F1-score of 97\%, allowing for the successful utilisation of the examined PUF in practical security applications. As a use case for the proposed PUFs, we introduce a novel neural network-based authentication protocol that can be used to authenticate smart devices to a central IoT hub, e.g., in a smart home.

Abstract

The spiking neural network (SNN), closely inspired by the human brain, is one of the most powerful platforms to enable highly efficient, low cost, and robust neuromorphic computations in hardware using traditional or emerging electron devices within an integrated system. In the hardware implementation, the building of artificial spiking neurons is fundamental for constructing the whole system. However, with the slowing down of Moore’s Law, the traditional complementary metal-oxide-semiconductor (CMOS) technology is gradually fading and is unable to meet the growing needs of neuromorphic computing. Besides, the existing artificial neuron circuits are complex owing to the limited bio-plausibility of CMOS devices. Memristors with volatile threshold switching (TS) behaviors and rich dynamics are promising candidates to emulate the biological spiking neurons beyond the CMOS technology and build high-efficient neuromorphic systems. Herein, the state-of-the-art about the fundamental knowledge of SNNs is reviewed. Moreover, we review the implementation of TS memristor-based neurons and their systems, and point out the challenges that should be further considered from devices to circuits in the system demonstrations. We hope that this review could provide clues and be helpful for the future development of neuromorphic computing with memristors.

Abstract

In recent years, a new generation of the Internet of Things (IoT 2.0) is emerging, based on artificial intelligence, the blockchain technology, machine learning, and the constant consolidation of pre-existing systems and subsystems into larger systems. In this work, we construct and examine a proof-of-concept prototype of such a system of systems, which consists of heterogeneous commercial off-the-shelf components, and utilises diverse communication protocols. We recognise the inherent need for lightweight security in this context, and address it by employing a low-cost state-of-the-art security solution. Our solution is based on a novel hardware and software co-engineering paradigm, utilising well-known software-based cryptographic algorithms, in order to maximise the security potential of the hardware security primitive (a Physical Unclonable Function) that is used as a security anchor. The performance of the proposed security solution is evaluated, proving its suitability even for real-time applications. Additionally, the Dolev-Yao attacker model is considered in order to assess the resilience of our solution towards attacks against the confidentiality, integrity, and availability of the examined system of systems. In this way, it is confirmed that the proposed solution is able to address the emerging security challenges of the oncoming era of systems of systems.

Abstract

Emerging brain-inspired neuromorphic computing paradigms require devices that can emulate the complete functionality of biological synapses upon different neuronal activities in order to process big data flows in an efficient and cognitive manner while being robust against any noisy input. The memristive device has been proposed as a promising candidate for emulating artificial synapses due to their complex multilevel and dynamical plastic behaviors. In this work, we exploit ultrastable analog BiFeO₃ (BFO)-based memristive devices for experimentally demonstrating that BFO artificial synapses support various long-term plastic functions, i.e., spike timing-dependent plasticity (STDP), cycle number-dependent plasticity (CNDP), and spiking rate-dependent plasticity (SRDP). The study on the impact of electrical stimuli in terms of pulse width and amplitude on STDP behaviors shows that their learning windows possess a wide range of timescale configurability, which can be a function of applied waveform. Moreover, beyond SRDP, the systematical and comparative study on generalized frequency-dependent plasticity (FDP) is carried out, which reveals for the first time that the ratio modulation between pulse width and pulse interval time within one spike cycle can result in both synaptic potentiation and depression effect within the same firing frequency. The impact of intrinsic neuronal noise on the STDP function of a single BFO artificial synapse can be neglected because thermal noise is two orders of magnitude smaller than the writing voltage and because the cycle-to-cycle variation of the current–voltage characteristics of a single BFO artificial synapses is small. However, extrinsic voltage fluctuations, e.g., in neural networks, cause a noisy input into the artificial synapses of the neural network. Here, the impact of extrinsic neuronal noise on the STDP function of a single BFO artificial synapse is analyzed in order to understand the robustness of plastic behavior in memristive artificial synapses against extrinsic noisy input.

Abstract

This work concerns the demonstration of a security solution for a network of networks, which comprises heterogeneous devices and utilises diverse communication protocols. The security solution used in this work employs an architecture presented in a previous work, which is based upon the concept of hardware and software security co-engineering.

Abstract

The reconfigurable field-effect transistor (RFET), is an electronic device whose conduction mechanism can be reversibly reconfigured between n-type and p-type operation modes. To enable this functionality, those devices do not rely on chemical doping caused by impurities but rather on electrostatic doping, i.e. the generation of mobile carriers via an external potential. This functionality has been first concieved in the early 2000s to reduce the source-drain leakage in ambipolar thin film transistors. Over the years many different concepts have been developed employing different conduction mechanisms as well as channel materials, such as silicon nanowires, carbon nanotubes or two-dimensional layered materials. In addition the focus the research shifted more and more towards the circuit level, bringing the unique device characteristics to fruitation. In this work, we will give an historic overview of the main development phases including thier key-achievements starting from the earlier years reaching untill today. Further, we discuss the most interesting circuit properties arising from the device functionality and summarize the broad range of their potential future applications.

Abstract

Emerging memristive devices offer enormous advantages for applications such as non-volatile memories and in-memory computing (IMC), but there is a rising interest in using memristive technologies for security applications in the era of internet of things (IoT). In this review article, for achieving secure hardware systems in IoT, low-power design techniques based on emerging memristive technology for hardware security primitives/systems are presented. By reviewing the state-of-the-art in three highlighted memristive application areas, i.e. memristive non-volatile memory, memristive reconfigurable logic computing and memristive artificial intelligent computing, their application-level impacts on the novel implementations of secret key generation, crypto functions and machine learning attacks are explored, respectively. For the low-power security applications in IoT, it is essential to understand how to best realize cryptographic circuitry using memristive circuitries, and to assess the implications of memristive crypto implementations on security and to develop novel computing paradigms that will enhance their security. This review article aims to help researchers to explore security solutions, to analyze new possible threats and to develop corresponding protections for the secure hardware systems based on low-cost memristive circuit designs.

Abstract

Smart factories, critical infrastructures, and medical devices largely rely on embedded systems that need to satisfy realtime constraints to complete crucial tasks. Recent studies and reports have revealed that many of these devices suffer from crucial vulnerabilities that can be exploited with fatal consequences. Despite the security and safety-critical role of these devices, they often do not feature state-of-the-art security mechanisms. Moreover, since realtime systems have strict timing requirements, integrating new security mechanisms is not a viable option as they often influence the device's runtime behavior. One solution is to offload security enhancements to a remote instance, the so-called remote attestation.We present RealSWATT, the first software-based remote attestation system for realtime embedded devices. Remote attestation is a powerful security service that allows a party to verify the correct functionality of an untrusted remote device. In contrast to previous remote attestation approaches for realtime systems, RealSWATT does neither require custom hardware extensions nor trusted computing components. It is designed to work within real-world IoT networks, connected through Wi-Fi. RealSWATT leverages a dedicated processor core for remote attestation and provides the required timing guarantees without hardware extensions. We implement RealSWATT on the popular ESP32 microcontroller, and we evaluate it on a real-world medical device with realtime constraints. To demonstrate its applicability, we furthermore integrate RealSWATT into a framework for off-the-shelf IoT devices and apply it to a smart plug, a smoke detector, and a smart light bulb.

Abstract

Implementations of cryptographic libraries have been scrutinized for secret-dependent execution behavior exploitable by microarchitectural side-channel attacks. To prevent unintended leakages, most libraries moved to constant-time implementations of cryptographic primitives. There have also been efforts to certify libraries for use in sensitive areas, like Microsoft CNG and Botan, with specific attention to leakage behavior.In this work, we show that a common oversight in these libraries is the existence of utility functions, which handle and thus possibly leak confidential information. We analyze the exploitability of base64 decoding functions across several widely used cryptographic libraries. Base64 decoding is used when loading keys stored in PEM format. We show that these functions by themselves leak sufficient information even if libraries are executed in trusted execution environments. In fact, we show that recent countermeasures to transient execution attacks such as LVI ease the exploitability of the observed faint leakages, allowing us to robustly infer sufficient information about RSA private keys with a single trace. We present a complete attack, including a broad library analysis, a high-resolution last level cache attack on SGX enclaves, and a fully parallelized implementation of the extend-and-prune approach that allows a complete key recovery at medium costs.