Abstract
D.Ing. (Electrical Engineering)
Power Analysis or Side-Channel Attack aimed at embedded systems such as smart
cards has gained momentum to become a very important and well-studied area in computer
security. Side-channels are unwanted and exploitable by-products information
leaked from cryptographic devices that an attacker or a hacker can utilize to reveal
secret information stored or processed by those devices. In most instances it is easier
to acquire the secret keys hidden in cryptographic hardware from such techniques
than to attempt to break the cryptographic algorithm. One such side-channel attack is
the electromagnetic side-channel attack, giving rise to electromagnetic analysis (EMA).
In this thesis, we take a different approach towards side-channels. Instead of exploiting
side-channel to derive cryptographic keys, we present techniques, algorithms and
use-cases to identify instruction-dependent information from smart card code by analyzing
their electromagnetic emanation and power consumption. This has resulted
in the so-called side-channel disassembler offering new applications or uses that were
not previously explored in the embedded design. Although the idea of recognizing
executed micro-controller instructions using side-channel analysis is not new, previous
implementations reported in available literature did not yield good enough accuracy
to be relevant for practical applications.
Our first use-case presents the practical results of a real-life smart card malware detection.
We present an implementation consisting of reconstructing a malware program
executed on a smart card device using the emanated electromagnetic radiation only.
This is useful in the sense that it allows network engineers to immediately detect the
presence of the Sykipot malware in a smart card environment almost instantaneously.
It has been demonstrated that it takes approximately 229 days for network engineers
to detect a malware attack. So this implementation goes a long way towards improving
such statistics. Our solution makes use of machine learning techniques applied to
data involving a substantial number of correlated variables. To effectively reduce the
number of variable under consideration, we use dimension reduction algorithms such
as PCA and LDA. K-Nearest neighbor (k-NN) search is applied as a learning and classification
technique to recognize and detect malware presence in the device. Genetic
Algorithms are further applied to improve some of the k-NN limitations and shortcomings.
Our implementation shows very promising results in the sense that our malware
detection tool produced a recognition rate of up to 90%.
The second use-case analyzes the recorded power consumption of a micro-controller
to extract Hamming weights of executed instructions including operands. These Hamming
weights are transformed into strings that can be used to overcome the popular
dummy instruction countermeasure. Although the presented technique is only applied
to the dummy and random instruction countermeasure, a similar approach can be applied
to other variants of side-channel countermeasures. Such findings highlight the
fact that most available countermeasures can easily be overcome. As a contribution toward
building more effective countermeasures to side-channel analysis, we proposed
three techniques with their simulated results. The first technique relies on mathematical
equations for modeling the performance trade-offs of logic circuits. Using such
equations, effective models for leakage reduction in CMOS are easily deduced. Among
other, it is argued and demonstrated that the use of high dielectric constant can be a
very effective technique for reducing CMOS leakages. In the second proposition, we
highlight the use of strained-Si in CMOS device fabrication. In our proposition, the
emphasis is on mobility enhancement as a result of strain. The study is carried out...