This reading list is focused on literature that is relevant to remote-attested hardware that secure against physical and supply chain attackers. A lot of TEE security literature focuses on settings in which heavy sharing of hardware resources - this is not the focus of our line of work as we do not target this kind of multi-tenancy.

Non-Invasive Attacks

Masking

Dynamic leakage

• Unifying Leakage Models: from Probing Attacks to Noisy
  Leakage
  • Motivates the d-probe model
• Trivially and Efficiently Composing Masked Gadgets with Probe Isolating Non-Interference
  • Defines PINI which is the notion to assure composability of masked circuits
• HPC4 - Low-latency Hardware Private Circuits
  • Latest in a line of work designing AND gadgets in the PINI model.
  • satisfies O-PINI allowing truly arbitrary combination
  • 1 clock cycle latency
• Automated Generation of Masked Hardware
  • Great overview (precedes HPC-3)
  • About automated techniques to make application of masking practical
• Prime Masking vs Faults
  • Fault attacks can allow attackers to observe faulty (or missing if safeguard exist) outputs that provide insight into input or intermediate values. Boolean masking does not defend well against this, but prime masking does. Boolean masking also requires minimum levels of noise present in the chip.
  • This paper builds on previous research to prove that prime masking can be efficiently applied.
• PoMMES: Prevention of Micro-architectural Leakages in Masked Embedded Software
  • Covers compiler changes (specifically register allocation) to prevent dependent leakages (e.g. from overwrites)
• Scan Based Side Channel Attack on Data Encryption Standard
  • This one is old but important. Scan chains are a tool we would like to use for trojan detection, but, as this paper shows, they can introduce other attack vectors.

Static leakage

• Static Leakage in Dual-Rail Precharge Logics
  • Examines combination of masking with dual rail logic (AKA “differential logic”) to protect against static and dynamic leaks.
• Laser Logic State Imaging (LLSI) to circumvent masking countermeasures
  • Laser probing can provide a snapshot of registers throughout the chip, breaking the t-probe security model
• On Borrowed Time - Preventing Static Side-Channel Analysis
  • Defense against the above which ensures registers are wiped when clock signal stops.
  • For other defenses, see 1,2
• Unrolled Cryptography on Silicon: A Physical Security Analysis | IACR Transactions on Cryptographic Hardware and Embedded Systems

Fault-based attacks on TEEs

• Bypassing Isolated Execution on RISCV with Fault Injection
  • Shows how faults can be used to get around PMP which the the RISCV primitive used to provide memory isolation.
• Combined Private Circuits
  • This paper provides the most up-to-date composable security definition for combined fault and probing attacks, improving on a previous paper. It also provides some gadgets that satisfy this property. It is the spiritual successor to the PINI security definition.
• Prime Masking vs Faults
  • Fault attacks can allow attackers to observe faulty (or missing if safeguard exist) outputs that provide insight into input or intermediate values. Boolean masking does not defend well against this, but prime masking does. Boolean masking also requires minimum levels of noise present in the chip.
  • The properties of prime masking can be used to improve on the efficiency of Combined Private Circuit implementations given in the paper above.
  • This paper builds on previous research to prove that prime masking can be efficiently applied.
• Beware Insufficient Redundancy
  • Demonstrates an attack on a design that is secure against an unrealistically weak adversary.
• SCFI: State Machine Control-Flow Hardening Against Fault Attacks

Instruction Sets and Microarchitectures

Note, the section above provides the primitives required to build what we find in this section.

• A RISC-V Instruction Set Extension for Flexible Hardware/Software Protection of Cryptosystems Masked at High Orders
  • Introduces a bitwise masked ALU and benchmarks AES.
  • Since only bitwise, this isn’t a “general purpose masked ISE”
  • A security order is chosen and fixed at manufacturing time. Using software techniques (bit and share slicing), security orders can be increased after manufacturing.
• Testing side-channel security of cryptographic implementations against future microarchitectures
  • Provides a language to describe microarchitecture features (typically speculative) to analyse their leakage profile.

AI-specific

• BarraCUDA
• CipherSteal
• Luc Chartier’s Covert Channel Demo
• Jacob Lagerros Power Channel Demo

Invasive Attacks

DRAM attack and defense:

• An Off-Chip Attack on Hardware Enclaves via the Memory Bus
  • good for understanding bus attacks
• Software-Based Off-Chip Memory Protection for RISC-V Trusted Execution Environments
  • useful for understanding how memory protection works
• PHANTOM: practical oblivious computation in a secure processor

Tamper Resistance

• Secure Physical Enclosures from Covers with Tamper-Resistance
  • this one is particularly appealing because the tamper-resistance is tied to secret generation. The hope would be that this implies that there is no point in the production process in which the device secrets are vulnerable to physical attackers.
• Hardware-Based Methods for Electronic Device Protection against Invasive and Non-Invasive Attacks
• Smart Anti-Tamper Conformal Coating System for Electronic Circuits
• New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions
• Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks

Trojans

• Bunnie’s talk at 38C3
• This paper and update from “Bunnie” Huang are really good
• Trojan Assets and Attack Vectors in Processors by Chuah et al. 2024
  • Focuses on trojans inserted in the RTL. Assumes RTL is closed.
  • Doesn’t address caches, predictors, speculation, etc. which are potent side channels for data disclosure
• This is probably the toughest trojan that we’re aware of: Stealthy Dopant-Level Hardware Trojans. It’s addressed in Bunnie’s update above and also detected in: Reversing Stealthy Dopant-Level Circuits
• Hardware Trojan: Threats and Emerging Solutions
• Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations
• Silicon Echoes: Non-Invasive Trojan Detection
• A Red Team/Blue Team Assessment of Functional Analysis Methods for Malicious Circuit Identification
  • Tests FANCI

Other

Open Hardware Security Analyses/Contributions

• Security Verification of Open Titan
• Pre-silicon Fault Analysis of Open Titan
• An Investigation of Hardware Security Bug Characteristics in Open-Source Projects

Irreproducible Keys (Secrecy of Hardware Secrets)

• Towards Secret-Free Security
• A PUF Taxonomy
• SIMPL Systems: On a Public Key Variant of Physical
  Unclonable Functions
• Physically Unclonable Functions: A Study on the State of the Art and Future
  Research Directions
• A Provably Secure Strong PUF Based on LWE: Construction and Implementation

Extending TEEs with prog crypto

• PPMLAC: High Performance Chipset Architecture for Secure Mutli-Party Computation
• Toward Scalable Fully Homomorphic Encryption Through Light Trusted Computing Assistance
• Verifiable ASICs