EP-4736043-A1 - METHOD FOR PROTECTING AGAINST SOFTWARE-BASED SIDE CHANNEL ATTACKS AN ELECTRONIC SYSTEM COMPRISING A SECURE PROCESSOR AND AN INTEGRATED SENSOR
Abstract
The present invention relates to a method for protecting an electronic system (1) comprising a secure processor (102) and an integrated sensor (101) against software-based side channel attacks targeting said secure processor using said integrated sensor, said electronic system further comprising an untrusted processor (104), a sensor register (103) isolated from said untrusted processor for storing at least one output value of the integrated sensor, a blurring device (109) connected to the sensor register and configured for outputting at least one blurred sensor output value whose bits are at least partly blurred, and a memory mapped register (110) accessible by said untrusted processor and storing outputs of the blurring device, said method comprising: - measuring, by the integrated sensor, a physical quantity representative of an activity of the secure processor to obtain a sensor output value, - storing said sensor output value into said sensor register, - generating, by said blurring device, from said sensor output value stored in the sensor register, a blurred sensor output value wherein one or more bits of said blurred sensor output value are blurred according to a blurring device configuration, - storing said blurred sensor output value in said memory mapped register.
Inventors
- TEGLIA, YANNICK
- GRAVELLIER, Joseph
- LOUBET MOUNDI, PHILIPPE
Assignees
- THALES DIS FRANCE SAS
Dates
- Publication Date
- 20260506
- Application Date
- 20240613
Claims (13)
- 1. A method for protecting an electronic system (1) comprising a secure processor (102) and an integrated sensor (101) against software-based side channel attacks targeting said secure processor using said integrated sensor, said electronic system further comprising an untrusted processor (104), a sensor register (103) isolated from said untrusted processor for storing at least one output value of the integrated sensor, a blurring device (109) connected to the sensor register and configured for outputting at least one blurred sensor output value whose bits are at least partly blurred, and a memory mapped register (110) accessible by said untrusted processor and storing outputs of the blurring device, said method comprising: - measuring (S1), by the integrated sensor, a physical quantity representative of an activity of the secure processor to obtain a sensor output value, - storing (S2) said sensor output value into said sensor register, - generating (S3), by said blurring device, from said sensor output value stored in the sensor register, a blurred sensor output value wherein one or more bits of said blurred sensor output value are blurred according to a blurring device configuration, - storing (S4) said blurred sensor output value in said memory mapped register.
- 2. The method of claim 1, comprising configuring said blurring device according to said blurring device configuration according to a control signal sent by a trusted entity through a wire.
- 3. The method of claim 1 or 2, comprising configuring said blurring device according to said blurring device configuration by reading a configuration activation message carried into the physical quantity measured by the integrated sensor.
- 4. The method of any one of claims 1 to 3, comprising configuring said blurring device according to said blurring device configuration by detecting, by said blurring device, a power consumption pattern in the physical quantity measured by the integrated sensor.
- 5. The method of any one of claims 1 to 4, wherein said physical quantity is among a voltage, a frequency and a clock cycle.
- 6. The method of claim 5, wherein generating a blurred sensor output value (S3) comprises modifying the low significant bits of the sensor output value.
- 7. The method of any one of claims 1 to 6, wherein generating a blurred sensor output value (S3) comprises discarding at least one bit of the sensor output value, the number of discarded bits depending on said blurring device configuration.
- 8. The method of any one of claims 1 to 6, wherein generating a blurred sensor output value (S3) comprises applying a random masking to at least one bit of the sensor output value bits.
- 9. The method of any one of claims 1 to 6, wherein said sensor output value is encrypted before storing it in the sensor register and wherein generating a blurred sensor output value (S3) comprises decrypting at least one bit of the sensor output value stored in the sensor register, the number of decrypted bits depending on said blurring device configuration.
- 10. A computer program product directly loadable into the memory of at least one computer, comprising software code instructions for performing the steps of any one of claims 1 to 9 when said product is run on the computer.
- 11. An electronic system (1) comprising a secure processor (102), an integrated sensor (101), an untrusted processor (104), a sensor register (103) isolated from said untrusted processor for storing at least one output value of the integrated sensor, a blurring device (109) connected to the sensor register and configured for outputting at least one blurred sensor output value whose bits are at least partly blurred, and a memory mapped register (110) accessible by said untrusted processor and storing output of the blurring device, wherein: - the integrated sensor measures a physical quantity representative of an activity of the secure processor to obtain a sensor output value, - said sensor output value is stored into said sensor register, - said blurring device generates from said sensor output value stored in the sensor register, a blurred sensor output value wherein one or more bits of said blurred sensor output value are blurred according to a blurring device configuration, - said blurred sensor output value is stored in said memory mapped register.
- 12. The electronic system of claim 11, wherein the integrated sensor (101) is a Time-to-Digital Converter sensor or a Ring-oscillator-based sensor configured for outputting a high resolution voltage output value.
- 13. The electronic system of claim 10 or 11 configured for performing the steps of any one of claims 1 to 9.
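A software model of the blurring step (S3), covering the bit-discarding and random-masking variants of claims 7 and 8, added here as an illustration and not taken from the patent. The 16-bit register width, the `blur_cfg` names, the Hamming-weight sensor model and the `rnd` parameter standing in for a hardware random source are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the claims only say "blurring device configuration". */
enum blur_mode { BLUR_NONE, BLUR_DISCARD, BLUR_MASK };
struct blur_cfg { enum blur_mode mode; unsigned nbits; };

/* Step S3: value exposed in the memory mapped register, derived from the
 * isolated sensor register. rnd stands in for a hardware random source. */
uint16_t blur(uint16_t sensor_reg, struct blur_cfg cfg, uint16_t rnd)
{
    unsigned n = cfg.nbits > 16 ? 16 : cfg.nbits;
    uint16_t low = (uint16_t)((1ul << n) - 1);   /* mask of the n low bits */
    uint16_t high = (uint16_t)~low;
    switch (cfg.mode) {
    case BLUR_DISCARD: return sensor_reg & high;                  /* claim 7 */
    case BLUR_MASK:    return (uint16_t)((sensor_reg & high) | (rnd & low)); /* claim 8 */
    default:           return sensor_reg;
    }
}

/* Constructed sensor model: fixed baseline plus a small activity-dependent
 * term, the Hamming weight of the byte the secure processor handles. */
static uint16_t sensor_sample(uint8_t b)
{
    unsigned w = 0;
    for (; b; b >>= 1) w += b & 1u;
    return (uint16_t)(0x0800 + w);
}

/* Distinct register values the untrusted processor can observe across all
 * 256 byte values; 1 means the register no longer distinguishes them. */
unsigned observable_classes(struct blur_cfg cfg, uint16_t rnd)
{
    uint8_t seen[8192] = {0};                    /* one bit per 16-bit value */
    unsigned count = 0;
    for (unsigned b = 0; b < 256; b++) {
        uint16_t v = blur(sensor_sample((uint8_t)b), cfg, rnd);
        if (!(seen[v >> 3] & (1u << (v & 7)))) count++;
        seen[v >> 3] |= (uint8_t)(1u << (v & 7));
    }
    return count;
}

int main(void)
{
    for (unsigned n = 0; n <= 4; n++)
        printf("discard %u bits -> %u classes\n", n,
               observable_classes((struct blur_cfg){BLUR_DISCARD, n}, 0));
    return 0;
}
```

In this model, discarding three bits still leaves two distinguishable classes because the activity term carries into bit 3; the configuration has to cover the full amplitude of the activity-dependent signal.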
Description
METHOD FOR PROTECTING AGAINST SOFTWARE-BASED SIDE CHANNEL ATTACKS AN ELECTRONIC SYSTEM COMPRISING A SECURE PROCESSOR AND AN INTEGRATED SENSOR
FIELD OF THE INVENTION
The present invention relates to the field of chip protection against side channel attacks, and more particularly to a method, and a corresponding device, for protecting against software-based side channel attacks an electronic system comprising a secure processor and an integrated sensor.
BACKGROUND OF THE INVENTION
Sensitive information, such as secret keys to be used in cryptographic algorithms, is usually protected in order to prevent an attacker from accessing it, even when the attacker has full control of the device performing sensitive operations that access such sensitive information. Nevertheless, algorithms performing these sensitive operations are subject to side-channel attacks (SCA), based on an analysis of traces from the device when performing the operation, such as power consumption or electromagnetic emissions. As an example, SCA may be used to retrieve at least a part of a secret or private key when used in a cryptographic operation, such as an exponent of a modular exponentiation, or a scalar when used in the frame of an Elliptic curve cryptography (ECC) protocol, such as ECDSA.
In order to protect a processor performing sensitive operations against side channel analysis, it may be useful to analyze the side channel emissions of such a processor when it performs sensitive operations, in order to reduce or jam such emissions by improving the processor design or by embedding countermeasures against SCA. Nevertheless, analyzing side channel emissions from outside a processor usually requires a sophisticated test-bed, which makes it both cumbersome and costly, and prevents large-scale analysis on multiple processors in parallel. In order to make side channel analysis easier, side channel emission sensors may be integrated in the processor or in its vicinity, in a SoC for example.
Such a solution makes it much easier to collect side channel traces during operation of the processor. Nevertheless, a drawback of such a solution is that such integrated sensors remain in place after the product comprising the processor has been released. In addition, modern processors use integrated power and temperature sensors for various reasons such as efficiency, security and reliability control. As a result, an attacker may use these sensors for performing his own side channel attack on the processor. Software-based Hardware Attacks (SbHWA) are a recent class of such side-channel attacks that do not require any hardware, as they use sensors directly integrated in processors in order to eavesdrop on the activity of victim applications. Such an attack does not require any laboratory equipment. Therefore, it makes remote hardware attacks possible. These attacks have been successfully conducted on various platforms such as SoCs or FPGAs and demonstrate that it is possible to eavesdrop on the power activity of an application using an integrated sensor. [Joseph Gravellier, Jean-Max Dutertre, Yannick Teglia, and Philippe Loubet Moundi. 2021. Sideline: How Delay-Lines (May) Leak Secrets from Your SoC. In Constructive Side-Channel Analysis and Secure Design: 12th International Workshop, COSADE 2021, Lugano, Switzerland, October 25-27, 2021, Proceedings. Springer-Verlag, Berlin, Heidelberg, 3-30. https://doi.org/10.1007/978-3-030-89915-8_1]. Such attacks can be particularly useful for side channel attacks requiring a lot of data, such as Deep Learning based side channel attacks. Indeed, they may run in the background for months or years without the victim application detecting that it is being spied on. In addition, such integrated sensors are usually electrically connected to the processor in order to enable the processor to control their operation.
This adds a physical connection to the processor, which increases the attack surface of the processor and may be leveraged by an attacker to bypass protections embedded in the processor. Therefore, there is a need for a solution that allows side channel emission sensors to be run in an electronic device for testing purposes, while preventing any further use of such sensors by an attacker for performing a side channel attack.
SUMMARY OF THE INVENTION
For this purpose and according to a first aspect, this invention therefore relates to a method for protecting an electronic system comprising a secure processor and an integrated sensor against software-based side channel attacks targeting said secure processor using said integrated sensor, said electronic system further comprising an untrusted processor, a sensor register isolated from said untrusted processor for storing at least one output value of the integrated sensor, a blurring device connected to the sensor register and configured for outputting at least one blurred sensor output value whose bits are at least partly blurred, and a memory mapped register accessible by said untrusted p