AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing
- 2003
Cited by 78 (11 self)
We describe the architecture for a single-chip AEGIS processor which can be used to build computing systems secure against both physical and software attacks. Our architecture assumes that all components external to the processor, such as memory, are untrusted. We show two different implementations. In the first case, the core functionality of the operating system is trusted and implemented in a security kernel. We also describe a variant implementation assuming an untrusted operating system.
Efficient Memory Integrity Verification and Encryption for Secure Processors
- In Proceedings of the 36th Annual International Symposium on Microarchitecture, 2003
Cited by 43 (2 self)
Secure processors enable new sets of applications such as commercial grid computing, software copy-protection, and secure mobile agents by providing security from both physical and software attacks. This paper proposes new hardware mechanisms for memory integrity verification and encryption, which are two key primitives required in single-chip secure processors. The integrity verification mechanism offers significant performance advantages over existing ones when the checks are infrequent, as in grid computing applications. The encryption mechanism improves the performance in all cases.
Physical Unclonable Functions for Device Authentication and Secret Key Generation
- ACM Design Automation Conference 2007, 2007
Cited by 36 (6 self)
Physical Unclonable Functions (PUFs) are innovative circuit primitives that extract secrets from physical characteristics of integrated circuits (ICs). We present PUF designs that exploit inherent delay characteristics of wires and transistors that differ from chip to chip, and describe how PUFs can enable low-cost authentication of individual ICs and generate volatile secret keys for cryptographic operations.
Design and Implementation of the Aegis Single-Chip Secure Processor Using Physical Random Functions
- In Proceedings of the 32nd Annual International Symposium on Computer Architecture (MIT-CSAIL-CSG-Memo-483 is, 2005
Cited by 30 (5 self)
Secure processors enable new applications by ensuring private and authentic program execution even in the face of physical attack. In this paper we present the AEGIS secure processor architecture, and evaluate its RTL implementation on FPGAs. By using Physical Random Functions, we propose a new way of reliably protecting and sharing secrets that is more secure than existing solutions based on non-volatile memory. Our architecture gives applications the flexibility of trusting and protecting only a portion of a given process, unlike prior proposals which require a process to be protected in its entirety. We also put forward a specific model of how secure applications can be programmed in a high-level language and compiled to run on our system. Finally, we evaluate a fully functional FPGA implementation of our processor, assess the implementation tradeoffs, compare performance, and demonstrate the benefits of partially protecting a program.
Designing and implementing malicious hardware
Cited by 24 (3 self)
Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques. Yet current work on trojan circuits considers only simple attacks against the hardware itself, and straightforward defenses. More complex designs that attack the software are unexplored, as are the countermeasures an attacker may take to bypass proposed defenses. We present the design and implementation of Illinois Malicious Processors (IMPs). There is a substantial design space in malicious circuitry; we show that an attacker, rather than designing one specific attack, can instead design hardware to support attacks. Such flexible hardware allows powerful, general-purpose attacks, while remaining surprisingly low in the amount of additional hardware. We show two such hardware designs, and implement them in a real system. Further, we show three powerful attacks using this hardware, including a login backdoor that gives an attacker complete and high-level access to the machine. This login attack requires only 1341 additional gates: gates that can be used for other attacks as well. Malicious processors are more practical, more flexible, and harder to detect than an initial analysis would suggest.
A technique to build a secret key in integrated circuits with identification and authentication applications
- In Proceedings of the IEEE VLSI Circuits Symposium, 2004
Cited by 22 (7 self)
This paper describes a technique that exploits the statistical delay variations of wires and transistors across ICs to build a secret key unique to each IC. To explore its feasibility, we fabricated a candidate circuit to generate a response based on its delay characteristics. We show that there exists enough delay variation across ICs implementing the proposed circuit to identify individual ICs. Further, the circuit functions reliably over a practical range of environmental variation such as temperature and voltage.
Initial SRAM state as a fingerprint and source of true random numbers for RFID tags
- In Proceedings of the Conference on RFID Security, 2007
Cited by 19 (3 self)
RFID applications create a need for low-cost security and privacy in potentially hostile environments. Our measurements show that initialization of SRAM produces a physical fingerprint. We propose a system of Fingerprint Extraction and Random Numbers in SRAM (FERNS) that harvests static identity and randomness from existing volatile CMOS storage. The identity results from manufacture-time physically random device threshold mismatch, and the random numbers result from run-time physically random noise. We use experimental data from virtual tags, microcontroller memory, and the WISP UHF RFID tag to validate the principles behind FERNS. We show that a 256-byte SRAM can be used to identify circuits among a population of 160 virtual tags, and can potentially produce 128-bit random numbers capable of passing cryptographic statistical tests.
Device identification via analog signal fingerprinting: A matched filter approach
- In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2006
Cited by 16 (0 self)
As part of the Detecting Intrusions at Layer ONe (DILON) project, we show that Ethernet devices can be uniquely identified and tracked—using as few as 25 Ethernet frames—by analyzing variations in their analog signal caused by hardware and manufacturing inconsistencies. An optimal detector, the matched filter, is utilized to create signal profiles, which aid in identifying the device the signal originated from. Several non-traditional applications of the filter are presented in order to improve its ability to discriminate between signals from seemingly identical devices of the same manufacturing lot. The experimental results of applying these filters to three different models of Ethernet cards, totaling 16 devices, are presented and discussed. Important applications of this technology include intrusion detection (discovering node impersonation and network tampering), authentication (preventing unauthorized access to the physical network), forensic data collection (tying a physical device to a specific network incident), and assurance monitoring (determining whether a device will fail or is in the process of failing).
Hardware-based public-key cryptography with public physically unclonable functions
- In Information Hiding, 2009
Cited by 16 (11 self)
A physically unclonable function (PUF) is a multiple-input, multiple-output, large-entropy physical system that is unreproducible due to its structural complexity. A public physically unclonable function (PPUF) is a PUF that is created so that its simulation is feasible but requires a very large time even when ample computational resources are available. Using PPUFs, we have developed conceptually new secret key exchange and public key protocols that are resilient against physical and side channel attacks and do not employ unproven mathematical conjectures. Judicious use of PPUF hardware sharing, parallelism, and provably correct partial simulation enables a 10^16 advantage of the communicating parties over an attacker, requiring over 500 years of computation even if the attacker uses all global computation resources.
Public-key cryptography for RFID-tags
- In International Workshop on Pervasive Computing and Communication Security – PerSec 2007, 2007
Cited by 15 (1 self)
RFID-tags are a new generation of bar-codes with added functionality. They are becoming very popular tools for identification of products in various applications such as supply-chain management. An emerging application is the use of RFID-tags for anti-counterfeiting by embedding them into a product. However, there is a risk related to naively using those tags for several applications. In particular, if no appropriate cryptographic measures are taken, the privacy of a user carrying tagged items can be severely damaged. In order to enable these applications and at the same time minimize the risks, public-key cryptography (PKC) offers attractive solutions. Whether a public-key cryptosystem can be implemented on an RFID tag or not remains an open problem. In this paper, we focus on the problem of anti-counterfeiting measures that can be provided by RFID-tags. More precisely, we investigate which PKC-based identification protocols are useful for this application. We discuss the feasibility of identification protocols based on Elliptic Curve Cryptography (ECC) and show that it is feasible on RFID tags.

