

# Remote IP Protection Using Timing Channels

Ariano-Tim Donda<sup>1,2</sup>    Peter Samarin<sup>1,2</sup>    Jacek Samotyja<sup>1</sup>  
Kerstin Lemke-Rust<sup>1</sup>    Christof Paar<sup>2</sup>

<sup>1</sup>Bonn-Rhein-Sieg University of Applied Sciences, Germany

<sup>2</sup>Ruhr University Bochum, Germany

December 4, 2014



## Suspicious device

- “Trial” binary/bitstream is used in production
- *Given a system: is it my software/bitstream?*
- -> Insert a watermark into the IP
  
- Challenge: bitstream and binary are encrypted

# Motivation: Embedding Watermarks in Side Channels



(Becker et al. 2010)

- Problems:
  - special equipment necessary
  - measurements must be done in proximity to the device

# This Work: Watermarks in the Timing Channel

- 1** Definition of the timing channel
- 2** Embedding watermarks in the timing channel
- 3** Case study: FPGA implementation
- 4** Measurements: remote and near-field

# Definition: The Timing Channel

- Timing attacks on AES (Bernstein, 2005)
- Sender (using binary method)
  - Using the regular data channel:
  - Delays the output by some short time when sending a 1
  - No delay when sending a 0
- Receiver (using binary method)
  - Using the regular data channel:
  - Observes time differences between input and output:  $\Delta_t$
  - Compute  $\bar{\Delta}_t$  by observing many  $\Delta_t$ -s
  - Decode to 1 if  $\Delta_t \geq \bar{\Delta}_t$
  - Decode to 0 if  $\Delta_t < \bar{\Delta}_t$
- Assumptions
  - Known or observable input
  - Observable output

# The Timing Channel: An Example

Send binary sequence: "0110"



- Timing channel can be used as a black box to send any kind of data

- Authorship watermarks
  - Is used to identify the owner of IP
  - Always visible
  - Codeword scheme
  - Challenge response scheme
- Fingerprint watermarks (Easter egg watermarks)
  - Hidden most of the time
  - Becomes visible when the owner enters the right passphrase
  - Challenge response scheme

# Authorship Watermarks: Codeword Scheme

Verifier  $\mathcal{V}$

Codeword  $c_{CW} = (c_{n-1}, \dots, c_0)_2$   
 $i = 0; suc = 0;$

Trigger  $f$  and start timer:  $t_s$

Function  $f$

Codeword  $c_{CW} = (c_{n-1}, \dots, c_0)_2$   
 $i = 0;$

...

$l = \text{sndTC}(c, i);$   
 $i = (i + l) \bmod n;$

...

Stop timer:  $t_e$

$$\Delta_t = t_e - t_s;$$

$w' = (b', l') = \text{rcvTC}(\Delta_t);$

If  $(\text{cmp}(c, i, w') = \text{true})$   $suc = suc + 1;$   
 $i = (i + l) \bmod n;$

# Authorship Watermarks: Challenge Response Scheme



# Fingerprint Watermarks: Challenge Response Scheme



# Proof of Concept: CV Application on an FPGA



# Proof of Concept: Embedding the Codeword Scheme



- Codeword initialized a circular shift register
- Delays are introduced right before finalizing packets
- PC: packet time stamp inspection to compute  $\Delta_t$  between two consecutive timestamps

# Proof of Concept: Embedding the Challenge Response Scheme



- Challenge response scheme using Trivium with a fixed key
- Use binarized image as a seed value for Trivium
- PC: Compute Trivium stream cipher seeded by received thresholded image

# Experiments: Remote Measurement

- FPGA and PC separated by two routers and three switches in the department network of BRSU
- Compare received data with ground truth

| Timing delays ( $\mu s$ ) | Error rate |
|---------------------------|------------|
| 0                         | 0.5047     |
| 20                        | 0.3440     |
| 40                        | 0.2682     |
| 60                        | 0.2521     |
| 80                        | 0.0936     |
| 100                       | 0.0953     |
| 120                       | 0.0583     |

- Advantages
  - low cost—no extra equipment necessary
  - can be done remotely

# Experiments: Measuring in Proximity



# Experiments: Measuring in Proximity (contd.)



- Near-field experiments
  - Direct Ethernet cable measurement
  - EM measurement of Ethernet controller
  - EM measurement at the FPGA
  - Power traces
- Delays of two clock cycles are visible
- Can recover the whole watermark without noise

- Reverse engineering the binary/bitstream
  - no tools publicly available for RE of FPGA bitstreams
  - if tools are available (SW), a complete RE to remove all timing dependencies is hard work
  - better to write from scratch!
- Wrapper attack
  - timing-normalizing wrapper to equalize all  $\Delta_t$
  - countered by sending several bits at a time (the sliding window approach)
  - increasing the delay decreases the operability of the wrapper
  - EM measurements still can reveal what the code does

- Timing channel definition
- Watermarks in the timing channel
- Proof-of-concept implementation on an FPGA
- Advantages
  - remote verification
  - low-cost solution
- Future work
  - Robust  $\mu$ C implementation
  - Fingerprint watermark implementation
  - Less obvious timing channel
    - Use only every 10th I/O pair (for example)
  - Verification over the Internet