The present application claims priority to Japanese Patent Application 2018-067467 filed by the Japanese Patent Office on Mar. 30, 2018, the entire contents of which are incorporated herein by reference.
The present invention relates to detection of an attack on a circuit.
Japanese Patent Application Laid-Open No. 2001-318130 discloses a technology of detecting glitch included in an output signal of a device to be tested.
In one aspect, an attack detector includes first circuitry. The first circuitry is configured to detect occurrence of level change of power or a signal supplied to a predetermined circuit. The first circuitry is configured to store a first attack evaluation value indicating a degree of probability that an attack on the predetermined circuit has occurred. The first circuitry is configured to update the first attack evaluation value based on a detection result of the occurrence of the level change. The first circuitry is configured to perform first determination of determining whether or not the attack has occurred based on the first attack evaluation value.
In one aspect, a controller includes the above-mentioned attack detector, and a second circuitry configured to control the predetermined circuit when it is determined that the attack has occurred in the attack detector.
In one aspect, a processing device includes the above-mentioned controller, and the predetermined circuit controlled by the controller.
In one aspect, an attack detection method is an attack detection method used in an attack detector configured to detect an attack on a predetermined circuit. The attack detection method includes detecting occurrence of level change of power or a signal supplied to the predetermined circuit. The attack detection method includes updating an attack evaluation value indicating a degree of probability that the attack has occurred based on a detection result of the occurrence of the level change. The attack detection method includes determining whether or not the attack has occurred based on the updated attack evaluation value.
As shown in
The controller 3, the processing circuit 2, and the power supply circuit 4 may be formed of one die, or may be formed of a plurality of dies. The die is also referred to as a wafer chip. Further, the controller 3, the processing circuit 2, and the power supply circuit 4 may be housed in one package made of resin or the like, or may be housed in separate packages. Further, two of the controller 3, the processing circuit 2, and the power supply circuit 4 may be housed in one package.
Various examples of the processing device 1 are described below.
<Configuration Example of Processing Circuit>
The controller 20 can integrally manage operation of the processing circuit 2 by controlling other components of the processing circuit 2. It can also be said that the controller 20 is a control circuit. The controller 20 includes, for example, a central processing unit (CPU). Various functions of the controller 20 are implemented by the CPU included in the controller 20 executing the control program in the storage 21.
The communication unit 22 is connected to a communication network including at least one of a wireless network and a wired network. The communication unit 22 can communicate with another device via the communication network. The communication network includes, for example, a network for a mobile phone system including a base station or the like, a wireless local area network (LAN), the Internet, or the like. It can also be said that the communication unit 22 is a communication circuit.
The processing circuit 2 including the configuration as described above can operate based on a clock signal supplied from the controller 3. As described later, the controller 3 can stop the operation of the processing circuit 2 by not supplying a clock signal to the processing circuit 2.
Further, in the processing circuit 2, the controller 20 can perform encryption processing of encrypting data. The data encrypted by the controller 20 is, for example, stored in the storage 21, or transmitted from the communication unit 22 to another device. Further, the controller 20 can perform decryption processing of decrypting the encrypted data. The data decrypted by the controller 20 is, for example, stored in the storage 21. Further, the controller 20 can execute authentication processing of authenticating a user of the processing device 1.
Note that the processing executed by the processing circuit 2 is not limited to the above examples. Further, the configuration of the processing circuit 2 is not limited to the example of
Further, the storage 21 may include a computer-readable non-transitory recording medium other than the ROM and the RAM. The storage 21 may include, for example, a small-sized hard disk drive, a solid state drive (SSD), or the like.
<Configuration Example of Controller>
Here, with the aim of acquiring confidential information from a circuit or the like, an attack may be carried out on the circuit by intentionally changing a level of power or a signal supplied to the circuit. For example, an attack on a circuit to be attacked may be carried out by intentionally causing glitch in a level of power or a signal supplied to the circuit to be attacked. The glitch is spike-like short-duration transient decrease or increase in a level. Such an attack is referred to as a glitch attack, and is one type of fault injection attacks. The fault injection attack may be referred to as a fault attack or fault injection analysis. The term “fault injection attack” by itself hereinafter refers to an attack of intentionally changing a level of power or a signal supplied to a circuit to be attacked.
In the fault injection attack, processing of intentionally decreasing or increasing a level of power or a signal supplied to a circuit to be attacked to thereby cause an error in the operation of the circuit to be attacked and acquire an operation state of the circuit to be attacked at the time may be repeatedly executed. Then, in the fault injection attack, confidential information of the circuit to be attacked may be estimated based on the state of the erroneous operation of the circuit to be attacked that is collected by the repeated execution of the processing.
For example, a case where a key used in encryption processing of a circuit to be attacked that performs the encryption processing is estimated in the fault injection attack is considered. In this case, processing of intentionally decreasing or increasing a level of power or a signal supplied to the circuit to be attacked to thereby cause an error in the encryption processing and acquire a result of the encryption processing at the time is repeatedly executed. Then, the erroneous result of the encryption processing that is collected by the repeated execution of the processing and a correct result of the encryption processing are compared with each other, and the key used in the encryption processing is estimated based on a comparison result of the comparison.
In this manner, in the fault injection attack, change in a level of power or a signal supplied to a circuit to be attacked from an original value may repeatedly occur.
In view of this, the controller 3 according to this example detects occurrence of level change in the power 100 or a signal supplied to the processing circuit 2, and determines whether or not an attack on the processing circuit 2 has occurred based on the detection result. With this, the fault injection attack on the processing circuit 2 can be properly detected. Then, when the controller 3 determines that an attack on the processing circuit 2 has occurred, the controller 3 can enhance safety of the processing circuit 2 by controlling the processing circuit 2.
Here, target level change of the controller 3 refers to change from an original value. Therefore, level change detected by the controller 3 concerning a signal that originally changes its levels as in a clock signal that repeats High levels and Low levels does not include such original level change. For example, when the controller 3 detects occurrence of level change of a clock signal, the controller 3 detects occurrence of change from an original value at timing when a High level of the clock signal is expected, or occurrence of change from the original value at timing when a Low level is expected.
The controller 3 is described in detail below. The power 100 or the signal supplied to the processing circuit 2 may be hereinafter referred to as a “monitor target.” Further, a level of the monitor target may be referred to as a monitor target level 110. Further, the term “level change” or “level decrease” by itself refers to change(s) or decrease(s) in the monitor target level 110. Further, the term “glitch” by itself refers to glitch that occurs in the monitor target level 110.
In this example, the controller 3 is formed by a hardware circuit in which software is not required to implement functions of the hardware circuit. Therefore, in this example, the controller 3 does not include a processor such as a CPU, and a program executed by the processor. Note that all of the functions of the controller 3 or a part of the functions of the controller 3 may be implemented by using software. In other words, all of the functions of the controller 3 or a part of the functions of the controller 3 may be implemented by the processor such as a CPU executing the program.
The clock generator 32 generates a clock signal CLK that serves as a reference of the operation of the processing device 1. It can also be said that the clock generator 32 is a clock generator circuit. The clock signal CLK is supplied to an internal circuit including the attack detector 30 etc. The internal circuit is included in the controller 3. Further, the clock signal CLK is also supplied to the processing circuit 2. The controller 3 and the processing circuit 2 are circuits that operate based on the clock signal CLK. The clock generator 32 may include a crystal oscillator, or may include an oscillator that does not use crystals. Examples of the oscillator that does not use crystals include an oscillator using micro electro mechanical systems (MEMS).
The reset signal generator 33 generates a reset signal RS, and outputs the generated reset signal RS. It can also be said that the reset signal generator 33 is a reset signal generator circuit. The reset signal RS is input to an internal circuit including the attack detector 30 etc., and is also input to the processing circuit 2. The internal circuit is included in the controller 3.
When a reset switch included in the processing device 1 is operated, the reset signal generator 33 asserts the reset signal RS for a certain period of time. With this, when the reset switch is operated, the processing device 1 is restarted, and operation of each of the controller 3 and the processing circuit 2 is initialized. Further, when a state of the power supply circuit 4 is switched from a state of not outputting the power 100 to a state of outputting the power 100, the reset signal generator 33 asserts the reset signal RS for a certain period of time. With this, when a state of the power supply circuit 4 is switched from a state of not outputting the power 100 to a state of outputting the power 100, the processing device 1 is restarted, and operation of each of the controller 3 and the processing circuit 2 is initialized.
The attack detector 30 detects occurrence of change in the monitor target level 110, and determines whether or not an attack on the processing circuit 2 has occurred based on the detection result. In this example, the attack detector 30 detects occurrence of glitch in the monitor target level 110, and determines whether or not an attack on the processing circuit 2 has occurred based on the detection result. It can be said that the attack detector 30 is an attack detector circuit. The monitor target level 110 is, for example, a level of the power 100 or a level of the clock signal CLK.
The attack detector 30 includes, for example, a detector 300, a storage 310, an updater 320, and a determination unit 330. It can be said that the detector 300, the storage 310, the updater 320, and the determination unit 330 are a detector circuit, a storage circuit, an updater circuit, and a determination circuit, respectively.
The detector 300 can detect occurrence of glitch in the monitor target level 110. The storage 310 stores an attack evaluation value that indicates a degree of probability that an attack on the processing circuit 2 has occurred.
The updater 320 updates the attack evaluation value in the storage 310 based on the detection result of the detector 300. Specifically, the updater 320 determines that level change (decrease or increase in the monitor target level 110) has occurred based on the detection result of the detector 300. Then, the updater 320 updates the attack evaluation value in the storage 310 in accordance with the occurrence of level change. In this example, the updater 320 updates the attack evaluation value in the storage 310 in accordance with the occurrence of glitch in the monitor target level 110. More specifically, the updater 320 increases the attack evaluation value in the storage 310 in accordance with the occurrence of glitch. With this, as the number of times of occurrence of glitch is increased, the attack evaluation value is increased accordingly. Specifically, it can be said that as the number of times of occurrence of glitch is increased, there is high probability that an attack on the processing circuit 2 has occurred. The determination unit 330 determines whether or not an attack on the processing circuit 2 has occurred based on the attack evaluation value in the storage 310. To increase the attack evaluation value may be hereinafter referred to as to count up the attack evaluation value.
For example, the controller 31 can control the processing circuit 2 by controlling supply of the clock signal CLK to the processing circuit 2. In this example, the controller 31 can activate the processing circuit 2 by supplying the clock signal CLK to the processing circuit 2. Further, the controller 31 can stop the operation of the processing circuit 2 by stopping the supply of the clock signal CLK to the processing circuit 2. When the determination unit 330 determines that an attack on the processing circuit 2 has occurred, the controller 31 stops the supply of the clock signal CLK to the processing circuit 2 to stop the operation of the processing circuit 2. With this, when the fault injection attack on the processing circuit 2 occurs, the operation of the processing circuit 2 can be stopped. Consequently, the probability that the confidential information of the processing circuit 2 is acquired can be reduced. As a result, safety of the processing circuit 2 is enhanced.
When the supply of the clock signal CLK to the processing circuit 2 is stopped to stop the operation of the processing circuit 2, for example, a user can make the processing device 1 restore the operation of the processing circuit 2 by operating the reset switch. When the reset switch is operated, the reset signal generator 33 asserts the reset signal RS for a certain period of time. With this, the operation of the processing device 1 is initialized. When the operation of the processing device 1 is initialized, the controller 31 starts supplying the clock signal CLK to the processing circuit 2. With this, the stopped processing circuit 2 resumes the operation.
Note that, as described above, when a state of the power supply circuit 4 is switched from a state of not outputting the power 100 to a state of outputting the power 100, the reset signal generator 33 asserts the reset signal RS for a certain period of time. Therefore, if the processing device 1 is provided with a power supply switch that can control the output of the power 100 of the power supply circuit 4, the user can make the processing device 1 resume the operation of the processing circuit 2 by operating the power supply switch.
A method in which the controller 31 stops the operation of the processing circuit 2 is not limited to the above example. For example, when the determination unit 330 determines that an attack on the processing circuit 2 has occurred, the controller 31 may assert a reset signal for the processing circuit 2 to stop the operation of the processing circuit 2. In this case, for example, when the reset signal RS is asserted, the controller 31 asserts the reset signal for the processing circuit 2 that is input to the processing circuit 2. Further, the clock signal CLK generated by the clock generator 32 is directly input to the processing circuit 2. Then, when the operation of the processing device 1 is initialized, the controller 31 negates the reset signal for the processing circuit 2. With this, the user can make the processing device 1 resume the operation of the processing circuit 2 by operating the reset switch or the like.
<Detailed Description on Attack Detector>
Next, one example of the operation of the attack detector 30 according to this example is described in detail.
As shown in
In this manner, in this example, the updater 320 increases the attack evaluation value every time level change, such as level decrease, occurs. Therefore, as the number of times of occurrence of level change is increased, the attack evaluation value is increased accordingly. As described above, in the fault injection attack, glitch may repeatedly occur in a level of power or a signal supplied to a circuit to be attacked. Therefore, when the number of times of occurrence of glitch is large, it can be said that there is high probability that an attack on the processing circuit 2 has occurred. Thus, it can be said that as the attack evaluation value that depends on the number of times of occurrence of glitch is increased, there is high probability that an attack on the processing circuit 2 has occurred. In this example, the attack evaluation value is increased only by +1 every time glitch occurs. Further, an initial value of the attack evaluation value is set to zero, for example. Therefore, the attack evaluation value indicates the number of times of occurrence of glitch. It can be said that the attack evaluation value indicates the number of times of occurrence of level change.
The determination unit 330 performs attack determination processing of determining whether or not an attack on the processing circuit 2 has occurred based on the attack evaluation value in the storage 310 at predetermined timing. In the attack determination processing, the determination unit 330 compares the attack evaluation value in the storage 310 and a threshold value, and determines whether or not an attack on the processing circuit 2 has occurred based on a comparison result of the comparison. Specifically, when the attack evaluation value is greater than the threshold value, the determination unit 330 determines that an attack on the processing circuit 2 has occurred. On the other hand, when the attack evaluation value is equal to or less than the threshold value, the determination unit 330 determines that an attack on the processing circuit 2 has not occurred. Note that the determination unit 330 may determine that an attack on the processing circuit 2 has occurred when the attack evaluation value is equal to or greater than the threshold value, and may determine that an attack on the processing circuit 2 has not occurred when the attack evaluation value is less than the threshold value. Processing of executing certain processing when a certain value is greater than a threshold value, and executing different processing when the certain value is equal to or less than the threshold value may be hereinafter replaced by processing of executing the certain processing when the certain value is equal to or greater than the threshold value, and executing the different processing when the certain value is less than the threshold value. Similarly, processing of executing certain processing when a certain value is equal to or greater than a threshold value, and executing different processing when the certain value is less than the threshold value may be hereinafter replaced by processing of executing the certain processing when the certain value is greater than the threshold value, and executing the different processing when the certain value is equal to or less than the threshold value.
As the timing when the determination unit 330 executes the attack determination processing, various timings are conceivable. For example, the determination unit 330 may execute the attack determination processing every Nth time (N>1) the updater 320 updates the attack evaluation value in the storage 310. Alternatively, the determination unit 330 may execute the attack determination processing every certain period of time.
The threshold value used in the attack determination processing is, for example, determined depending on types of the storage 310 that stores the attack evaluation value. As the types of the storage 310, for example, there are a first type in which stored information is cleared in response to power disconnection and reset of the attack detector 30, and a second type in which stored information is not cleared in response to power disconnection and reset of the attack detector 30. If the storage 310 is of the first type, the storage 310 may be hereinafter referred to as a “first-type storage 310.” Further, if the storage 310 is of the second type, the storage 310 may be hereinafter referred to as a “second-type storage 310.”
The first-type storage 310 is, for example, formed of volatile memory. As the volatile memory, for example, RAM or a register is adopted. When the supply of the power 100 to the controller 3 is stopped to cause power disconnection of the attack detector 30, supply of the power to the first-type storage 310 stops. As a result, information in the storage 310 formed of the volatile memory is cleared. Further, when the reset signal generator 33 asserts the reset signal RS by operation on the reset switch or the like while the power 100 is supplied to the controller 3, the information in the first-type storage 310 formed of the volatile memory is cleared. Specifically, when the attack detector 30 is reset while the power 100 is supplied to the controller 3, the information in the first-type storage 310 is cleared. Therefore, the information in the first-type storage 310 is cleared when the attack detector 30 is restarted. In other words, the information in the first-type storage 310 is cleared when the processing device 1 is restarted.
As can be understood from the description above, the attack evaluation value in the first-type storage 310 is not cleared during activation of the attack detector 30, but is cleared when power disconnection or reset of the attack detector 30 occurs. In other words, the attack evaluation value in the first-type storage 310 is not cleared during activation of the processing device 1, but is cleared when power disconnection or reset of the processing device 1 occurs. Therefore, it can be said that the attack evaluation value in the first-type storage 310 is a value that indicates a degree of probability that an attack has occurred during one-time activation of the processing device 1.
When the first-type storage 310 stores the attack evaluation value, the threshold value used in the attack determination processing is, for example, determined based on a predicted maximum number of times of occurrence of level change (such as glitch) due to noise or the like when an attack on the processing circuit 2 does not occur during one-time activation of the processing device 1. The predicted maximum number of times of occurrence may be hereinafter referred to as a “predicted maximum number of times of occurrence of level change during one-time activation.” The threshold value is, for example, set to a value slightly greater than the predicted maximum number of times of occurrence of level change during one-time activation.
The predicted maximum number of times of occurrence of level change during one-time activation varies depending on a period of time of one-time activation of the processing device 1, an environment in which the processing device 1 is used, or the like. If the processing device 1 is a device that has a relatively short period of time of one-time activation, such as a projector, a car navigation device, and a drone device, the predicted maximum number of times of occurrence of level change during one-time activation is relatively small. On the other hand, if the processing device 1 is a device used in an environment in which the device is subjected to noise from the surroundings, the predicted maximum number of times of occurrence of level change during one-time activation is relatively large. The predicted maximum number of times of occurrence of level change during one-time activation may be determined based on an experiment using an actual device or a simulation. The threshold value compared with the attack evaluation value in the first-type storage may be hereinafter referred to as a “first-type threshold value.”
The second-type storage 310 is, for example, formed of non-volatile memory. As the non-volatile memory, for example, flash memory (flash ROM) or one time programmable read only memory (OTPROM) is adopted. As the flash memory, for example, NAND flash memory, serial peripheral interface (SPI) flash memory, or embedded flash memory may be adopted. The information in the second-type storage 310 formed of the non-volatile memory is not cleared even when the supply of the power 100 to the controller 3 is stopped to cause power disconnection of the attack detector 30. Further, even when the reset signal generator 33 asserts the reset signal RS while the power 100 is supplied to the controller 3, the information in the second-type storage 310 is not cleared.
In this manner, the information in the second-type storage 310 is not cleared during activation of the attack detector 30, and is also not cleared even when the attack detector 30 is restarted.
When the second-type storage 310 stores the attack evaluation value, the threshold value used in the attack determination processing is, for example, determined based on a predicted maximum number of times of occurrence of level change due to noise or the like when an attack on the processing circuit 2 does not occur in a product life of the processing device 1. The predicted maximum number of times of occurrence may be hereinafter referred to as a “predicted maximum number of times of occurrence of level change in a product life.” The threshold value is, for example, set to a value slightly greater than the predicted maximum number of times of occurrence of level change in a product life.
The predicted maximum number of times of occurrence of level change in a product life varies depending on a product life of the processing device 1, an environment in which the processing device 1 is used, or the like. For example, as the product life of the processing device 1 is longer, the predicted maximum number of times of occurrence of level change in a product life is increased accordingly. Further, if the processing device 1 is a device used in an environment in which the device is not liable to be subjected to noise from the surroundings, the predicted maximum number of times of occurrence of level change in a product life is relatively small. The predicted maximum number of times of occurrence of level change in a product life may be determined based on an experiment using an actual device or a simulation. The threshold value compared with the attack evaluation value in the second-type storage may be hereinafter referred to as a “second-type threshold value.”
Note that, when the second-type storage 310 is used, the attack evaluation value in the second-type storage 310 is not cleared even when the processing device 1 is reset. Therefore, even when the attack evaluation value in the second-type storage 310 exceeds the second-type threshold value to cause the controller 31 to stop the operation of the processing circuit 2 and subsequently the processing device 1 is reset to resume the operation of the processing circuit 2, the operation of the processing circuit 2 is immediately stopped. In light of this, the information in the second-type storage 310 may be able to be cleared by inputting a command to the processing device 1 from the outside of the processing device 1.
Further, when the second-type storage 310 is used, the determination unit 330 may execute the attack determination processing every time the attack detector 30 is restarted, i.e., every time the processing device 1 is restarted.
Further, in the fault injection attack on the processing circuit 2, not the spike-like transient level change as glitch, but trapezoidal transient level change that causes longer change in the monitor target level 110 than the glitch may repeatedly occur. The detector 300 may detect such trapezoidal transient level change instead of the glitch. Further, the detector 300 may detect both of the glitch and the trapezoidal transient level change.
As described above, in this example, whether or not an attack on the processing circuit 2 has occurred is determined based on the attack evaluation value updated based on the detection result of the detector 300 that detects occurrence of level change. Therefore, an attack on the processing circuit 2 can be properly detected.
Further, as in this example, when the determination unit 330 determines that an attack on the processing circuit 2 has occurred, safety of the processing circuit 2 can be enhanced by the controller 31 controlling the processing circuit 2.
Further, when the first-type storage 310 is adopted, the attack evaluation value in the storage 310 indicates a degree of probability that an attack occurs during one-time activation of the processing device 1. Therefore, the attack detector 30 can properly detect an attack occurring during one-time activation.
As the attack on the processing circuit 2, a fault injection attack of repeatedly executing processing of restarting the processing device 1 and subsequently causing level change (such as glitch) is also conceivable, other than the fault injection attack of repeatedly causing level change during one-time activation of the processing device 1. The attack detector 30 including the first-type storage 310 may be unable to detect such an attack of repeatedly causing restart.
In contrast, if the storage 310 is of the second type, the attack evaluation value in the storage 310 is not cleared even when the attack detector 30 is restarted. Therefore, the attack detector 30 including the second-type storage 310 can properly detect the attack of repeatedly causing restart.
Further, if the second-type storage 310 is formed of the OTPROM, the attack evaluation value in the second-type storage 310 is hardly manipulated. Consequently, safety of the attack detector 30 is enhanced. Note that, if the second-type storage 310 is formed of the OTPROM, data cannot be written a plurality of times to a storage area of the second-type storage 310 having the same address. Therefore, when the updater 320 writes an updated attack evaluation value to the second-type storage 310, the updater 320 writes the updated attack evaluation value to a storage area different from a storage area that has stored the attack evaluation value.
Note that, when restart of the attack detector 30 occurs repeatedly, there is high probability that the above-mentioned attack of repeatedly causing restart is being carried out on the processing circuit 2.
In view of this, if the storage 310 is of the second type, the determination unit 330 may decrease the second-type threshold value only by a predetermined amount (e.g., “1”) every time the attack detector 30 is restarted. In other words, the determination unit 330 may decrease the second-type threshold value only by a predetermined amount every time the attack detector 30 is reset. With this, the determination unit 330 can detect the attack of repeatedly causing restart early.
Each of the first-type storage 311 and the second-type storage 312 stores an attack evaluation value. The attack evaluation value stored in the first-type storage 311 may be hereinafter referred to as a “first attack evaluation value.” Further, the attack evaluation value stored in the second-type storage 312 may be hereinafter referred to as a “second attack evaluation value.” An initial value of each of the first and second attack evaluation values is set to zero, for example.
In this example, the updater 320 updates the first attack evaluation value in the first-type storage 311 based on the detection result of the detector 300. Further, the updater 320 updates the second attack evaluation value in the second-type storage 312 based on the detection result of the detector 300. For example, the updater 320 updates the first attack evaluation value in the first-type storage 311 based on the detection result of the detector 300 every time level change occurs as in
Here, as described above, the first-type storage is a storage in which stored information is cleared in response to power disconnection and reset of the attack detector 30. Therefore, the first attack evaluation value in the first-type storage 311 returns to the initial value in response to power disconnection and reset of the attack detector 30. In contrast, the second-type storage is a storage in which stored information is not cleared in response to power disconnection and reset of the attack detector 30. Therefore, the second attack evaluation value in the second-type storage 312 basically does not return to the initial value in a product life of the processing device 1. Thus, the first and second attack evaluation values eventually differ even if the first and second attack evaluation values have the same initial values. The first attack evaluation value is a value that indicates a degree of probability that an attack has occurred during one-time activation. The second attack evaluation value is not cleared even when the processing device 1 is restarted.
In this example, the determination unit 330 determines whether or not an attack on the processing circuit 2 has occurred based on the first attack evaluation value in the first-type storage 311 and the second attack evaluation value in the second-type storage 312. For example, when the first attack evaluation value is equal to or greater than the first-type threshold value, the determination unit 330 determines that an attack on the processing circuit 2 has occurred. Further, when the second attack evaluation value is equal to or greater than the second-type threshold value, the determination unit 330 determines that an attack on the processing circuit 2 has occurred. Further, when the first attack evaluation value is less than the first-type threshold value, and the second attack evaluation value is less than the second-type threshold value, the determination unit 330 determines that an attack on the processing circuit 2 has not occurred. Note that the determination unit 330 may determine that an attack on the processing circuit 2 has occurred when the first attack evaluation value is greater than the first-type threshold value. Further, the determination unit 330 may determine that an attack on the processing circuit 2 has occurred when the second attack evaluation value is greater than the second-type threshold value.
In this manner, whether or not an attack on the processing circuit 2 has occurred is determined based on the first attack evaluation value that indicates a degree of probability that an attack has occurred during one-time activation and the second attack evaluation value that is not reset even when the processing device 1 is restarted. Consequently, both of the fault injection attack of repeatedly causing level change during one-time activation of the processing device 1 and the fault injection attack of repeatedly executing restart of the processing device 1 can be detected properly.
Note that, similarly to the above-mentioned first example, the determination unit 330 may decrease the second-type threshold value that is compared with the second attack evaluation value in the second-type storage 312 every time the attack detector 30 is restarted.
The controller 3 included in the processing device 1 according to this example includes a configuration similar to the configuration of the controller 3 shown in
The determination unit 330 according to this example determines a degree of a risk of an attack on the processing circuit 2 based on a comparison result between the attack evaluation value in the storage 310 and each of a plurality of threshold values that are different from each other. The controller 31 according to this example changes control over the processing circuit 2 depending on the degree of the risk of the attack determined by the determination unit 330.
If the storage 310 is of the first type, the determination unit 330 determines a degree of a risk of an attack on the processing circuit 2 based on a comparison result between the attack evaluation value in the storage 310 and each of a plurality of first-type threshold values that are different from each other. If the storage 310 is of the second type, the determination unit 330 determines a degree of a risk of an attack on the processing circuit 2 based on a comparison result between the attack evaluation value in the storage 310 and each of a plurality of second-type threshold values that are different from each other. Specific examples of the operation of the determination unit 330 and the controller 31 are described below.
For example, a case where the storage 310 is of the first type, and the determination unit 330 determines a degree of a risk of an attack on the processing circuit 2 based on a comparison result between the attack evaluation value and each of first-type first and second threshold values is considered. Note that the first-type second threshold value is greater than the first-type first threshold value. When the attack evaluation value is equal to or greater than the first-type first threshold value and is less than the first-type second threshold value, the determination unit 330 determines that the degree of the risk of the attack on the processing circuit 2 is low. On the other hand, when the attack evaluation value is equal to or greater than the first-type second threshold value, the determination unit 330 determines that the degree of the risk of the attack on the processing circuit 2 is high.
When the determination unit 330 determines that the degree of the risk of the attack is high, the controller 31 stops the operation of the processing circuit 2 as described above. On the other hand, when the determination unit 330 determines that the degree of the risk of the attack is low, the controller 31 outputs to the processing circuit 2 a notification signal for giving notice that the degree of the risk of the attack on the processing circuit 2 is low. It can also be said that the notification signal is a control signal for controlling the processing circuit 2. When the processing circuit 2 receives the notification signal from the controller 31, the processing circuit 2 executes attack countermeasure processing having a level of countermeasures against the attack lower than stopping the operation of the processing circuit 2. As the attack countermeasure processing, for example, the processing circuit 2 performs processing for protecting processing having high probability of being attacked from the attack in the processing performed by the processing circuit 2. As the processing having high probability of being attacked, for example, encryption processing, conditional branch processing, and processing of writing to the storage 21 are conceivable. It can be said that the processing of writing to the storage 21 is processing of writing to a storage area. The term “writing processing” by itself hereinafter simply refers to processing of writing to the storage 21.
As the attack on the encryption processing, for example, there is an attack of estimating a key used in the encryption processing. As the attack on the conditional branch processing, for example, there is an attack of executing a certain process at the branch destination in all cases. For example, conditional branch processing in authentication processing of comparing an input password and an authorized password stored in advance, and determining that the authentication has succeeded when both the passwords match, and determining that the authentication has failed when both the passwords do not match is considered. The conditional branch processing may be hereinafter referred to as “conditional branch processing for authentication.” As the attack on the conditional branch processing for authentication, for example, an attack of determining that the authentication has succeeded in all cases irrespective of whether or not the input password and the authorized password stored in advance match is conceivable. As the attack on the writing processing, there is an attack of writing erroneous data to the storage 21. When the processing circuit 2 receives the notification signal, for example, the processing circuit 2 performs processing of changing the key of the encryption processing as the processing for protecting the processing having high probability of being attacked from the attack. Alternatively, the processing circuit 2 performs processing of changing execution timing of the encryption processing. Alternatively, the processing circuit 2 performs processing of changing execution timing of the conditional branch processing. Alternatively, the processing circuit 2 performs processing of writing the same data a plurality of times to a storage area of the storage 310 having the same address. With this, safety of the processing circuit 2 is enhanced. Note that the processing performed by the processing circuit 2 that has received the notification signal from the controller 31 is not limited to the above. For example, the processing circuit 2 may perform a plurality of types of attack countermeasure processing.
As another example, for example, a case where the storage 310 is of the second type, and the determination unit 330 determines a degree of a risk of an attack on the processing circuit 2 based on a comparison result between the attack evaluation value and each of second-type first to third threshold values is considered. Note that the second-type third threshold value is greater than the second-type second threshold value, and the second-type second threshold value is greater than the second-type first threshold value. When the attack evaluation value is equal to or greater than the second-type first threshold value and is less than the second-type second threshold value, the determination unit 330 determines that the degree of the risk of the attack on the processing circuit 2 is low. Further, when the attack evaluation value is equal to or greater than the second-type second threshold value and is less than the second-type third threshold value, the determination unit 330 determines that the degree of the risk of the attack on the processing circuit 2 is medium. Then, when the attack evaluation value is equal to or greater than the second-type third threshold value, the determination unit 330 determines that the degree of the risk of the attack on the processing circuit 2 is high.
When the determination unit 330 determines that the degree of the risk of the attack is high, the controller 31 stops the operation of the processing circuit 2 as described above. Further, when the determination unit 330 determines that the degree of the risk of the attack is medium, the controller 31 outputs to the processing circuit 2 a first notification signal for giving notice that the degree of the risk of the attack on the processing circuit 2 is medium. Then, when the determination unit 330 determines that the degree of the risk of the attack is low, the controller 31 outputs to the processing circuit 2 a second notification signal for giving notice that the degree of the risk of the attack on the processing circuit 2 is low. It can also be said that each of the first and second notification signals are a control signal for controlling the processing circuit 2.
When the processing circuit 2 receives the first notification signal from the controller 31, the processing circuit 2 executes first attack countermeasure processing having a level of countermeasures against the attack lower than stopping the operation of the processing circuit 2. Further, when the processing circuit 2 receives the second notification signal from the controller 31, the processing circuit 2 executes second attack countermeasure processing having a level of countermeasures against the attack lower than the first attack countermeasure processing. As the first attack countermeasure processing, for example, changing the key used in the encryption processing is conceivable. As the second attack countermeasure processing, for example, changing the execution timing of the encryption processing is conceivable. Combination of the first attack countermeasure processing and the second attack countermeasure processing is not limited to the above.
Note that the determination unit 330 may determine the degree of the risk of the attack on the processing circuit 2 also in the above-mentioned second example. For example, the determination unit 330 may determine the degree of the risk of the attack on the processing circuit 2 based on a comparison result between the first attack evaluation value in the first-type storage 311 and each of the plurality of first-type threshold values that are different from each other. Further, the determination unit 330 may determine the degree of the risk of the attack on the processing circuit 2 based on a comparison result between the second attack evaluation value in the second-type storage 312 and each of the plurality of second-type threshold values that are different from each other. Similarly to the above, the controller 31 changes control over the processing circuit 2 depending on the degree of the risk determined by the determination unit 330.
As described above, in this example, a degree of a risk of an attack on the processing circuit 2 is determined. Therefore, countermeasures against the attack using the determination result can be implemented. For example, as described above, the controller 31 can change control over the processing circuit 2 depending on the degree of the risk determined by the determination unit 330. With this, proper control depending on the degree of the risk of the attack can be performed over the processing circuit 2.
Note that, similarly to the above-mentioned first example, if the storage 310 is of the second type, the determination unit 330 may decrease the plurality of second-type threshold values every time the attack detector 30 is restarted.
In the above example, the attack evaluation value in the storage 310 is unconditionally updated when level change occurs. Therefore, when many level changes due to noise unexpectedly occur, the attack detector 30 may erroneously determine that an attack on the processing circuit 2 has occurred.
In view of this, the processing device 1 according to this example updates the attack evaluation value in the storage 310 in accordance with occurrence of level change in a period of time in which predetermined processing is executed in the processing circuit 2. As the predetermined processing, for example, processing having high probability of being attacked in the processing executed by the processing circuit 2 is adopted. With this, even when many level changes due to noise unexpectedly occur, the probability that it is erroneously determined that an attack on the processing circuit 2 has occurred can be reduced. The processing device 1 according to this example is described in detail below.
As the target processing, processing having high probability of being attacked in the processing executed by the processing circuit 2 is adopted. As the target processing, for example, encryption processing, conditional branch processing, or writing processing is adopted. The target processing may be repeatedly executed or may be executed only once during one-time activation of the processing device 1. Further, the target processing may be repeatedly executed when the target processing is executed every time the processing device 1 is activated.
The processing circuit 2 outputs period notification information 200 for giving notice of the execution period to the updater 320. The period notification information includes, for example, start notification information for giving notice of the start of the execution period, and end notification information for giving notice of the end of the execution period. It can also be said that the start notification information indicates start timing of the target processing. Further, it can also be said that the end notification information indicates end timing of the target processing. The processing circuit 2 outputs the start notification information to the updater 320 when the processing circuit 2 starts execution of the target processing. Then, the processing circuit 2 outputs the end notification information to the updater 320 when the processing circuit 2 ends the execution of the target processing.
In this manner, the updater 320 updates the attack evaluation value in the storage 310 as described above every time level change occurs in a period of time from when the updater 320 receives the start notification information from the processing circuit 2 until the updater 320 receives the end notification information. Specifically, the updater 320 updates the attack evaluation value in the storage 310 every time level change occurs in the execution period. On the other hand, the updater 320 does not update the attack evaluation value in the storage 310 even when level change occurs in a period of time other than the execution period.
Note that, although only one type of target processing is adopted in the above example, a plurality of types of target processing may be adopted. In this case, concerning each of the plurality of types of target processing, the updater 320 updates the attack evaluation value in the storage 310 in accordance with occurrence of level change in the execution period of the target processing. For example, a case where each of encryption processing, conditional branch processing, and writing processing is adopted as the target processing is considered. In this case, the processing circuit 2 notifies the updater 320 of an execution period of the encryption processing, an execution period of the conditional branch processing, and an execution period of the writing processing. The updater 320 updates the attack evaluation value in the storage 310 in accordance with occurrence of level change in the execution period of the encryption processing. Further, the updater 320 updates the attack evaluation value in the storage 310 in accordance with occurrence of level change in the execution period of the conditional branch processing. Then, the updater 320 updates the attack evaluation value in the storage 310 in accordance with occurrence of level change in the execution period of the writing processing.
Further, although the attack detector 30 is notified of the execution period from the processing circuit 2 in the above example, the attack detector 30 may estimate the execution period by itself. With this, notification of the execution period from the processing circuit 2 is unnecessary.
The attack detector 30 shown in
Here, the power consumption waveform of the processing circuit 2 when the processing circuit 2 executes target processing exhibits a specific waveform depending on the executed target processing. The estimator 360 stores a power consumption waveform of the processing circuit 2 when the processing circuit 2 executes target processing in advance as a reference waveform. Then, the estimator 360 compares acquired power consumption waveform and the reference waveform, and estimates the execution period based on a comparison result of the comparison. Specifically, the estimator 360 estimates start timing and end timing of the execution period based on the comparison result. The estimator 360 outputs the start notification information to the updater 320 at the start timing of the execution period. Further, the estimator 360 outputs the end notification information to the updater 320 at the end timing of the execution period. As shown in
As described above, in this example, the updater 320 updates the attack evaluation value in the storage 310 in accordance with occurrence of level change in the execution period. Thus, even when many level changes due to noise unexpectedly occur, probability that it is erroneously determined that an attack on the processing circuit 2 has occurred can be reduced.
Note that, in the above-mentioned second example, the updater 320 may update the first attack evaluation value in the first-type storage 311 in accordance with occurrence of level change in the execution period. Further, the updater 320 may update the second attack evaluation value in the second-type storage 312 in accordance with occurrence of level change in the execution period.
Further, similarly to the above-mentioned first example, if the storage 310 is of the second type, the determination unit 330 may decrease the second-type threshold value every time the attack detector 30 is restarted.
In the above-mentioned fourth example, when an attack is carried out on the processing circuit 2, the attacker may make the processing circuit 2 repeatedly execute target processing. Then, the attacker may cause level change only once aiming at certain specific timing in the target processing every time the target processing is executed to cause an error in the operation of the processing circuit 2.
For example, a case where the processing circuit 2 performs target processing every time the processing device 1 is activated is considered. In this case, for example, the attacker repeatedly operates the reset switch to repeatedly restart the processing device 1, and makes the processing circuit 2 repeatedly execute the target processing. Then, the attacker causes level change (decrease or increase in the monitor target level 110) only once at certain timing in the target processing every time the target processing is executed. For example, when the target processing is encryption processing in accordance with Advanced Encryption Standard (AES) with a key length of 128 bits, the attacker repeatedly operates the reset switch to make the processing circuit 2 repeatedly execute the encryption processing. Then, the attacker causes level change only once at timing when the tenth round of the encryption processing is executed every time the target encryption processing is executed, and acquires an operation state of the processing circuit 2 performing erroneous operation.
Further, a case where an execution command for commanding execution of target processing can be input from the outside of the processing device 1 to the processing circuit 2 is considered. In this case, the attacker repeatedly inputs an execution command to the activated processing circuit 2 to make the processing circuit 2 repeatedly execute the target processing. Then, the attacker causes level change only once at certain timing in the target processing every time the target processing is executed. For example, when the target processing is the above-mentioned conditional branch processing for authentication, the attacker repeatedly inputs an execution command to the processing circuit 2 to make the processing circuit 2 repeatedly execute the conditional branch processing for authentication. Then, the attacker causes level change only once at specific timing in the conditional branch processing for authentication every time the conditional branch processing for authentication is executed, and acquires an operation state of the processing circuit 2 performing erroneous operation. As the specific timing, timing when processing of determining whether or not an input password and an authorized password stored in advance match is executed is conceivable.
In this manner, the attacker may make the processing circuit 2 repeatedly execute target processing to carry out an attack of causing level change only once during the execution of the target processing every time the target processing is executed. In other words, the attacker may repeatedly cause execution periods to carry out an attack of causing level change only once in a one-time execution period. Such an attack may be hereinafter referred to as “specific-timing attack.” In this example, the processing device 1 that can properly detect the specific-timing attack is described. As compared to the processing device 1 according to the above-mentioned fourth example, the processing device 1 according to this example is different in the operation of the updater 320.
In this example, the updater 320 does not update the attack evaluation value in the storage 310 when level change occurs a plurality of times in a one-time execution period. Then, the updater 320 updates the attack evaluation value in the storage 310 as described above when level change occurs only once in a one-time execution period. With this, when the specific-timing attack is carried out on the processing circuit 2, the attack evaluation value in the storage 310 is updated as appropriate. On the other hand, when level change occurs a plurality of times due to noise in a one-time execution period, the attack evaluation value is not updated. With this, the attack detector 30 can properly detect the specific-timing attack on the processing circuit 2.
Note that, in the case where the updater 320 updates the first attack evaluation value in the first-type storage 311 in accordance with occurrence of level change in the execution period in the above-mentioned second example, the updater 320 need not update the first attack evaluation value when level change occurs a plurality of times in a one-time execution period. Further, in the case where the updater 320 updates the second attack evaluation value in the second-type storage 312 in accordance with occurrence of level change in the execution period, the updater 320 need not update the second attack evaluation value when level change occurs a plurality of times in a one-time execution period.
Further, similarly to the above-mentioned first example, if the storage 310 is of the second type, the determination unit 330 may decrease the plurality of second-type threshold values every time the attack detector 30 is restarted.
As described above, in the specific-timing attack, level change occurs during execution of target processing every time the target processing is executed. Specifically, in the specific-timing attack, level change successively occurs in a repeatedly appearing plurality of execution periods.
In this example, the updater 320 updates the attack evaluation value in the storage 310 based on successiveness of occurrence of level change between the repeatedly appearing plurality of execution periods. With this, the specific-timing attack on the processing circuit 2 can be more properly detected. Methods of updating the attack evaluation value based on successiveness of occurrence of level change between the repeatedly appearing plurality of execution periods are described below with reference to a plurality of examples.
As shown in
When it is determined to be YES in Step s22, the updater 320 updates the attack evaluation value in Step s23. On the other hand, when it is determined to be NO in Step s22, the updater 320 ends the processing concerning the target execution period. With this, when it is determined to be NO in Step s22, the attack evaluation value is not updated.
Note that, in a case where the target execution period is the first execution period, when the updater 320 determines YES in Step s21, the updater 320 executes Step s23 to update the attack evaluation value without executing Step s22. On the other hand, when the updater 320 determines NO in Step s21, the updater 320 ends the processing concerning the target execution period. Note that, in a case where the target execution period is the first execution period, when the updater 320 determines YES in Step s21, the updater 320 may end the processing concerning the target execution period without executing Steps s22 and s23.
As can be understood from the description above, in this example, when level change occurs a plurality of times in the target execution period (determined to be NO in Step s21), the updater 320 does not update the attack evaluation value. On the other hand, when level change occurs only once in the target execution period (determined to be YES in Step s21), the updater 320 updates the attack evaluation value only when level change occurs only once in an execution period immediately before the target execution period (determined to be YES in Step s22). Therefore, when level change occurs only once in the target execution period, the updater 320 does not update the attack evaluation value when level change does not occur in an execution period immediately before the target execution period (determined to be NO in Step s22). Further, when level change occurs only once in the target execution period, the updater 320 does not update the attack evaluation value when level change occurs a plurality of times in an execution period immediately before the target execution period (determined to be NO in Step s22).
In the example of
On the other hand, in the example of
When the attack evaluation value in the storage 310 is updated in accordance with characteristics of the specific-timing attack as described above, the specific-timing attack on the processing circuit 2 can be properly detected.
As can be understood from the description above, it can be said that the specific-timing attack has two characteristics, namely, a characteristic that level change occurs only once in one execution period, and a characteristic that level change successively occurs in a repeatedly appearing plurality of execution periods. The former characteristic is hereinafter referred to as a “characteristic of the number of times of level change,” and the latter characteristic is referred to as a “characteristic of successiveness.”
In the above-mentioned first case of the sixth example, the attack evaluation value is updated in consideration of both of the characteristic of the number of times of level change and the characteristic of successiveness. In contrast, in the above-mentioned fifth example, the attack evaluation value is updated only in consideration of the characteristic of the number of times of level change, among the characteristic of the number of times of level change and the characteristic of successiveness.
In this example, the updater 320 updates only in consideration of the characteristic of successiveness, among the characteristic of the number of times of level change and the characteristic of successiveness.
As shown in
When it is determined to be YES in Step s32, the updater 320 updates the attack evaluation value in Step s33. On the other hand, when it is determined to be NO in Step s32, the updater 320 ends the processing concerning the target execution period.
Note that, in a case where the target execution period is the first execution period, when the updater 320 determines YES in Step s31, the updater 320 executes Step s33 to update the attack evaluation value without executing Step s32. On the other hand, when the updater 320 determines NO in Step s31, the updater 320 ends the processing concerning the target execution period. Note that, in a case where the target execution period is the first execution period, when the updater 320 determines YES in Step s31, the updater 320 may end the processing concerning the target execution period without executing Steps s32 and s33.
As can be understood from the description above, in a case where level change occurs at least once in a target execution period, the updater 320 according to this example updates the attack evaluation value in the storage 310 when level change occurs at least once in an execution period immediately before the target execution period. Further, in a case where level change occurs at least once in a target execution period, the updater 320 does not update the attack evaluation value in the storage 310 when level change does not occur in an execution period immediately before the target execution period.
In this manner, when the attack evaluation value in the storage 310 is updated in accordance with the characteristic of successiveness of the specific-timing attack, the specific-timing attack on the processing circuit 2 can be properly detected.
Note that the updater 320 may count up the attack evaluation value only by +1 when level change occurs a plurality of times in one execution period. In this case, in the example of
In this example, the updater 320 increases a one-time update amount (i.e., a one-time count-up amount) of the attack evaluation value in accordance with the number of times of successive occurrence of level change in a repeatedly appearing plurality of execution periods in consideration of the characteristic of successiveness of the specific-timing attack. In other words, the updater 320 increases a one-time update amount (i.e., a one-time count-up amount) of the attack evaluation value in accordance with the number of times of successive occurrence of level change in a repeatedly appearing plurality of execution periods. The number of times of successive occurrence of level change in a repeatedly appearing plurality of execution periods may be hereinafter referred to as the “number of times of successive occurrence Z.”
In this example, the updater 320 increases a one-time count-up amount of the attack evaluation value by Y1 every time the number of times of successive occurrence Z is increased by X1. Each of X1 and Y1 is an integer equal to or greater than 1. Each of X1 and Y1 is set to 1, for example. Therefore, the updater 320 increases the one-time count-up amount of the attack evaluation value by 1 every time the number of times of successive occurrence Z is increased by 1. Note that the value of each of X1 and Y1 is not limited to the above. Further, X1 and Y1 may be values different from each other.
Further, in this example, the updater 320 takes the characteristic of the number of times of level change of the specific-timing attack into consideration, and when level change occurs a plurality of times in one execution period, the updater 320 assumes that level change did not occur in the execution period. With this, when level change occurs a plurality of times in a certain execution period, the attack evaluation value and the number of times of successive occurrence Z are not increased. In this example, it can be said that the updater 320 increases the one-time count-up amount of the attack evaluation value in accordance with the number of times only a one-time level change in one execution period successively occurs in a repeatedly appearing plurality of execution periods.
As shown in
On the other hand, when it is determined to be NO in Step s41, the updater 320 sets the number of times of successive occurrence Z to zero in Step s45. Then, in Step s46, the updater 320 sets the one-time count-up amount to an initial value. The initial value is set to zero, for example. After that, the updater 320 ends the processing concerning the target execution period. Note that the order of executing Steps s45 and s46 may be interchanged.
In the example of
The updater 320 increases the number of times of successive occurrence Z by 1 to bring the number of times of successive occurrence Z to “2” in accordance with the occurrence of the level change in the second execution period. Further, the updater 320 increases the one-time count-up amount by 1 to bring the one-time count-up amount to “2.” Then, the updater 320 counts up the attack evaluation value only by +2 from “1” to bring the attack evaluation value to “3.”
The updater 320 increases the number of times of successive occurrence Z by 1 to bring the number of times of successive occurrence Z to “3” in accordance with the occurrence of the level change in the third execution period. Further, the updater 320 increases the one-time count-up amount by 1 to bring the one-time count-up amount to “3.” Then, the updater 320 counts up the attack evaluation value only by +3 from “3” to bring the attack evaluation value to “6.”
The updater 320 increases the number of times of successive occurrence Z by 1 to bring the number of times of successive occurrence Z to “4” in accordance with the occurrence of the level change in the fourth execution period. Further, the updater 320 increases the one-time count-up amount by 1 to bring the one-time count-up amount to “4.” Then, the updater 320 counts up the attack evaluation value only by +4 from “6” to bring the attack evaluation value to “10.”
The updater 320 increases the number of times of successive occurrence Z by 1 to bring the number of times of successive occurrence Z to “5” in accordance with the occurrence of the level change in the fifth execution period. Further, the updater 320 increases the one-time count-up amount by 1 to bring the one-time count-up amount to “5.” Then, the updater 320 counts up the attack evaluation value only by +5 from “10” to bring the attack evaluation value to “15.”
In the example of
In this manner, when the attack evaluation value in the storage 310 is updated in accordance with the characteristic of the number of times of level change and the characteristic of successiveness of the specific-timing attack, the specific-timing attack on the processing circuit 2 can be properly detected.
Note that, in Step s41 described above, the updater 320 may determine whether or not level change has occurred at least once in the target execution period. In this case, the characteristic of the number of times of level change of the specific-timing attack is not taken into consideration, and the number of times of successive occurrence Z, the one-time count-up amount, and the attack evaluation value are increased even when level change occurs a plurality of times in a one-time execution period. It can be said that the updater 320 increases the one-time count-up amount in accordance with the number of times at least a one-time level change in one execution period successively occurs in a repeatedly appearing plurality of execution periods.
In this example, when there is successive non-occurrence of level change L times (L being an integer equal to or greater than 2) in a repeatedly appearing plurality of execution periods, the updater 320 decreases the attack evaluation value in the storage 310. L is set to “5,” for example. In this case, it can be said that the updater 320 decreases the attack evaluation value when the number of times of successive non-occurrence of level change in a repeatedly appearing plurality of execution periods is five times. The number of times of successive non-occurrence of level change in a repeatedly appearing plurality of execution periods may be hereinafter referred to as the “number of times of successive non-occurrence W.”
As shown in
When the updater 320 confirms in Step s51 that the number of times of occurrence of level change in the target execution period is a plurality of times, the updater 320 sets the number of times of successive occurrence Z to zero in Step s56. Next, in Step s57, the updater 320 sets the number of times of successive non-occurrence W to zero. Then, in Step s58, the updater 320 sets the one-time count-up amount to an initial value. After that, the updater 320 ends the processing concerning the target execution period. Note that the order of executing Steps s56 to s58 may be interchanged.
When the updater 320 confirms in Step s51 that level change does not occur in the target execution period, the updater 320 sets the number of times of successive occurrence Z to zero in Step s59. Next, in Step s60, the updater 320 increases the number of times of successive non-occurrence W by 1. Next, in Step s61, the updater 320 determines whether or not the number of times of successive non-occurrence W is L times. When the updater 320 determines that the number of times of successive non-occurrence W matches the L times, the updater 320 decreases the attack evaluation value in Step s62. In Step s62, the updater 320 decreases the attack evaluation value only by V, for example. V is an integer equal to or greater than 1. In Step s62, the updater 320 may reset the attack evaluation value. Specifically, the updater 320 may set the attack evaluation value to zero. After Step s62, in Step s63, the updater 320 resets the number of times of successive non-occurrence W to set the number of times of successive non-occurrence W to zero. After that, the updater 320 ends the processing concerning the target execution period. Note that Step s59 may be executed later than Step s60. Further, the order of executing Steps s62 and s63 may be interchanged.
When the attack evaluation value in the storage 310 is decreased when there is successive non-occurrence of level change in a repeatedly appearing plurality of execution periods as described above, the specific-timing attack on the processing circuit 2 can be properly detected.
Note that, when it is confirmed in Step s51 that the number of times of occurrence of level change in the target execution period is a plurality of times in the flowchart shown in
Further, the processing of increasing the one-time count-up amount in accordance with the number of times of successive occurrence Z may not be executed in the flowchart shown in
Further, in the flowchart shown in
Further, in the flowchart shown in
In the examples shown in
As in the above-mentioned second example, the above-mentioned first to fourth cases of the sixth example may also be applied to the attack detector 30 in which the storage 310 includes the first-type storage 311 and the second-type storage 312. In this case, similarly to the first to fourth cases of the sixth example, the updater 320 updates the first attack evaluation value in the first-type storage 311 based on successiveness of occurrence of level change between a repeatedly appearing plurality of execution periods. Further, similarly to the first to fourth cases of the sixth example, the updater 320 updates the second attack evaluation value in the second-type storage 312 based on successiveness of occurrence of level change between a repeatedly appearing plurality of execution periods.
Further, even when the determination unit 330 determines a degree of a risk of an attack on the processing circuit 2 as in the third example, the updater 320 can update the attack evaluation value in the storage 310 based on successiveness of detection of level change between a repeatedly appearing plurality of execution periods similarly to the first to fourth cases of the sixth example.
In the above-mentioned third case of the sixth example, the updater 320 increases the one-time count-up amount in accordance with the number of times of successive occurrence Z in consideration of the characteristic of successiveness of the specific-timing attack. In contrast, in this example, the updater 320 decreases a threshold value used in the attack determination processing in accordance with the number of times of successive occurrence Z in consideration of the characteristic of successiveness of the specific-timing attack.
In this example, the updater 320 decreases a threshold value by Y2 every time the number of times of successive occurrence Z is increased by X2. Each of X2 and Y2 is an integer equal to or greater than 1. Each of X2 and Y2 is set to 1, for example. Therefore, the updater 320 decreases the threshold value used in the attack determination processing executed by the determination unit 330 by 1 every time the number of times of successive occurrence Z is increased by 1. Note that the value of each of X2 and Y2 is not limited to the above. Further, X2 and Y2 may be values different from each other.
As shown in
On the other hand, when it is determined to be NO in Step s81, the updater 320 sets the number of times of successive occurrence Z to zero in Step s85. After that, the updater 320 ends the processing concerning the target execution period.
In the example of
In the example of
In this manner, in this example, the threshold value used in the attack determination processing is decreased in accordance with the characteristic of the number of times of level change and the characteristic of successiveness of the specific-timing attack. Therefore, the specific-timing attack on the processing circuit 2 can be properly detected.
Note that, in Step s81 described above, the updater 320 may determine whether or not level change has occurred at least once in the target execution period. In this case, the characteristic of the number of times of level change of the specific-timing attack is not taken into consideration, and the number of times of successive occurrence Z and the attack evaluation value are increased and the threshold value is decreased even when level change occurs a plurality of times in a one-time execution period. It can be said that the updater 320 decreases the threshold value in accordance with the number of times at least a one-time level change in one execution period successively occurs in a repeatedly appearing plurality of execution periods.
Further, as in the above-mentioned second example, this example may also be applied to the attack detector 30 in which the storage 310 includes the first-type storage 311 and the second-type storage 312. In this case, similarly to the above, the updater 320 may decrease the first-type threshold value to be compared with the first attack evaluation value in the first-type storage 311 in accordance with the number of times of successive occurrence Z. Further, the updater 320 may decrease the second-type threshold value to be compared with the second attack evaluation value in the second-type storage 312 in accordance with the number of times of successive occurrence Z.
Further, as in the above-mentioned third example, this example may also be applied to the attack detector 30 that determines a degree of a risk of an attack on the processing circuit 2 by using the determination unit 330 using a plurality of threshold values that are different from each other. In this case, the updater 320 may decrease each of the plurality of threshold values different from each other used by the determination unit 330 in accordance with the number of times of successive occurrence Z similarly to the above.
In the specific-timing attack, the attacker may cause level change aiming at the same timing in a repeatedly appearing plurality of execution periods. For example, when target processing executed in an execution period is encryption processing in accordance with AES with a key length of 128 bits, the attacker may cause level change at timing when the tenth round of the encryption processing is executed in each of the repeatedly appearing plurality of execution periods to carry out an attack on the processing circuit 2.
In view of this, in this example, the attack detector 30 divides each execution period into a plurality of partial periods. In this example, each execution period is divided into first to Kth partial periods. K is an integer equal to or greater than 2. The first to Kth partial periods forming one execution period appear from start to end of the execution period in the mentioned order. Concerning each of the plurality of partial periods, the attack detector 30 stores an attack evaluation value indicating a degree of probability that an attack on the processing circuit 2 has occurred in the partial period in the storage 310. Concerning each of the plurality of partial periods, the attack detector 30 updates the attack evaluation value corresponding to the partial period in accordance with occurrence of level change in the partial period. Then, the attack detector 30 determines whether or not an attack has occurred on the processing circuit 2 based on the attack evaluation values concerning the plurality of partial periods. With this, the specific-timing attack can be more properly detected. The operation of the attack detector 30 according to this example is described in detail below.
<One Example of Update Method of Attack Evaluation Value>
In this example, the storage 310 stores K attack evaluation values that correspond to respective first to Kth partial periods. Concerning each partial period of the first to Kth partial periods, the updater 320 updates the attack evaluation value corresponding to the partial period in the storage 310 in accordance with occurrence of level change in the partial period. The methods of updating the K attack evaluation values that correspond to the respective first to Kth partial periods are the same.
As the method of updating the attack evaluation value, various update methods described above can be adopted. For example, similarly to
As in the above-mentioned sixth example, the updater 320 may update the kth-corresponding attack evaluation value based on successiveness of occurrence of level change between a repeatedly appearing plurality of kth partial periods. The operation of the updater 320 in this case is basically operation in which the target execution period is replaced with the target kth partial period in the details described in the sixth example. The execution period repeatedly appears, and therefore the kth partial period also repeatedly appears.
For example, a case of replacing the target execution period with the target kth partial period in the flowchart of
Further, a case of replacing the target execution period with the target kth partial period in the flowchart of
Further, a case of replacing the target execution period with the target kth partial period in the flowchart of
Further, a case of replacing the target execution period with the target kth partial period in the flowcharts of
Note that, in consideration of the characteristic of the number of times of level change of the specific-timing attack, the updater 320 may not update the kth-corresponding attack evaluation value when level change occurs in a plurality of partial periods including the kth partial period in the execution period in each of the methods of updating the kth-corresponding attack evaluation value described above.
<One Example of Attack Determination Processing>
The determination unit 330 according to this example determines whether or not an attack has occurred on the processing circuit 2 based on the first-corresponding attack evaluation value to the Kth-corresponding attack evaluation value in the storage 310 in the attack determination processing. For example, the determination unit 330 calculates the sum of the first-corresponding attack evaluation value to the Kth-corresponding attack evaluation value in the attack determination processing. Then, when the calculated sum is less than a predetermined value, the determination unit 330 determines that an attack on the processing circuit 2 has not occurred. The predetermined value is set to 50, for example, but is not limited thereto. On the other hand, when the calculated sum is equal to or greater than the predetermined value, the determination unit 330 calculates a ratio with respect to the calculated sum as an evaluation value ratio for each of the first-corresponding attack evaluation value to the Kth-corresponding attack evaluation value. Then, when an evaluation value ratio equal to or greater than a threshold value TH exists in the evaluation value ratios concerning the first-corresponding attack evaluation value to the Kth-corresponding attack evaluation value, the determination unit 330 determines that an attack on the processing circuit 2 has occurred. On the other hand, when an evaluation value ratio equal to or greater than the threshold value TH does not exist in the evaluation value ratios concerning the first-corresponding attack evaluation value to the Kth-corresponding attack evaluation value, the determination unit 330 determines that an attack on the processing circuit 2 has not occurred. The threshold value TH is set to 80%, for example. Note that the threshold value TH may be set to a value other than 80%.
In this manner, in this example, whether or not an attack has occurred on the processing circuit 2 is determined based on the attack evaluation values concerning the plurality of partial periods forming the execution period. Therefore, the specific-timing attack of causing level change aiming at the same timing in the repeatedly appearing plurality of execution periods can be properly detected.
The updater 320a and the determination unit 330a form an update determination unit 380a that updates an attack evaluation value 315a stored in the storage 310 and performs attack determination processing based on the attack evaluation value 315a. The updater 320b and the determination unit 330b form an update determination unit 380b that updates an attack evaluation value 315b stored in the storage 310 and performs attack determination processing based on the attack evaluation value 315b. The updater 320c and the determination unit 330c form an update determination unit 380c that updates an attack evaluation value 315c stored in the storage 310 and performs attack determination processing based on the attack evaluation value 315c. Operations of the plurality of update determination units 380a to 380c are different from each other.
For example, the updater 320a and the determination unit 330a included in the update determination unit 380a operate similarly to the updater 320 and the determination unit 330 according to the above-mentioned first example. Specifically, during activation of the processing device 1, the updater 320a constantly performs update processing of updating the attack evaluation value 315a every time level change occurs. The determination unit 330a determines whether or not an attack on the processing circuit 2 has occurred based on a comparison result between the attack evaluation value 315a and a threshold value.
For example, the updater 320b and the determination unit 330b included in the update determination unit 380b operate similarly to the updater 320 and the determination unit 330 according to the above-mentioned sixth example. Specifically, the updater 320b updates the attack evaluation value 315b in the storage 310 based on successiveness of occurrence of level change between the repeatedly appearing plurality of execution periods. In this example, for example, the updater 320b increases a one-time count-up amount of the attack evaluation value 315a in accordance with the number of times of successive occurrence Z, similarly to the third case of the sixth example. The determination unit 330b determines whether or not an attack on the processing circuit 2 has occurred based on a comparison result between the attack evaluation value 315b and a threshold value.
For example, the updater 320c and the determination unit 330c included in the update determination unit 380c operate similarly to the updater 320 and the determination unit 330 according to the above-mentioned eighth example. In this case, the storage 310 stores K attack evaluation values 315c that correspond to the respective first to Kth partial periods forming the execution period. Concerning each of the K attack evaluation values 315c in the storage 310, the updater 320c updates the attack evaluation value 315c in accordance with occurrence of level change in a partial period corresponding to the attack evaluation value 315c. The determination unit 330c calculates the sum of the K attack evaluation values 315c in the attack determination processing. Then, when the calculated sum is less than a predetermined value, the determination unit 330c determines that an attack on the processing circuit 2 has not occurred. On the other hand, when the calculated sum is equal to or greater than the predetermined value, the determination unit 330c calculates a ratio with respect to the calculated sum as an evaluation value ratio for each of the K attack evaluation values 315c. Then, when an evaluation value ratio equal to or greater than a threshold value TH exists in the evaluation value ratios concerning the K attack evaluation values, the determination unit 330c determines that an attack on the processing circuit 2 has occurred. On the other hand, when an evaluation value ratio equal to or greater than the threshold value TH does not exist in the evaluation value ratios concerning the K attack evaluation values, the determination unit 330c determines that an attack on the processing circuit 2 has not occurred.
In this example, when the determination unit 330a determines that an attack on the processing circuit 2 has occurred, the controller 31 stops the operation of the processing circuit 2, as in the first example. Further, when the determination unit 330b determines that an attack on the processing circuit 2 has occurred, the controller 31 stops the operation of the processing circuit 2. Further, when the determination unit 330c determines that an attack on the processing circuit 2 has occurred, the controller 31 stops the operation of the processing circuit 2.
In this manner, in this example, the plurality of update determination units that perform different operations are provided. Therefore, a plurality of types of fault injection attacks on the processing circuit 2 can be detected.
For example, the update determination unit 380a can properly detect a fault injection attack of causing level change in a period other than the execution period in which the target processing is performed.
Further, the update determination unit 380b can properly detect a specific-timing attack of causing level change a plurality of times over the entire execution period. For example, the attacker may repeatedly cause level change from start to end of an execution period to determine timing to finally carry out an attack in the execution period based on an operation state of the processing circuit 2 at the time. For example, a case where the target processing is encryption processing in accordance with AES with a key length of 128 bits is considered. In this case, the attacker may repeatedly cause level change from start to end of the execution period of the encryption processing to determine that timing at which the tenth round of the encryption processing is executed is timing to finally carry out an attack based on an operation state of the processing circuit 2 at the time. The update determination unit 380b can detect the specific-timing attack before the timing to finally carry out an attack in the execution period is determined.
Further, the update determination unit 380c can properly detect a specific-timing attack of causing level change aiming at certain specific timing in the execution period.
Note that the controller 31 may change control over the processing circuit 2 depending on cases. Such cases include a case where it is determined that an attack has occurred in the determination unit 330a, a case where it is determined that an attack has occurred in the determination unit 330b, and a case where it is determined that an attack has occurred in the determination unit 330c. For example, a case where an attack is carried out on the encryption processing performed by the processing circuit 2 is considered. In this case, when it is determined that an attack has occurred in the determination unit 330a, the controller 31 makes the processing circuit 2 change execution timing of the encryption processing, for example. Further, when it is determined that an attack has occurred in the determination unit 330b, the controller 31 makes the processing circuit 2 change a key used in the encryption processing, for example. Further, when it is determined that an attack has occurred in the determination unit 330c, the controller 31 stops the operation of the processing circuit 2, for example. Combination of the details of the control over the processing circuit 2 is not limited to the above.
In the above examples, the attack detector 30 includes three update determination units that perform different operations from each other. However, the attack detector 30 may include two update determination units that perform different operations from each other, and may include four or more update determination units that perform different operations from each other. Further, the plurality of attack evaluation values 315a, 315b, and 315c managed respectively the update determination units 380a, 380b, and 380c may be stored in a plurality of storages different from each other. In this case, the plurality of storages may include the first-type storage, and may include the second-type storage.
While the processing device 1 has been described in detail, the foregoing description is in all aspects illustrative, and the present invention is not limited thereto. The above-mentioned various modifications may be applied in combination on the condition that the combination is consistent. It is therefore understood that numerous unillustrated modifications can be devised without departing from the scope of the invention.
Number | Date | Country | Kind |
---|---|---|---|
2018-067467 | Mar 2018 | JP | national |