Bachelor's Theses
Correlation between local emanations and local fault injection positions
Probe Positioning, Fault, Side Channel
Description
For local fault attacks, a suitable position on the chip needs to be identified before arming an attack on, e.g., some cipher. Currently, one needs to step over the entire chip and test possible fault parameters at each position. Later, the position with the best results in this positioning run will be used for the attack. Since there is a vast amount of possible fault injection parameters, the position search is very time-consuming. There are some approaches in state-of-the-art research publications to speed up this process. However, a detailed methodology is still missing, especially for fault injections.
A correlation between EM emanations and positions prone to faults can drastically speed up the process and provide a major time advantage to any attacker.
Within this work, the dependency between EM emanations and fault positions should be explored using the example of different microcontroller or FPGA implementations. The most important part lies in the reproducibility of results across these different platforms.
Currently, the comparison is done manually. Further approaches should be found during the student work and evaluated on the recorded datasets.
Prerequisites
- Knowledge of side channels and fault injection is ideal
- Python and C are mandatory
- Linux skills are also mandatory
Contact
Matthias Probst (matthias.probst@tum.de)
Supervisor:
Digital Hardware Design and Evaluation
Description
I am looking for students who are interested in HW implementations and have knowledge of an HDL. If you are also interested in cryptography and its applications, you would be a suitable candidate.
Possible implementation tasks are the
- Extension / implementation of symmetric ciphers
- Extension / implementation of message authentication codes
- Extension / implementation of error correction codes / functionality
The implementation will be analysed for its suitability for memory encryption and integrity verification of memory contents. For this assessment, typical performance metrics will be measured and evaluated on an FPGA.
If any of the topics interest you, please email me to discuss the details and your personal interests.
Supervisor:
Master's Theses
Emulation of Confidential Computing Hardware: AMD SEV-SNP / Intel TDX (AISEC)
Description
Confidential Computing technologies are a promising tool for cloud computing. They aim to protect data while it is being processed in the cloud by preventing the cloud provider and platform owner from gaining access to it. AMD SEV-SNP and Intel TDX in particular do this by providing confidential virtual machines. The memory of these VMs remains confidential and integrity-protected at all times, and the technologies provide remote attestation mechanisms for verification. Extensive work has analyzed, broken and improved upon these technologies. Especially for proof-of-concept implementations, however, creating, testing and verifying code requires specific server hardware that is not readily available to everyone.
This thesis aims to design and implement emulators for either AMD SEV-SNP or Intel TDX.
Task Description
In this thesis, the focus lies on providing AMD SEV-SNP or Intel TDX remote attestation mechanisms to a VM hosted on conventional hardware. For this, the student researches and evaluates the components required to emulate these. The student then creates a design and proof-of-concept implementation that provides the corresponding remote attestation mechanism to the guest VM, e.g., by modifying and extending the virtual machine manager (VMM) QEMU. If possible, guest VM and host kernel shall remain unchanged.
Prerequisites
* High motivation and ability to work independently
* Good understanding of virtualization concepts
* Experience with QEMU / KVM and Linux kernels
Contact
Joana Pecholt
E-Mail: joana.pecholt@aisec.fraunhofer.de
Simon Ott
E-Mail: simon.ott@aisec.fraunhofer.de
Supervisor:
Digital Hardware Design and Evaluation
Description
I am looking for students who are interested in HW implementations and have knowledge of an HDL. If you are also interested in cryptography and its applications, you would be a suitable candidate.
Possible implementation tasks are the
- Extension / implementation of symmetric ciphers
- Extension / implementation of message authentication codes
- Extension / implementation of error correction codes / functionality
The implementation will be analysed for its suitability for memory encryption and integrity verification of memory contents. For this assessment, typical performance metrics will be measured and evaluated on an FPGA.
If any of the topics interest you, please email me to discuss the details and your personal interests.
Supervisor:
Interdisciplinary Projects
Fuzzing Embedded Devices using Feedback from Side-Channel Analysis (AISEC)
Description
Fuzzing is a powerful and versatile technique to hunt security vulnerabilities. Embedded devices, however, usually lack suitable interfaces to apply established fuzzing concepts known from software. Tapping side-channel information, such as power consumption or electromagnetic radiation, can yield these interfaces and enable conventional grey-box fuzzing of an embedded device.
Task Description
Our current test set-up is capable of extracting code-coverage information during a fuzzing campaign from the power consumption of an STM32F417IGT microcontroller and feeding it back into our tool, which is based on the popular AFL++ fuzzer. Your task will be to measure the performance of this tool on additional microcontrollers and to increase its effectiveness where applicable. In detail, this entails hooking up a microcontroller to the test set-up, training a machine-learning model on the microcontroller-specific behavior, and measuring the performance and effectiveness while fuzzing proof-of-concept and real-world software running on the microcontroller.
As an optional task, you can work towards tapping electromagnetic radiation as a second side channel next to power consumption.
Prerequisites
• High motivation and ability to work independently
• Good coding skills in Python and general understanding of software architecture
• Interest in offensive security and bug-hunting
Contact
Please send your application with current CV and transcript of records to:
Ferdinand Jarisch
Fraunhofer Institute for Applied and Integrated Security (AISEC)
Product Protection and Industrial Security
Lichtenbergstr. 11, 85748 Garching near Munich
Mail: ferdinand.jarisch@aisec.fraunhofer.de
Phone: +49 89 322 9986-166
Publication Date: 21.11.2023
Supervisor:
Fuzzing the Elkhart Lake PSE (AISEC)
Description
The Programmable Services Engine (PSE) of the Elkhart Lake platform is a separate ARM core for executing applications separately from the main processor. The PSE firmware is a software component used to provide security-critical platform functionality. Because it is written in the C programming language, this component may contain exploitable vulnerabilities with far-reaching security implications.
Task Description
The goal of this work is to create a working fuzzing setup for the PSE firmware of the Elkhart Lake platform. As part of the work, the structure and interfaces of the firmware are to be analyzed first. Building on this, interfaces suitable for fuzzing are to be identified.
Based on this preliminary work, a suitable fuzzer is then to be selected and used to build a running fuzzing setup. Identifying and implementing any necessary changes to the selected fuzzer is also part of the work. Finally, the implemented fuzzer is to be evaluated with regard to code coverage, performance and reproducibility.
Prerequisites
• Advanced knowledge of and practical experience with fuzzing
• Prior experience with operating system concepts and Linux-based operating systems
• Ideally, knowledge of real-time operating systems, in particular Zephyr
• Ideally, basic knowledge of computer architecture
Contact
Please send your application with current CV and transcript of records to:
Vincent Ahlrichs
Secure Operating Systems
Mail: vincent.ahlrichs@aisec.fraunhofer.de
Phone: +49 89 322 9986-114
Felix Wruck
Secure Operating Systems
Mail: felix.wruck@aisec.fraunhofer.de
Phone: +49 89 322 9986-129
Fraunhofer Institute for Applied and Integrated Security (AISEC)
Lichtenbergstr. 11, 85748 Garching near Munich
Supervisor:
Research Internships (Forschungspraxis)
Correlation between local emanations and local fault injection positions
Probe Positioning, Fault, Side Channel
Description
For local fault attacks, a suitable position on the chip needs to be identified before arming an attack on, e.g., some cipher. Currently, one needs to step over the entire chip and test possible fault parameters at each position. Later, the position with the best results in this positioning run will be used for the attack. Since there is a vast amount of possible fault injection parameters, the position search is very time-consuming. There are some approaches in state-of-the-art research publications to speed up this process. However, a detailed methodology is still missing, especially for fault injections.
A correlation between EM emanations and positions prone to faults can drastically speed up the process and provide a major time advantage to any attacker.
Within this work, the dependency between EM emanations and fault positions should be explored using the example of different microcontroller or FPGA implementations. The most important part lies in the reproducibility of results across these different platforms.
Currently, the comparison is done manually. Further approaches should be found during the student work and evaluated on the recorded datasets.
Prerequisites
- Knowledge of side channels and fault injection is ideal
- Python and C are mandatory
- Linux skills are also mandatory
Contact
Matthias Probst (matthias.probst@tum.de)
Supervisor:
Optimization of an FFT Hardware Generator for Lattice-Based Cryptography (AISEC)
Lattice-based cryptography has emerged as a promising class of cryptographic algorithms, which are believed to be resistant to attacks from quantum computers. This type of cryptography finds applications in secure communication, digital signatures, and homomorphic encryption, making it versatile and applicable to a wide range of use cases. However, the primary limitation of lattice-based cryptosystems lies in the computation of polynomial multiplication using the Fast Fourier Transform (FFT). To overcome this bottleneck, there is a need for hardware acceleration specifically targeting the FFT algorithm. In a recent work [BDTV23], SGen¹, an open-source hardware generator implemented in Scala that generates arbitrary-streaming-width FFTs, was extended and optimized for use in the TFHE homomorphic encryption scheme [CGGI20]. In this work, the usage of SGen for lattice-based cryptography should be evaluated and different configurations should be benchmarked. Additionally, the proposed optimizations from [BDTV23] should be adopted and evaluated in terms of performance and resource utilization.
Description
Within the scope of this work, you will
- Study and extend SGen for lattice-based cryptography
- Conduct design space exploration to evaluate different trade-offs
- Implement and evaluate a hardware accelerator on a Xilinx FPGA
Prerequisites
- Experience in hardware design using VHDL or SystemVerilog
- Knowledge of basic DSP (Fixed-Point/Floating-Point Arithmetic, FFT, etc.)
- Knowledge of and experience with the FPGA design flow
- Motivation to learn more about lattice-based cryptography and hardware design
Contact
Please send your application with current CV and transcript of records to:
Tobias Stelzer
Fraunhofer Institute for Applied and Integrated Security (AISEC)
Hardware Security
Lichtenbergstr. 11, 85748 Garching near Munich
Mail: tobias.stelzer@aisec.fraunhofer.de
Phone: +49 89 322 9986-0916
References
[BDTV23] Michiel Van Beirendonck, Jan-Pieter D’Anvers, Furkan Turan, and Ingrid Verbauwhede. FPT: A fixed-point accelerator for torus fully homomorphic encryption. In Weizhi Meng, Christian Damsgaard Jensen, Cas Cremers, and Engin Kirda, editors, Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, November 26-30, 2023, pages 741–755. ACM, 2023.
[CGGI20] Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. TFHE: fast fully homomorphic encryption over the torus. J. Cryptol., 33(1):34–91, 2020.
Publication Date: 11.06.2024
¹ https://acl.inf.ethz.ch/research/hardware/
Supervisor:
Hardware Security with Side-Channel Analysis of SOCs (AISEC)
Description
We are currently seeking students to join our research team for a practical experience in the field of hardware security. This opportunity offers hands-on experience in conducting side-channel analysis of System-on-Chips (SOCs).
Responsibilities
• Conduct literature research on hardware security and side-channel analysis techniques
• Build and use a measurement setup to collect side-channel data from SOCs
• Analyze the collected data and identify potential vulnerabilities
• Develop and implement potential attacks on the devices
Prerequisites
• Currently enrolled as a student in a relevant field (e.g., computer science, electrical engineering)
• Strong interest in hardware security and side-channel analysis
• Basic knowledge of computer architecture and embedded systems
• Proficiency with programming languages, especially Python
• Ability to work independently and in a team
This research practicum provides an excellent opportunity to gain practical experience in the exciting field of hardware security. If you are passionate about cybersecurity and eager to apply your knowledge in a real-world context, we encourage you to apply for this position.
To apply, please submit your resume, your transcript of records and a brief statement of interest highlighting your relevant experience and motivation for joining this research practicum.
Contact
Name: Valentin Huber
Email: valentin.huber@aisec.fraunhofer.de
Name: Marc Schink
Email: marc.schink@aisec.fraunhofer.de
Supervisor:
Digital Hardware Design and Evaluation
Description
I am looking for students who are interested in HW implementations and have knowledge of an HDL. If you are also interested in cryptography and its applications, you would be a suitable candidate.
Possible implementation tasks are the
- Extension / implementation of symmetric ciphers
- Extension / implementation of message authentication codes
- Extension / implementation of error correction codes / functionality
The implementation will be analysed for its suitability for memory encryption and integrity verification of memory contents. For this assessment, typical performance metrics will be measured and evaluated on an FPGA.
If any of the topics interest you, please email me to discuss the details and your personal interests.
Supervisor:
Practical evaluation of RowHammer on an Embedded System (AISEC)
Description
RowHammer is a powerful fault injection technique, launched from software, to inject bit faults into DRAM. Over the last decade, RowHammer was shown to threaten DRAMs. Vendors reacted and deployed countermeasures, which led to the belief that the problem was solved. However, in recent years, research has shown that DRAM is still threatened by a more sophisticated technique, called Many-sided RowHammer.
In this work, we aim to create bit faults inside the LPDDR4 of an embedded system by using the Many-sided RowHammer technique. To this end, we will port an existing RowHammer tool to our target embedded architecture. We will then evaluate whether a successful Many-sided RowHammer attack is possible on our targeted embedded platform, and which parameters are necessary. Finally, we want to evaluate how an attacker may use the particular fault model achieved.
Prerequisites
The following skills are valuable for the execution of the project:
* Good knowledge of programming in C
* Basic experience with assembly programming
* Basic experience with embedded Linux (e.g., Buildroot, Yocto, Raspbian, etc.)
* Basic knowledge about memory hierarchies and DRAM structure
Contact
If you are interested in this particular HiWi position, please send an email with
* a short CV,
* a short cover letter, and
* your last grading sheet.
Kilian Zinnecker, kilian.zinnecker@aisec.fraunhofer.de
Supervisor:
Trusted Channels for IoT Devices (AISEC)
Description
Remote Attestation is the process of assessing the trustworthiness of a remote computing platform through verifying the integrity of its software stack. Arm Trusted Firmware-M provides the Initial Attestation Service (IAS) to enable attestation on resource-constrained Arm Cortex-M microcontrollers. However, executing a remote attestation protocol without binding it to the device's communication channel opens up the possibility of Man-in-the-Middle (MitM) attacks: in such a scenario, an attacker uses a rogue device to fetch attestation evidence from a good device and establish communication to an IoT hub or other IoT devices. Therefore, the scope of this work is to design and implement a channel binding mechanism for common IoT protocols such as the Constrained Application Protocol (CoAP) to augment the communication channel with an attestation mechanism. This includes the following tasks:
• Survey of existing IoT protocols and attestation mechanisms
• Design of a channel binding mechanism, e.g., for CoAP with OSCORE/EDHOC
• Implement a Proof-of-Concept for the solution
• Evaluate the solution
Prerequisites
• High motivation and ability to work independently
• Good programming skills in C
• At least basic knowledge of cryptographic primitives
• Preferably knowledge about embedded systems and Arm Cortex-M processors
Contact
Simon Ott
Phone: +49 89 322-9986-143
E-Mail: simon.ott@aisec.fraunhofer.de
Supervisor:
Student Assistant Jobs
Correlation between local emanations and local fault injection positions
Probe Positioning, Fault, Side Channel
Description
For local fault attacks, a suitable position on the chip needs to be identified before arming an attack on, e.g., some cipher. Currently, one needs to step over the entire chip and test possible fault parameters at each position. Later, the position with the best results in this positioning run will be used for the attack. Since there is a vast amount of possible fault injection parameters, the position search is very time-consuming. There are some approaches in state-of-the-art research publications to speed up this process. However, a detailed methodology is still missing, especially for fault injections.
A correlation between EM emanations and positions prone to faults can drastically speed up the process and provide a major time advantage to any attacker.
Within this work, the dependency between EM emanations and fault positions should be explored using the example of different microcontroller or FPGA implementations. The most important part lies in the reproducibility of results across these different platforms.
Currently, the comparison is done manually. Further approaches should be found during the student work and evaluated on the recorded datasets.
Prerequisites
- Knowledge of side channels and fault injection is ideal
- Python and C are mandatory
- Linux skills are also mandatory
Contact
Matthias Probst (matthias.probst@tum.de)
Supervisor:
Digital Design Engineer for Security Applications (AISEC)
Description
Fraunhofer AISEC and TU Munich are collaborating in designing security chip prototypes for various research projects. You have the opportunity to work with a team of researchers on realizing innovative security solutions on hardware circuits. During your work, you will use state-of-the-art EDA tools, learn valuable skills related to the different stages of chip design and have the opportunity to contribute to cutting edge research. This job is an ideal starting point for a future career in chip design and information security. We also offer Research Internships and Master Thesis positions.
Task Description
Within this work, you will
• Assist in implementing and verifying hardware implementations
• Maintain and improve IP cores and tooling
• Document hardware designs
• Evaluate hardware implementations on AMD/Xilinx FPGAs
Prerequisites
• First experience in hardware design using VHDL or SystemVerilog
• Basic knowledge about FPGA or ASIC design flow
• Good programming skills in Python
• High motivation to learn more about information security and hardware design
Contact
Please send your application with current CV and transcript of records to:
Tobias Stelzer
Fraunhofer Institute for Applied and Integrated Security (AISEC)
Hardware Security
Lichtenbergstr. 11, 85748 Garching near Munich
Mail: tobias.stelzer@aisec.fraunhofer.de
Phone: +49 89 322 9986-0916
Felix Oberhansl
Fraunhofer Institute for Applied and Integrated Security (AISEC)
Hardware Security
Lichtenbergstr. 11, 85748 Garching near Munich
Mail: felix.oberhansl@aisec.fraunhofer.de
Phone: +49 89 322 9986-156
Supervisor:
Improvement of an Automotive Privacy Demonstrator (AISEC)
Description
The project AUTOPSY aims to protect the privacy of the data collected and processed in cars and researches the impact of deploying Privacy Enhancing Techniques (PETs) in an automotive scenario, with a focus on platooning in the initial demonstration.
The goal of this work is to build upon an existing demonstrator and further improve it to showcase results in an interesting and interactive way. We are therefore looking for a motivated working student with a strong background in embedded systems.
Task description
The tasks cover in particular:
• Developing and improving code for PET implementations, communication and system software
• Deployment of code on automotive embedded systems
• Improvement of visualization and user experience
Prerequisites
• Strong background in programming and debugging embedded systems
• Interest in privacy enhancing techniques
• Strong motivation and independent working style
Date: June 2024
Start: any time
Contact
Dr.-Ing. Matthias Hiller
Fraunhofer Institute AISEC
Head of Department Hardware Security
Lichtenbergstraße 11, 85748 Garching (near Munich)
E-Mail: matthias.hiller@aisec.fraunhofer.de
Supervisor:
Development of a Tooling Framework for the Hardware Security Lab (AISEC)
Description
Fault attacks on cryptographic schemes are a method by which a secret key can be extracted from a device: a targeted disturbance of the device during execution (e.g., a strong electromagnetic pulse) forces a faulty computation of the cryptographic algorithm. Depending on the cryptographic scheme, there are a large number of attacks that can determine the key in use from faulty output values.
The advertised position involves contributing to the development of a tooling framework for the Hardware Security Lab at Fraunhofer AISEC. The tooling is to implement various existing attacks so that they can be used for analyses in the lab. The following activities are expected:
• Literature research as well as reading and understanding relevant publications
• Python implementation of cryptographic schemes with the ability to simulate fault injections
• Implementation and testing of selected attacks
Prerequisites
• Very good language skills in German and/or English
• Good programming skills in Python
• Independent working style
Contact
Bodo Selmke
bodo.selmke@aisec.fraunhofer.de
+49 89 3229986 132
Ivan Gavrilan
ivan.gavrilan@aisec.fraunhofer.de
+49 89 3229986 1004
Please send applications by e-mail; accompanying documents with sensitive content (CV etc.) can also be uploaded here (please as a zip or similar, with the applicant's name as the file name):
https://owncloud.fraunhofer.de/index.php/s/ZrbiiP54WdNKZDD
Supervisor:
Digital Hardware Design and Evaluation
Description
I am looking for students who are interested in HW implementations and have knowledge of an HDL. If you are also interested in cryptography and its applications, you would be a suitable candidate.
Possible implementation tasks are the
- Extension / implementation of symmetric ciphers
- Extension / implementation of message authentication codes
- Extension / implementation of error correction codes / functionality
The implementation will be analysed for its suitability for memory encryption and integrity verification of memory contents. For this assessment, typical performance metrics will be measured and evaluated on an FPGA.
If any of the topics interest you, please email me to discuss the details and your personal interests.
Supervisor:
Tutor: Secure Implementation of Cryptographic Algorithms (Sichere Implementierung kryptographischer Verfahren)
Side-channel analysis, implementations, tutor
Description
The lecture Sichere Implementierung kryptographischer Verfahren (SIKA) is accompanied by an exercise course in which four programming assignments are carried out. A tutor is sought to support the students, to look after the side-channel measurement station and to test the submission environment.
The programming exercises include the implementation of AES in C and the development of various attacks on RSA and AES in Python. As part of the Differential Power Analysis (DPA) attack, the power consumption of an implementation is recorded with an oscilloscope. The Coderunner environment in Moodle is used for submitting and grading the programming assignments.
As part of the job, fixed office hours at the Chair of Security in Information Technology can be set up to provide support with the programming assignments. To test the Coderunner environment, the assignments should each be solved and submitted independently one week before the exercise session in order to uncover possible problems with the environment.
Period and number of hours:
From 1 November 2024 to 31 January 2025 at 6-12 hours per week; minor adjustments to the period and the number of hours, as well as flexible working hours by arrangement, are possible.
Prerequisites
- Programming skills in C and Python
- Basic understanding of handling measurement equipment, e.g., an oscilloscope
- Ideally, attendance of the SIKA lecture in a previous semester
- Independent working style
Contact
Technical University of Munich
Chair of Security in Information Technology
Manuel Brosch
Theresienstr. 90, N1007
E-Mail: manuel.brosch@tum.de