Abstract
The boom of embedded systems and their wide applications, especially in the
area of e-business and -service, have raised increasing concerns about their security. One of the vulnerable components in most embedded systems is memory.
Protecting memory data is essential to the embedded system.
Many designs for memory data protection are based on the cryptographic primitives that have been systematically analysed and extensively evaluated, and often
provide a guaranteed level of security. However, such cryptographic primitives
usually come with significant processing and resource costs and may not be suit-
able to embedded systems, where resources are extremely restricted.
This thesis studies an existing design for protecting the integrity of memory data
in an embedded processor system, where tag is used for data authentication. The
design is highly cost efficient, consumes small on-chip resources and low off-chip
memory, and offers flexibility for good trade-off between the design security and
its implementation cost.
However, the design assumes that the data to be protected are random and fit
the uniform distribution, and the security of the design is mainly focused on
the attacks with random data and tag values. Attacks with chosen values have
merely been addressed. Nevertheless, the chosen-value attacks can exploit
the design weakness, is much stronger than the random attack, and determines
the true security level of a design.
We have identified three pitfalls in this design: 1) there are some correlations
between data and the tag, 2) for a given data, its tag value is not distributed over the
whole tag value space; the effective tag space size for a given data is reduced
and is less than the half of the tag value space, and 3) the effective tag space size
varies for different data. Those weaknesses lead to the low security of the design.
To patch the loopholes, we improve the design by implementing a series of random
flip functions and non-linear Galois field multiplication on the data blocks. We
show, through the theoretical analysis and experimental demonstration, that with the design modifications the tag generated bears no correlation to its data
and the tag is uniformly random over the full tag value space. The improved
design has the same capability to counter attacks with chosen values as to counter
attacks with the random data. Therefore, the design is much secure yet still
retaining the cost effective feature of the original design.