Patent classifications
H04L9/004
COUNTERMEASURES AGAINST SIDE-CHANNEL ATTACKS ON SECURE ENCRYPTED VIRTUALIZATION (SEV)-ENCRYPTED STATE (SEV-ES) PROCESSORS
AMD's Secure Encrypted Virtualization (SEV) is a hardware extension available in AMD's EPYC™ server processors to support confidential cloud computing. Although known attacks against SEV, which exploit its lack of encryption in the virtual machine (VM) control block or the lack of integrity protection of the encrypted memory and nested page tables, have been addressed in subsequent releases of SEV-Encrypted State (SEV-ES) and SEV-Secure Nested Paging (SEV-SNP), embodiments of a new CipherLeaks attack present previously unexplored vulnerabilities for SEV-ES and SEV-SNP. The attack embodiments allow a privileged adversary to infer a guest VM's execution state or recover certain plaintext, e.g., to steal private keys from the constant-time implementations of the Rivest-Shamir-Adleman (RSA) algorithm and the Elliptic Curve Digital Signature Algorithm (ECDSA) in the latest OpenSSL library.
COUNTERMEASURES AGAINST SIDE-CHANNEL ATTACKS ON SECURE ENCRYPTED VIRTUALIZATION (SEV)-SECURE NESTED PAGING (SEV-SNP) PROCESSORS
AMD's Secure Encrypted Virtualization (SEV) is a hardware extension available in AMD's EPYC™ server processors to support confidential cloud computing. Although known attacks against SEV, which exploit its lack of encryption in the virtual machine (VM) control block or the lack of integrity protection of the encrypted memory and nested page tables, have been addressed in subsequent releases of SEV-Encrypted State (SEV-ES) and SEV-Secure Nested Paging (SEV-SNP), a new CipherLeaks attack presents a previously unexplored vulnerability for SEV-ES and SEV-SNP. The attack allows a privileged adversary to infer a guest VM's execution states or recover certain plaintext, e.g., to steal private keys from the constant-time implementations of the Rivest-Shamir-Adleman (RSA) algorithm and the Elliptic Curve Digital Signature Algorithm (ECDSA) in the latest OpenSSL library.
FAULT ATTACK RESISTANT CRYPTOGRAPHIC SYSTEMS AND METHODS
Described herein are systems and methods that protect against fault injection attacks. In various embodiments this is accomplished by taking advantage of the fact that an attacker cannot use a faulted result to recover a secret. Using infective computation, an error is propagated through a loop so that the faulted value gives the attacker neither useful information nor information from which useful information could be extracted. The faults produced by a fault attack are so large that a relatively large number of bits change; as a result, practically no secret information can be extracted by restoring bits.
Method for executing a machine code of a secure function
An execution method comprises the following operations: every time an instruction to be protected in a preceding basic block is loaded, a new value of a signature of this preceding basic block is constructed from the value of this instruction to be protected and the preceding value of the signature. The method further includes loading an initialization vector contained in a subsequent basic block and calculating, from the loaded initialization vector, the value expected for the signature of the preceding basic block. The method also includes comparing the constructed value of the signature with the expected value of this signature and, only if these values do not match, triggering the signaling of a fault during the execution of the machine code.
Obfuscation of operations in computing devices
A method for obfuscation of operations using minimal additional hardware is presented herein. The method can begin by executing a first iteration of a set of computations, the execution of the set of computations resulting in a first iteration output. The method can continue by executing a second iteration of the set of computations, wherein the second iteration is distinct from the first iteration but should satisfy a matching condition. The distinction can be a rearrangement of sub-operations, insertion of dummy sub-operations, or a combination of the two. After the iterations are complete, the iteration outputs can be compared. If the comparison of the first iteration output and the second iteration output satisfies the matching condition, the process result can be output. If the matching condition is not satisfied, an error-detected signal can be output.
Security circuitry for bonded structures
A bonded structure is disclosed. The bonded structure can include a first semiconductor element having a first front side and a first back side opposite the first front side. The bonded structure can include a second semiconductor element having a second front side and a second back side opposite the second front side, the first front side of the first semiconductor element directly bonded to the second front side of the second semiconductor element along a bond interface without an adhesive. The bonded structure can include security circuitry extending across the bond interface, the security circuitry electrically connected to the first and second semiconductor elements.
Mixed storage of data fields
An array of non-volatile memory cells includes rows and columns. A volatile storage circuit provides addressable units of storage. A control circuit reads first-type data and second-type data from one or more of the rows and multiple ones of the columns of the array of non-volatile memory cells. The control circuit stores the first-type data and second-type data read from each row in one or more addressable units of storage of the volatile storage. A security circuit reads first data from one or more of the addressable units of the volatile storage and selects from the first data the second-type data, which includes one or more bits of each of the one or more addressable units. The security circuit performs an integrity check on the selected second-type data and generates an alert signal indicating a security violation in response to failure of the integrity check.
APPARATUS AND METHOD FOR MODULAR MULTIPLICATION RESISTANT TO SIDE-CHANNEL ATTACK
A device includes a random number generator configured to generate a random number, a memory configured to store at least one lookup table, and a processing circuit configured to generate a generator based on the random number, create the at least one lookup table based on the generator, and write the created at least one lookup table to the memory, wherein the processing circuit is configured to access the memory based on a first input and a second input, and generate a result of a modular multiplication of the first input by the second input based on the at least one lookup table.
Security chip, security chip production method and electronic device
A security chip includes: a first medium layer; a second medium layer disposed on the first medium layer, where the first medium layer is an optically denser medium relative to the second medium layer, and the roughness of the upper surface of the first medium layer is greater than or equal to a preset threshold, so that light entering the second medium layer from the first medium layer can be totally reflected and/or scattered; and a semiconductor chip disposed on the second medium layer. Based on the above technical solution, light incident from the lower surface of the first medium layer can be totally reflected or scattered by the upper surface of the first medium layer, so that most of the light cannot reach a logic or storage area on the front of the security chip, thereby resisting a laser attack.
Technology To Provide Fault Tolerance For Elliptic Curve Digital Signature Algorithm Engines
A data processing system includes technology for detecting and tolerating faults. The data processing system comprises an electronic control unit (ECU) with a processing core and a fault-tolerant elliptic curve digital signature algorithm (ECDSA) engine. The fault-tolerant ECDSA engine comprises multiple verification state machines (VSMs). The data processing system also comprises nonvolatile storage in communication with the processing core and ECU software in the nonvolatile storage. The ECU software, when executed, enables the data processing system to operate as a node in a distributed data processing system, including receiving digitally signed messages from other nodes in the distributed data processing system. The ECU further comprises a known-answer built-in self-test unit (KA-BISTU). Also, the ECU software comprises fault-tolerant ECDSA engine (FTEE) management software which, when executed by the processing core, utilizes the KA-BISTU to periodically test the fault-tolerant ECDSA engine for faults. Other embodiments are described and claimed.