In a search that began in February this year, computer scientists have found that unique, impossible-to-replicate features of graphics processing units (GPUs) could be the future of user authentication and security, particularly for the online gaming community.
This is the first major finding of a collaborative project between Eindhoven University of Technology, Technische Universität Darmstadt, Katholieke Universiteit Leuven, and the Netherlands-based company Intrinsic-ID. Entitled ‘Physically unclonable functions found in standard PC components’ – or PUFFIN, for short – the project has a total budget of €1.3m and is due to continue until February 2015.
Project leader Professor Dr Tanja Lange, from the Department of Mathematics and Computer Science at Eindhoven University of Technology, spoke to ScienceOmega.com about the progress made by PUFFIN so far. She began by explaining the significance and usefulness of physically unclonable function (PUF) properties.
"This subject belongs to the area of user authentication, security and cryptography," Professor Lange said. "One common problem is that secrets can be copied or stolen, giving other users (willingly or unwillingly) the possibility to impersonate the legitimate user.
"People have tried to work around this problem by using external hardware such as security tokens or smart cards, and by using secrets that change over time, but it remains a problem that these secrets can be cloned. If you have a physical property that cannot be cloned then it removes those problems and offers completely new possibilities."
Researchers involved in the project have established that software can be used to detect minute and uncontrollable variations between GPUs. This silicon fingerprint can, it is hoped, be used to link a particular processor to a specific user account.
"The manufacturing differences between two graphics processors are on a scale that is an order of magnitude smaller than that which silicon processes can influence," revealed Professor Lange. "This means that no fab (semiconductor fabrication plant) in the world could produce a card that would have the same properties as a given one. By using these properties as a secret we have something at hand that cannot be copied or stolen."
The only way this security measure could be breached would be with a physical break-in in which the GPU was stolen.
So far, the team has found these properties only in graphics cards. Although previous research outside the project has detected PUFs in field-programmable gate arrays (FPGAs), this type of array is rarely found in computers or mobiles and therefore has limited usefulness.
"Searching for these properties is made harder by the way the devices are accessed by the operating system (OS)," stated Professor Lange. "We want to reach the uninitialized memory, while usually the OS and device drivers go through every possible effort not to expose you to those 'random' behaviours, making sure to zero the memory before you get to touch it. Of course, that behaviour is easy to predict and to replicate."
Professor Lange describes mobile phones as the team’s next target in the hunt for similar manufacturing differences.
"On test chips of the same type as those in mobile phones we can see some good properties, so we know that looking at that hardware is a move in the right direction. However, once we try to do the same on a mobile phone we're fought off by the OS protections. I don’t think this will stop us for long, though."
The recently announced finding, Professor Lange suggested, will be most applicable to online gaming, as GPUs are not typically a standard component outside the gaming community. As the recent trouble encountered by companies such as Blizzard Entertainment – makers of the ever-popular World of Warcraft series – goes to show, there is a significant market for user authentication.
Information from Battle.net accounts across the world, with the exception of China, was exposed when Blizzard’s network was hacked earlier this year. With the use of approaches like those being developed by the PUFFIN project, these attacks could be prevented.
"The idea is that when the gamer joins an online game he or she is asked for their usual credentials but also gives access to their GPU to authenticate their identity. If all these factors of authentication match the gamer gets to access their character. This would prevent the theft of characters while still allowing people to have multiple users on the PC."
Looking further ahead, the discovery of PUFs in a greater number of hardware devices could pave the way for hard disk encryption, as Professor Lange outlined. Because the devices contribute randomness, there is the added benefit for the user of not having to remember an extraordinarily long password.
"During the boot process the system talks to all attached devices – the central processing unit (CPU), random access memory (RAM) and GPU as well as any other cards attached – and combines them with user input to a secret key to decrypt the hard disk. If the disk is moved to a different PC (with the aim of stealing sensitive information in bulk, for example) or if someone replaces a part with a bugged one, it cannot decrypt because the other devices are not present or have changed."
Professor Lange described the next steps in the work she and her colleagues are carrying out.
"Part of the project is now busy analysing the data we get out of the graphics processors to see how many bits we can get and how we can 'clean' the measurement; because some bits flip randomly, we need to do some sort of noise reduction. Of course we're also looking into use cases for this."
Although they do not yet have a final product which can be distributed to entertainment software companies as a solution to all their information security concerns, the team continues to explore the possibilities for GPUs and other devices, most notably CPUs and mobile phones.
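The noise reduction and the boot-time disk key described above can be sketched as follows; this is an added example, not code from the PUFFIN project. The simulated devices, bit length, flip rate and read count are constructed assumptions, and per-bit majority voting is a simple stand-in for the error-correcting helper data that production PUF schemes typically use.

```python
import hashlib
import random

BITS = 128        # fingerprint length per device (assumed)
FLIP_RATE = 0.05  # assumed chance that a bit flips in a single measurement
READS = 31        # odd number of repeated measurements to vote over


class SimulatedDevice:
    """Constructed stand-in for a component with a noisy hardware fingerprint."""

    def __init__(self, seed):
        rng = random.Random(seed)
        self.true_bits = [rng.getrandbits(1) for _ in range(BITS)]
        self.noise = random.Random(seed * 7919 + 1)

    def measure(self):
        # Each read returns the fingerprint with some bits flipped at random.
        return [b ^ (self.noise.random() < FLIP_RATE) for b in self.true_bits]


def clean(device, reads=READS):
    """Noise reduction: per-bit majority vote over repeated measurements."""
    samples = [device.measure() for _ in range(reads)]
    return [int(sum(column) * 2 > reads) for column in zip(*samples)]


def disk_key(devices, passphrase):
    """Combine every device's cleaned fingerprint with user input into one key."""
    fingerprint = hashlib.sha256()
    for device in devices:
        fingerprint.update(bytes(clean(device)))
    # The hardware fingerprint acts as the salt; the passphrase is the user input.
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), fingerprint.digest(), 100_000
    )


if __name__ == "__main__":
    cpu, ram, gpu = SimulatedDevice(1), SimulatedDevice(2), SimulatedDevice(3)
    raw = gpu.measure()
    flipped = sum(a != b for a, b in zip(raw, gpu.true_bits))
    print("bits flipped in one raw read:", flipped)
    key = disk_key([cpu, ram, gpu], "constructed passphrase")
    print("same hardware, same key:",
          key == disk_key([cpu, ram, gpu], "constructed passphrase"))
    print("replaced GPU, same key:",
          key == disk_key([cpu, ram, SimulatedDevice(4)], "constructed passphrase"))
```
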