Introduction to Embedded System Security
To learn the ABCs of embedded system security
Adel Barkam, Mohammad BaqeriKashani
October 2015
Micro Processor Course / SRTTU
05/02/2023 Introduction to Embedded System Security 2
Our resources (books & papers):
1- M. Tehranipoor and C. Wang, Introduction to Hardware Security and Trust, Springer, 2011
2- Alexander Biedermann and H. Gregor Molter (Eds.), Design Methodologies for Secure Embedded Systems, Springer, 2010
3- Catherine H. Gebotys, Security in Embedded Devices, Springer, 2011
4- David Kleidermacher, Mike Kleidermacher, Introduction to Embedded System Security, Elsevier, 2012
5- Hajimohseni Sadegh, A Study on HT Design and Detection Methods, Shahed University, 2013
6- Keith E. Mayes and Konstantinos Markantonakis, Smart Cards, Tokens, Security and Applications, Springer, 2012
7- …
Overview:
- What is an embedded system?
- Examples of ES
- What is embedded system security?
- Embedded System Security vs. Hardware Security
- Why Embedded System Security?
- Attacks on embedded systems
- Embedded Software Attacks
- Embedded software
- Firmware vs. OS
- Embedded Hardware Attacks
- Types of Hardware Attacks
- Probing Attacks
- Side-Channel Attacks
- Types of Side-Channel Attacks
- Power Analysis
- Simple Power Analysis (SPA)
- Differential Power Analysis (DPA)
- Electromagnetic Analysis
- Timing Analysis
- Fault induction
- Methods of Fault induction
- Any Question?
- Case Study for the interested
- Our mission
- The end.
What is an embedded system?
An embedded system is an electronic product that contains a microprocessor (one or more) and software to perform some constituent function within a larger entity.
Any definition must be augmented with examples. Embedded system examples range widely, from an RFID tag to a satellite!
In aircraft:
- traffic collision avoidance system (TCAS)
- communication, navigation, and surveillance system (CNS)
- electronic flight bag system (EFB)
In automobiles:
- infotainment “head-unit”
- antilock braking system
- powertrain engine control unit
- digital instrument cluster, and ...
Network devices: Switch, Router, Access Point, ...
Some devices:
- WSN
- Cell phones
- PDAs
- Smart cards
- Household appliances
- Digital cameras, ...
What is embedded system security?
Security: Security is the ability of an entity to protect resources for which it bears protection responsibility.
Embedded system security: Embedded system security is the ability of an embedded system to protect resources for which it bears protection responsibility.
Why embedded system security?
“September 2007, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of Syrian radar, supposedly state of the art, to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare and not just any kind. Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar”
Source: IEEE Spectrum, 2007.
Why embedded system security?
A hidden 'back door' in a computer chip could allow cyber-criminals a way to override and control computer systems on Boeing 787s
-- dailymail.co.uk, 30th May 2012
Computer Chip in a Commercial Jet Compromised
Why embedded system security?
- The Stuxnet worm is likely the first malware to directly target embedded process control systems.
- Stuxnet infiltrated Siemens process control systems at nuclear plants by first subverting the Microsoft Windows workstations operators use to configure and monitor the embedded control electronics
- SCADA networks are controlled by common PCs
Attacks on Embedded Systems
Types of Embedded System Attack
- Embedded Software Attack
- Embedded Hardware Attack
What is Embedded Software?
Embedded software is computer software, written to control machines or devices.
Embedded software components:
- Firmware
- OS
- Program or script
Firmware vs. OS
Firmware:
- For any device (printer, scanner, digital camera, etc.) to start running, it must have an initial program to run when it is powered up/booted.
- It is also called the bootstrap program or BIOS.
- It is stored in ROM (a non-volatile memory whose contents are permanent).
- Firmware locates the operating system's kernel and loads it into primary memory (RAM) at startup.
- Assembly or C/C++.
Operating System:
- A complete software stack that manages the embedded device's hardware and sets up an environment for the applications to run. In other words, an operating system performs the designated task of the device.
- The kernel is at the bottom of this software stack and keeps running as long as the device is up and running.
- When I say the operating system manages the hardware, it is actually the kernel that manages any requests to hardware resources (CPU, memory, input, output).
Embedded OS
- There are many embedded OSes, typically real-time operating systems (RTOS).
- From LynxOS, VxWorks, BeRTOS, ThreadX, to Windows CE or Linux (with patched kernel).
- Other OSes: OpenWrt, PikeOS, eCos, Fusion RTOS, Nucleus RTOS, RTEMS, INTEGRITY, uC/OS, QNX, FreeBSD, TinyOS, and OSE.
Embedded Software Attacks
The software in an embedded system is a source of security vulnerability.
Firmware or OS vulnerabilities.
Three factors that create security risks in software:
- Complexity
- Extensibility
- Connectivity
Embedded Software Attacks
Complexity
- Software is complicated
- More lines of code
  ▪ Increases possibility of bugs and security vulnerabilities
- Unsafe programming languages being used
- C and C++ are most common
Embedded Software Attacks
Extensibility
- Modern software systems are designed to be extended
- Updates
- Extensions
- Loadable device drivers and modules
Embedded Software Attacks
Connectivity
- Embedded systems are being connected to the Internet
- Possible for small failures to occur, leading to security breaches
- Attacker no longer needs physical access to the system
  ▪ Use a series of automated attacks
Hardware Attacks
- Monitoring attack
- Manipulation attack
- Substitution attack
- Replay attack
- Modification attack
- Spoofing attack
Probing Attacks
- Eavesdropping: use of probes to eavesdrop on inter-component communications
- Micro-probing: use normal communication interface and abuse security vulnerabilities
Probing Attacks
- De-packaging is done by using fuming acid
[Figure: A Smart Card Chip Surface with Readily Identifiable Features]
Probing Attacks
- Once de-packaged, the next step is layout reconstruction
- During reconstruction, the internals of the chip can be inferred
- Micro-probing can be used to observe values on buses
Probing Attacks
- Reverse engineering can target the internal design.
- An attacker can find potential weaknesses in the chip.
- In modern smart cards, various features used to inhibit reverse engineering are implemented using glue logic.
Side-Channel Attacks
- Classic cryptography views security problems as mathematical abstractions
- Recently, many security protocols have been attacked through physical attacks
- These exploit weaknesses in the hardware implementation of the cryptographic system, aiming to recover the secret parameters
- Modern cryptography is based on Kerckhoffs's assumption -> all of the data required to operate a chip is entirely hidden in the key
Side-Channel Attacks
A side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem (embedded system).
Side-Channel Emissions
- Power Consumption: Logic circuits typically consume differing amounts of power based on their input data.
- Electro-Magnetic: EM emissions, particularly via near-field inductive and capacitive coupling, can also modulate other signals on the die.
- Optical: The optical properties of silicon can be modulated by altering the voltage or current in the silicon.
- Timing and Delay: Timing attacks exploit data-dependent differences in calculation time in cryptographic algorithms.
- Acoustic: The acoustic emissions are the result of the piezoelectric properties of ceramic capacitors
Types of Side-Channel Attack
- Simple side-channel attacks: directly map the results from a small number of traces of the side channel to the operation of the DUA
- Differential side-channel attacks: exploit the correlation between the data values being processed and the side-channel leakage
- Template side-channel attacks
Power Analysis Attack
- The attacker studies the power consumption of a cryptographic hardware device (such as a smart card, tamper-resistant "black box", or integrated circuit).
Simple Power Analysis
- Variations in power consumption occur as the device performs different operations.
- Different instructions performed by a microprocessor will have differing power consumption.
- As a result, in a power trace from a smart card performing a DES encryption, the sixteen rounds can be seen clearly.
* DES Basic Structure
• Input: 64 bits (a block)
• Li/Ri – left/right half of the input block for iteration i (32 bits) – subject to substitution S and permutation P (cf. Fig 2-8 – text)
• K – user-supplied key
• Ki – round key:
  – 56 bits used + 8 unused (unused for E but often used for error checking)
• Output: 64 bits (a block)
• Note: Ri becomes L(i+1)
• All basic ops are simple logical ops
  – Left shift / XOR
[Fig. – cf. J. Leiwo: Input, Input Permutation, L0/R0, rounds with S, P and round keys K1 … K16, L1/R1 … L16/R16, Final Permutation, Output]
Example 1 - SPA on DES (cont’d)
- The upper trace – entire encryption, including the initial phase, 16 DES rounds, and the initial permutation
- The lower trace – detailed view of the second and third rounds
Example 2 - SPA on RSA
- Similarly, squaring and multiplication operations in RSA implementations can often be distinguished, enabling an adversary to compute the secret key.
- Even if the magnitude of the variations in power consumption is small, standard digital oscilloscopes can easily show the data-induced variations.
- In this example of RSA in a smart card, the key is: 00 111
Differential Power Analysis
- A side-channel attack which involves statistically analyzing power consumption.
- The attack exploits biases in the varying power consumption of microprocessors while performing operations using secret keys.
- DPA attacks have signal processing and error correction properties which can extract secrets from measurements.
DPA Phases
- Step 1 - data collection:
- Step 2 - data analysis:
Electro-Magnetic Analysis
Timing Analysis
- Developers are greatly interested in reducing the time of the implementation
- Running time of a crypto processor can be used as an information channel
- The idea was proposed by Kocher
- These kinds of attacks generally require a large number of timing samples.
Timing Analysis
- Statistical analysis
- Time of encrypting data processing
- SNR will be effective in successfully
- These probabilities are then used to guess a key.
Timing Analysis
- Example of timing analysis for RSA decryption, following Kocher’s observation
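
The SPA-on-RSA slide and the timing slides above rest on the same property: in a naive square-and-multiply exponentiation, the sequence of operations depends on the key bits. The C sketch below is an added example, not part of the original slides; it records that sequence for the naive routine and for a Montgomery ladder, a standard countermeasure the slides do not name. The base 5, the modulus 1000003 and the function names are constructed for illustration, and the exponent 00111 is the bit pattern shown on the SPA slide, read here as a toy 5-bit exponent (an assumption).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy modular multiply for moduli below 2^32. Its % is not constant-time on
 * many CPUs; this sketch models only the sequence of square/multiply steps. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

/* Left-to-right square-and-multiply: the multiply runs only for 1-bits, so the
 * recorded trace ('S' = square, 'M' = multiply) spells out the exponent. */
uint64_t modexp_sqmul(uint64_t base, uint32_t exp, int nbits, uint64_t n, char *trace)
{
    uint64_t r = 1 % n, t = 0;
    for (int i = nbits - 1; i >= 0; i--) {
        r = mulmod(r, r, n); trace[t++] = 'S';
        if ((exp >> i) & 1) { r = mulmod(r, base, n); trace[t++] = 'M'; }
    }
    trace[t] = '\0';
    return r;
}

static void cswap(uint64_t *a, uint64_t *b, uint64_t bit) /* swap iff bit == 1, no branch */
{
    uint64_t x = (*a ^ *b) & ((uint64_t)0 - bit);
    *a ^= x; *b ^= x;
}

/* Montgomery ladder: one multiply and one square per bit, whatever its value. */
uint64_t modexp_ladder(uint64_t base, uint32_t exp, int nbits, uint64_t n, char *trace)
{
    uint64_t r0 = 1 % n, r1 = base % n, t = 0;
    for (int i = nbits - 1; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, n); trace[t++] = 'M';
        r0 = mulmod(r0, r0, n); trace[t++] = 'S';
        cswap(&r0, &r1, bit);
    }
    trace[t] = '\0';
    return r0;
}

int main(void)
{
    char a[32], b[32];                      /* constructed toy values below */
    modexp_sqmul(5, 0x07, 5, 1000003, a);   /* exponent bits 00111 */
    modexp_ladder(5, 0x07, 5, 1000003, b);
    printf("square-and-multiply: %s\nladder:              %s\n", a, b);
    return 0;
}
```

In the naive trace each S followed by M marks a 1-bit and each lone S a 0-bit, while the ladder's trace is identical for every exponent of the same length. A production implementation also needs a constant-time multiplier underneath the ladder.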
Fault Induction
- Mess with environmental conditions to induce a fault in execution; e.g.,
  ▪ clock frequency
  ▪ voltage
  ▪ temperature
- May require de-packaging, but is not always tamper-evident
Methods for Fault Injections
- Card Tears
- Physical
  ▪ putting a 0 or 1 on a databus line
- Glitching (late 1990s)
  ▪ causing one or more flipflops or instruction jumps
  ▪ affect EEPROM & ROM
Goals of Fault Induction
- Insert computational fault
- Null key (exploiting two keys being combined in the wrong way)
- Wrong crypto result (Differential Fault Analysis – DFA)
Any Question?
We are able to respond to you!
Case Study for the interested
- FPGA security
- IP protection
- BBP security
- JTAG security, USB security
- Hardware trojan
- IC security & Trust
- …
Our Mission . . .
- Research on these subjects
- Training on these subjects
- Formation of an embedded security team at SRTTU
>> See Hacking with Heat!!!
The End
Hoping for a secure world