Biblio

Fault injection is a major threat to embedded system security since it can lead to modified control flows and leakage of critical security parameters, such as secret keys. However, injecting physical faults into devices is cumbersome and difficult since it requires a lot of preparation and manual inspection of the assembly instructions. Furthermore, a single fault injection method cannot cover all possible fault types. Simulating fault injection in comparison, is, in general, less costly, more time-efficient, and can cover a large amount of possible fault combinations. Hence, many different fault injection tools have been developed for this purpose. However, previous tools have several drawbacks since they target only individual architectures or cover merely a limited amount of the possible fault types for only specific memory types. In this paper, we present ARCHIE, a QEMU-based architecture-independent fault evaluation tool, that is able to simulate transient and permanent instruction and data faults in RAM, flash, and processor registers. ARCHIE supports dynamic code analysis and parallelized execution. It makes use of the Tiny Code Generator (TCG) plugin, which we extended with our fault plugin to enable read and write operations from and to guest memory. We demonstrate ARCHIE’s capabilities through automatic binary analysis of two exemplary applications, TinyAES and a secure bootloader, and validate our tool’s results in a laser fault injection experiment. We show that ARCHIE can be run both on a server with extensive resources and on a common laptop. ARCHIE can be applied to a wide range of use cases for analyzing and enhancing open source and proprietary firmware in white, grey, or black box tests.

The popularity of Unmanned Aerial Vehicles (UAV) or more commonly known as Drones is increasing recently. UAVs have tremendous potential in various industries, e.g., military, agriculture, transportation, movie, supply chain, and surveillance. UAVs are also popular among hobbyists for photography, racing, etc. Despite the possibilities, many UAV related security incidents are reported nowadays. UAVs can be targeted by malicious parties and if compromised, life-threatening activities can be performed using them. As a result, governments around the world have started to regulate the use of UAVs. We believe that UAVs need an intelligent and automated defense mechanism to ensure the safety of humans, properties, and the UAVs themselves. A major component where we can incorporate the defense mechanism is the operating system. In this paper, we investigate the security of existing operating systems used in consumer and commercial UAVs. We then survey various security issues of UAV operating systems and possible solutions. Finally, we discuss several research challenges for developing a secure operating system for UAVs.

Today, most embedded systems use Dynamic Voltage and Frequency Scaling (DVFS) to minimize energy consumption and maximize performance. The DVFS technique works by regulating the important parameters that govern the amount of energy consumed in a system, voltage and frequency. For the implementation of this technique, the operating system (OS) includes software applications that dynamically control a voltage regulator or a frequency regulator or both. In this paper, we demonstrate for the first time a malicious use of the frequency regulator against a TrustZone-enabled System-on-Chip (SoC). We demonstrate a use of frequency scaling to create covert channel in a TrustZone-enabled heterogeneous SoC. We present four proofs of concept to transfer sensitive data from a secure entity in the SoC to a non-secure one. The first proof of concept is from a secure ARM core to outside of SoC. The second is from a secure ARM core to a non-secure one. The third is from a non-trusted third party IP embedded in the programmable logic part of the SoC to a non-secure ARM core. And the last proof of concept is from a secure third party IP to a non-secure ARM core.

Near Field Communication (NFC) is a short- range wireless communication technology that supports several features, one of which is an electronic payment. NFC works at a limited distance to exchange information. In terms of security, NFC technology has a gap for attackers to carry out attacks by forwarding information illegally using the target NFC network. A relay attack that occurs due to the theft of some data by an attacker by utilizing close communication from NFC is one of them. Relay attacks can cause a lot of loss in terms of material sacrifice. It takes countermeasures to overcome the problem of electronic payments with NFC technology. Detection of anomalous data is one way that can be done. In an attack, several abnormalities can be detected which can be used to prevent an attack. Markov Chain is one method that can be used to detect relay attacks that occur in electronic payments using NFC. The result shows Markov chain can detect anomalies in relay attacks in the case of electronic payment.

Networks of and embedded (IoT) devices are becoming increasingly popular, particularly, in settings such as smart homes, factories and vehicles. These networks can include numerous (potentially diverse) devices that collectively perform certain tasks. In order to guarantee overall safety and privacy, especially in the face of remote exploits, software integrity of each device must be continuously assured. This can be achieved by Remote Attestation (RA) - a security service for reporting current software state of a remote and untrusted device. While RA of a single device is well understood, collective RA of large numbers of networked embedded devices poses new research challenges. In particular, unlike single-device RA, collective RA has not benefited from any systematic treatment. Thus, unsurprisingly, prior collective RA schemes are designed in an ad hoc fashion. Our work takes the first step toward systematic design of collective RA, in order to help place collective RA onto a solid ground and serve as a set of design guidelines for both researchers and practitioners. We explore the design space for collective RA and show how the notions of security and effectiveness can be formally defined according to a given application domain. We then present and evaluate a concrete collective RA scheme systematically designed to satisfy these goals.

Assuring integrity of information (e.g., data and/or software) is usually accomplished by cryptographic means, such as hash functions or message authentication codes (MACs). Computing such integrity-ensuring functions can be time-consuming if the amount of input data is large and/or the computing platform is weak. At the same time, in real-time or safety-critical settings, it is often impractical or even undesirable to guarantee atomicity of computing a time-consuming integrity-ensuring function. Meanwhile, standard correctness and security definitions of such functions assume that input data (regardless of its size) remains consistent throughout computation. However, temporal consistency may be lost if another process interrupts execution of an integrity-ensuring function and modifies portions of input that either or both: (1) were already processed, or (2) were not processed yet. Lack of temporal consistency might yield an integrity result that is non-sensical or simply incorrect. Such subtleties and discrepancies between (implicit) assumptions in definitions and implementations can be a source of inconsistenceies, which might lead to vulnerabilities. In this paper, we systematically explore the notion of temporal consistency of cryptographic integrity-ensuring functions. We show that its lack in implementations of such functions can lead to inconsistent results and security violations in protocols and systems using them, e.g., remote attestation, remote updates and secure resets. We consider several mechanisms that guarantee temporal consistency of implementations of integrity-ensuring functions in embedded systems with a focus on remote attestation. We also assess performance of proposed mechanisms on two commodity hardware platforms: I.MX6-SabreLite and ODROID-XU4.

Software attacks are commonly performed against embedded systems in order to access private data or to run restricted services. In this work, we demonstrate some vulnerabilities of commonly use processor which can be leveraged by hackers to attack a system. The targeted devices are based on open processor architectures OpenRISC and RISC-V. Several software exploits are discussed and demonstrated while a hardware countermeasure is proposed and validated on OpenRISC against Return Oriented Programming attack.

Network-connected embedded systems grow on a large scale as a critical part of Internet of Things, and these systems are under the risk of increasing malware. Anomaly-based detection methods can detect malware in embedded systems effectively and provide the advantage of detecting zero-day exploits relative to signature-based detection methods, but existing approaches incur significant performance overheads and are susceptible to mimicry attacks. In this article, we present a formal runtime security model that defines the normal system behavior including execution sequence and execution timing. The anomaly detection method in this article utilizes on-chip hardware to non-intrusively monitor system execution through trace port of the processor and detect malicious activity at runtime. We further analyze the properties of the timing distribution for control flow events, and select subset of monitoring targets by three selection metrics to meet hardware constraint. The designed detection method is evaluated by a network-connected pacemaker benchmark prototyped in FPGA and simulated in SystemC, with several mimicry attacks implemented at different levels. The resulting detection rate and false positive rate considering constraints on the number of monitored events supported in the on-chip hardware demonstrate good performance of our approach.

Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. However, they are vulnerable to runtime attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive runtime remote attestation, we present the design and implementation of Control-FLow ATtestation (C-FLAT) that enables remote attestation of an application's control-flow path, without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application, and demonstrate its efficacy against control-flow hijacking attacks.

In-vehicle network security is becoming a major concern for the automotive industry. Although there is significant research done in this area, there is still a significant gap between research and what is actually applied in practice. Controller area network (CAN) gains the most concern of community but little attention is given to FlexRay. Many signs indicate the approaching end of CAN usage and starting with other promising technologies. FlexRay is considered one of the main players in the near future. We believe that migration era is near enough to change our mindset in order to supply industry with complete and mature security proposals with FlexRay. This changing mindset is important to fix the lagging issue appeared in CAN between research and industry. Then, we provide a complete migration of CAN authentication protocol towards FlexRay shows the availability of the protocol over different technologies.

Security issues in computer networks have focused on attacks on end systems and the control plane. An entirely new class of emerging network attacks aims at the data plane of the network. Data plane forwarding in network routers has traditionally been implemented with custom-logic hardware, but recent router designs increasingly use software-programmable network processors for packet forwarding. These general-purpose processing devices exhibit software vulnerabilities and are susceptible to attacks. We demonstrate-to our knowledge the first-practical attack that exploits a vulnerability in packet processing software to launch a devastating denial-of-service attack from within the network infrastructure. This attack uses only a single attack packet to consume the full link bandwidth of the router's outgoing link. We also present a hardware-based defense mechanism that can detect situations where malicious packets try to change the operation of the network processor. Using a hardware monitor, our NetFPGA-based prototype system checks every instruction executed by the network processor and can detect deviations from correct processing within four clock cycles. A recovery system can restore the network processor to a safe state within six cycles. This high-speed detection and recovery system can ensure that network processors can be protected effectively and efficiently from this new class of attacks.