Securing Critical Infrastructures

PhD Candidate: Alberto Carelli (241776) XXXII Cycle

Advisor: Prof. Stefano Di Carlo

PhD Thesis Defense – September 3rd 2020
Politecnico di Torino - Dipartimento di Automatica e Informatica

OUTLINE

Introduction & Core Concepts

Motivations & Goal of the research

Contributions

Conclusions


INTRODUCTION
Definitions - Critical Infrastructures

Critical Infrastructures (CIs):

“Infrastructures whose incorrect functioning may negatively affect a subject/group with economic losses and exposure of people to safety and security risk.” [1]

However, no general definition, but several:
• Italy [2], Europe [3], United Kingdom [4], United States [5]

INTRODUCTION
Definitions - Critical Infrastructures

CIs: Public/Private companies of 16 Sectors*

• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare, Public Health
• Information Technology
• Nuclear Reactors, Materials, Waste
• Transportation Systems
• Water, Wastewater Systems

*according to U.S. President’s PPD-21, the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA)

INTRODUCTION
Definitions - Cyber-Physical Systems

CIs are based on Cyber-Physical Systems (CPS): “physical and engineered systems whose operations are monitored, coordinated, controlled and integrated by a computing and communication core”. [1]

[Figure: control loop with Sensors, Data, Control, Commands, Actuators]

INTRODUCTION
Definitions - Cyber-Physical Systems

Characteristics of CPSs:
• Architecture: Distributed
• Components:
  ⁃ IT (Information Technology) + OT (Operational Technology)
  ⁃ Both infrastructures IT & OT are linked to each other
• Technologies:
  • ICS – Industrial Control Systems
  • SCADA – Supervisory Control and Data Acquisition
  • DCS – Distributed Control Systems
  • IIoT/IoT – (Industrial) Internet of Things
  • PLC – Programmable Logic Controllers
  • WSN – Wireless Sensor Networks
  • CNC – Computer Numeric Control
  • …

INTRODUCTION
Definitions – Information Security

C.I.A. Triad

• Confidentiality: Protection of sensitive information from unauthorized third parties
• Integrity: Protection of information from unauthorized or unwanted alterations
• Availability: Ability to readily use information (or a system)

+ Non-Repudiation
+ Authentication
+ Authorization
+ …

MOTIVATIONS
Cyber Attacks

Source: https://ioactive.com
Source: https://www.wired.com/story/ekans-ransomware-industrial-control-systems/
Source: https://www.reuters.com/article/us-ukraine-cyber-attack-energy/ukraines-power-outage-was-a-cyber-attack-ukrenergo-idUSKBN1521BA
Source: https://ics-cert.kaspersky.com/news/2020/04/29/israel-water-cyberattacks/

MOTIVATIONS
Cyber Attacks
ICS Cyber Attacks

Source: Kaspersky ICS CERT Reports / Threat landscape for industrial automation systems. Ransomware and other malware: key events of H2 2019
Source: Noguchi M. et al., NEC Technology Journal, 2017

GOAL
Target of PhD

[Carelli2020] Carelli, A., ‘‘Securing Critical Infrastructures’’, 2020

{Target} To provide mechanisms and techniques to improve the cybersecurity of Critical Infrastructures

STATE OF THE ART
Approaches to Security

Traditional:
• Isolated & air-gapped Systems [6] [7] [8] [9]
• Security-through-obscurity [6] [7] [10]
Modern:
• Cyber-Security Frameworks [11]
• National Strategy [12][13]
• Security Advisories from ICS-CERT [14][15]
• Monitoring & Auditing [10]

CHALLENGES
Issues

Challenges in securing CIs
• Complexity → difficult to «secure» as a whole
• Interdependence → damage propagates
• Legacy → old systems
• Heterogeneity → many forms of security

GOAL
How to achieve?

C.I.A. Triad
CIA triad is mapped on information systems, composed of:
• Hardware
• Communication

Focus on the security of these components


Securing Critical Infrastructures

Contribution: Mitigation against Microarch. SCA

CONTRIBUTION

C.I.A. Triad
CIA triad is mapped on information systems, composed of:
• Hardware
• Software
• Communication

Focus on the security of these components
Microprocessors are at the base of every system
#CPU #Microarchitecture #SideChannelAttacks

INTRODUCTION
Side-Channel Information

[Figure: side-channel information, with the callout “Exploit this information”]

Types of information leaked:
- Intended disclosure (Memory Footprint, PMCs, …)
- Unintended disclosure (Power, Timing, EM, …)

Categories of Side-Channel Attacks (SCA)*:
- Active vs Passive
- Invasive vs Semi-Invasive vs Non-Invasive
- Remote vs Near

SCA = Sampling phase + Analysis phase

*Taxonomies/Survey: [16][17][18]

SIDE-CHANNEL ATTACKS
State-of-the-Art

Attack Target → Secrets, i.e., cryptographic keys - or:
- Existing Security Mechanism (bypass kernel ASLR [19])
- Discovery (detecting crypto libs [20])
- User (keylogging [21])
- Denial-of-Service (DoS) [22]

Attack Surface → CPU Microarchitecture*
- Cache memories [25][26]
- Translation Lookaside Buffer (TLB) Attacks [27]
- Branch Target Buffer (BTB) Attacks [28][29]

*Survey: [23][24]

SIDE-CHANNEL ATTACKS
Measuring Leakage

Performance Monitor Counters (PMCs):

Hardware registers used to store the counts of specific events that occurred. Usually employed to measure a behavior for performance/debug/test purposes.

However, PMCs might be considered a source of leak [30]

TARGET
What is the relation between safety and security of CPS?

Safety and security must be taken into account to prevent misbehavior leading to catastrophic consequences.

In modern microprocessors the usage of Performance Monitor Counters (PMCs):
✚ Helps to detect abnormal behavior
⁃ Introduces security vulnerability

We want to protect PMCs from security attacks without compromising safety

CPS ARCHITECTURE
The nodes

[Figure: nodes Node 0 … Node N. Labels inside a node: Applications (Tasks, Safety tasks); Operating System Services (PMC Service, Encryption Service, KEY); Sensors & Actuators; uProcessor with Performance Monitor Counters]

SAFETY
Safety Technique

Safety mechanism

Safety is guaranteed through PMCs, e.g. [31]

1) Off-line phase: PMCs profiling
2) On-line phase: PMCs monitoring

Two PMCs are considered:
• CCC (Clock Cycle Counter) → deadline check
• DCM (L1 Data Cache Miss) → abnormal behavior

SAFETY TECHNIQUE
Detecting deadline misses

Off-line phase: PMCs profiling

• Profile each application to collect PMC values related to their execution time
• Define 2 thresholds related to the CDF in order to decide when the execution of an application is safe or critical:
  ⁃ Warning Threshold - WTH
  ⁃ Critical Threshold - CTH

What is the probability the execution time of the application is lower than t?

$P(X > W_{TH}) < C_W \rightarrow F_X(W_{TH}) > 1 - C_W$
$P(X > C_{TH}) < C_C \rightarrow F_X(C_{TH}) > 1 - C_C$

[Figure: Cumulative Distribution Function (CDF) of the execution time of an application, with WTH, CTH, CW and CC marked]

SAFETY TECHNIQUE
Detecting deadline misses

On-line phase: PMCs monitoring

• Decide if the execution of an application is critical or not critical
  ⁃ Critical Area: when the execution time of an application exceeds CTH, it is classified as critical
• Decide if the execution of an application is safe or potentially critical
  ⁃ Safe Area: when the execution time of an application is lower than WTH, it is classified as safe
  ⁃ Warning Area: when the execution time of an application is between WTH and CTH, it is classified as potentially critical
• If the application is classified as potentially critical for α times consecutively, the application is classified as critical

SECURITY ATTACK
Cache-Timing Attack

Security attack

Side-channel attack
• Based on PMCs
• Aims at discovering AES encryption key [32]

We assume that the attacker can:
• inject malicious tasks in a node
• probe PMCs and trigger the encryption process

[Figure: node architecture with a Malicious task among the Applications, next to the Tasks and Safety tasks]

SECURITY ATTACK
Cache-Timing Attack

Cache-Timing Attack
AES Algorithm: It uses S-Box containing pre-computed values
S-Box: Table of values, stored in memory

Data Lookup (measured with PMCs):
• If data stored in memory → Cache Hit (Fast)
• If data NOT stored in memory → Cache Miss (Slow)

Cache collision: a couple of different lookups target the SAME cache line
Record timing information for (many!) different ciphertexts

ATTACK MITIGATION
General Strategy

Solution: Poison the values of PMCs to neutralize the attack

[Figure: node architecture in which both the Safety tasks and the Malicious task read the PMC Service]

The safety task will be affected by the poisoning too, thus it might fail!

ATTACK MITIGATION
General Strategy

On-line phase: PMCs monitoring

Both Safety task and malicious task monitor PMCs. As countermeasure for the attack, the PMC value is altered:

$PMC' = cf(PMC)$

cf is the Corruption Function

cf ?
• Fixed value alteration
• Random value alteration
• Localized alteration

ATTACK MITIGATION
Random Value Alteration

On-line phase: PMCs monitoring

cf is the Corruption Function

$PMC' = cf(PMC) = PMC + c$

Random value alteration:

$c = U(0, s \times (W_{TH} - \mu)/2)$

• s is a scaling factor
• µ is the average of PMC value

[Figure: distribution of the PMC value with µ, WTH and CTH marked]

EXPERIMENTAL RESULTS
Random Value Alteration - Results

Evaluation of attack mitigation: Random Value Alteration strategy

Target → Evaluate & Quantify
• impact on safety domain: check Clock Cycle Counter behavior of task (7 applications from MiBench [*]: cjpeg, djpeg, fft, qsort, susan smoothing, susan edges and susan corners)
• impact on security domain: check if attack complexity increases

Setup:
• HW: Intel Core i7 QM720 @1.6 GHz (Q3’09)
• SW: Linux-like O.S. with additional modules implemented (PMC Read & AES-Encryption)
• Safety: CW = 5% and CC = 0.6% (100K samples, repeated 1,000 times for each app.)
• Security: Online attack

[*] M.R. Guthaus et al., IEEE-WWC-4, 2001
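The off-line profiling, on-line classification and random value alteration described above, put together as an added example (not code from the thesis or its prototype). CW, CC, α and the range of s are the values on the slides; the CCC readings are constructed Gaussian samples, all function and class names are hypothetical, and resetting the warning count after a critical verdict is an assumption.

```python
import random
from bisect import bisect_right

# Values taken from the slides: CW = 5%, CC = 0.6%, alpha = 3.
CW, CC, ALPHA = 0.05, 0.006, 3


def threshold(sorted_xs, p):
    """Smallest profiled value t with P(X > t) < p, i.e. F_X(t) > 1 - p."""
    n = len(sorted_xs)
    for t in sorted_xs:
        if (n - bisect_right(sorted_xs, t)) / n < p:
            return t
    return sorted_xs[-1]


def profile(samples, cw=CW, cc=CC):
    """Off-line phase: mean, WTH and CTH from the empirical CDF of the CCC."""
    xs = sorted(samples)
    return sum(xs) / len(xs), threshold(xs, cw), threshold(xs, cc)


class SafetyMonitor:
    """On-line phase: classify each execution from its CCC reading."""

    def __init__(self, wth, cth, alpha=ALPHA):
        self.wth, self.cth, self.alpha = wth, cth, alpha
        self.streak = 0  # consecutive "potentially critical" executions

    def classify(self, ccc):
        if ccc > self.cth:
            self.streak = 0  # assumption: a critical verdict restarts the count
            return "critical"
        if ccc < self.wth:
            self.streak = 0
            return "safe"
        self.streak += 1
        if self.streak >= self.alpha:  # alpha warnings in a row escalate
            self.streak = 0
            return "critical"
        return "warning"


def random_alteration(pmc, mu, wth, s, rng):
    """cf(PMC) = PMC + c, with c drawn from U(0, s * (WTH - mu) / 2)."""
    return pmc + rng.uniform(0.0, s * (wth - mu) / 2.0)


def misclassified_as_critical(runs, mu, wth, cth, s, seed=1):
    """Share of runs flagged critical only because the reading was altered."""
    rng = random.Random(seed)
    clean, poisoned = SafetyMonitor(wth, cth), SafetyMonitor(wth, cth)
    wrong = 0
    for ccc in runs:
        truth = clean.classify(ccc)
        seen = poisoned.classify(random_alteration(ccc, mu, wth, s, rng))
        wrong += (seen == "critical" and truth != "critical")
    return wrong / len(runs)


def constructed_ccc(n, seed):
    """Constructed sample data: CCC readings of one task, roughly Gaussian."""
    rng = random.Random(seed)
    return [rng.gauss(1_000_000, 20_000) for _ in range(n)]


if __name__ == "__main__":
    mu, wth, cth = profile(constructed_ccc(20_000, seed=7))
    runs = constructed_ccc(20_000, seed=8)
    print(f"mu={mu:.0f} WTH={wth:.0f} CTH={cth:.0f}")
    for s in (0.0, 0.2, 0.4, 0.6, 0.8):
        rate = misclassified_as_critical(runs, mu, wth, cth, s)
        print(f"s={s:.1f}: {100 * rate:.3f}% misclassified as critical")
```

Because c is never negative, the alteration can only push a reading towards the warning and critical areas, which is why the safety cost grows with s.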

EXPERIMENTAL RESULTS

[Figure: Task (%) misclassified as critical, scaling factor s ranging from 0.2 to 0.8 and α=3; series s-0.2, s-0.4, s-0.6, s-0.8; benchmarks enc, fft, cjpeg, djpeg, qsort, corn, edges, smooth, avg]

With increasing values of the scaling factor s, the percentage of misclassified executions increases

EXPERIMENTAL RESULTS

[Figure: Task (%) misclassified (Wrn and Err), scaling factor s ranging from 0.2 to 0.8 and α=3; series s-0.2, s-0.4, s-0.6, s-0.8; benchmarks enc, fft, cjpeg, djpeg, qsort, corn, edges, smooth, avg]

The increase of Err and Wrn depends on the CDF of each benchmark

EXPERIMENTAL RESULTS
Random Value Alteration – Results from Security perspective

SAMPLES NEEDED TO RECOVER THE KEY

Protection      Samples (millions)
No protection   65
s=0.2           163 (~2.5x)
s=0.4           204 (~3.1x)
s > 0.4         NOT FOUND

EXPERIMENTAL RESULTS
Random Value Alteration – Results from Security perspective

What about the Data Cache Miss (DCM) counter?

[Figure: DCM, samples to recover the key]

Huge amount of alteration → Key is still found more easily

DCM are less “noisy” compared to CCC → Key is found more easily

ATTACK MITIGATION
Localized Alteration

On-line phase: PMCs monitoring

cf is the Corruption Function

$PMC' = cf(PMC) = U(\mu + \epsilon, ub)$

Localized alteration: alter PMC readings falling into the “Collision Area” ONLY

$PMC' = U(\mu + \epsilon, ub)$ for $MIN \le PMC \le Coll_{TH}$

[Figure: distribution of the PMC value with µ and ub marked]

EXPERIMENTAL RESULTS
Localized Alteration – Results from Security perspective

Results – Samples needed to recover the Key

[Figure: samples needed to recover the key against Samples altered [%], panels CCC and DCM]

EXPERIMENTAL RESULTS
Localized Alteration – Safety Results

[Figure: Misclassifications [%] (from Safe to Critical area) (DCM)]

REMARKS
First Contribution - Final remarks

• Interplay between safety and security aspects in the design of a CPS
• The PMCs play a double role:
  ⁃ on the one hand they are employed for a safety mechanism
  ⁃ on the other hand, they can be exploited as a security vulnerability
• Two attack mitigation strategies proposed

This work has been published:

A. Carelli, A. Vallero, S. Di Carlo, Shielding Performance Monitor Counters: a double edged weapon for safety and security. IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS) 2018, Platja d'Aro, Spain, July 2nd - 4th, 2018.

A. Carelli, A. Vallero, S. Di Carlo, Performance Monitor Counters: Interplay Between Safety and Security in Complex Cyber-Physical Systems. IEEE Transactions on Device and Materials Reliability, vol. 19, no. 1, pp. 73-83, March 2019.


Securing Critical Infrastructures

Contribution: Secure Bitstream Deployment

CONTRIBUTION

C.I.A. Triad
CIA triad is mapped on information systems, composed of:
• Hardware
• Software
• Communication

Focus on the security of these components
Applications for Reconfigurable Heterogeneous Systems
#FPGA #Flexibility #AppDeployment #SecureProtocol

INTRODUCTION
Heterogeneous Computing

• Systems are becoming “more intelligent” [*]:
  ⁃ Equipped with embedded sensors to ease some tasks
  ⁃ Many apps exploiting several different resources
• Heterogeneous Computing (HC) architectures arise:
  ⁃ CPU supported by DSP, GPGPU, ASIC, FPGA
  ⁃ FPGAs are valuable alternative compared to GPUs (lower power consumption)

[*] www.eetimes.com/author.asp?section_id=36&doc_id=1331184

INTRODUCTION
New application model

Applications are assumed to be composed of two parts:
• SW: Software Application (software executable code)
• BS: IP Core for acceleration (FPGA bitstream file)

[Figure: App (SW + BS) on a Heterogeneous System with CPU, FPGA and Conf. Manager; the FPGA side is labelled Hardware Accelerator Platform (HAP)]

TARGET
Security concerns

FPGA Bitstream

• Confidentiality
• Integrity
• Authenticity

SCENARIO
Existing Scenario

[Figure: labels Hardware Vendor (designer), Software Provider, End User, App (SW + BS), table of KHAP , idHAP …, Heterogeneous System with CPU, FPGA, Conf. Manager, KHAP and idHAP, attackers MITM and MATE]

• BS Confidentiality
  ⁃ [32] [33]
• BS Integrity & Authenticity
  ⁃ [34] [33]

MITM: man in the middle
MATE: man at the end

MODEL
Involved Entities

• End User
• Software Provider
• Hardware Vendor

BITSTREAM DEPLOYMENT FLOW
Simple Scenario

[Figure: flow between End User, Software Provider and Hardware Vendor. Labels: Session Key (twice), idHAP, BS, table of KHAP , idHAP …, App (SW + BS); Host CPU: Untrusted area; FPGA HAP with KHAP and idHAP: Trusted area]

In order to preserve bitstream integrity and authenticity, at every step digest/signature is added and verified

LIMITATIONS

Drawbacks:
1. Trust
2. Many different HWVs
3. Overhead

Employ Direct Anonymous Attestation (DAA) protocol [35]
It guarantees:
• BS Integrity
• BS Authenticity
• BS Confidentiality
• Legitimate EU

It has been standardized by the Trusted Computing Group (TCG) and it is available in the Trusted Platform Module (TPM) since version 1.2. It is also employed in Intel processors as Enhanced Privacy ID – EPID.

BITSTREAM DEPLOYMENT FLOW
Advanced Scenario

[Figure: flow between End User, Software Provider and Hardware Vendor. Labels: Session Key (twice), idHAP, App (SW + BS), table of KHAP , idHAP …, DAA Verifier, DAA Issuer; Host CPU: Untrusted area; FPGA HAP with KHAP and idHAP: Trusted area]

DAA steps shown in the flow:
0. DAA Setup
1. DAA Join
2. DAA Sign
3. DAA Verify

PROPOSED SOLUTION
Heterogeneous System

[Figure: End User and Heterogeneous Device with Storage; Host CPU (Untrusted area) with Controls, Bitstream and Data I/O; Hardware acceleration platform (HAP) (Trusted area) with FPGA, Configuration manager, KHAP and idHAP]

Trusted area:
• Considered safe
• Only physical attacks are possible

PROTOTYPE
Prototyping board

[Figure: prototyping board with Power supply & USB Host interface, SEcube™ Chip (HAP), µSD card reader]

PROTOTYPE
System structure

[Figure: Heterogeneous System with a Host (Python Client/Server Processes for End user, Software Provider and Hardware Vendor; Storage) connected over USB to the SEcube™ DevBoard with the SEcube™ Chip (HAP)]

• Host: executes software to communicate with SEcube™ open-source firmware
• AES256-CBC for Confidentiality, SHA256 for Integrity & Authenticity

REMARKS

• Architecture for secure transfer of FPGA bitstream in a Heterogeneous Computing context
• The proposed architecture guarantees:
  ⁃ That only users purchasing a legitimate copy of an application can use the related bitstream
  ⁃ Integrity, confidentiality and authenticity of the bitstream is guaranteed against MITM and MATE attackers
• Simple Scenario requires (TRUST) agreements between the Software Provider and Hardware Vendor that must be able to access the bitstream in plaintext
• Advanced Scenario enhances the proposed protocol avoiding this requirement by employing DAA scheme

This work has been published:

A. Carelli, C. A. Cristofanini, A. Vallero, C. Basile, P. Prinetto, S. Di Carlo, “Securing bitstream integrity, confidentiality and authenticity in reconfigurable mobile heterogeneous systems”. IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR) 2018, Cluj-Napoca, Romania, May 24-26, 2018

A. Carelli, C. Basile, A. Savino, A. Vallero, S. Di Carlo, “Securing Soft IP Cores in FPGA based Reconfigurable Mobile Heterogeneous Systems.” arXiv preprint arXiv:1912.00696 (2019).


Securing Critical Infrastructures

Contribution: Open HSM and Security Analysis

CONTRIBUTION

C.I.A. Triad
CIA triad is mapped on information systems, composed of:
• Hardware
• Software
• Communication

Focus on the security of these components
Hardware Security Module
#TPM-Like #Flexibility #Open HW/SW

INTRODUCTION
HSM – Hardware Security Module

Functionalities:
• Password Manager
• 2-Factor Authentication (2FA)
• Key Management
• Signatures
• Crypto

[Figure: example devices: OnlyKey, Nitrokey, YubiKey (https://www.yubico.com/), Utimaco (https://hsm.utimaco.com)]

TARGET
Open-hardware/open-software security platform

• SEcube™ Hardware
  ⁃ CPU: ARM Cortex M4
  ⁃ FPGA: Lattice MachXO2-7000
  ⁃ SmartCard: Infineon SLJ 52G

https://www.secube.eu

SEcube™ PLATFORM
Open-hardware/open-software security platform

• SEcube™ Software:
  ⁃ Device-side: Firmware & Drivers*
  ⁃ Host-side: Libraries & SDK*

*code available at: https://www.secube.eu

SEcube™ PLATFORM
Software

Target: Secure information exchange between host and device
Features:
• Encrypted messages, Signed messages, Error Detection → L0
• Key Storage, Login, Logout, 2 Users, Multiple (modes) → L1

SEcube™ PLATFORM
Open-hardware/open-software security platform

[Figure: Protocol]

SIDE-CHANNEL ATTACKS
Passive and non-invasive attacks

• Attacks performed on cryptographic device
• Focus on “side-channel information”, i.e. information retrieved during encryption process
  ⁃ Timing (execution time)
  ⁃ Power Consumption (Power Analysis)
  ⁃ Electromagnetic Field
  ⁃ Fault attack

112 POWER ANALISYS Side-channel attack • Power analysis attacks exploit the fact that the instantaneous power consumption of a device built in CMOS technology depends on the data it processes and the operations it performs. • Different techniques: ⁃ Simple Power Analysis – SPA ⁃ Differential Power Analysis – DPA [36]

(Figure: CMOS Inverter)

DIFFERENTIAL POWER ANALYSIS Side-channel attack
• Differential Power Analysis → focus on data dependencies
⁃ Two phases: Data collection & Data Analysis
• Data Collection: Gather the data needed, i.e. measurements of the physical quantity of interest (here, power consumption traces)
• Data Analysis: Statistical analysis of the traces (usually a large number of traces is required)
⁃ The collected data is partitioned by a selection function into 2 sets and each set is averaged. The differential trace is computed
*DPA is often used in combination with other attacks

PLATFORMS Target devices
• SEcube™ Platform
⁃ DevBoard w/System-on-chip (SoC)
⁃ Open: Hardware + Software
(Figure: SEcube™ Development Board)
• STMicroelectronics Nucleo Board:
⁃ Same CPU (STM32F429)
⁃ Same implementation (AES encrypt.)
(Figure: STM32 Nucleo-144)

EXPERIMENTAL PROCEDURE Workflow

EXPERIMENTAL PROCEDURE Software
• Software
⁃ Acquisition (LabView script)
⁃ Firmware (Custom)
▫︎ Encryption (AES) only
▫︎ 128-bit Key – fixed; focus on last byte
▫︎ 128-bit plaintext – varying (data correlation);
▫︎ Several encryptions for same plaintext
⁃ DPA Tool [37]

EXPERIMENTAL PROCEDURE Tools
• Tools:
⁃ Oscilloscope
⁃ Probes
⁃ Boards
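The data-analysis phase described above (partition the traces with a selection function, average both sets, take the difference), as an added example run on simulated traces for one key byte with a fixed key and varying plaintext; it is not the DPA tool [37] or code from this work. The Hamming-weight leakage model, the noise level, the five-sample trace layout and all function names are assumptions made for the illustration, and the plaintexts and traces are constructed.

```python
import random

def build_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine map."""
    def mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if mul(x, y) == 1), 0)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()
SAMPLES, LEAK_AT = 5, 3  # constructed trace layout (assumption)

def simulate(key_byte, n, rng, noise=1.0):
    """Stand-in for data collection: n random plaintext bytes, noisy traces."""
    pts = [rng.randrange(256) for _ in range(n)]
    traces = [[rng.gauss(0.0, noise) for _ in range(SAMPLES)] for _ in pts]
    for p, t in zip(pts, traces):
        # Assumed leakage: Hamming weight of the S-box output at one sample.
        t[LEAK_AT] += bin(SBOX[p ^ key_byte]).count("1")
    return pts, traces

def differential_trace(pts, traces, guess):
    """Partition on the selection bit, average each set, subtract."""
    sums, cnt = [[0.0] * SAMPLES, [0.0] * SAMPLES], [0, 0]
    for p, t in zip(pts, traces):
        b = SBOX[p ^ guess] & 1  # selection function: LSB of S-box output
        cnt[b] += 1
        for i, v in enumerate(t):
            sums[b][i] += v
    n0, n1 = cnt[0] or 1, cnt[1] or 1
    return [s1 / n1 - s0 / n0 for s0, s1 in zip(*sums)]

def recover_byte(pts, traces):
    """Best key-byte hypothesis and the height of its differential peak."""
    peaks = [max(map(abs, differential_trace(pts, traces, g))) for g in range(256)]
    best = max(range(256), key=peaks.__getitem__)
    return best, peaks[best]
```

Under this leakage model the differential trace of the correct hypothesis peaks near 1 at sample `LEAK_AT`, since the selected bit contributes exactly one unit of Hamming weight while the other seven bits and the noise average out.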

RESULTS Wrong Key Bits

STM Nucleo Board:

No. Samples    2.500   3.333   5.000   10.000
SBox (avg.)    4       3       4       4
AES (avg.)     5       3       5       5

SEcube™ Board:

No. Samples    2.500   3.333   5.000   10.000
SBox (avg.)    4       3       3       4
AES (avg.)     5       4       4       4

REMARKS
• Attack focused on just one byte
• Attack focused on S-Box performs slightly better
• Similar results between the platforms
• Future works:
⁃ Increase number of acquired traces
⁃ Consider AES with hardware implementation
⁃ Compare results with other solutions like SASEBO or ChipWhisperer

This work has been published:
Bollo, M., Carelli, A., Di Carlo, S., & Prinetto, P. (2017, September). Side-channel analysis of SEcube™ platform. In 2017 IEEE East-West Design & Test Symposium (EWDTS) (pp. 1-5). IEEE.

CONCLUSIONS Final remarks
Securing Critical Infrastructures challenges

Contributions:
⁃ Security & Safety Interplay in CPU microarchitecture
⁃ Secure Bitstream deployment for new heterogeneous systems
⁃ HSM Open Source Firmware & Sec. Analysis vs DPA

PUBLICATIONS LIST
• A. Carelli, A. Vallero, S. Di Carlo, “Performance Monitor Counters: Interplay Between Safety and Security in Complex Cyber-Physical Systems”. IEEE Transactions on Device and Materials Reliability, vol. 19, no. 1, pp. 73-83, March 2019.
• A. Vallero, A. Savino, A. Carelli, S. Di Carlo, “Bayesian models for early cross-layer reliability analysis and design space exploration”. IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS) 2019, Rhodes Island, Greece, July 1st – 3rd, 2019
• A. Carelli, A. Vallero, S. Di Carlo, “Coping with security issues when reconfigurable computing enters the mobile app era”. IEEE Transactions on Mobile Computing
• A. Carelli, A. Vallero, S. Di Carlo, “Shielding Performance Monitor Counters: a double edged weapon for safety and security”. IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS) 2018, Platja d’Aro, Spain, July 2-4, 2018.
• A. Carelli, C. A. Cristofanini, A. Vallero, C. Basile, P. Prinetto, S. Di Carlo, “Securing bitstream integrity, confidentiality and authenticity in reconfigurable mobile heterogeneous systems”. IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR) 2018, Cluj-Napoca, Romania, May 24-26, 2018
• A. Vallero, A. Carelli, S. Di Carlo, “Trading-off reliability and performance in FPGA-based reconfigurable heterogeneous systems”. 13th IEEE International Conference on Design and Technology of Integrated Systems In Nanoscale Era (DTIS) 2018, Taormina, Italy, April 10-12, 2018
• M. Bollo, A. Carelli, S. Di Carlo and P. Prinetto, “Side-channel analysis of SEcube platform”. IEEE East-West Design & Test Symposium (EWDTS) 2017, Novi Sad, Serbia, Sept 29 - Oct 2, 2017
• A. Varriale, P. Prinetto, A. Carelli, P. Trotta, “SECube: Data at Rest and Data in Motion Protection”. The 2016 International Conference on Security and Management (SAM 2016), Las Vegas (USA), 25-28 Jul. 2016
• A. Carelli, G. Di Natale, P. Trotta, T. Margaria, “Towards Model Driven Design of Crypto Primitives and Processes”. The 2016 International Conference on Security and Management (SAM 2016), Las Vegas (USA), 25-28 Jul. 2016

Summary:
• No. of Proceedings: 7
• No. of Journals: 1
• No. of Journals (Under Review): 1

BIBLIOGRAPHY
[1] R. Rajkumar, I. Lee, L. Sha and J. Stankovic, “Cyber-physical systems: the next computing revolution,” in Proc. 47th Design Automation Conf., 2010, pp. 731-736.
[2] Italian Presidency of the Council of Ministers, “Protezione delle Infrastrutture Critiche Informatizzate”, 2004.
[3] European Union Directive 2008/114/EC.
[4] Strategic Framework and Policy Statement on Improving the Resilience of Critical Infrastructure to Disruption from Natural Hazards, UK, 2010
[5] US Public law 107-56 (October 26, 2001)
[6] Miller, Bill, and Dale Rowe. "A survey SCADA of and critical infrastructure incidents." In Proceedings of the 1st Annual conference on Research in information technology, pp. 51-56. 2012.
[7] Knapp, E. D., & Langill, J. T. Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress, 2014.
[8] Guri, M., Solewicz, Y., Daidakulov, A., & Elovici, Y. "Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers." arXiv preprint arXiv:1606.05915 (2016).
[9] Guri, M., Zadov, B., & Elovici, Y. "Odini: Escaping sensitive data from faraday-caged, air-gapped computers via magnetic fields." IEEE Transactions on Information Forensics and Security 15 (2019): 1190-1203.
[10] Stamp, J., Dillinger, J., Young, W. and DePoy, J. "Common vulnerabilities in critical infrastructure control systems." SAND2003-1772C. Sandia National Laboratories (2003).
[11] NIST Cybersecurity Framework v1.1
[12] Cyber-Sicherheitsstrategie für Deutschland, 2016
[13] The Italian Cybersecurity Action Plan, 2017
[14] US-ICS-CERT: https://ics-cert.kaspersky.com
[15] Kaspersky ICS-CERT: https://us-cert.cisa.gov/ics
[16] R. Spreitzer, V. Moonsamy, T. Korak and S. Mangard, "Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices," in IEEE Communications Surveys & Tutorials, vol. 20, no. 1, pp. 465-488, Firstquarter 2018.
[17] S. Zander, G. Armitage and P. Branch, "A survey of covert channels and countermeasures in computer network protocols," in IEEE Communications Surveys & Tutorials, vol. 9, no. 3, pp. 44-57, Third Quarter 2007.
[18] Biswas, Arnab Kumar, Dipak Ghosal, and Shishir Nagaraja. "A survey of timing channels and countermeasures." ACM Computing Surveys (CSUR) 50.1 (2017): 1-39.
[19] Hund, R., Willems, C., Holz, T.: Practical Timing Side Channel Attacks against Kernel Space ASLR. In: 2013 IEEE Symposium on Security and Privacy. pp. 191–205 (2013)
[20] Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Know thy neighbor: Cryptolibrary detection in cloud. Proceedings on Privacy Enhancing Technologies 1(1), 25–40 (2015)
[21] Gruss, D., Spreitzer, R., Mangard, S.: Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In: USENIX Security Symposium (2015)
[22] Bechtel, Michael, and Heechul Yun. "Denial-of-service attacks on shared cache in multicore: Analysis and prevention." 2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). IEEE, 2019.
[23] J. Szefer, Survey of microarchitectural side and covert channels, attacks, and defenses, IACR Cryptology ePrint Archive, Report 2016/479, 2016
[24] Ge, Qian, et al. "A survey of microarchitectural timing attacks and countermeasures on contemporary hardware." Journal of Cryptographic Engineering 8.1 (2018): 1-27.
[25] Acıiçmez, Onur, Billy Bob Brumley, and Philipp Grabher. "New results on instruction cache attacks." International Workshop on Cryptographic Hardware and Embedded Systems. Springer, Berlin, Heidelberg, 2010.
[26] Acıiçmez, Onur. "Yet another microarchitectural attack: exploiting I-cache." Proceedings of the 2007 ACM workshop on architecture. 2007.
[27] Gras, Ben, et al. "Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks." In 27th USENIX Security Symposium (USENIX Security 18), pp. 955-972. 2018.
[28] Lipp, Moritz, et al. "Meltdown: Reading kernel memory from user space." 27th USENIX Security Symposium (USENIX Security 18). 2018.
[29] Kocher, Paul, et al. "Spectre attacks: Exploiting speculative execution." 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019.
[30] Uhsadel, Leif, Andy Georges, and Ingrid Verbauwhede. "Exploiting hardware performance counters." 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 2008.
[31] Esposito, Stefano, et al. "A novel method for online detection of faults affecting execution-time in multicore-based systems." ACM Transactions on Embedded Computing Systems (TECS) 16.4 (2017): 1-19.
[32] Bonneau, Joseph, and Ilya Mironov. "Cache-collision timing attacks against AES." International Workshop on Cryptographic Hardware and Embedded Systems. Springer, Berlin, Heidelberg, 2006.
[32] Bossuet, L., Gogniat, G., & Burleson, W. (2006). Dynamically configurable security for SRAM FPGA bitstreams. International Journal of Embedded Systems, 2(1-2), 73-85.
[33] Note, Jean-Baptiste, and Éric Rannaud. "From the bitstream to the netlist." FPGA. Vol. 8. 2008
[34] Parelkar, Milind M., and Kris Gaj. "Implementation of EAX mode of operation for FPGA bitstream encryption and authentication." Proceedings. 2005 IEEE International Conference on Field-Programmable Technology, 2005. IEEE, 2005
[35] E. F. Brickell et al, Direct anonymous attestation, ACM Conference on Computer and Communications Security, ACM, 2004
[36] Kocher, Paul, Joshua Jaffe, and Benjamin Jun. "Introduction to differential power analysis and related attacks." (1998)
[37] Di Natale, Giorgio, Marie-Lise Flottes, and Bruno Rouzeyre. "An integrated validation environment for differential power analysis." 4th IEEE International Symposium on Electronic Design, Test and Applications (delta 2008). IEEE, 2008.

ACKNOWLEDGEMENTS

Questions?

END