Leaky hardware: modeling and exploiting imperfections in embedded devices

Embedded systems are found in many safety- and security-critical applications, and bring aspects of the physical world to the digital one and vice versa. However, imperfections in this hardware bridge can break the integrity of sensor inputs into an embedded device, causing it to act upon the wrong data. For instance, malicious electromagnetic transmissions can trick systems into inducing defibrillation shocks and raising the temperature of infant incubators, both with potentially severe health consequences. Unfortunately, such attacks which alter sensor outputs without changing the property being measured itself have so far only been studied in an ad-hoc manner. In my thesis, I address this shortcoming in two ways. First, I create a taxonomy of these “out-of-band” signal injection attacks and defenses. Second, I propose a framework that quantifies security in their context through a system model, mathematical definitions, and an algorithm that can compare the “security level” of off-the-shelf systems. In my thesis, I also investigate Field-Programmable Gate Arrays (FPGAs), which are available on public cloud infrastructures, and are also integrated in many consumer end-products, such as smartphones and laptops. As FPGAs are often used in sensitive applications, including genome processing, cryptography, and financial modeling, it is necessary to ensure that they can maintain the secrecy of the data that they process. However, the confidentiality of FPGA data can be broken, as I demonstrate through three new sources of information leakage due to hardware imperfections. The first source exists between “long wires” within seven families of Xilinx FPGAs. I explain how to exploit long-wire leakage for covert- and side-channel attacks, both locally, and on two commercial FPGA clouds through novel ring oscillators structures that bypass currently-deployed countermeasures. The second source of leakage operates even when different FPGA users are isolated to distinct dies of the same chip. These unintended interactions demonstrate that current FPGA architectures are not well-suited for multi-tenancy, despite the physical isolation of user logic. Finally, I show that assigning dedicated FPGAs to different users is still not enough to prevent cross-FPGA communication: shared Power Supply Units (PSUs) leak information between physically distinct FPGA, CPU, and GPU boards, which can be detected via means of a novel receiver design and classification metric. Overall, in my thesis, I highlight that the underlying electrical properties of embedded devices often fall short of protecting the integrity and the confidentiality of the data that they process, and allow remote attackers to spoof sensor measurements or infer cryptographic keys and other types of data.</p

Taxonomy and challenges of out-of-band signal injection attacks and defenses

Recent research has shown that the integrity of sensor measurements can be violated through out-of-band signal injection attacks. These attacks target the conversion process from a physical quantity to an analog property - a process that fundamentally cannot be authenticated. Out-of-band signal injection attacks thus pose previously-unexplored security risks by exploiting hardware imperfections in the sensors themselves, or in their interfaces to microcontrollers. In response to the growing-yet-disjointed literature in the subject, this article presents the first survey of out-of-band signal injection attacks. It focuses on unifying their terminology and identifying commonalities in their causes and effects through a chronological, evolutionary, and thematic taxonomy of attacks. By highlighting cross-influences between different types of out-of-band signal injections, this paper underscores the need for a common language irrespective of the attack method. By placing attack and defense mechanisms in the wider context of their dual counterparts of side-channel leakage and electromagnetic interference, this study identifies common threads and gaps that can help guide and inform future research. Overall, the ever-increasing reliance on sensors embedded in everyday commodity devices necessitates that a stronger focus be placed on improving the security of such systems against out-of-band signal injection attacks

A framework for evaluating security in the presence of signal injection attacks

Sensors are embedded in security-critical applications from medical devices to nuclear power plants, but their outputs can be spoofed through electromagnetic and other types of signals transmitted by attackers at a distance. To address the lack of a unifying framework for evaluating the effect of such transmissions, we introduce a system and threat model for signal injection attacks. We further define the concepts of existential, selective, and universal security, which address attacker goals from mere disruptions of the sensor readings to precise waveform injections. Moreover, we introduce an algorithm which allows circuit designers to concretely calculate the security level of real systems. Finally, we apply our definitions and algorithm in practice using measurements of injections against a smartphone microphone, and analyze the demodulation characteristics of commercial Analog-to-Digital Converters (ADCs). Overall, our work highlights the importance of evaluating the susceptibility of systems against signal injection attacks, and introduces both the terminology and the methodology to do so

Leakier wires: exploiting FPGA long wires for covert- and side-channel attacks

In complex FPGA designs, implementations of algorithms and protocols from third-party sources are common. However, the monolithic nature of FPGAs means that all sub-circuits share common on-chip infrastructure, such as routing resources. This presents an attack vector for all FPGAs that contain designs from multiple vendors, especially for FPGAs used in multi-tenant cloud environments, or integrated into multi-core processors. In this article, we show that “long” routing wires present a new source of information leakage on FPGAs, by influencing the delay of adjacent long wires. We show that the effect is measurable for both static and dynamic signals and that it can be detected using small on-board circuits. We characterize the channel in detail and show that it is measurable even when multiple competing circuits (including multiple long-wire transmitters) are present and can be replicated on different generations and families of Xilinx devices (Virtex 5, Virtex 6, Artix 7, and Spartan 7). We exploit the leakage to create a covert channel with 6kbps of bandwidth and 99.9% accuracy, and a side channel, which can recover signals kept constant for only 1.3μs, with an accuracy of more than 98.4%. Finally, we propose countermeasures to reduce the impact of this leakage

Measuring long wire leakage with ring oscillators in cloud FPGAs

Recent investigations into FPGA routing resources have shown that long wires in FPGAs leak information about their state in a way which can be measured using ring oscillators. Although in many cases this leakage does not pose a security threat, the possibility of multi-tenant use of FPGA resources invites potential side-and covert-channel attacks exploiting long wire leakage. However, prior work has ignored the realities of cloud environments, which may pose restrictions on the generated bitstreams, such as disallowing combinatorial loops. In this paper, we first demonstrate that the long wire leakage phenomenon persists even in the high-end Virtex UltraScale+ FPGA family. We then evaluate two ring oscillator designs that overcome combinatorial loop restrictions employed by cloud FPGA providers. We experimentally measure the long wire leakage of Virtex UltraScale+ FPGAs in the lab as well as in the Amazon and Huawei FPGA clouds. We show that the two new ring oscillator designs provide almost-identical estimates for the strength of the leakage as traditional ring oscillators, allowing us to measure femtosecond-scale changes in the delays of the long wires. We finally present a set of defense mechanisms that can prevent the new ring oscillator designs from being instantiated in the cloud and the long wire leakage from being exploited

Leakier wires: exploiting FPGA long wires for covert- and side-channel attacks

In complex FPGA designs, implementations of algorithms and protocols from third-party sources are common. However, the monolithic nature of FPGAs means that all sub-circuits share common on-chip infrastructure, such as routing resources. This presents an attack vector for all FPGAs that contain designs from multiple vendors, especially for FPGAs used in multi-tenant cloud environments, or integrated into multi-core processors. In this article, we show that “long” routing wires present a new source of information leakage on FPGAs, by influencing the delay of adjacent long wires. We show that the effect is measurable for both static and dynamic signals and that it can be detected using small on-board circuits. We characterize the channel in detail and show that it is measurable even when multiple competing circuits (including multiple long-wire transmitters) are present and can be replicated on different generations and families of Xilinx devices (Virtex 5, Virtex 6, Artix 7, and Spartan 7). We exploit the leakage to create a covert channel with 6kbps of bandwidth and 99.9% accuracy, and a side channel, which can recover signals kept constant for only 1.3μs, with an accuracy of more than 98.4%. Finally, we propose countermeasures to reduce the impact of this leakage

Measuring long wire leakage with ring oscillators in cloud FPGAs

Recent investigations into FPGA routing resources have shown that long wires in FPGAs leak information about their state in a way which can be measured using ring oscillators. Although in many cases this leakage does not pose a security threat, the possibility of multi-tenant use of FPGA resources invites potential side-and covert-channel attacks exploiting long wire leakage. However, prior work has ignored the realities of cloud environments, which may pose restrictions on the generated bitstreams, such as disallowing combinatorial loops. In this paper, we first demonstrate that the long wire leakage phenomenon persists even in the high-end Virtex UltraScale+ FPGA family. We then evaluate two ring oscillator designs that overcome combinatorial loop restrictions employed by cloud FPGA providers. We experimentally measure the long wire leakage of Virtex UltraScale+ FPGAs in the lab as well as in the Amazon and Huawei FPGA clouds. We show that the two new ring oscillator designs provide almost-identical estimates for the strength of the leakage as traditional ring oscillators, allowing us to measure femtosecond-scale changes in the delays of the long wires. We finally present a set of defense mechanisms that can prevent the new ring oscillator designs from being instantiated in the cloud and the long wire leakage from being exploited

On bitcoin security in the presence of broken cryptographic primitives

Digital currencies like Bitcoin rely on cryptographic primitives to operate. However, past experience shows that cryptographic primitives do not last forever: increased computational power and advanced cryptanalysis cause primitives to break frequently, and motivate the development of new ones. It is therefore crucial for maintaining trust in a cryptocurrency to anticipate such breakage. We present the first systematic analysis of the effect of broken primitives on Bitcoin. We identify the core cryptographic building blocks and analyze the ways in which they can break, and the subsequent effect on the main Bitcoin security guarantees. Our analysis reveals a wide range of possible effects depending on the primitive and type of breakage, ranging from minor privacy violations to a complete breakdown of the currency. Our results lead to several observations on, and suggestions for, the Bitcoin migration plans in case of broken or weakened cryptographic primitives