Georg Sigl

Alexander Hepp, Matthias Ludwig, Michaela Brunner et al.

The safety, security, and reliability of microelectronic systems depend on a trustworthy, secured supply chain and design flow. Globally distributed supply chains or unintentional design weaknesses leave the door open for attacks on the hardware level. These scenarios encompass counterfeiting, hardware trojans, or on-device attacks. For these, hardware reverse engineering (RE) results play a pivotal role. The ongoing publication of new RE-involved attacks motivated the development of the common RE scoring system (CRESS). The system enables a general classification of RE-involved scenarios for a common, consistent rating. In this work, the originally qualitative system is extended to a quantitative system. We performed an extensive interview study with experts in the field. The interview results allowed us to derive weights that measure the severity of different RE-involved attack categories. The weights form an equation that quantifies scenarios, resulting in the severity-indicating CRESS score. The score enables the coherent rating of novel scenarios, renders them comparable, and supports the development of effective countermeasures. To showcase the effectiveness of the quantitative CRESS Score, six selected case studies are rated qualitatively and quantitatively. The CRESS Score proves to be significantly more expressive than the industry-standard Common Vulnerability Scoring System (CVSS).

Manuel Brosch, Matthias Probst, Stefan Kögler et al.

The use of neural networks in edge devices is increasing, which introduces new security challenges related to the neural networks' confidentiality. As edge devices often offer physical access, attacks targeting the hardware, such as side-channel analysis, must be considered. To enhance the performance of neural network inference, hardware accelerators are commonly employed. This work investigates the influence of parallel processing within such accelerators on correlation-based side-channel attacks that exploit power consumption. The focus is on neurons that are part of the same fully-connected layer, which run parallel and simultaneously process the same input value. The theoretical impact of concurrent multiply-and-accumulate operations on overall power consumption is evaluated, as well as the success rate of correlation power analysis. Based on the observed behavior, equations are derived that describe how the correlation decreases with increasing levels of parallelism. The applicability of these equations is validated using a vector-multiplication unit implemented on an FPGA.

Elie Bursztein, Michael Gruber, Karel Král et al.

Side Channel Analysis (SCA) relaxes the black-box assumption of conventional cryptanalysis by incorporating physical measurements acquired during cryptographic operations. Electro-magnetic (EM) emissions of a chip during computations often provide a very valuable source of side channel leakage. During the evaluation of a chip for electro-magnetic side channel emissions one needs to position an electro-magnetic probe in an advantageous position relative to the chip. Previous literature focused on hot-spot finding and to a lower extend repositioning. Trace augmentations have been considered to aid portability of profiling using one physical device and attacking another device. This paper focuses on training a single neural network using traces from multiple EM probe positions to detect leakage from a larger area over the attacked device. We provide dual evaluation of EM traces - from two completely independent labs - profiling on data from one lab and attacking traces from the other lab.

Stefan Hristozov, Manuel Huber, Lei Xu et al.

Many modern IoT applications rely on the Constrained Application Protocol (CoAP) because of its efficiency and seamless integrability in the existing Internet infrastructure. One of the strategies that CoAP leverages to achieve these characteristics is the usage of proxies. Unfortunately, in order for a proxy to operate, it needs to terminate the (D)TLS channels between clients and servers. Therefore, end-to-end confidentiality, integrity and authenticity of the exchanged data cannot be achieved. In order to overcome this problem, an alternative to (D)TLS was recently proposed by the Internet Engineering Task Force (IETF). This alternative consists of two novel protocols: 1) Object Security for Constrained RESTful Environments (OSCORE) providing authenticated encryption for the payload data and 2) Ephemeral Diffie-Hellman Over COSE (EDHOC) providing the symmetric session keys required for OSCORE. In this paper, we present the design of four firmware libraries for these protocols especially targeted for constrained microcontrollers and their detailed evaluation. More precisely, we present the design of uOSCORE and uEDHOC libraries for regular microcontrollers and uOSCORE-TEE and uEDHOC-TEE libraries for microcontrollers with a Trusted Execution Environment (TEE), such as microcontrollers featuring ARM TrustZone-M. Our firmware design for the later class of devices concerns the fact that attackers may exploit common software vulnerabilities, e.g., buffer overflows in the protocol logic, OS or application to compromise the protocol security. uOSCORE-TEE and uEDHOC-TEE achieve separation of the cryptographic operations and keys from the remainder of the firmware, which could be vulnerable. We present an evaluation of our implementations in terms of RAM/FLASH requirements, execution speed and energy on a broad range of microcontrollers.

Martin Striegel, Florian Jakobsmeier, Yacov Matveev et al.

Setting up a large-scale wireless sensor network is challenging, as firmware must be distributed and trust between sensor nodes and a backend needs to be established. To perform this task efficiently, we propose an approach named Box, which utilizes an intelligent Faraday cage (FC). The FC acquires firmware images and secret keys from a backend, patches the firmware with the keys and deploys those customized images over the air to sensor nodes placed in the FC. Electromagnetic shielding protects this exchange against passive attackers. We place few demands on the sensor node, not requiring additional hardware components or firmware customized by the manufacturer. We describe this novel workflow, implement the Box and a backend system and demonstrate the feasibility of our approach by batch-deploying firmware to multiple commercial off-the-shelf sensor nodes. We conduct a user-study with 31 participants with diverse backgrounds and find, that our approach is both faster and more user-friendly than firmware distribution over a wired connection.

Grace Li Zhang, Bing Li, Meng Li et al.

With recent advances in reverse engineering, attackers can reconstruct a netlist to counterfeit chips by opening the die and scanning all layers of authentic chips. This relatively easy counterfeiting is made possible by the use of the standard simple clocking scheme, where all combinational blocks function within one clock period, so that a netlist of combinational logic gates and flip-flops is sufficient to duplicate a design. In this paper, we propose to invalidate the assumption that a netlist completely represents the function of a circuit with unconventional timing. With the introduced wave-pipelining paths, attackers have to capture gate and interconnect delays during reverse engineering, or to test a huge number of combinational paths to identify the wave-pipelining paths. To hinder the test-based attack, we construct false paths with wave-pipelining to increase the counterfeiting challenge. Experimental results confirm that wave-pipelining true paths and false paths can be constructed in benchmark circuits successfully with only a negligible cost, thus thwarting the potential attack techniques.

Stefan Hristozov, Manuel Huber, Georg Sigl

Many IoT use cases involve constrained battery-powered devices offering services in a RESTful manner to their communication partners. Such services may involve, e.g., costly computations or actuator/sensor usage, which may have significant influence on the power consumption of the service Providers. Remote attackers may excessively use those services in order to exhaust the Providers' batteries, which is a form of a Denial of Service (DoS) attack. Previous work proposed solutions based on lightweight symmetric authentication. These solutions scale poorly due to requiring pre-shared keys and do not provide protection against compromised service Requesters. In contrast, we consider more powerful attackers even capable of compromising legit Requesters. We propose a method that combines attacker detection and throttling, conducted by a third trusted Backend, with a lightweight authentication protocol. For attacker detection and throttling, we propose a novel approach using rate limitation algorithms. In addition, we propose and formally verify two authentication protocols suitable for different, widely used IoT network topologies. Our protocols ensure service availability for benign Requesters even if Providers are under a battery exhaustion attack. The protocols do neither require pre-shared keys between Requesters and Providers, nor the usage of asymmetric cryptography and public key infrastructures on the Provider. This makes our protocols suitable for a variety of IoT deployments involving constrained devices and constrained networks. We demonstrate the feasibility of our method through a simulation and a proof of concept implementation.

Matthias Niedermaier, Florian Fischer, Dominik Merli et al.

The amount of connected devices in the industrial environment is growing continuously, due to the ongoing demands of new features like predictive maintenance. New business models require more data, collected by IIoT edge node sensors based on inexpensive and low performance Microcontroller Units (MCUs). A negative side effect of this rise of interconnections is the increased attack surface, enabled by a larger network with more network services. Attaching badly documented and cheap devices to industrial networks often without permission of the administrator even further increases the security risk. A decent method to monitor the network and detect "unwanted" devices is network scanning. Typically, this scanning procedure is executed by a computer or server in each sub-network. In this paper, we introduce network scanning and mapping as a building block to scan directly from the Industrial Internet of Things (IIoT) edge node devices. This module scans the network in a pseudo-random periodic manner to discover devices and detect changes in the network structure. Furthermore, we validate our approach in an industrial testbed to show the feasibility of this approach.

Matthias Niedermaier, Dominik Merli, Georg Sigl

The Industrial Internet of Things (IIoT) has already become a part of our everyday life be it water supply, smart grid, or production, IIoT is everywhere. For example, factory operators want to know the current state of the production line. These new demands for data acquisition in modern plants require industrial components to be able to communicate. Nowadays, network communication in Industrial Control Systems (ICSs) is often implemented via an IP-based protocol. This intercommunication also brings a larger attack surface for hackers. If an IIoT device is influenced by attackers, the physical process could be affected. For example, a high network load could cause a high Central Processing Unit (CPU) load and influence the reaction time on the physical control side. In this paper, we introduce a dual Microcontroller Unit (MCU) setup to ensure a resilient controlling for IIoT devices like Programmable Logic Controllers (PLCs). We introduce a possible solution for the demand of secure architectures in the IIoT. Moreover, we provide a Proof of Concept (PoC) implementation with a benchmark and a comparison with a standard PLC.

Matthias Niedermaier, Martin Striegel, Felix Sauer et al.

Communication between sensors, actors and Programmable Logic Controllers (PLCs) in industrial systems moves from two-wire field buses to IP-based protocols such as Modbus/TCP. This increases the attack surface because the IP-based network is often reachable from everywhere within the company. Thus, centralized defenses, e.g. at the perimeter of the network do not offer sufficient protection. Rather, decentralized defenses, where each part of the network protects itself, are needed. Network Intrusion Detection Systems (IDSs) monitor the network and report suspicious activity. They usually run on a single host and are not able to capture all events in the network and they are associated with a great integration effort. To bridge this gap, we introduce a method for intrusion detection that combines distributed agents on Industrial Internet of Things (IIoT) edge devices with a centralized logging. In contrast to existing IDSs, the distributed approach is suitable for industrial low performance microcontrollers. We demonstrate a Proof of Concept (PoC) implementation on a MCU running FreeRTOS with LwIP and show the feasibility of our approach in an IIoT application.

Martin Striegel, Carsten Rolfes, Johann Heyszl et al.

Wireless Sensor Networks (WSNs) often lack interfaces for remote debugging. Thus, fault diagnosis and troubleshooting are conducted at the deployment site. Currently, WSN operators lack dedicated tools that aid them in this process. Therefore, we introduce EyeSec, a tool for WSN monitoring and maintenance in the field. An Augmented Reality Device (AR Device) identifies sensor nodes using optical markers. Portable Sniffer Units capture network traffic and extract information. With those data, the AR Device network topology and data flows between sensor nodes are visualized. Unlike previous tools, EyeSec is fully portable, independent of any given infrastructure and does not require dedicated and expensive AR hardware. Using passive inspection only, it can be retrofitted to already deployed WSNs. We implemented a proof of concept on low-cost embedded hardware and commodity smart phones and demonstrate the usage of EyeSec within a WSN test bed using the 6LoWPAN transmission protocol.