Ph.D. Thesis, 2016-11: On Inexpensive Methods for Improving Security of Embedded Systems — Kostengünstige Maßnahmen zur Erhöhung der Sicherheit eingebetteter Systeme

We usually scrutinize the security of embedded systems under an extraordinarily sophisticated attacker model: the adversary has physical possession of the target and unlimited time to break it. For the defensive side, this forms an exceptionally challenging scenario. This thesis studies the fortification of systems against such adversaries. The principal contributions lie in the field of embedded security, where we explore methods of building secure systems in a resource-efficient manner. This allows implementation of our countermeasures on resource-constrained microcontrollers. While these software countermeasures have a detrimental effect on runtime performance, the cost of the hardware itself remains unaffected, thereby providing an attractive and inexpensive alternative to hardware countermeasures. Next, we briefly outline our contributions.

Attacks such as Differential Power Analysis (DPA) enable adversaries to exploit even the most minute differences in data-dependent energy consumption. To make it more difficult for attackers to gain access to secrets within a chip, effective countermeasures need to be employed. As a first contribution, we describe one such technique that is implemented using only software. We use binary recompilation to achieve binary code polymorphism, which causes different characteristic emission patterns for each call of a protected cryptographic primitive. Because the extensive and sophisticated pre-calculations are performed at compile time, execution at runtime remains extremely fast.

Since attackers can exploit not only power consumption but also timing differences with great accuracy, we studied the detection of timing leaks. Considering the architecture of today's increasingly complex microcontrollers, manual estimation of runtime has become virtually infeasible. Therefore, as a second contribution, we developed a behavioral Cortex-M core emulator which permits cycle-accurate simulation. We show how to incorporate such an emulator into a semi-automatic vetting process: after compilation, all security-relevant routines within the code are analyzed and checked for timing discrepancies.

The complexity of modern microcontroller units (MCUs) becomes apparent from a different angle when considering attackers who can manipulate firmware. Since the reduction of electromagnetic interference (EMI) is an important goal of system designers, many recent MCUs already include software-tunable EMI countermeasures. In our third contribution, we show how these anti-EMI peripherals can be abused to construct covert channels. Unfortunately for the defensive side, these channels operate in the radio frequency domain and thus could be used for wireless transmission of data, even when the benign application was never intended to perform such communication. We describe how changes in parasitic electromagnetic emission can be used to encode data and what hardware is necessary to recover this data.

To increase the resistance of embedded systems against physical attacks, it is common to use special semiconductors which employ hardware countermeasures. The downside of such integration is that the specialized device usually dictates the exact cryptographic construction. How such hardware can nevertheless be used to augment general-purpose microcontrollers is the focus of our fourth contribution. As a demonstration, we incorporate a hardware security module into the handshake of the Transport Layer Security (TLS) protocol. We do so without the need to create a custom cipher suite and without modifying the TLS handshake itself; instead, we use a generic approach that relies on implementation-specific protocol invariants and therefore avoids the limitations which nonstandard protocol modifications would impose.

When processors make use of external peripherals, such as dynamic random access memory (DRAM), another attack vector arises: due to parasitic effects of the physical construction of modern high-density RAM, the hardware cannot necessarily guarantee data integrity for all bit patterns. To counteract this, a technique commonly used by memory controllers is the scrambling of data to obtain an effectively bias-free bitstream on the RAM chip. With our fifth contribution, we show in depth how one such scrambling scheme by Intel works and how scrambled memory can be descrambled to reveal the original memory content. In the field of forensics, this is highly relevant: when physical memory acquisition, for example by cold-boot attacks, is used to capture a memory image, descrambling of that image is required before it can be analyzed meaningfully. We furthermore discuss how knowledge about the scrambler's internal workings may open up possibilities for an attacker to deliberately cause disturbances in RAM.

@phdthesis{bauer2016phdthesis,
    author = {Johannes Bauer},
    advisor = {Felix C Freiling},
    referee = {Falko Dressler},
    title = {{On Inexpensive Methods for Improving Security of Embedded Systems --- Kostengünstige Maßnahmen zur Erhöhung der Sicherheit eingebetteter Systeme}},
    institution = {Department of Computer Science 1},
    school = {University of Erlangen},
    location = {Erlangen, Germany},
    year = {2016},
    month = nov,
    urn = {urn:nbn:de:bvb:29-opus4-81273},
    url = {https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-81273}
}

Paper, 2016-08: Availability, Reliability and Security in Information Systems (ARES 2016): Towards Cycle-Accurate Emulation of Cortex-M Code to Detect Timing Side Channels

Leakage of information through timing side channels is a problem for all sorts of computing machinery, but the impact of such channels is especially dramatic on embedded systems. The reason for this is that these environments allow attackers to exploit small timing differences down to clock-cycle accuracy. On the defensive side, it is therefore advisable to carefully evaluate whether security-critical code contains data-dependent timing discrepancies. When working with real hardware, testing for such vulnerabilities is a tedious process. In order to reduce the burden of vetting, we study approaches that allow cycle-accurate behavioral emulation of relevant CPU behavior such as instruction pipeline flushes and bus contention. We show that our approach is feasible and efficient by implementing an emulator of the popular ARM Cortex-M core. We then give an overview of the problems of cycle-accurate emulation and demonstrate our approach towards a cycle-accurate ARM Thumb-2 simulator. Finally, we show how this simulator can be integrated into the build process of firmware to check for the presence of timing side channels before the system is deployed.

@inproceedings{bauer2016ares,
    title     = {Towards Cycle-Accurate Emulation of Cortex-M Code to Detect Timing Side Channels},
    author    = {Johannes Bauer and Felix C Freiling},
    booktitle = {\nth{11} International Conference on Availability, Reliability and Security---ARES~2016},
    year      = {2016},
    publisher = {IEEE},
    doi       = {10.1109/ARES.2016.94},
    url       = {https://dx.doi.org/10.1109/ARES.2016.94}
}

Paper, 2016-05: IEEE International Symposium on Hardware Oriented Security and Trust (HOST 2016): Information Leakage behind the Curtain: Abusing Anti-EMI Features for Covert Communication

This is the publication at HOST 2016; a longer version of this has been published as a technical report.

We present a new class of covert channels which can be created by utilizing common hardware but that cannot be detected by such. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire-bound connections of the compromised device, but is also by definition present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers, is indistinguishable from that of uncompromised devices.

@inproceedings{bauer2016host,
    author    = {Johannes Bauer and Sebastian Schinzel and Felix C Freiling and Andreas Dewald},
    title     = {Information Leakage behind the Curtain: Abusing Anti-{EMI} Features for Covert Communication},
    booktitle = {{IEEE} International Symposium on Hardware Oriented Security and Trust---HOST~2016},
    year      = {2016},
    month     = may,
    pages     = {130--134},
    doi       = {10.1109/HST.2016.7495570},
    url       = {https://dx.doi.org/10.1109/HST.2016.7495570},
}

Technical Report, 2016-03: Information Leakage behind the Curtain: Abusing Anti-EMI Features for Covert Communication

This is the longer version of the paper that was presented at HOST 2016.

We present a new class of covert channels which can be created by utilizing common hardware but that cannot be detected by such. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire-bound connections of the compromised device, but is also by definition present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers, is indistinguishable from that of uncompromised devices. We present two example implementations of such channels using RS-232 as the carrier and use a common oscilloscope to decode the resulting covert channel. Using this setup, we observed symbol rates of around 5 baud. We derive the theoretical upper bound of the covert channel's bandwidth and discuss the factors by which it is influenced.

@TechReport{bauer2016tr,
    author      = {Johannes Bauer and Sebastian Schinzel and Felix C Freiling and Andreas Dewald},
    title       = {Information Leakage behind the Curtain: Abusing Anti-{EMI} Features for Covert Communication},
    institution = {University of Erlangen, Department of Computer Science 1},
    year        = {2016},
    month       = mar,
    number      = {CS-2016-03},
    urn         = {urn:nbn:de:bvb:29-opus4-71576},
    url         = {https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-71576},
}

Paper, 2016-03: International Digital Forensics Workshop in Europe (DFRWS EU 2016): Lest we forget: Cold-boot attacks on scrambled DDR3 memory

As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents are scrambled to minimize undesirable parasitic effects of semiconductors. We present a descrambling attack that requires at most 128 bytes of known plaintext within the image in order to perform full recovery. We further refine this attack, using the mathematical relationships within the key stream, to require at most 50 bytes of known plaintext on a dual memory channel system. We thereby enable cold-boot attacks on systems employing Intel's memory scrambling technology.

@article{bauer2016dfrws,
    title     = {Lest we forget: Cold-boot attacks on scrambled {DDR3} memory},
    author    = {Johannes Bauer and Michael Gruhn and Felix C Freiling},
    journal   = {Digital Investigation},
    volume    = {16},
    pages     = {S65--S74},
    year      = {2016},
    publisher = {Elsevier},
    doi       = {10.1016/j.diin.2016.01.009},
    url       = {https://dx.doi.org/10.1016/j.diin.2016.01.009},
}

Extended Abstract, 2015-09: D-A-CH Security 2015: Bestandsaufnahme - Konzepte - Anwendungen - Perspektiven

This was presented as an extended abstract at D-A-CH Security 2015 in Bonn. It is written in German and explains how inexpensive symmetric hardware security modules can be incorporated into a TLS handshake without having to modify the protocol itself (such as by introducing a new, custom cipher suite).

In the context of the smallest embedded devices and machine-to-machine communication protocols within the Internet of Things, security protocols based on symmetric cryptography are mostly used, because they are relatively easy to handle on heavily resource-constrained devices. The secret cryptographic keys required for this, however, are typically stored in the flash memory of a microcontroller and are endangered by physical attacks such as power analysis or decapping. The hardware security modules (HSMs) needed to defend against such attacks are usually not considered, because they are regarded as expensive and often have proprietary interfaces which are difficult to integrate into common protocols. This work describes an efficient and generic approach for using an inexpensive HSM, which only provides symmetric cryptography based on the SHA-256 hash algorithm, to secure the widely used and accepted security protocol framework TLS. Concretely, we show the integration of a symmetric HSM, the Atmel ATSHA204A, into the handshake of Datagram TLS (DTLS).

@inproceedings{bauer2015dach,
    author    = {Johannes Bauer and Felix C Freiling},
    title     = {Schutz eingebetteter {Systeme} gegen physische {Angriffe}},
    booktitle = {DACH Security 2015 -- Bestandsaufnahme - Konzepte - Anwendungen - Perspektiven},
    publisher = {syssec-Verlag},
    address   = {Bonn, Germany},
    year      = {2015},
    month     = sep,
    isbn      = {978-3-000-49965-4},
    pages     = {387--396}
}

Diploma Thesis, 2009-08-31: Constraint-Based Reverse Engineering and its Applications in Astrophysics

This is my diploma thesis (Diplomarbeit), which is about methods and utilities that can effectively aid a reverse engineer in their work. As a proof of concept, an astronomical CCD camera driver was reverse engineered and reimplemented.

Paper, 2008-01-15: Informatiktage 2008 — Design of an OSEK/VDX-compatible System API for Linux

Here is the paper for my study thesis, which was accepted by the "Gesellschaft für Informatik e.V." for the Computer Science Days (Informatiktage) in 2008.

@proceedings{GIeV/informatiktage/2008,
  title     = {Informatiktage 2008: Fachwissenschaftlicher Informatik-Kongress,
               14. und 15. M{\"a}rz 2008, B-IT Bonn-Aachen International
               Center for Information Technology Bonn},
  booktitle = {Informatiktage},
  publisher = {Gesellschaft f{\"u}r Informatik (GI)},
  series    = {Lecture Notes in Informatics (LNI)},
  volume    = {S-6},
  year      = {2008},
  month     = mar,
  isbn      = {978-3-88579-440-0},
  pages     = {65--68},
  url       = {http://www.johannes-bauer.com/personal/publications/StudyThesis-Paper.pdf}
}

Study Thesis, 2007-09-26: Design of an OSEK/VDX-compatible System API for Linux

My study thesis covers the design and implementation of an OSEK operating system interface for Linux. OSEK is short for "Open Systems and their Interfaces for Electronics in Automobiles"; it is a real-time capable operating system for the automotive domain. The thesis covers how the mapping of the OSEK interface onto a UNIX process can be realized and which design decisions are important.

My study thesis deals with the design and implementation of an OSEK/VDX-compatible system interface for Linux. OSEK (short for "Offene Systeme und deren Schnittstellen für Elektronik in Kraftfahrzeugen", i.e. open systems and their interfaces for electronics in motor vehicles) is a real-time operating system for the automotive domain. The thesis describes how this OSEK interface can be mapped onto a UNIX interface in order to simulate OSEK processes on a UNIX system. The thesis is written in English.

Seminar Paper, 2006-05-10: Ausgewählte Kapitel eingebetteter Systeme

In my advanced seminar AKES (Ausgewählte Kapitel eingebetteter Systeme, selected topics in embedded systems), I gave a talk on the AVR microcontroller family. Both my written report and the presentation slides are available here:

2005-01-15: Erlanger Linux User Group - 3. Erlanger Linuxtage

ERLUG is the Erlangen Linux User Group. It can be found online at http://www.erlug.de. On the weekend of 15/16 January 2005, the 3rd Erlangen Linux Days (3. Erlanger Linuxtage) took place in the rooms of the FEN (media-art-zentrum). I gave several talks there. The slides are available for download here:

Project Paper, 2004-12-14: Konzepte von Betriebssystem-Komponenten

In my introductory seminar KVBK (Konzepte von Betriebssystem-Komponenten, concepts of operating system components), I gave two talks on SunRPC. The first covered the theoretical foundations, and the second was a hands-on guide to programming a small chat client using SunRPC in the computer lab. Furthermore, I prepared a short written report on the topic. All documents are available here: