Our power grid is rapidly changing. Gone are the days in which both production and consumption of power have been relatively easy to predict. With renewable energy as a producer and ubiquitous high-power equipment in many households, we now face a landscape in which grid frequency stability is more difficult to maintain. While previously all this high-power equipment was under the control of network operators and energy suppliers, it has now been decentralized and moved into the control of consumers. Without Demand Response Capabilities, these devices are out of reach, and grid operators can only passively react to whatever is happening downstream. Therefore, it is our position that Demand Response Capabilities are a welcome and inevitable evolution of our power grids – while at the same time we see greater risks than ever before when part of our critical infrastructure is now in the physical control of consumers, who have unlimited time to attempt to tamper with it. We support Demand Response Capabilities, but argue that if they are implemented, it is imperative that they be implemented securely.
With security set as a design goal, a different conundrum arises at the same time: what constitutes appropriate security for the level of risk involved? This is not just a technical question, but also a question that touches the lifecycles of products and their maintenance. New vulnerabilities are discovered at an alarming rate even in the most sophisticated systems. It would be naïve to assume that new systems can be built which do not have any of these issues. Therefore, the question of proper handling and mitigation is one that needs to be answered to allow for secure ongoing operation of a smart grid.
We usually scrutinize the security of embedded systems under an extraordinarily powerful attacker model: the adversary has physical possession of the target and unlimited time to break it. For the defensive side, this forms an exceptionally challenging scenario. This thesis studies the fortification of systems against such adversaries. The principal contributions lie in the field of embedded security, where we explore methods of building secure systems in a resource-efficient manner. This allows implementation of our countermeasures on resource-constrained microcontrollers. While these software countermeasures have a detrimental effect on runtime performance, the cost of the hardware itself remains unaffected, thereby providing an attractive and inexpensive alternative to hardware countermeasures. Next, we briefly outline our contributions.
Attacks such as Differential Power Analysis (DPA) enable adversaries to exploit even the most minute differences in data-dependent energy consumption. To make it more difficult for attackers to gain access to secrets within a chip, effective countermeasures need to be employed. As a first contribution, we describe one such technique that is implemented purely in software. We use binary recompilation to achieve binary code polymorphism, which causes a different characteristic emission pattern for each call of a protected cryptographic primitive. Because the extensive and sophisticated pre-calculations are performed at compile time, execution at runtime remains very fast.
Since attackers can exploit not only power consumption but also timing differences with great accuracy, we studied the detection of timing leaks. Considering the architecture of today's increasingly complex microcontrollers, manual estimation of runtime has become virtually infeasible. Therefore, as a second contribution, we developed a behavioral Cortex-M core emulator which permits cycle-accurate simulation. We show how to incorporate such an emulator into a semi-automatic vetting process: after compilation, all security-relevant routines within the code are analyzed and checked for timing discrepancies.
The complexity of modern microcontroller units (MCUs) is shown from a different angle when considering attackers who can manipulate firmware. Since the reduction of electromagnetic interference (EMI) is an important goal of system designers, many recent MCUs already include software-tunable EMI countermeasures. In our third contribution, we show how these anti-EMI peripherals can be abused to construct covert channels. Unfortunately for the defensive side, these channels operate in the radio frequency domain and thus could be used for wireless transmission of data — even when the benign application was never intended to perform such communication. We describe how changes in parasitic electromagnetic emission can be used to encode data and what hardware is necessary to recover this data.
To increase the resistance of embedded systems against physical attacks, it is common to use special semiconductors which employ hardware countermeasures. The downside of such integration is that the specialized device usually dictates the exact cryptographic construction. Our fourth contribution focuses on how such hardware can nevertheless be used to augment general-purpose microcontrollers. As a demonstration, we incorporate a hardware security module into the handshake of the transport layer security (TLS) protocol. We do so without the need to create a custom cipher suite and without modifying the TLS handshake itself; instead, we use a generic approach that relies on implementation-specific protocol invariants and therefore avoids the limitations which would be imposed by nonstandard protocol modifications.
When processors make use of external peripherals such as dynamic random access memory (DRAM), another attack vector arises: due to parasitic effects in the physical construction of modern high-density RAM, the hardware cannot guarantee data integrity for all bit patterns. To counteract this, memory controllers commonly scramble the data to obtain an effectively bias-free bitstream on the RAM chip. With our fifth contribution, we show in depth how one such scrambling scheme, used by Intel, works and how scrambled memory can be descrambled to reveal the original memory content. In the field of forensics this is highly relevant: when physical memory acquisition, for example by cold-boot attacks, is used to capture a memory image, that image must be descrambled before it can be analyzed meaningfully. We furthermore discuss how knowledge of the scrambler's internal workings may open up possibilities for an attacker to deliberately cause disturbances in RAM.
@phdthesis{bauer2016phdthesis,
  author      = {Johannes Bauer},
  advisor     = {Felix C Freiling},
  referee     = {Falko Dressler},
  title       = {{On Inexpensive Methods for Improving Security of Embedded Systems --- Kostengünstige Maßnahmen zur Erhöhung der Sicherheit eingebetteter Systeme}},
  institution = {Department of Computer Science 1},
  school      = {University of Erlangen},
  location    = {Erlangen, Germany},
  year        = {2016},
  month       = nov,
  urn         = {urn:nbn:de:bvb:29-opus4-81273},
  url         = {https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-81273}
}
Leakage of information through timing side channels is a problem for all sorts of computing machinery, but the impact of such channels is especially dramatic on embedded systems. The reason is that these environments allow attackers to exploit small timing differences down to clock-cycle accuracy. On the defensive side it is therefore advisable to evaluate carefully whether security-critical code contains data-dependent timing discrepancies. When working with real hardware, testing for such vulnerabilities is a tedious process. In order to reduce the burden of vetting, we study approaches that allow cycle-accurate behavioral emulation of relevant CPU behavior such as instruction pipeline flushes and bus contention. We show that our approach is feasible and efficient by implementing an emulator of the popular ARM Cortex-M core. We then give an overview of the problems of cycle-accurate emulation and demonstrate our approach towards a cycle-accurate ARM Thumb-2 simulator. Finally, we show how this simulator can be integrated into the build process of firmware to check for the presence of timing side channels before the system is deployed.
@inproceedings{bauer2016ares,
  title     = {Towards Cycle-Accurate Emulation of Cortex-M Code to Detect Timing Side Channels},
  author    = {Johannes Bauer and Felix C Freiling},
  booktitle = {\nth{11} International Conference on Availability, Reliability and Security---ARES~2016},
  year      = {2016},
  publisher = {IEEE},
  doi       = {10.1109/ARES.2016.94},
  url       = {https://dx.doi.org/10.1109/ARES.2016.94}
}
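The vetting step in the abstract above (run every security-relevant routine over many inputs and reject it if its cost depends on the data) can be shown with a small model. The following is an added example and not code from the thesis or the emulator it describes: instead of a cycle-accurate Cortex-M emulator, each routine counts its own loop iterations, which stands in for the cycle count. The routines, the secret value and the candidate-generation strategy are all constructed for this illustration.

```python
"""Toy model of a timing-leak vetting step: run a security-relevant routine
over many inputs and flag it if its cost is not constant.

In the paper the cost comes from a cycle-accurate emulator; here each routine
counts its own loop iterations, which is enough to show the vetting logic.
Constructed example, not the paper's emulator or code."""
import random


def naive_compare(expected: bytes, candidate: bytes):
    """memcmp-style comparison that exits at the first mismatch.
    Returns (equal, cost) where cost is the number of loop iterations."""
    cost = 0
    for x, y in zip(expected, candidate):
        cost += 1
        if x != y:
            return False, cost
    return len(expected) == len(candidate), cost


def constant_time_compare(expected: bytes, candidate: bytes):
    """OR-accumulating comparison: the loop always runs to the end."""
    if len(expected) != len(candidate):
        return False, 0
    acc = 0
    cost = 0
    for x, y in zip(expected, candidate):
        acc |= x ^ y
        cost += 1
    return acc == 0, cost


def observed_costs(routine, secret: bytes, trials: int = 256, seed: int = 1234) -> set:
    """Cost values seen when attacker-chosen candidates are compared against a
    fixed secret. Candidates share a random-length prefix with the secret so
    that early-exit code is driven down every possible path."""
    rng = random.Random(seed)
    costs = set()
    for _ in range(trials):
        prefix_len = rng.randrange(len(secret) + 1)
        tail = bytes(rng.randrange(256) for _ in range(len(secret) - prefix_len))
        _, cost = routine(secret, secret[:prefix_len] + tail)
        costs.add(cost)
    return costs


def has_timing_leak(routine, secret: bytes) -> bool:
    """A routine passes vetting only if every trial costs the same."""
    return len(observed_costs(routine, secret)) > 1


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed secret, e.g. a 32-byte MAC tag
    for fn in (naive_compare, constant_time_compare):
        print(f"{fn.__name__}: leak={has_timing_leak(fn, secret)}")
```

The check is deliberately input-class based: a single cost set per routine is what a build-time vetting job would report, and any set with more than one element is a finding. With a real emulator the "cost" would include pipeline and bus effects, so a loop-level count like the one here is only the first approximation.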
This is the publication at HOST 2016; a longer version of this has been published as a technical report.
We present a new class of covert channels which can be created using common hardware but cannot be detected by it. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire-bound connections of the compromised device, but is by definition also present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers, are indistinguishable from those of uncompromised devices.
@inproceedings{bauer2016host,
  author    = {Johannes Bauer and Sebastian Schinzel and Felix C Freiling and Andreas Dewald},
  title     = {Information Leakage behind the Curtain: Abusing Anti-{EMI} Features for Covert Communication},
  booktitle = {{IEEE} International Symposium on Hardware Oriented Security and Trust---HOST~2016},
  year      = {2016},
  month     = may,
  pages     = {130--134},
  doi       = {10.1109/HST.2016.7495570},
  url       = {https://dx.doi.org/10.1109/HST.2016.7495570},
}
This is the longer version of the paper that was presented at HOST 2016.
We present a new class of covert channels which can be created using common hardware but cannot be detected by it. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire-bound connections of the compromised device, but is by definition also present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers, are indistinguishable from those of uncompromised devices. We present two example implementations of such channels using RS-232 as the carrier and use a common oscilloscope to decode the resulting covert channel. Using this setup, we observed symbol rates of around 5 baud. We derive the theoretical upper bound of the covert channel's bandwidth and discuss the factors by which it is influenced.
@TechReport{bauer2016tr,
  author      = {Johannes Bauer and Sebastian Schinzel and Felix C Freiling and Andreas Dewald},
  title       = {Information Leakage behind the Curtain: Abusing Anti-{EMI} Features for Covert Communication},
  institution = {University of Erlangen, Department of Computer Science 1},
  year        = {2016},
  month       = mar,
  number      = {CS-2016-03},
  urn         = {urn:nbn:de:bvb:29-opus4-71576},
  url         = {https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-71576},
}
As hard disk encryption, RAM disks, persistent-data-avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents are scrambled to minimize undesirable parasitic effects of semiconductors. We present a descrambling attack that requires at most 128 bytes of known plaintext within the image in order to perform full recovery. Using the mathematical relationships within the key stream, we further refine this attack so that it requires at most 50 bytes of known plaintext on a dual-memory-channel system. We thereby enable cold-boot attacks on systems employing Intel's memory scrambling technology.
@article{bauer2016dfrws,
  title     = {Lest we forget: Cold-boot attacks on scrambled {DDR3} memory},
  author    = {Johannes Bauer and Michael Gruhn and Felix C Freiling},
  journal   = {Digital Investigation},
  volume    = {16},
  pages     = {S65--S74},
  year      = {2016},
  publisher = {Elsevier},
  doi       = {10.1016/j.diin.2016.01.009},
  url       = {https://dx.doi.org/10.1016/j.diin.2016.01.009},
}
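The known-plaintext idea behind the descrambling described above (a forensic analyst knows what a few bytes of the image must contain, e.g. a zero-filled page, and uses them to recover the key stream for the whole image) can be illustrated with a deliberately simplified scrambler. The following is an added example and not the paper's method or code: it assumes a constructed scrambler that XORs every byte with a key stream repeating every PERIOD bytes, so that PERIOD bytes of known plaintext at any offset reveal the whole key stream. The period, the seed and the key-stream derivation are made up for this illustration; the real scheme analyzed in the paper is more involved and is not reproduced here.

```python
"""Toy model of descrambling a memory image with known plaintext.

Assumption (constructed, not Intel's scheme): the scrambler XORs each byte
with a key stream that depends only on the address modulo PERIOD. Any
PERIOD consecutive bytes of known plaintext then reveal the full key stream,
after which the entire image can be descrambled."""
import hashlib

PERIOD = 128  # constructed: key stream repeats every 128 bytes


def keystream(seed: bytes) -> bytes:
    """Constructed key stream standing in for a scrambler seeded at boot."""
    out = b""
    counter = 0
    while len(out) < PERIOD:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:PERIOD]


def scramble(image: bytes, ks: bytes) -> bytes:
    """Scramble (or, since XOR is an involution, descramble) a byte string."""
    return bytes(b ^ ks[i % PERIOD] for i, b in enumerate(image))


def recover_keystream(scrambled: bytes, known_offset: int, known_plain: bytes) -> bytes:
    """Recover the full key stream from PERIOD bytes of known plaintext that
    are known to sit at known_offset in the scrambled image."""
    if len(known_plain) < PERIOD:
        raise ValueError("need at least PERIOD bytes of known plaintext")
    ks = bytearray(PERIOD)
    for i in range(PERIOD):
        addr = known_offset + i
        ks[addr % PERIOD] = scrambled[addr] ^ known_plain[i]
    return bytes(ks)


def descramble(scrambled: bytes, ks: bytes) -> bytes:
    return scramble(scrambled, ks)


def demo() -> bool:
    """Scramble a constructed image, then recover it from a known zero page."""
    # constructed memory image: a zero-filled page, an ELF-like header, then text
    image = bytes(4096) + b"\x7fELF" + b"\x00" * 124 + b"kernel text " * 100
    dump = scramble(image, keystream(b"constructed-boot-seed"))
    # the analyst knows addresses 0..4095 are zero-filled; 128 of them suffice
    ks = recover_keystream(dump, known_offset=0, known_plain=bytes(PERIOD))
    return descramble(dump, ks) == image


if __name__ == "__main__":
    print("full recovery:", demo())
```

The example goes slightly beyond the zero-page case: because the key stream is indexed by address modulo PERIOD, the known plaintext can sit at any offset, not only at a period boundary, which is why the recovery loop writes to `ks[addr % PERIOD]` rather than `ks[i]`.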
This was presented as an extended abstract at D-A-CH Security 2015 in Bonn. It is in German language and explains how inexpensive symmetric hardware security modules can be incorporated in a TLS handshake without having to modify the protocol itself (such as by introducing a new, custom, cipher suite).
In the context of the smallest embedded devices and machine-to-machine communication protocols within the Internet of Things, security protocols based on symmetric cryptography are mostly used, because they are relatively easy to handle for heavily resource-constrained devices. However, the secret cryptographic keys required for this are typically stored in the flash memory of a microcontroller and are at risk from physical attacks such as power analysis or decapping. The hardware security modules (HSMs) needed to defend against such attacks are usually not considered, because they are regarded as expensive and frequently have proprietary interfaces that are difficult to integrate into common protocols. This work describes an efficient and generic approach for using an inexpensive HSM, which provides only symmetric cryptography based on the SHA-256 hash algorithm, to secure the widely used and accepted security protocol framework TLS. Concretely, we show the integration of a symmetric HSM, the Atmel ATSHA204A, into the handshake of datagram TLS (DTLS).
@inproceedings{bauer2015dach,
  author    = {Johannes Bauer and Felix C Freiling},
  title     = {Schutz eingebetteter {Systeme} gegen physische {Angriffe}},
  booktitle = {DACH Security 2015 -- Bestandsaufnahme - Konzepte - Anwendungen - Perspektiven},
  publisher = {syssec-Verlag},
  address   = {Bonn, Germany},
  year      = {2015},
  month     = sep,
  isbn      = {978-3-000-49965-4},
  pages     = {387--396}
}
This is my Diploma Thesis (Diplomarbeit), which is about methods and utilities that can effectively aid a reverse engineer in his work. As a proof of concept, an astronomical CCD camera driver was reverse engineered and reimplemented.
In order to reverse engineer code efficiently, tools are necessary which do significantly more than simple disassembly. Such tools should aid the reverse engineer in the areas in which manual work is known to be tedious and error-prone. The engineer, for his part, aids the tool in the areas where automatic disassembly fails due to code obfuscation. This way the reverse engineer can concentrate on the actual work and delegate the tedious parts to the utility at hand. To show what such a utility could look like and what it could be capable of, a camera driver for an astronomical CCD camera is reverse engineered in the course of this work. The second part focuses on the reimplementation and on the astrophysical problems which need to be solved in order to create good imaging results.
This is the paper for my study thesis, which was accepted by the "Gesellschaft für Informatik e.V." at the Computer Science Days (Informatiktagen) in 2008.
@proceedings{GIeV/informatiktage/2008,
  title     = {Informatiktage 2008: Fachwissenschaftlicher Informatik-Kongress, 14. und 15. März 2008, B-IT Bonn-Aachen International Center for Information Technology Bonn},
  booktitle = {Informatiktage},
  publisher = {Gesellschaft für Informatik (GI)},
  series    = {Lecture Notes in Informatics (LNI)},
  volume    = {S-6},
  year      = {2008},
  month     = mar,
  isbn      = {978-3-88579-440-0},
  pages     = {65--68},
  url       = {https://www.johannes-bauer.com/personal/publications/StudyThesis-Paper.pdf}
}
My study thesis covers the design and implementation of an OSEK operating system interface for Linux. OSEK is short for "Open Systems and their Interfaces for Electronics in Automobiles"; it is a real-time-capable operating system for the automotive domain. The thesis covers how the mapping of the OSEK interface onto a UNIX process can be realized and which design decisions are important.
My study thesis deals with the design and implementation of an OSEK/VDX-compatible system interface for Linux. OSEK (short for Offene Systeme und deren Schnittstellen für Elektronik in Kraftfahrzeugen, i.e. Open Systems and their Interfaces for Electronics in Motor Vehicles) is a real-time operating system for the automotive domain. The thesis describes how this OSEK interface can be mapped onto a UNIX interface in order to simulate OSEK processes on a UNIX system. The thesis is written in English.
Embedded real-time systems often need to be optimized for high availability and deterministic runtime and scheduling behavior. The OSEK-OS operating system standard is quite fit for this purpose: by means of the priority ceiling protocol, many actions and properties of the system are already known ahead of runtime, allowing for a customized generation of the actual operating system code. For testing the functional properties of an OSEK-OS-conformant operating system, it is useful to test on a platform which has sophisticated debugging utilities available. A Linux system is suitable, as most Linux distributions already include versatile tools. This study thesis evaluates the possibility of simulating an OSEK-OS-conformant operating system and its mapping onto a UNIX process.
After a brief explanation of how an OSEK operating system works, the developed code generator called josek is introduced. The method of operation and the particularities of josek are discussed, paying special attention to the scheduler – the integral component of any operating system. It is explained how a specially crafted stack is used in order to perform task switching and how this stack can be protected with the userland means available to any Linux process. Problem cases which appear during the development of such an operating system are illuminated and their solutions are presented. This includes cases where special compiler optimizations might cause malfunction of the generated code. After showing that and how functional components of an OSEK operating system can be emulated by a UNIX process, the study thesis concludes with a detailed performance review. Not only is the code generated by different configurations of josek compared against itself, but it is also compared against Trampoline, another open source implementation of an OSEK operating system.
In my advanced seminar AKES I gave a talk on the AVR microcontroller family. Both my written report and the presentation slides are available here:
ERLUG is the Erlangen Linux User Group. It can be found online at https://www.erlug.de. On the weekend of 15/16 January 2005, the 3rd Erlanger Linuxtage took place in the rooms of the FEN (media-art-zentrum). I gave several talks there. The slides are available for download here:
In my introductory seminar KVBK I gave two talks on SunRPC. The first covered the theoretical foundations, and the second was a tutorial for programming a small chat client with SunRPC in the computer lab. I also prepared a short written report on the topic. All documents are available here: