emsoft2022 poster and presentation

Arthur 'Grizzly' Grisel-Davy 2022-10-10 22:22:05 -04:00
parent bc0c042845
commit 82fafbe76f
30 changed files with 3588 additions and 0 deletions


@ -0,0 +1,22 @@
\newabbreviation{hids}{HIDS}{Host-based Intrusion Detection System}
\newabbreviation{ids}{IDS}{Intrusion Detection System}
\newabbreviation{apt}{APT}{Advanced Persistent Threat}
\newabbreviation{plc}{PLC}{Programmable Logic Controller}
\newabbreviation{sdsp}{SDS Pipeline}{State Detection and Segmentation Pipeline}
\newabbreviation{bpv}{BPV}{Boot Process Verifier}
\newabbreviation{lru}{LRU}{Least Recently Used}
\newabbreviation{vpn}{VPN}{Virtual Private Network}
\newabbreviation{dc}{DC}{Direct Current}
\newabbreviation{ac}{AC}{Alternating Current}
\newabbreviation{bios}{BIOS}{Basic Input/Output System}
\newabbreviation{sca}{SCA}{Side-Channel Analysis}
\newabbreviation{os}{OS}{Operating System}
\newabbreviation{iqr}{IQR}{Interquartile Range}
\newabbreviation{aim}{AIM}{Anomaly Infused Model}
\newabbreviation{rom}{ROM}{Read-Only Memory}
\newabbreviation{eprom}{EPROM}{Erasable Programmable Read-Only Memory}
\newabbreviation{vlan}{VLAN}{Virtual Local Area Network}
\newabbreviation{pdu}{PDU}{Power Distribution Unit}
\newabbreviation{oem}{OEM}{Original Equipment Manufacturer}
\newabbreviation{svm}{SVM}{Support Vector Machine}
\newabbreviation{it}{IT}{Information Technology}

535
BPV/emsoft2022/article.tex Normal file

@ -0,0 +1,535 @@
% Specificity of WIP paper:
% Limited to 2 pages.
% Deadline is June 11 AOE.
% Still publish like a regular paper.
% Title must have the 'Work-in-Progress:' prefix.
% Double blind review, single round.
% Short presentation + poster during conference.
%% bare_conf.tex
%% V1.4b
%% 2015/08/26
%% by Michael Shell
%% See:
%% http://www.michaelshell.org/
%% for current contact information.
%%
%% This is a skeleton file demonstrating the use of IEEEtran.cls
%% (requires IEEEtran.cls version 1.8b or later) with an IEEE
%% conference paper.
%%
%% Support sites:
%% http://www.michaelshell.org/tex/ieeetran/
%% http://www.ctan.org/pkg/ieeetran
%% and
%% http://www.ieee.org/
%%*************************************************************************
%% Legal Notice:
%% This code is offered as-is without any warranty either expressed or
%% implied; without even the implied warranty of MERCHANTABILITY or
%% FITNESS FOR A PARTICULAR PURPOSE!
%% User assumes all risk.
%% In no event shall the IEEE or any contributor to this code be liable for
%% any damages or losses, including, but not limited to, incidental,
%% consequential, or any other damages, resulting from the use or misuse
%% of any information contained here.
%%
%% All comments are the opinions of their respective authors and are not
%% necessarily endorsed by the IEEE.
%%
%% This work is distributed under the LaTeX Project Public License (LPPL)
%% ( http://www.latex-project.org/ ) version 1.3, and may be freely used,
%% distributed and modified. A copy of the LPPL, version 1.3, is included
%% in the base LaTeX documentation of all distributions of LaTeX released
%% 2003/12/01 or later.
%% Retain all contribution notices and credits.
%% ** Modified files should be clearly indicated as such, including **
%% ** renaming them and changing author support contact information. **
%%*************************************************************************
% *** Authors should verify (and, if needed, correct) their LaTeX system ***
% *** with the testflow diagnostic prior to trusting their LaTeX platform ***
% *** with production work. The IEEE's font choices and paper sizes can ***
% *** trigger bugs that do not appear when using other class files. *** ***
% The testflow support page is at:
% http://www.michaelshell.org/tex/testflow/
\documentclass[conference, a4paper]{IEEEtran}
% Some Computer Society conferences also require the compsoc mode option,
% but others use the standard conference format.
%
% If IEEEtran.cls has not been installed into the LaTeX system files,
% manually specify the path to it like:
% \documentclass[conference]{../sty/IEEEtran}
\usepackage[toc,acronym,abbreviations,nonumberlist,nogroupskip]{glossaries-extra}
\usepackage{numprint}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage[skip=0.5\baselineskip]{caption}
\usepackage[bottom=42mm,top=18mm,left=12.9mm, right=12.9mm]{geometry}
% margin selected from this reference schema for A4 paper: http://www.ieee-ies.org/images/files/conferences/ieee-pages-and-margins-2016.pdf
% Removed a few mm from the bottom margin to make it fit.
\usepackage[pdftex]{graphicx}
\usepackage[hidelinks]{hyperref}
\usepackage{soul}
\usepackage{algorithm}
\usepackage{algpseudocode}
\usepackage{booktabs}
\input{acronyms}
% Some very useful LaTeX packages include:
% (uncomment the ones you want to load)
% *** MISC UTILITY PACKAGES ***
%
%\usepackage{ifpdf}
% Heiko Oberdiek's ifpdf.sty is very useful if you need conditional
% compilation based on whether the output is pdf or dvi.
% usage:
% \ifpdf
% % pdf code
% \else
% % dvi code
% \fi
% The latest version of ifpdf.sty can be obtained from:
% http://www.ctan.org/pkg/ifpdf
% Also, note that IEEEtran.cls V1.7 and later provides a builtin
% \ifCLASSINFOpdf conditional that works the same way.
% When switching from latex to pdflatex and vice-versa, the compiler may
% have to be run twice to clear warning/error messages.
% *** CITATION PACKAGES ***
%
%\usepackage{cite}
% cite.sty was written by Donald Arseneau
% V1.6 and later of IEEEtran pre-defines the format of the cite.sty package
%~\cite{} output to follow that of the IEEE. Loading the cite package will
% result in citation numbers being automatically sorted and properly
% "compressed/ranged". e.g., [1], [9], [2], [7], [5], [6] without using
% cite.sty will become [1], [2], [5]--[7], [9] using cite.sty. cite.sty's
%~\cite will automatically add leading space, if needed. Use cite.sty's
% noadjust option (cite.sty V3.8 and later) if you want to turn this off
% such as if a citation ever needs to be enclosed in parenthesis.
% cite.sty is already installed on most LaTeX systems. Be sure and use
% version 5.0 (2009-03-20) and later if using hyperref.sty.
% The latest version can be obtained at:
% http://www.ctan.org/pkg/cite
% The documentation is contained in the cite.sty file itself.
% *** GRAPHICS RELATED PACKAGES ***
%
\ifCLASSINFOpdf
% \usepackage[pdftex]{graphicx}
% declare the path(s) where your graphic files are
% \graphicspath{{../pdf/}{../jpeg/}}
% and their extensions so you won't have to specify these with
% every instance of \includegraphics
% \DeclareGraphicsExtensions{.pdf,.jpeg,.png}
\else
% or other class option (dvipsone, dvipdf, if not using dvips). graphicx
% will default to the driver specified in the system graphics.cfg if no
% driver is specified.
% \usepackage[dvips]{graphicx}
% declare the path(s) where your graphic files are
% \graphicspath{{../eps/}}
% and their extensions so you won't have to specify these with
% every instance of \includegraphics
% \DeclareGraphicsExtensions{.eps}
\fi
% graphicx was written by David Carlisle and Sebastian Rahtz. It is
% required if you want graphics, photos, etc. graphicx.sty is already
% installed on most LaTeX systems. The latest version and documentation
% can be obtained at:
% http://www.ctan.org/pkg/graphicx
% Another good source of documentation is "Using Imported Graphics in
% LaTeX2e" by Keith Reckdahl which can be found at:
% http://www.ctan.org/pkg/epslatex
%
% latex, and pdflatex in dvi mode, support graphics in encapsulated
% postscript (.eps) format. pdflatex in pdf mode supports graphics
% in .pdf, .jpeg, .png and .mps (metapost) formats. Users should ensure
% that all non-photo figures use a vector format (.eps, .pdf, .mps) and
% not a bitmapped formats (.jpeg, .png). The IEEE frowns on bitmapped formats
% which can result in "jaggedy"/blurry rendering of lines and letters as
% well as large increases in file sizes.
%
% You can find documentation about the pdfTeX application at:
% http://www.tug.org/applications/pdftex
% *** MATH PACKAGES ***
%
%\usepackage{amsmath}
% A popular package from the American Mathematical Society that provides
% many useful and powerful commands for dealing with mathematics.
%
% Note that the amsmath package sets \interdisplaylinepenalty to 10000
% thus preventing page breaks from occurring within multiline equations. Use:
%\interdisplaylinepenalty=2500
% after loading amsmath to restore such page breaks as IEEEtran.cls normally
% does. amsmath.sty is already installed on most LaTeX systems. The latest
% version and documentation can be obtained at:
% http://www.ctan.org/pkg/amsmath
% *** SPECIALIZED LIST PACKAGES ***
%
%\usepackage{algorithmic}
% algorithmic.sty was written by Peter Williams and Rogerio Brito.
% This package provides an algorithmic environment fo describing algorithms.
% You can use the algorithmic environment in-text or within a figure
% environment to provide for a floating algorithm. Do NOT use the algorithm
% floating environment provided by algorithm.sty (by the same authors) or
% algorithm2e.sty (by Christophe Fiorio) as the IEEE does not use dedicated
% algorithm float types and packages that provide these will not provide
% correct IEEE style captions. The latest version and documentation of
% algorithmic.sty can be obtained at:
% http://www.ctan.org/pkg/algorithms
% Also of interest may be the (relatively newer and more customizable)
% algorithmicx.sty package by Szasz Janos:
% http://www.ctan.org/pkg/algorithmicx
% *** ALIGNMENT PACKAGES ***
%
%\usepackage{array}
% Frank Mittelbach's and David Carlisle's array.sty patches and improves
% the standard LaTeX2e array and tabular environments to provide better
% appearance and additional user controls. As the default LaTeX2e table
% generation code is lacking to the point of almost being broken with
% respect to the quality of the end results, all users are strongly
% advised to use an enhanced (at the very least that provided by array.sty)
% set of table tools. array.sty is already installed on most systems. The
% latest version and documentation can be obtained at:
% http://www.ctan.org/pkg/array
% IEEEtran contains the IEEEeqnarray family of commands that can be used to
% generate multiline equations as well as matrices, tables, etc., of high
% quality.
% *** SUBFIGURE PACKAGES ***
%\ifCLASSOPTIONcompsoc
% \usepackage[caption=false,font=normalsize,labelfont=sf,textfont=sf]{subfig}
%\else
% \usepackage[caption=false,font=footnotesize]{subfig}
%\fi
% subfig.sty, written by Steven Douglas Cochran, is the modern replacement
% for subfigure.sty, the latter of which is no longer maintained and is
% incompatible with some LaTeX packages including fixltx2e. However,
% subfig.sty requires and automatically loads Axel Sommerfeldt's caption.sty
% which will override IEEEtran.cls' handling of captions and this will result
% in non-IEEE style figure/table captions. To prevent this problem, be sure
% and invoke subfig.sty's "caption=false" package option (available since
% subfig.sty version 1.3, 2005/06/28) as this is will preserve IEEEtran.cls
% handling of captions.
% Note that the Computer Society format requires a larger sans serif font
% than the serif footnote size font used in traditional IEEE formatting
% and thus the need to invoke different subfig.sty package options depending
% on whether compsoc mode has been enabled.
%
% The latest version and documentation of subfig.sty can be obtained at:
% http://www.ctan.org/pkg/subfig
% *** FLOAT PACKAGES ***
%
%\usepackage{fixltx2e}
% fixltx2e, the successor to the earlier fix2col.sty, was written by
% Frank Mittelbach and David Carlisle. This package corrects a few problems
% in the LaTeX2e kernel, the most notable of which is that in current
% LaTeX2e releases, the ordering of single and double column floats is not
% guaranteed to be preserved. Thus, an unpatched LaTeX2e can allow a
% single column figure to be placed prior to an earlier double column
% figure.
% Be aware that LaTeX2e kernels dated 2015 and later have fixltx2e.sty's
% corrections already built into the system in which case a warning will
% be issued if an attempt is made to load fixltx2e.sty as it is no longer
% needed.
% The latest version and documentation can be found at:
% http://www.ctan.org/pkg/fixltx2e
%\usepackage{stfloats}
% stfloats.sty was written by Sigitas Tolusis. This package gives LaTeX2e
% the ability to do double column floats at the bottom of the page as well
% as the top. (e.g., "\begin{figure*}[!b]" is not normally possible in
% LaTeX2e). It also provides a command:
%\fnbelowfloat
% to enable the placement of footnotes below bottom floats (the standard
% LaTeX2e kernel puts them above bottom floats). This is an invasive package
% which rewrites many portions of the LaTeX2e float routines. It may not work
% with other packages that modify the LaTeX2e float routines. The latest
% version and documentation can be obtained at:
% http://www.ctan.org/pkg/stfloats
% Do not use the stfloats baselinefloat ability as the IEEE does not allow
% \baselineskip to stretch. Authors submitting work to the IEEE should note
% that the IEEE rarely uses double column equations and that authors should try
% to avoid such use. Do not be tempted to use the cuted.sty or midfloat.sty
% packages (also by Sigitas Tolusis) as the IEEE does not format its papers in
% such ways.
% Do not attempt to use stfloats with fixltx2e as they are incompatible.
% Instead, use Morten Hogholm'a dblfloatfix which combines the features
% of both fixltx2e and stfloats:
%
% \usepackage{dblfloatfix}
% The latest version can be found at:
% http://www.ctan.org/pkg/dblfloatfix
% *** PDF, URL AND HYPERLINK PACKAGES ***
%
%\usepackage{url}
% url.sty was written by Donald Arseneau. It provides better support for
% handling and breaking URLs. url.sty is already installed on most LaTeX
% systems. The latest version and documentation can be obtained at:
% http://www.ctan.org/pkg/url
% Basically, \url{my_url_here}.
% *** Do not adjust lengths that control margins, column widths, etc. ***
% *** Do not use packages that alter fonts (such as pslatex). ***
% There should be no need to do such things with IEEEtran.cls V1.6 and later.
% (Unless specifically asked to do so by the journal or conference you plan
% to submit to, of course. )
% correct bad hyphenation here
%\hyphenation{op-tical net-works semi-conduc-tor}
\usepackage{xcolor}
\usepackage{hyperref}
\usepackage{amssymb}
\newcommand\agd[1]{{\color{red}$\bigstar$}\footnote{agd: #1}}
\newcommand\an[1]{{\color{blue}$\bigstar$}\footnote{an: #1}}
\newcommand\oi[1]{{\color{orange}$\bigstar$}\footnote{oi: #1}}
\newcommand\spabs[1]{{\color{cyan}$\bigstar$}\footnote{spabs: #1}}
\newcommand\amb[1]{{\color{purple}$\bigstar$}\footnote{amb: #1}}
\newcommand\cb[1]{{\color{green}$\bigstar$}\footnote{cb: #1}}
\newcommand{\cn}{{\color{purple}[citation needed]}}
\renewcommand{\labelenumii}{\theenumii}
\renewcommand{\theenumii}{\theenumi.\arabic{enumii}.}
\hyphenpenalty=10000
% ============================ REVIEW and CHANGES =======================
% Add emphasis that this is a novel approach and that the current firmware verification methods have some limitations
% Change title and document to remove references to firmware and prefer "boot sequence verification"
% Fix reference to dataset (maybe footnote is better) and provide step-by-step description of the capture process
% Justify value for parameters.
% Refactor the explanation of AIM and IQR. it is not clear enough
% Add a mention on how the method we propose should be used (as part of a SOAR)
\begin{document}
%
% paper title
% Titles are generally capitalized except for words such as a, an, and, as,
% at, but, by, for, in, nor, of, on, or, the, to and up, which are usually
% not capitalized unless they are the first or last word of the title.
% Linebreaks \\ can be used within to get better formatting as desired.
% Do not put math or special symbols in the title.
\title{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis}
% author names and affiliations
% use a multiple column layout for up to three different
% affiliations
\author{
\IEEEauthorblockN{Arthur Grisel-Davy, Amrita Milan Bhogayata, Srijan Pabbi, Apurva Narayan, Sebastian Fischmeister}\\
%\vspace{0.1cm}
\IEEEauthorblockA{Department of Electrical and Computer Engineering\\
University of Waterloo. Waterloo, Ontario, Canada\\
Email: agriseld@uwaterloo.ca}
}
% conference papers do not typically use \thanks and this command
% is locked out in conference mode. If really needed, such as for
% the acknowledgment of grants, issue a \IEEEoverridecommandlockouts
% after \documentclass
% for over three affiliations, or if they all won't fit within the width
% of the page, use this alternative format:
%
%\author{\IEEEauthorblockN{Michael Shell\IEEEauthorrefmark{1},
%Homer Simpson\IEEEauthorrefmark{2},
%James Kirk\IEEEauthorrefmark{3},
%Montgomery Scott\IEEEauthorrefmark{3} and
%Eldon Tyrell\IEEEauthorrefmark{4}}
%\IEEEauthorblockA{\IEEEauthorrefmark{1}School of Electrical and Computer Engineering\\
%Georgia Institute of Technology,
%Atlanta, Georgia 30332--0250\\ Email: see http://www.michaelshell.org/contact.html}
%\IEEEauthorblockA{\IEEEauthorrefmark{2}Twentieth Century Fox, Springfield, USA\\
%Email: homer@thesimpsons.com}
%\IEEEauthorblockA{\IEEEauthorrefmark{3}Starfleet Academy, San Francisco, California 96678-2391\\
%Telephone: (800) 555--1212, Fax: (888) 555--1212}
%\IEEEauthorblockA{\IEEEauthorrefmark{4}Tyrell Inc., 123 Replicant Street, Los Angeles, California 90210--4321}}
% use for special paper notices
%\IEEEspecialpapernotice{(Invited Paper)}
% make the title area
\maketitle
% As a general rule, do not put math, special symbols or citations
% in the abstract
\begin{abstract}
The current security mechanisms for embedded systems often rely on \gls{ids} running on the system itself. This provides the detector with relevant internal resources but also exposes it to being bypassed by an attacker. If the host is compromised, its IDS can not be trusted anymore and becomes useless. Power consumption offers an accurate and trusted representation of the system's state that can be leveraged to verify its integrity during the boot sequence. We present a novel \gls{ids} that uses the side-channel power consumption of a target device to protect it against various firmware and hardware attacks. The proposed \gls{bpv} uses a combination of rule-based and machine-learning-based side-channel analysis to monitor and evaluate the integrity of different networking equipment with an overall accuracy of \numprint{0.942}. The \gls{bpv} is part of a new layer of cybersecurity mechanisms that leverage the physical emissions of devices for protection.
\end{abstract}
% no keywords
% For peer review papers, you can put extra information on the cover
% page as needed:
% \ifCLASSOPTIONpeerreview
% \begin{center} \bfseries EDICS Category: 3-BBND \end{center}
% \fi
%
% For peerreview papers, this IEEEtran command inserts a page break and
% creates the second title. It will be ignored for other modes.
\IEEEpeerreviewmaketitle
\glsresetall % reset acronyms
\section{Introduction}
The boot sequence of an embedded system contains many security-critical operations. Two examples are loading the firmware and activating hardware components. Firmware loading can be vulnerable to many attacks~\cite{CVE-2019-19642,CVE-2020-15046}, including downgrading firmware, loading malicious firmware, and cancelling firmware updates. Hardware components also provides a means of entry for attackers who can leverage malicious peripherals~\cite{rubber_ducky}, for traffic-sniffing, key-logging, or altering the system's behaviour.
%Over the years, many solutions have been proposed to mitigate these issues. The first and most common countermeasure is verifying the integrity of the firmware before applying an update or before booting up the machine. The methods to verify a firmware typically include but are not limited to cryptography~\cite{firmware_crypto}, blockchain technology~\cite{firmware_blockchain}~\cite{firmware_blockchain_2} or direct data comparison~\cite{firmware_data}. Depending on the complexity, the manufacturer can provide a tag~\cite{firmware_sign} of the firmware or encrypt it to provide trust that it is genuine. The integrity verification can also be performed at run-time as part of the firmware itself or with dedicated hardware~\cite{trustanchor}.
The standard countermeasures to firmware and hardware attacks~\cite{firmware_data} share the common flaw of being performed by the protected machine itself, allowing an attacker to bypass them after infecting the machine. \glspl{ids} face a trade-off between accessing relevant information and keeping the detection mechanism separated from the target machine. Our solution addresses this trade-off by leveraging unforgeable side-channel information.
%\footnote{good place to show that you know related work: while other approaches use software isolation [...] or virtual machines [,,,], our solution ...}
%\subsection{Contributions}
This paper presents a novel solution for firmware verification using side-channel analysis. Building on the assumption that every security mechanism operating on a host is vulnerable to being bypassed and that any deviation from a normal boot sequence operation is a reason for concern, we propose to use the device's power consumption signature during the boot sequence to assess its integrity. The integrity evaluation leverages unforgeable power consumption data collected independently of the host. A distance-based outlier detector can learn the expected pattern and detect any variation in a new boot sequence. Our solution can detect various attacks centred around firmware manipulation. This novel detector is versatile, retrofittable to any embedded system, and requires a theoretic minimum of four training examples, well below current data requirements for state-of-the-art methods \cite{ismail2019deep}.
%\subsection{Threat Model}\label{threat}
Many hardware and firmware attacks leverage machine-specific designs to provide an access point to the attacker. This paper focuses on attacks relying on firmware modifications, but the method for detecting hardware modifications remains the same. Because the firmware is responsible for the initialization of the components, the low-level communications, and some in-depth security features, executing adversary code in place of the expected firmware is a powerful capability~\cite{mitre}. A firmware modification is defined as deploying a new firmware code. Modifications include implementing custom functions, removing security features, or changing the firmware for a different version (downgrade or upgrade), as well as bypassing firmware procedures via hardware tampering. Any loading of a non-approved firmware (including a maliciously modified one) is considered an attack. This type of attack can result in the attacker gaining full control of the device.
%\subsection{Related Work}
Manufacturers have implemented different security mechanisms to guarantee the integrity of the firmware. The first and most common is to cryptographically sign, or compute a checksum of the code. This method suffers many possible bypasses, even with dedicated hardware~\cite{thrangrycats}.
Historically, \gls{sca} is mainly used for attacks. However, defense is also a promising application for this technology with runtime anomaly detection~\cite{timing} or specific attack detection~\cite{DTU}. These mechanisms are powerful at protecting systems that cannot host security software.
\section{Boot Process Verifier}\label{feature_eng}
To enable firmware verification, we design a training and testing pipeline that performs anomaly detection on a boot-up sequence power trace. A boot-up power trace is a time series corresponding to the power consumption of the machine during one complete boot-up sequence. The \gls{bpv} takes as input a power trace and verifies its validity against valid boot-up traces (see Figure \ref{fig:overview}).
The \gls{iqr} is a measure of dispersion of samples. It is based on the first and third quartiles and defined as $IQR = Q_3 - Q_1$ with $Q_3$ the third quartile and $Q_1$ the first quartile. This value is commonly used~\cite{han2011data} to detect outliers as a more robust alternative to the $3\sigma$ interval of a Gaussian distribution. The training phase consists in first computing the \gls{iqr} of the Euclidean distances from each training trace to their average. Then, the distance threshold takes the value $Q3 + 1.5\times IQR$. The distance of each new trace to the reference average is computed and compared to the threshold in the detection phase. If the distance is above the pre-computed threshold, the new trace is considered anomalous.
\begin{figure}[t]
\centering
\includegraphics[width=0.9\linewidth]{images/illustration.pdf}
\caption{Overview of the Boot Process Verifier pipeline.}
\label{fig:overview}
\vspace{-0.4cm}
\end{figure}
\section{Experiment}\label{experiment}
To verify the performance of the proposed detector, we designed an experiment to detect firmware modifications on networking devices. These devices are bespoke for transmitting information as fast as possible. We consider four machines representing consumer-available products for different prices and performances: Asus Router RT-N12 D1, Linksys Router MR8300 v1.1, TP-Link Switch T1500G-10PS, HP Switch Procurve 2650 J4899B. As part of the experiment, each device undergoes firmware modifications using OpenWRT for the routers and downgraded firmware for the switches.
%\subsection{Experimental Setup}
We use a hardware device~\cite{hidden} placed in series with the power cable of the target device. The capture box's shunt resistor generates a voltage drop representative of the global power consumption of the machine. This voltage drop value is recorded at a sampling rate of \numprint[KSPS]{10}. A managed \gls{pdu} enables turning each machine ON or OFF automatically. To account for randomness and gather representative boot-up sequences of the device, we performed \numprint{500} boot iterations per machine and per firmware version. The complete dataset is publicly available~\cite{dataset}.
The output of each measurement is a $\approx 24$ hours power trace containing $500$ boot-up sequence event. A threshold-based algorithm extracts the boot-up sequences from the complete trace. The algorithm leverages the rising edge at the start of the boot sequence to detect the start time accurately. We use two hyperparameters $T$ the consumption threshold, and $L$ the length of the boot-up sequence controls the detection and are tuned per machine. When a sample crosses the threshold on a rising edge, the next $L$ samples are saved as a boot-up sequence. The value of $T$ is taken just above the maximum consumption when the machine is off in order to be crossed during the initial consumption rise. The boot time $L$ is around \numprint[s]{20} and the choice of the value is discussed in \ref{results}. The extracted traces are resampled at $50ms$ using a median aggregator, and median and average filters are applied to remove noises that could falsely trigger the detection.
\subsection{Results}\label{results}
Table~\ref{tab:results} shows the experimental results. For each machine, we compute the distance threshold using ten known-good traces and classify ten normal and ten abnormal traces. The procedure is repeated 20 times, and the results averaged per machine. We compute the overall $F_1$ score using arithmetic mean.
\begin{table}[h]
\centering
\begin{tabular}{l|c|c}
\textbf{Machine} & \textbf{Detection $F_1$ Score} & \textbf{Overall $F_1$ Score}\\
\hline
TP-Link switch & 0.866 & \multirow{4}{*}{0.942}\\
HP switch & 0.983 &\\
Asus router & 1 &\\
Linksys router & 0.921 &\\
\end{tabular}
\caption{Results of detection.}
\label{tab:results}
\end{table}
Two hyper-parameters require tuning to achieve the best performance. The length of the extracted sequences needs to cover the whole boot-up while including no post-boot operations that introduce noise. Because the \gls{iqr} method is based on quartiles, a theoretical minimum of four traces is required. Collecting additional traces offers a more robust \gls{iqr} threshold placement, but too many traces ($>20$) offer marginal improvements as the boot-up sequence is usually consistent. Other parameters, such as sampling rate or pre-processing values, do not show to significantly affect the results.
\section{Conclusion}\label{conclusion}
This study illustrates the application of side-channel analysis to detect firmware attacks. The proposed side-channel-based \gls{ids} can reliably detect firmware tampering from the power consumption trace. Moreover, distance-based models leveraged in this study allow minimal training data and time requirements. Deploying this technology to production networking equipment requires minimal downtime and hardware intrusion. Finally, it applies to any clientless equipment.
% trigger a \newpage just before the given reference
% number - used to balance the columns on the last page
% adjust value as needed - may need to be readjusted if
% the document is modified later
%\IEEEtriggeratref{8}
% The "triggered" command can be changed if desired:
%\IEEEtriggercmd{\enlargethispage{-5in}}
% references section
% can use a bibliography generated by BibTeX as a .bbl file
% BibTeX documentation can be easily obtained at:
% http://mirror.ctan.org/biblio/bibtex/contrib/doc/
% The IEEEtran BibTeX style support page is at:
% http://www.michaelshell.org/tex/ieeetran/bibtex/
%\bibliographystyle{IEEEtran}
% argument is your BibTeX string definitions and bibliography database(s)
%\bibliography{IEEEabrv,../bib/paper}
% <OR> manually copy in the resultant .bbl file
% set second argument of \begin to the number of references
% (used to reserve space for the reference number labels box)
\bibliography{bibli}
\bibliographystyle{ieeetr}
% that's all folks
\end{document}
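Review bot: The introduction calls the power data "unforgeable" and the results paragraph trains the threshold on "ten known-good traces", but the text never states the trust assumptions behind either claim: who can reach the capture box, the managed PDU and the stored reference traces, and how a training boot is confirmed to run approved firmware. A detector trained on a boot that was already modified would adopt that boot as its baseline. The paragraph that opens "Many hardware and firmware attacks" should therefore state the assumption, for example `We assume the capture device, the PDU and the stored reference traces are outside the attacker's reach, and that training traces are recorded from a firmware image verified out of band.`, if that matches the setup. Separately, the IQR paragraph writes the threshold as `$Q3 + 1.5\times IQR$` while the definition uses `$Q_3$`; `$Q_3 + 1.5 \times IQR$` would keep the notation consistent.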


@ -0,0 +1,69 @@
%PDF-1.5
%µí®û
4 0 obj
<< /Length 5 0 R
/Filter /FlateDecode
>>
stream
xœ…<EFBFBD>KÂ0 D÷>…×H<7F>£+Ö¨²hZî/á”¶X Kù¼ÌxAöÚ/fG£”YY±`„G¨¯jYæWœ.xÂ;Öš:<œ»Gs˜…dGYZ©TÃuçz¦lQKðƒqÉ®u÷Û#f¤>CL”Šàà<0E>¤qýLƒ'Dý@Y)…ˆª…©$ÏDÅ<YC¦”Þ ][n¤_É:Ä ¯í[´\[¼ÁÏðþ³žÒéK
endstream
endobj
5 0 obj
182
endobj
3 0 obj
<<
/ExtGState <<
/a0 << /CA 1 /ca 1 >>
>>
>>
endobj
2 0 obj
<< /Type /Page % 1
/Parent 1 0 R
/MediaBox [ 0 0 2381.399927 3373.680202 ]
/Contents 4 0 R
/Group <<
/Type /Group
/S /Transparency
/I true
/CS /DeviceRGB
>>
/Resources 3 0 R
>>
endobj
1 0 obj
<< /Type /Pages
/Kids [ 2 0 R ]
/Count 1
>>
endobj
6 0 obj
<< /Producer (cairo 1.16.0 (https://cairographics.org))
/Creator <FEFF0049006E006B0073006300610070006500200031002E00320020002800680074007400700073003A002F002F0069006E006B00730063006100700065002E006F007200670029>
/CreationDate (D:20220726120742-04'00)
>>
endobj
7 0 obj
<< /Type /Catalog
/Pages 1 0 R
>>
endobj
xref
0 8
0000000000 65535 f
0000000602 00000 n
0000000368 00000 n
0000000296 00000 n
0000000015 00000 n
0000000274 00000 n
0000000667 00000 n
0000000942 00000 n
trailer
<< /Size 8
/Root 7 0 R
/Info 6 0 R
>>
startxref
994
%%EOF


@ -0,0 +1,229 @@
% Copyright 2007 by
% Philippe Dreuw <dreuw@cs.rwth-aachen.de> and
% Thomas Deselaers <deselaers@cs.rwth-aachen.de>
% Slight modifications made in August 2009 by Nathaniel Johnston (nathaniel@nathanieljohnston.com)
%
% This file may be distributed and/or modified
%
% 1. under the LaTeX Project Public License and/or
% 2. under the GNU Public License.
%
%
% ChangeLog:
%
% 1.07 - bugfixed custom size handling, portrait or landscape settings are ignored now
% 1.06 - added the type1cm package for scalable math fonts
% 1.05 - added version check for xkeyval package
% 1.04 - added custom size handling
% 1.03 - improved predefined size handling
% 1.02 - minor bugfixes
% 1.01 - bugfixed size handling
% 1.00 - first beamerposter release
%
\def\beamerposter@version{1.07}
\def\beamerposter@date{2008/03/11}
\def\beamerposter@msg{beamerposter: latex-beamer poster extension}
\typeout{Package: \beamerposter@date. v.\beamerposter@version. \beamerposter@msg}
\NeedsTeXFormat{LaTeX2e}
\ProvidesPackage{beamerposter}[\beamerposter@date. v.\beamerposter@version. \beamerposter@msg]
\RequirePackage{xkeyval}[2006/11/18]
\RequirePackage{type1cm} %% get it from ftp://cam.ctan.org/tex-archive/macros/latex/contrib/type1cm.zip
\newif\ifportrait
\newif\ifcustomsize
\newif\ifdebug
\DeclareOptionX{size}[a0]{
\typeout{beamerposter: checking size input, please wait.}
\XKV@cc*+[\val\nr]{#1}{a0b,a0,a1,a2,a3,a4,custom}{%
\typeout{beamerposter: the input \val\ \nr\ was correct, we proceed.}
\ifcase\nr\relax
%a0b
\setlength{\paperheight}{119cm}
\setlength{\paperwidth}{88cm}
\setlength{\textheight}{116cm}
\setlength{\textwidth}{88cm}
\or
%a0
\setlength{\paperheight}{118.82cm}
\setlength{\paperwidth}{83.96cm}
\setlength{\textheight}{117.82cm}
\setlength{\textwidth}{82.96cm}
\or
%a1
\setlength{\paperheight}{83.96cm}
\setlength{\paperwidth}{59.4cm}
\setlength{\textheight}{82.96cm}
\setlength{\textwidth}{58.4cm}
\or
%a2
\setlength{\paperheight}{59.4cm}
\setlength{\paperwidth}{41.98cm}
\setlength{\textheight}{58.4cm}
\setlength{\textwidth}{40.98cm}
\or
%a3
\setlength{\paperwidth}{41.98cm}
\setlength{\paperheight}{29.7cm}
\setlength{\textwidth}{40.98cm}
\setlength{\textheight}{28.7cm}
\or
%a4
\setlength{\paperheight}{29.7cm}
\setlength{\paperwidth}{21.0cm}
\setlength{\textheight}{28.7cm}
\setlength{\textwidth}{20.0cm}
\or
\customsizetrue
\fi
}{%
\PackageWarning{beamerposter}{the input \val\ was incorrect and was ignored.}
}%
\typeout{beamerposter: finished size input check.}
}
\DeclareOptionX{orientation}[portrait]{
\typeout{beamerposter: checking orientation input, please wait.}
\XKV@cc*+[\val\nr]{#1}{portrait,landscape}{%
\typeout{beamerposter: the input \val\ \nr\ was correct, we proceed.}
\ifcase\nr\relax
\portraittrue
\or
\portraitfalse
\fi
}{%
\PackageWarning{beamerposter}{the input \val\ was incorrect and was ignored.}
}%
\typeout{beamerposter: finished orientation check.}
}
\DeclareOptionX{scale}[1.0]{\edef\myfontscale{#1}\typeout{beamerposter: myfontscale=\myfontscale}}
\DeclareOptionX{width}{\edef\customwidth{#1}\typeout{beamerposter: custom poster width=\customwidth}}
\DeclareOptionX{height}{\edef\customheight{#1}\typeout{beamerposter: custom poster height=\customheight}}
\DeclareOptionX{debug}{\typeout{beamerposter: enabled debug mode}\debugtrue}
\DeclareOptionX*{\PackageWarning{beamerposter}{Unknown option ignored: \CurrentOption}}
%\DeclareOptionX*{\PassOptionsToClass{\CurrentOption}{beamer}}
\ExecuteOptionsX{size=a0,scale=1.0}
\ProcessOptionsX\relax
\ifdebug
\RequirePackage[debug]{fp}
\else
\RequirePackage{fp}
\fi
%% swap sizes for portrait orientation
\ifportrait
\newdimen\tmp
\setlength{\tmp}{\paperwidth}
\setlength{\paperwidth}{\paperheight}
\setlength{\paperheight}{\tmp}
\setlength{\tmp}{\textwidth}
\setlength{\textwidth}{\textheight}
\setlength{\textheight}{\tmp}
\else\relax
\fi
%% overwrite dimensions if custom size
\ifcustomsize
\setlength{\paperwidth}{\customwidth cm}
\setlength{\paperheight}{\customheight cm}
\FPupn{\resulttextwidth}{1 customwidth -}
\FPupn{\resulttextheight}{1 customheight -}
\setlength{\textwidth}{\resulttextwidth cm}
\setlength{\textheight}{\resulttextheight cm}
\fi
%% Setting proper dimensions for a DIN A0 printer
\setlength{\headheight}{0 cm}
\setlength{\headsep}{0 cm}
\setlength{\topmargin}{-12.7 mm} % -1in +1.47cm
\setlength{\oddsidemargin}{-25.4 mm} % -1in +0.4cm
%% For the page layout
\ifdebug
\typeout{beamerposter: paperwidth=\the\paperwidth, paperheight=\the\paperheight}
\typeout{beamerposter: textwidth=\the\textwidth, textwidth=\the\textheight}
\fi
\geometry{
paperwidth=\the\paperwidth,
paperheight=\the\paperheight,
hmargin=1cm,%
vmargin=0cm,%
head=0.5cm, %
headsep=0pt,%
foot=0.5cm %
}
%% scalable vector fonts
\edef\fontSizeX{14.4}\edef\fontSizeY{18}
\FPupn{\resultscriptsizeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultscriptsizeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\tiny}{\fontsize{\resultscriptsizeX}{\resultscriptsizeY}\selectfont}
\edef\fontSizeX{17.28}\edef\fontSizeY{22}
\FPupn{\resultfootnotesizeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultfootnotesizeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\scriptsize}{\fontsize{\resultfootnotesizeX}{\resultfootnotesizeY}\selectfont}
\edef\fontSizeX{20.74}\edef\fontSizeY{25}
\FPupn{\resultsmallX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultsmallY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\footnotesize}{\fontsize{\resultsmallX}{\resultsmallY}\selectfont}
\edef\fontSizeX{24.88}\edef\fontSizeY{30}
\FPupn{\resultnormalsizeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultnormalsizeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\small}{\fontsize{\resultnormalsizeX}{\resultnormalsizeY}\selectfont}
%\edef\fontSizeX{29.86}\edef\fontSizeY{37}
%\FPupn{\resultlargeX}{myfontscale fontSizeX * 2 round}
%\FPupn{\resultlargeY}{myfontscale fontSizeY * 2 round}
%\renewcommand*{\normalsize}{\fontsize{\resultlargeX}{\resultlargeY}\selectfont}
\edef\fontSizeX{29.86}\edef\fontSizeY{37}
\FPupn{\resultlargeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultlargeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\normalsize}{\fontsize{\resultlargeX}{\resultlargeY}\selectfont}
\edef\fontSizeX{35.83}\edef\fontSizeY{45}
\FPupn{\resultLargeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultLargeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\large}{\fontsize{\resultLargeX}{\resultLargeY}\selectfont}
\edef\fontSizeX{43}\edef\fontSizeY{54}
\FPupn{\resultLARGEX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultLARGEY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\Large}{\fontsize{\resultLARGEX}{\resultLARGEY}\selectfont}
\edef\fontSizeX{51.6}\edef\fontSizeY{64}
\FPupn{\resulthugeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resulthugeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\LARGE}{\fontsize{\resulthugeX}{\resulthugeY}\selectfont}
\edef\fontSizeX{61.92}\edef\fontSizeY{77}
\FPupn{\resultHugeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultHugeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\huge}{\fontsize{\resultHugeX}{\resultHugeY}\selectfont}
\edef\fontSizeX{67.8}\edef\fontSizeY{84.6}
\FPupn{\resultsemiHugeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultsemiHugeY}{myfontscale fontSizeY * 2 round}
\newcommand*{\semiHuge}{\fontsize{\resultsemiHugeX}{\resultsemiHugeY}\selectfont}
\edef\fontSizeX{74.3}\edef\fontSizeY{93}
\FPupn{\resultveryHugeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultveryHugeY}{myfontscale fontSizeY * 2 round}
\renewcommand*{\Huge}{\fontsize{\resultveryHugeX}{\resultveryHugeY}\selectfont}
\edef\fontSizeX{80.3}\edef\fontSizeY{101}
\FPupn{\resultVeryHugeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultVeryHugeY}{myfontscale fontSizeY * 2 round}
\newcommand*{\veryHuge}{\fontsize{\resultVeryHugeX}{\resultVeryHugeY}\selectfont}
\edef\fontSizeX{107}\edef\fontSizeY{134}
\FPupn{\resultVERYHugeX}{myfontscale fontSizeX * 2 round}
\FPupn{\resultVERYHugeY}{myfontscale fontSizeY * 2 round}
\newcommand*{\VeryHuge}{\fontsize{\resultVERYHugeX}{\resultVERYHugeY}\selectfont}
% set the normalfont (default)
\renewcommand*{\normalfont}{\normalsize}


@ -0,0 +1,216 @@
%==============================================================================
% Beamer style for the poster template posted at
% http://www.nathanieljohnston.com/2009/08/latex-poster-template/
%
% Created by the Computational Physics and Biophysics Group at Jacobs University
% https://teamwork.jacobs-university.de:8443/confluence/display/CoPandBiG/LaTeX+Poster
% Modified by Nathaniel Johnston (nathaniel@nathanieljohnston.com) in August 2009
% =============================================================================
\ProvidesPackage{beamerthemeUWATposter}
\RequirePackage{tikz} % for drawing the nice rounded boxes
\usetikzlibrary{arrows,backgrounds}
\RequirePackage[T1]{fontenc}
\RequirePackage{lmodern}
\RequirePackage{textcomp}
\RequirePackage{amsmath,amssymb}
\usefonttheme{professionalfonts}
\newcommand{\makeruleinbox}{{\usebeamercolor[bg]{block alerted title}\centering\hspace*{-0.7cm}\rule{\inboxrule}{0.5cm}}}
\usepackage{ragged2e}
% Spacing before and inside list environments to add white space before lists and between items inside lists
\makeatletter
\def\@listi{\leftmargin\leftmarginii
\topsep 1ex % Spacing before lists
\parsep 0\p@ \@plus\p@
\itemsep 6pt} % Spacing between items
\makeatother
\usecaptiontemplate{\small\structure{\insertcaptionname~\insertcaptionnumber: }\insertcaption} % A fix for figure numbering
%-----------------------------------------------------------
% Define a whole bunch of custom colours and fonts
%-----------------------------------------------------------
\definecolor{yellow_2_UW}{RGB}{255,234,41}
\definecolor{yellow_3_UW}{RGB}{255,213,79}
\definecolor{yellow_4_UW}{RGB}{228,180,41}
% set the basic colors
\setbeamercolor{palette primary} {fg=black,bg=white}
\setbeamercolor{palette secondary} {fg=black,bg=white}
\setbeamercolor{palette tertiary} {bg=black,fg=white}
\setbeamercolor{palette quaternary}{fg=black,bg=white}
\setbeamercolor{structure} {fg=black}
\setbeamercolor{titlelike} {bg=black,fg=white}
\setbeamercolor{frametitle} {bg=black!10,fg=black}
\setbeamercolor{cboxb} {fg=black,bg=black}
\setbeamercolor{cboxr} {fg=black,bg=red}
% set colors for itemize/enumerate
\setbeamercolor{item}{fg=themecolor}
\setbeamercolor{item projected}{fg=white,bg=themecolor}
% set colors for blocks
\setbeamercolor{block title}{fg=themecolor,bg=white}
\setbeamercolor{block body}{fg=black,bg=white}
% set colors for alerted blocks (blocks with frame)
%\setbeamercolor{block alerted title}{fg=themecolor,bg=black}
\setbeamercolor{block alerted title}{fg=themecolor,bg=white}
\setbeamercolor{block alerted body}{fg=black,bg=black!8}
\usepackage{fontspec}
% set the fonts
\setbeamerfont{section in head/foot}{series=\bfseries}
\setbeamerfont{block title}{series=\bfseries}
\setbeamerfont{block alerted title}{series=\bfseries}
\setbeamerfont{frametitle}{series=\bfseries}
\setbeamerfont{frametitle}{size=\large}
\setbeamerfont{block body}{series=\rmfamily}
%\setbeamerfont{block body}{size={\fontsize{32}{36}}}
% set some beamer theme options
\setbeamertemplate{title page}[default][colsep=-4bp,rounded=true]
\setbeamertemplate{sections/subsections in toc}[square]
\setbeamertemplate{items}[circle]
\setbeamertemplate{blocks}[width=0.0]
\beamertemplatenavigationsymbolsempty
% set bibliography style
\setbeamertemplate{bibliography item}[text]
\setbeamercolor{bibliography item}{fg=black,bg=white}
\setbeamercolor{bibliography entry author}{fg=black,bg=white}
\setbeamercolor{bibliography item}{fg=black,bg=white}
% define some length variables that are used by the template
\newlength{\inboxwd}
\newlength{\iinboxwd}
\newlength{\inboxrule}
\makeatletter
\makeatother
%==============================================================================
% Set the lengths of side, middle and columns margin.
%==============================================================================
\newlength{\sidemargin}
\newlength{\middlemargin}
\newlength{\colwidth}
\newlength{\onecolwidth}
\setlength{\sidemargin}{0.04\paperwidth} % Separation width (white space) between columns
\setlength{\middlemargin}{0.02\paperwidth} % Separation width (white space) between columns
\setlength{\colwidth}{\dimexpr (\paperwidth-2\sidemargin-\middlemargin)/2} % Width of one column
\setlength{\onecolwidth}{\dimexpr (\paperwidth-2\sidemargin)}
%\setlength{\twocolwid}{0.9\paperwidth} % Width of two columns
%==============================================================================
% Make a good hrule command
%==============================================================================
\newcommand{\Hrule}[5][.]{%
\begin{columns}
\begin{column}{\dimexpr (\paperwidth-#5)/2}\end{column}
\begin{column}{#5}
\par\addvspace{#3}%
\begingroup\color{#1}%
\hrule height #2
\endgroup
\vspace{#4}
\end{column}
\begin{column}{\dimexpr (\paperwidth-#5)/2}\end{column}
\end{columns}
}
%==============================================================================
% build the poster title
%==============================================================================
\setbeamertemplate{headline}{
\leavevmode % make sure we are in horizontal mode
\begin{columns}
\begin{column}{\sidemargin}\end{column}
\begin{column}{1.5\colwidth}
\vskip2cm
\raggedright
\usebeamercolor{title in headline}{\color{black}\Huge{\textbf{\inserttitle}}\\[0.5ex] \par}
\usebeamercolor{author in headline}{\color{black}\LARGE{\insertauthor}\\[1ex]}
\usebeamercolor{institute in headline}{\color{black}\normalsize{\insertinstitute}}
\vskip1cm
\end{column}
\begin{column}{\middlemargin}\end{column}
\begin{column}{0.5\colwidth}
\begin{center}
\includegraphics[width=\textwidth]{images/UniversityOfWaterloo_logo_vert_cmyk.eps}
\end{center}
\end{column}
\begin{column}{\sidemargin}\end{column}
\end{columns}
}
% Block definition
\setbeamertemplate{block begin}
{
\par\vskip\medskipamount
\begin{beamercolorbox}[colsep*=0ex,dp={2ex},left]{block title}
\vskip-0.25cm
\usebeamerfont{block title}\Large\insertblocktitle
%% Uncomment the next two lines to add a line below the box title
% \vskip-1.5cm
% {\rule{\textwidth}{0.4pt}}
\vskip0.5cm
\end{beamercolorbox}
{\parskip0pt\par}
\ifbeamercolorempty[bg]{block title}
{}
{\ifbeamercolorempty[bg]{block body}{}{\nointerlineskip\vskip-0.5pt}}
\usebeamerfont{block body}
\vskip-0.4cm
\begin{beamercolorbox}[colsep*=0ex,vmode]{block body}
\vspace{-0.1cm}
%{\rule{\textwidth}{0.4pt}}
\justifying
}
\setbeamertemplate{block end}
{
\end{beamercolorbox}
\vskip\smallskipamount
}
% Alert block definition (with frame)
\setbeamertemplate{block alerted begin}
{
\par\vskip\medskipamount
\begin{beamercolorbox}[sep=0ex,rounded=true,left,dp={2ex}]{block alerted title}
\vskip0.01cm
\usebeamerfont{block title}\Large\insertblocktitle
\end{beamercolorbox}
{\parskip0pt\par}
\usebeamerfont{block body}
\vskip-0.8cm
\begin{beamercolorbox}[sep=0.5cm, rounded=true,center]{block alerted title}
\setlength{\inboxwd}{\linewidth}
\addtolength{\inboxwd}{-1cm}
\begin{beamercolorbox}[rounded=true,wd={\inboxwd},center]{block alerted body}
\setlength{\iinboxwd}{\inboxwd}
\setlength{\inboxrule}{\inboxwd}
\addtolength{\iinboxwd}{-0.5cm}
\addtolength{\inboxrule}{0.5cm}
\begin{center}
\begin{minipage}{\iinboxwd}
\justifying
}
\setbeamertemplate{block alerted end}
{
\end{minipage}
\end{center}
\end{beamercolorbox}
\end{beamercolorbox}
\vskip\smallskipamount
}
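Review bot: The theme loads `\RequirePackage[T1]{fontenc}` near its top and `\usepackage{fontspec}` just before the font settings, and these two should not be combined: fontspec needs XeLaTeX or LuaLaTeX and sets up its own Unicode encoding, so depending on the engine the T1 line is either redundant or in conflict. If the poster is built with one of those engines I would drop the `fontenc` line, and if it is built with pdfLaTeX then `fontspec` has to go instead. In a package file the two `\usepackage` calls would also read better as `\RequirePackage{ragged2e}` and `\RequirePackage{fontspec}`. `themecolor` is used in several `\setbeamercolor` lines but is not defined in this file, so a comment such as `% themecolor must be defined by the poster before this theme is loaded` would save the next reader a search.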

529
BPV/emsoft2022/bibli.bib Normal file

@ -0,0 +1,529 @@
@online{cve-firmware,
author = {mitre.org},
title = {cve.mitre.org},
year = 2021,
url = {https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firmware},
urldate = {2021-12-7}
}
@article{BASNIGHT201376,
title = {Firmware modification attacks on programmable logic controllers},
journal = {International Journal of Critical Infrastructure Protection},
volume = {6},
number = {2},
pages = {76-84},
year = {2013},
issn = {1874-5482},
doi = {https://doi.org/10.1016/j.ijcip.2013.04.004},
url = {https://www.sciencedirect.com/science/article/pii/S1874548213000231},
author = {Zachry Basnight and Jonathan Butts and Juan Lopez and Thomas Dube},
}
@misc{rieck2016attacks,
title={Attacks on Fitness Trackers Revisited: A Case-Study of Unfit Firmware Security},
author={Jakob Rieck},
year={2016},
eprint={1604.03313},
archivePrefix={arXiv},
primaryClass={cs.CR}
}
@inproceedings {185175,
author = {Jacob Maskiewicz and Benjamin Ellis and James Mouradian and Hovav Shacham},
title = {Mouse Trap: Exploiting Firmware Updates in {USB} Peripherals},
booktitle = {8th {USENIX} Workshop on Offensive Technologies ({WOOT} 14)},
year = {2014},
address = {San Diego, CA},
url = {https://www.usenix.org/conference/woot14/workshop-program/presentation/maskiewicz},
publisher = {{USENIX} Association},
month = aug,
}
@online{usb_killer,
author = {Dark Purple },
title = {USB Killer},
year = 2021,
url = {https://kukuruku.co/post/usb-killer/},
urldate = {2021-12-18}
}
@online{rubber_ducky,
author = {Hack5},
title = {Rubber Ducky, LAN Turtle, Key Croc},
year = 2021,
url = {https://hak5.org/collections/sale/products/usb-rubber-ducky-deluxe},
urldate = {2021-12-18}
}
@online{minio,
author = {MinIO},
title = {MinIO},
year = 2021,
url = {https://min.io/},
urldate = {2021-12-18}
}
@INPROCEEDINGS{firmware_blockchain,
author={Lim, Jea-Min and Kim, Youngpil and Yoo, Chuck},
booktitle={2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData)},
title={Chain Veri: Blockchain-Based Firmware Verification System for IoT Environment},
year={2018},
volume={},
number={},
pages={1050-1056},
doi={10.1109/Cybermatics_2018.2018.00194}}
@InProceedings{firmware_blockchain_2,
author="Lee, Boohyung
and Malik, Sehrish
and Wi, Sarang
and Lee, Jong-Hyouk",
editor="Lee, Jong-Hyouk
and Pack, Sangheon",
title="Firmware Verification of Embedded Devices Based on a Blockchain",
booktitle="Quality, Reliability, Security and Robustness in Heterogeneous Networks",
year="2017",
publisher="Springer International Publishing",
address="Cham",
pages="52--61",
isbn="978-3-319-60717-7"
}
@InProceedings{firmware_data,
author="McMinn, Lucille
and Butts, Jonathan",
editor="Butts, Jonathan
and Shenoi, Sujeet",
title="A Firmware Verification Tool for Programmable Logic Controllers",
booktitle="Critical Infrastructure Protection VI",
year="2012",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="59--69",
isbn="978-3-642-35764-0"
}
@INPROCEEDINGS{firmware_crypto,
author={Nilsson, Dennis K. and Sun, Lei and Nakajima, Tatsuo},
booktitle={2008 IEEE Globecom Workshops},
title={A Framework for Self-Verification of Firmware Updates over the Air in Vehicle ECUs},
year={2008},
volume={},
number={},
pages={1-5},
doi={10.1109/GLOCOMW.2008.ECP.56}}
@InProceedings{firmware_sign,
author="Jeong, Eunseon
and Park, Junyoung
and Son, Byeonggeun
and Kim, Myoungsu
and Yim, Kangbin",
editor="Barolli, Leonard
and Xhafa, Fatos
and Javaid, Nadeem
and Enokido, Tomoya",
title="Study on Signature Verification Process for the Firmware of an Android Platform",
booktitle="Innovative Mobile and Internet Services in Ubiquitous Computing",
year="2019",
publisher="Springer International Publishing",
address="Cham",
pages="540--545",
isbn="978-3-319-93554-6"
}
@misc{mitre,
title = {MITRE ATT\&CK® T1542.001 Pre-OS Boot: System Firmware},
howpublished = {\url{https://attack.mitre.org/versions/v10/techniques/T1542/001/}},
note = {Accessed: 2022-03-31}
}
@misc{capec,
title = {CAPEC-532: Altered Installed BIOS},
howpublished = {\url{https://capec.mitre.org/data/definitions/532.html}},
note = {Accessed: 2022-03-31}
}
@misc{coreboot,
title = {Coreboot. Fast, secure and flexible OpenSource firmware},
howpublished = {\url{https://www.coreboot.org/}},
note = {Accessed: 2022-03-31}
}
@misc{owrt,
title = {OpenWrt},
howpublished = {\url{https://openwrt.org/}},
note = {Accessed: 2022-03-31}
}
@misc{ddwrt,
title = {DD-WRT},
howpublished = {\url{https://dd-wrt.com/}},
note = {Accessed: 2022-03-31}
}
@misc{freshtomato,
title = {FreshTomato},
howpublished = {\url{https://www.freshtomato.org/}},
note = {Accessed: 2022-03-31}
}
@misc{trustanchor,
title = {Cisco's Trustworthy Technology Datasheet},
howpublished = {\url{https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/trustworthy-technologies-datasheet.pdf}},
note = {Accessed: 2022-04-06}
}
@misc{downtime,
title = {How to Calculate Data Center Downtime},
howpublished = {\url{https://datacenterfrontier.com/how-calculate-data-center-downtime/}},
note = {Accessed: 2022-04-06}
}
@misc{cryptoreview,
author = {YongBin Zhou and
DengGuo Feng},
title = {Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing},
howpublished = {Cryptology ePrint Archive, Report 2005/388},
year = {2005},
note = {\url{https://ia.cr/2005/388}},
}
@misc{curveattack,
author = {Roberto M. Avanzi},
title = {Side Channel Attacks on Implementations of Curve-Based Cryptographic Primitives},
howpublished = {Cryptology ePrint Archive, Report 2005/017},
year = {2005},
note = {\url{https://ia.cr/2005/017}},
}
@InProceedings{keyboard,
author="Anand, S. Abhishek
and Saxena, Nitesh",
editor="Grossklags, Jens
and Preneel, Bart",
title="A Sound for a Sound: Mitigating Acoustic Side Channel Attacks on Password Keystrokes with Active Sounds",
booktitle="Financial Cryptography and Data Security",
year="2017",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="346--364",
}
@INPROCEEDINGS{printer,
author={Al Faruque, Mohammad Abdullah and Chhetri, Sujit Rokka and Canedo, Arquimedes and Wan, Jiang},
booktitle={2016 ACM/IEEE 7th International Conference on Cyber-Physical Systems (ICCPS)},
title={Acoustic Side-Channel Attacks on Additive Manufacturing Systems},
year={2016},
volume={},
number={},
pages={1-10},
doi={10.1109/ICCPS.2016.7479068}}
@inproceedings{iot_anoamly_sca,
author = {Devin Spatz and Devin Smarra and Igor Ternovskiy},
title = {{A review of anomaly detection techniques leveraging side-channel emissions}},
volume = {11011},
booktitle = {Cyber Sensing 2019},
editor = {Igor V. Ternovskiy and Peter Chin},
organization = {International Society for Optics and Photonics},
publisher = {SPIE},
pages = {48 -- 55},
keywords = {Rf emission, loT, Cyber security},
year = {2019},
doi = {10.1117/12.2521450},
URL = {https://doi.org/10.1117/12.2521450}
}
@INPROCEEDINGS{power-devices,
author={Konstantinou, Charalambos and Maniatakos, Michail},
booktitle={2015 IEEE International Conference on Smart Grid Communications (SmartGridComm)},
title={Impact of firmware modification attacks on power systems field devices},
year={2015},
volume={},
number={},
pages={283-288},
doi={10.1109/SmartGridComm.2015.7436314}}
@article{plc_firmware,
title = {Firmware modification attacks on programmable logic controllers},
journal = {International Journal of Critical Infrastructure Protection},
volume = {6},
number = {2},
pages = {76-84},
year = {2013},
issn = {1874-5482},
doi = {https://doi.org/10.1016/j.ijcip.2013.04.004},
url = {https://www.sciencedirect.com/science/article/pii/S1874548213000231},
author = {Zachry Basnight and Jonathan Butts and Juan Lopez and Thomas Dube},
keywords = {Industrial control systems, Programmable logic controllers, Firmware, Modification attacks, Reverse engineering},
}
@article{santamarta2012here,
title={Here be backdoors: A journey into the secrets of industrial firmware},
author={Santamarta, Ruben},
journal={Black Hat USA},
year={2012}
}
@ARTICLE{health_review, author={Yaqoob, Tahreem and Abbas, Haider and Atiquzzaman, Mohammed}, journal={IEEE Communications Surveys Tutorials}, title={Security Vulnerabilities, Attacks, Countermeasures, and Regulations of Networked Medical Devices—A Review}, year={2019}, volume={21}, number={4}, pages={3723-3768}, doi={10.1109/COMST.2019.2914094}}
@article{pacemaker,
author = {Adrian Baranchuk and Bryce Alexander and Debra Campbell and Sohaib Haseeb and Damian Redfearn and Chris Simpson and Ben Glover },
title = {Pacemaker Cybersecurity},
journal = {Circulation},
volume = {138},
number = {12},
pages = {1272-1273},
year = {2018},
doi = {10.1161/CIRCULATIONAHA.118.035261},
URL = {https://www.ahajournals.org/doi/abs/10.1161/CIRCULATIONAHA.118.035261},
eprint = {https://www.ahajournals.org/doi/pdf/10.1161/CIRCULATIONAHA.118.035261}
}
@article{medical_case_study,
author = {Ang Cui, Michael Costello and Salvatore J. Stolfo},
title = {When Firmware Modifications Attack: A Case Study of Embedded Exploitation},
journal = {20th Annual Network & Distributed System Security Symposium 2013},
year = {2013},
}
@InProceedings{railway,
author="B{\"a}ckman, Ronny
and Oliver, Ian
and Limonta, Gabriela",
editor="Casimiro, Ant{\'o}nio
and Ortmeier, Frank
and Schoitsch, Erwin
and Bitsch, Friedemann
and Ferreira, Pedro",
title="Integrity Checking of Railway Interlocking Firmware",
booktitle="Computer Safety, Reliability, and Security. SAFECOMP 2020 Workshops",year="2020",
publisher="Springer International Publishing",
address="Cham",
pages="161--175",}
@INPROCEEDINGS{cars, author={Nilsson, Dennis K. and Phung, Phu H. and Larson, Ulf E.}, booktitle={IET Road Transport Information and Control - RTIC 2008 and ITS United Kingdom Members' Conference}, title={Vehicle ECU classification based on safety-security characteristics}, year={2008}, volume={}, number={}, pages={1-7}, doi={10.1049/ic.2008.0810}}
@article{BASNIGHT201376,
title = {Firmware modification attacks on programmable logic controllers},
journal = {International Journal of Critical Infrastructure Protection},
volume = {6},
number = {2},
pages = {76-84},
year = {2013},
issn = {1874-5482},
doi = {https://doi.org/10.1016/j.ijcip.2013.04.004},
url = {https://www.sciencedirect.com/science/article/pii/S1874548213000231},
author = {Zachry Basnight and Jonathan Butts and Juan Lopez and Thomas Dube},
keywords = {Industrial control systems, Programmable logic controllers, Firmware, Modification attacks, Reverse engineering}
}
@INPROCEEDINGS{9065145,
author = {Gao, Chao and Luo, Lan and Zhang, Yue and Pearson, Bryan and Fu, Xinwen},
booktitle={2019 IEEE International Conference on Industrial Internet (ICII)},
title={Microcontroller Based IoT System Firmware Security: Case Studies},
year={2019},
volume={},
number={},
pages={200-209},
doi={10.1109/ICII.2019.00045}
}
@article{thrangrycats,
title={Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear},
author={Cimpanu, C},
journal={Accessed: Sep},
volume={15},
pages={2019},
year={2019}
}
@article{hidden,
title={Source Hidden for Double Blind Review},
author={Jhon Doe},
journal = {Journal},
year = {2022},
}
@INPROCEEDINGS{blockchain1,
author={Dhakal, Samip and Jaafar, Fehmi and Zavarsky, Pavol},
booktitle={2019 IEEE 19th International Symposium on High Assurance Systems Engineering (HASE)},
title={Private Blockchain Network for IoT Device Firmware Integrity Verification and Update},
year={2019},
volume={},
number={},
pages={164-170},
doi={10.1109/HASE.2019.00033}}
@inproceedings{sca_attack,
author = {Liu, Yannan and Wei, Lingxiao and Zhou, Zhe and Zhang, Kehuan and Xu, Wenyuan and Xu, Qiang},
title = {On Code Execution Tracking via Power Side-Channel},
year = {2016},
isbn = {9781450341394},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/2976749.2978299},
doi = {10.1145/2976749.2978299},
booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
pages = {10191031},
numpages = {13},
keywords = {code execution tracking, power side-channel, embedded system, hardware security},
location = {Vienna, Austria},
series = {CCS '16}
}
@INPROCEEDINGS{7928948, author={Krishnankutty, Deepak and Robucci, Ryan and Banerjee, Nilanjan and Patel, Chintan}, booktitle={2017 IEEE 35th VLSI Test Symposium (VTS)}, title={Fiscal: Firmware identification using side-channel power analysis}, year={2017}, volume={}, number={}, pages={1-6}, doi={10.1109/VTS.2017.7928948}}
@inproceedings{ssd_firmware,
author = {Brown, Dane and Walker, Owens and Rakvic, Ryan and Ives, Robert W. and Ngo, Hau and Shey, James and Blanco, Justin},
title = {Towards Detection of Modified Firmware on Solid State Drives via Side Channel Analysis},
year = {2018},
isbn = {9781450364751},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3240302.3285860},
doi = {10.1145/3240302.3285860},
booktitle = {Proceedings of the International Symposium on Memory Systems},
pages = {315320},
numpages = {6},
keywords = {firmware, security, classification, embedded systems},
location = {Alexandria, Virginia, USA},
series = {MEMSYS '18}
}
@article{timing,
title = {Using timing-based side channels for anomaly detection in industrial control systems},
journal = {International Journal of Critical Infrastructure Protection},
volume = {15},
pages = {12-26},
year = {2016},
issn = {1874-5482},
doi = {https://doi.org/10.1016/j.ijcip.2016.07.003},
url = {https://www.sciencedirect.com/science/article/pii/S1874548216301111},
author = {Stephen Dunlap and Jonathan Butts and Juan Lopez and Mason Rice and Barry Mullins},
}
@INPROCEEDINGS{DTU, author={Xu, Aidong and Jiang, Yixin and Cao, Yang and Zhang, Guoming and Ji, Xiaoyu and Xu, Wenyuan}, booktitle={2019 IEEE 3rd Conference on Energy Internet and Energy System Integration (EI2)}, title={ADDP: Anomaly Detection for DTU Based on Power Consumption Side-Channel}, year={2019}, volume={}, number={}, pages={2659-2663}, doi={10.1109/EI247390.2019.9062014}}
@inproceedings {wud,
author = {Shane S. Clark and Benjamin Ransford and Amir Rahmati and Shane Guineau and Jacob Sorber and Wenyuan Xu and Kevin Fu},
title = {{WattsUpDoc}: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices},
booktitle = {2013 USENIX Workshop on Health Information Technologies (HealthTech 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/healthtech13/workshop-program/presentation/clark},
publisher = {USENIX Association},
month = aug,
}
@misc{dataset,
author = {Arthur Grisel-Davy},
title = {Dataset of bootup power consumption traces for four networking equipment \url{https://doi.org/10.5281/zenodo.6419214}},
month = apr,
year = 2022,
publisher = {Zenodo},
doi = {10.5281/zenodo.6419214},
}
@book{han2011data,
title={Data mining: concepts and techniques},
author={Han, Jiawei and Pei, Jian and Kamber, Micheline},
year={2011},
publisher={Elsevier}
}
@article{zimmering2021generating,
title={Generating Artificial Sensor Data for the Comparison of Unsupervised Machine Learning Methods},
author={Zimmering, Bernd and Niggemann, Oliver and Hasterok, Constanze and Pfannstiel, Erik and Ramming, Dario and Pfrommer, Julius},
journal={Sensors},
volume={21},
number={7},
pages={2397},
year={2021},
publisher={Multidisciplinary Digital Publishing Institute}
}
@misc{xLED,
doi = {10.48550/ARXIV.1706.01140},
url = {https://arxiv.org/abs/1706.01140},
author = {Guri, Mordechai and Zadov, Boris and Daidakulov, Andrey and Elovici, Yuval},
keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},
title = {xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs},
publisher = {arXiv},
year = {2017},
copyright = {arXiv.org perpetual, non-exclusive license}
}
@MISC{CVE-2019-19642,
title = {{CVE}-2019-19642.},
howpublished = "MITRE, {CVE-ID} CVE-2019-19642.",
year = {2019},
url={https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19642 },
urldate={30 May 2022}
}
@MISC{CVE-2020-15046,
title = {{CVE}-2020-15046.},
howpublished = "MITRE, {CVE-ID} CVE-2020-15046.",
year = {2020},
url={https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15046},
urldate={30 May 2022}
}
@article{ismail2019deep,
title={Deep learning for time series classification: a review},
author={Ismail Fawaz, Hassan and Forestier, Germain and Weber, Jonathan and Idoumghar, Lhassane and Muller, Pierre-Alain},
journal={Data mining and knowledge discovery},
volume={33},
number={4},
pages={917--963},
year={2019},
publisher={Springer}
}


@ -0,0 +1,27 @@
@misc{13456,
author = {Author Lastname},
title = {Title 3},
year = {2016},
url = {arXiv:1603.00001}
}
@article{article2,
title = {Title 2},
year = {2016},
journal = {Journal Name},
author = {Author Lastname},
DOI = {10.0001/002},
keywords = { }
}
@article{article1,
title = {Title 1},
year = {2016},
journal = {Journal Name},
author = {Author Lastname},
pages = {000--100},
volume = {00},
publisher = { },
doi = {10.0001/001},
keywords = {}
}

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

File diff suppressed because it is too large Load diff


Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


Binary file not shown.


@ -0,0 +1,389 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="234.87918mm"
height="135.10146mm"
viewBox="0 0 234.87918 135.10146"
version="1.1"
id="svg5"
inkscape:version="1.2 (1:1.2.1+202207142221+cd75a1ee6d)"
sodipodi:docname="main_overview.svg"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview7"
pagecolor="#b4b4b4"
bordercolor="#eeeeee"
borderopacity="1"
inkscape:showpageshadow="0"
inkscape:pageopacity="0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#505050"
inkscape:document-units="mm"
showgrid="false"
inkscape:zoom="1.5500842"
inkscape:cx="377.72142"
inkscape:cy="320.62775"
inkscape:window-width="1920"
inkscape:window-height="1043"
inkscape:window-x="1920"
inkscape:window-y="0"
inkscape:window-maximized="1"
inkscape:current-layer="layer1" />
<defs
id="defs2">
<marker
style="overflow:visible"
id="Arrow2"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Arrow2"
markerWidth="7.6999998"
markerHeight="5.5999999"
viewBox="0 0 7.7 5.6"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.7)"
d="M -2,-4 9,0 -2,4 c 2,-2.33 2,-5.66 0,-8 z"
style="fill:context-stroke;fill-rule:evenodd;stroke:none"
id="arrow2L" />
</marker>
</defs>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-10.178387,-32.625157)">
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:0.529166, 1.05833;stroke-dashoffset:0;stroke-opacity:1"
d="M 93.96714,115.66072 18.12102,94.275572"
id="path17577"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:0.529166, 1.05833;stroke-dashoffset:0;stroke-opacity:1"
d="M 103.03608,106.32089 87.391482,70.956056"
id="path17579"
sodipodi:nodetypes="cc" />
<g
id="g5557"
inkscape:label="HIDS"
transform="translate(-3.4118596,-2.3218695)"
style="fill:none;fill-opacity:0.94117647;stroke:#0000ff;stroke-opacity:0.94117647">
<path
style="color:#000000;fill:#ff7f2a;fill-opacity:0.941176;stroke:none;stroke-linecap:round;stroke-opacity:1"
d="m 131.0293,92.353516 v 0.09961 11.482425 h 16.55273 V 92.353516 Z m 0.20117,0.201171 h 16.15234 v 11.181643 h -16.15234 z"
id="rect4653" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:4.34576px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ff7f2a;fill-opacity:0.94117647;stroke:none;stroke-width:0.108644;stroke-opacity:0.94117647"
x="133.88654"
y="99.726807"
id="text5437"><tspan
sodipodi:role="line"
id="tspan5435"
style="stroke-width:0.108644;fill:#ff7f2a;fill-opacity:0.94117647;stroke:none;stroke-opacity:0.94117647"
x="133.88654"
y="99.726807">HIDS</tspan></text>
</g>
<g
id="g5578"
transform="translate(-1.9294991,1.0730993)"
inkscape:label="machine">
<g
id="g4651"
transform="translate(48.982069,16.024137)">
<path
style="fill:none;stroke:#000000;stroke-width:1;stroke-linecap:round;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
d="M 90.895966,68.975075 83.131269,55.526225"
id="path3189" />
<path
style="fill:none;stroke:#000000;stroke-width:1;stroke-linecap:round;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
d="m 117.92791,55.526225 -7.76469,13.44885"
id="path4647" />
</g>
<g
id="g3133"
transform="translate(25.18398,14.596898)">
<circle
style="fill:#000000;stroke:none;stroke-width:1;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="path1564"
cx="125.35074"
cy="90.069275"
r="1.0230608" />
<circle
style="fill:#000000;stroke:none;stroke-width:1;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="circle3128"
cx="129.51282"
cy="90.069275"
r="1.0230608" />
<circle
style="fill:#000000;stroke:none;stroke-width:1;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="circle3126"
cx="133.67491"
cy="90.069275"
r="1.0230608" />
</g>
<rect
style="fill:none;stroke:#000000;stroke-width:1;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="rect1510"
width="49.078674"
height="24.539337"
x="124.97232"
y="84.999214"
ry="3.3614676" />
<path
id="rect5655"
style="fill:none;stroke:#000000;stroke-width:0.2;stroke-linecap:round;stroke-opacity:0.996078;stroke-dasharray:none"
d="m 165.82302,103.09199 c -0.16059,0 -0.28997,0.1291 -0.28997,0.28968 v 1.30204 c 0,0.16059 0.12938,0.28967 0.28997,0.28967 h 0.27789 v 0.33745 c 0,0.16058 0.12939,0.28998 0.28998,0.28998 h 1.59654 c 0.16059,0 0.28998,-0.1294 0.28998,-0.28998 v -0.33745 h 0.27789 c 0.16058,0 0.28967,-0.12908 0.28967,-0.28967 v -1.30204 c 0,-0.16058 -0.12909,-0.28968 -0.28967,-0.28968 z" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:round;stroke-linejoin:miter;stroke-opacity:1"
d="m 167.18901,104.3464 v 3.46615 h 37.1965"
id="path5662"
sodipodi:nodetypes="ccc" />
<rect
style="fill:#000000;stroke:#000000;stroke-width:0.2;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="rect7120"
width="3.0657613"
height="6.1315222"
x="121.90689"
y="100.09375"
ry="0.49539155" />
<g
id="g10934"
inkscape:label="power cord">
<path
style="fill:none;stroke:#000000;stroke-width:1.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-dasharray:none;stroke-opacity:1"
d="m 121.90689,103.15951 c -8.69759,0 -5.54831,6.87904 -14.26822,6.87904 l -16.767178,0 c -2.88853,0 -5.884301,-6.87904 -12.872753,-6.87904"
id="path7125"
sodipodi:nodetypes="cssc" />
<g
id="g10927"
inkscape:label="plug"
transform="translate(0,-0.15895194)">
<path
id="path10187"
style="fill:#000000;stroke:#000000;stroke-width:1.5;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
d="m 75.103043,100.16896 a 3.1902952,3.1902952 0 0 0 -0.600997,0.0584 v 6.26422 a 3.1902952,3.1902952 0 0 0 0.600997,0.0584 3.1902952,3.1902952 0 0 0 3.190503,-3.1905 3.1902952,3.1902952 0 0 0 -3.190503,-3.19051 z" />
<rect
style="fill:#000000;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="rect10192"
width="3.4497054"
height="0.43121317"
x="71.116219"
y="102.1939"
ry="0.21560659" />
<rect
style="fill:#000000;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="rect10922"
width="3.4497054"
height="0.43121317"
x="71.116219"
y="104.28693"
ry="0.21560659" />
</g>
</g>
</g>
<g
id="g10942"
inkscape:label="HIDS"
transform="translate(53.366829,-2.3218695)">
<path
style="color:#000000;fill:#ff7e29;fill-opacity:0.94117647;stroke-linecap:round;-inkscape-stroke:none"
d="m 131.0293,92.353516 v 0.09961 11.482425 h 16.55273 V 92.353516 Z m 0.20117,0.201171 h 16.15234 v 11.181643 h -16.15234 z"
id="rect10936" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:4.34576px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ff7e29;fill-opacity:0.94117647;stroke:none;stroke-width:0.108644"
x="133.88654"
y="99.726807"
id="text10940"><tspan
sodipodi:role="line"
id="tspan10938"
style="stroke-width:0.108644;fill:#ff7e29;fill-opacity:0.94117647"
x="133.88654"
y="99.726807">NIDS</tspan></text>
</g>
<circle
style="fill:#000000;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="path10944"
cx="192.67282"
cy="109.01794"
r="0.65305161" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 192.67282,109.01794 v -7.50386"
id="path10946" />
<g
id="g10954"
transform="translate(0,-0.33136428)">
<circle
style="fill:#000000;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="circle10948"
cx="-96.154388"
cy="151.67415"
r="0.65305161"
transform="rotate(-90)" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="M 151.67416,96.15439 H 144.1703"
id="path10950" />
</g>
<text
xml:space="preserve"
style="font-size:1.90136px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;stroke-width:0.285204"
x="172.62149"
y="108.53922"
id="text11686"><tspan
sodipodi:role="line"
id="tspan11684"
style="stroke-width:0.285204"
x="172.62149"
y="108.53922"> 00101001110101...</tspan></text>
<g
id="g20431"
style="fill:#ff0000">
<path
style="color:#000000;fill:#ff0000;fill-opacity:0.998598;stroke:none;stroke-linecap:round"
d="m 90.931581,90.031646 v 0.09961 11.482424 H 107.48431 V 90.031646 Z m 0.20117,0.201171 H 107.28509 V 101.41446 H 91.132751 Z"
id="rect11688" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:4.34576px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ff0000;fill-opacity:0.998598;stroke:none;stroke-width:0.108644"
x="94.112411"
y="97.404938"
id="text11692"><tspan
sodipodi:role="line"
id="tspan11690"
style="fill:#ff0000;fill-opacity:0.998598;stroke:none;stroke-width:0.108644"
x="94.112411"
y="97.404938">PIDS</tspan></text>
</g>
<path
style="fill:#ffff00;stroke:none;stroke-width:0.163149px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 65.657361,100.00478 -2.75439,4.77074 1.94214,0.0135 -1.07535,3.75186 3.18416,-4.27494 h -2.4177 z"
id="path16011"
sodipodi:nodetypes="ccccccc" />
<circle
style="fill:#000000;stroke:#000000;stroke-width:0.79584;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:0.996078"
id="circle11696"
cx="99.208275"
cy="111.05854"
r="1.0394511" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 99.208275,111.12769 -3e-6,-9.61361"
id="path11698"
sodipodi:nodetypes="cc" />
<rect
style="fill:none;fill-opacity:0.998598;stroke:#1a1a1a;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect17575"
width="46.657166"
height="22.956734"
x="18.271282"
y="71.206055" />
<g
id="g22100"
transform="translate(-6.360005)">
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 33.329795,86.242273 h 12.62701"
id="path19037" />
<rect
style="fill:none;fill-opacity:0.998598;stroke:#1a1a1a;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect19039"
width="25.367178"
height="11.56183"
x="35.276279"
y="77.554665"
ry="2.1023586" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 49.962935,86.242273 h 12.62701"
id="path19045" />
<g
id="g20333"
transform="matrix(1.4182675,0,0,1.4182675,-146.91836,-103.20884)">
<path
id="rect19099"
style="fill-opacity:0.998598;stroke-width:0.320097;stroke-linecap:round;stroke-opacity:0.941176"
d="m 135.55699,134.2813 a 0.83468487,0.83468487 0 0 1 -0.83469,-0.83469 0.83468487,0.83468487 0 0 1 0.83469,-0.83469 0.83468487,0.83468487 0 0 1 0.67158,0.33977 h 2.01178 a 0.83468487,0.83468487 0 0 1 0.67159,-0.33977 0.83468487,0.83468487 0 0 1 0.83468,0.83469 0.83468487,0.83468487 0 0 1 -0.83468,0.83469 0.83468487,0.83468487 0 0 1 -0.67126,-0.33944 h -2.01177 a 0.83468487,0.83468487 0 0 1 -0.67192,0.33944 z" />
<rect
style="fill:#ff7f2a;fill-opacity:0.998598;stroke:none;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect19243"
width="0.17105964"
height="0.99017334"
x="138.06104"
y="-133.94186"
ry="0"
transform="scale(1,-1)" />
<rect
style="fill:#552200;fill-opacity:0.998598;stroke:none;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect19301"
width="0.19248895"
height="0.99017334"
x="137.80635"
y="-133.94186"
ry="0"
transform="scale(1,-1)" />
<rect
style="fill:#552200;fill-opacity:0.998598;stroke:none;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect19359"
width="0.19248895"
height="0.99017334"
x="137.55856"
y="-133.94186"
ry="0"
transform="scale(1,-1)" />
<rect
style="fill:#d40000;fill-opacity:0.998598;stroke:none;stroke-width:0.499999;stroke-linecap:round;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect19361"
width="0.19248895"
height="0.99017334"
x="137.31079"
y="-133.94186"
ry="0"
transform="scale(1,-1)" />
</g>
<g
id="g20337"
transform="translate(-88.997898,-47.204337)">
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 131.41504,133.44661 v -4.13836 h 1.87461"
id="path19363" />
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 142.0144,133.44661 v -4.13836 h -1.87461"
id="path19365" />
</g>
<text
xml:space="preserve"
style="font-size:4.76864px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;stroke-width:0.715294"
x="46.30579"
y="83.275551"
id="text19369"><tspan
sodipodi:role="line"
id="tspan19367"
style="stroke-width:0.715294"
x="46.30579"
y="83.275551">v</tspan></text>
<path
style="fill:none;stroke:#000000;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-end:url(#Arrow2)"
d="m 47.716825,79.072883 v -5.19128"
id="path19371" />
</g>
<rect
style="fill:none;fill-opacity:0.998598;stroke:#000000;stroke-width:0.3;stroke-linecap:round;stroke-dasharray:0.89999993,0.89999993;stroke-dashoffset:0;stroke-opacity:0.941176"
id="rect20517"
width="8.9973946"
height="9.3270578"
x="94.017403"
y="106.32088" />
</g>
</svg>


242
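--- a/BPV/emsoft2022/poster.tex
+++ b/BPV/emsoft2022/poster.tex
@@ -0,0 +1,242 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% Cahnegs made from the paper:
+% Changed the colors in the traces figure to be coloblind friendly
+% Changes the labels in the traces figure to be accurate
+% MUW Poster
+% LaTeX Template
+% Version 1.0 (31/08/2016)
+% (Based on Version 1.0 (31/08/2015) of the Jacobs Portrait Poster
+%
+% License:
+% CC BY-NC-SA 3.0 (http://creativecommons.org/licenses/by-nc-sa/3.0/)
+%
+% Created by:
+% Nicolas Ballarini, CeMSIIS, Medical University of Vienna
+% nicoballarini@gmail.com
+% http://statistics.msi.meduniwien.ac.at/
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\def\footer#1{\def\insertfooter{#1}}
+%--------------------------------------------------------------------------------------
+% PACKAGES AND OTHER DOCUMENT CONFIGURATIONS
+%--------------------------------------------------------------------------------------
+\documentclass[final]{beamer}
+\usepackage[size=a0]{beamerposter} % Use the beamerposter package
+\usetheme{UWATposter}
+\usepackage{multicol}
+\usepackage{array}
+\usepackage{pgf}
+\usepackage{mathtools}
+\usepackage{tikz}
+\usetikzlibrary {arrows.meta,bending,positioning}
+\usepackage{booktabs}
+\usepackage[toc,acronym,abbreviations,nonumberlist,nogroupskip]{glossaries-extra}
+\input{acronyms}
+\usepackage{amsmath, amsthm, amssymb, amsfonts}
+\usepackage{exscale}
+\usepackage{xcolor}
+\usepackage{ushort}
+\usepackage{setspace}
+\usepackage{numprint}
+\usepackage{multirow}
+\usepackage[square,numbers]{natbib}
+\usepackage{url}
+\bibliographystyle{abbrvnat}
+%-----------------------------------------------
+% START Set the colors
+% Uncomment to apply colors you want to use.
+%-----------------------------------------------
+\colorlet{themecolor}{yellow_4_UW}
+\usebackgroundtemplate{\includegraphics{background_poster_UWAT.pdf}}
+%\colorlet{themecolor}{skinMUW}
+%\colorlet{themecolor}{blueMUW}
+%\usebackgroundtemplate{\includegraphics{MUW_skin.pdf}}
+%%\colorlet{themecolor}{blueMUW}
+%\colorlet{themecolor}{hellblauMUW}
+%\usebackgroundtemplate{\includegraphics{MUW_hellblau.pdf}}
+%-----------------------------------------------
+% END Set the colors
+%-----------------------------------------------
+%-----------------------------------------------
+% START Set the width of the columns
+%-----------------------------------------------
+\setlength{\paperwidth}{33.1in} % A0 width: 46.8in
+\setlength{\paperheight}{46.8in} % A0 height: 33.1in
+% % The following measures are used for 2 columns
+% \setlength{\sepmargin}{0.05\paperwidth} % Separation width (white space) between columns
+% \setlength{\sepwid}{0.03\paperwidth} % Separation width (white space) between columns
+% \setlength{\onecolwid}{0.43\paperwidth} % Width of one column
+% \setlength{\twocolwid}{0.9\paperwidth} % Width of two columns
+%-----------------------------------------------------------
+% The following measures are used for 3 columns
+%\setlength{\sepmargin}{0.06\paperwidth} % Separation width (white space) between columns
+%\setlength{\sepwid}{0.02\paperwidth} % Separation width (white space) between columns
+%\setlength{\onecolwid}{0.28\paperwidth} % Width of one column
+%\setlength{\twocolwid}{0.58\paperwidth} % Width of two columns
+%\setlength{\threecolwid}{0.88\paperwidth} % Width of three columns
+%\setlength{\columnsep}{30pt}
+%-----------------------------------------------
+% END Set the width of the columns
+%-----------------------------------------------
+%--------------------------------------------------------------------------------------
+% TITLE SECTION
+%--------------------------------------------------------------------------------------
+%\setbeamertemplate{title}[right]
+%\setbeamertemplate{frametitle}[default][left]
+%\setmainfont{Georgia}
+\title{Work-in-Progress: Boot Sequence Integrity Verification with Power Analysis} % Poster title
+\author{Arthur Grisel-Davy, Amrita Milan Bhogayata, Srijan Pabbi, Apurva Narayan, Sebastian Fischmeister} % Author(s)
+\institute{Embedded Software Group, University of Waterloo} % Institution(s)
+%--------------------------------------------------------------------------------------
+\begin{document}
+%\addtobeamertemplate{block end}{}{\vspace*{1ex}} % White space under blocks
+%\addtobeamertemplate{block alerted end}{}{\vspace*{0ex}} % White space under highlighted (alert) blocks
+\setlength{\belowcaptionskip}{2ex} % White space under figures
+\setlength\belowdisplayshortskip{1ex} % White space under equations
+\begin{frame}[t] % The whole poster is enclosed in one beamer frame
+\begin{columns}
+\begin{column}{\sidemargin}\end{column}
+\begin{column}{\onecolwidth}
+\begin{block}{}
+\begin{figure}
+\centering
+\includegraphics[width=0.9\onecolwidth]{images/main_illustration_p4.pdf}
+\caption{Typical Intrusion Detection Systems (IDS) are Host-based (HIDS) or Network-Based (NIDS). This new Physics-Based IDS performs anomaly detection using global power consumption.}
+\label{fig:main-illustration}
+\end{figure}
+\end{block}
+\end{column}
+\begin{column}{\sidemargin}\end{column}
+\end{columns}
+\begin{columns}[t] % The whole poster consists of two major columns
+\begin{column}{\sidemargin}\end{column} % spacing between the first column and the side of the page
+\begin{column}{\colwidth} % The first column
+\begin{block}{Power Traces}
+\begin{figure}
+\includegraphics[width=0.9\linewidth]{images/Bootup_traces_TPLINK.pdf}
+\caption{Power consumption of the bootup sequence of a TP-Link switch with two different firmware versions}
+\label{fig:trace}
+\end{figure}
+\begin{itemize}
+\item The power consumption offers an accurate and trusted representation of the systems state.
+\item We measure the power consumption at the main power cable after the \gls{ac} to \gls{dc} conversion.
+\item A script extracts and synchronizes the bootup sequences using the rising edge of the first power spike.
+\end{itemize}
+\end{block}
+\end{column}
+\begin{column}{\middlemargin}\end{column} % spacing between the two columns
+\begin{column}{\colwidth} %The second column
+\begin{block}{Boot Process Verifier (BPV)}
+The BPV
+\begin{itemize}
+\item trains on a small training set of $\approx$10 normal traces.
+\item does not require anomalous data to perform detection.
+\item uses the IQR to set the distance threshold: $threshold = Q3 + 1.5\times (Q3-Q1)$~ \cite{han2011data}.
+\item performs detection by comparing the Euclidean distance of a new trace to the average training trace.
+\item detects as anomalous the bootup sequences that deviate from training. It can be due to malicious or wrong version firmware.
+\end{itemize}
+\vspace{2cm}
+\begin{figure}
+%\vspace*{-1cm}
+\centering
+\includegraphics[width=\linewidth]{images/illustration.pdf}
+\caption{Overview of the BPV detection procedure}
+\label{fig:illustration}
+\end{figure}
+\end{block}
+\end{column}
+\begin{column}{\sidemargin}\end{column}
+\end{columns}
+\Hrule[yellow_3_UW]{0.2cm}{1.5cm}{1.5cm}{\dimexpr 2\colwidth+\middlemargin}
+\begin{columns}[t]
+\begin{column}{\sidemargin}\end{column}
+\begin{column}{\colwidth}
+\begin{block}{Case Study: Networking devices}
+\begin{itemize}
+\item We selected four consumer-available networking devices.
+\item We installed OpenWRT on routers and downgraded the firmware on switches to represent firmware attacks.
+\item We extracted 500 bootup sequences ~\cite{dataset} per attack per machine.
+\end{itemize}
+\begin{table}[h]
+\centering
+\begin{tabular}{p{0.2\textwidth}|>{\centering}p{0.4\textwidth}|>{\centering\arraybackslash}p{0.3\textwidth}}
+\textbf{Machine} & \textbf{Detection $F_1$ Score} & \textbf{Overall $F_1$ Score}\\
+\midrule
+TP-Link switch & 0.866 & \multirow{4}{*}{0.942}\\
+HP switch & 0.983 &\\
+Asus router & 1 &\\
+Linksys router & 0.921 &\\
+\bottomrule
+\end{tabular}
+\caption{Results of detection. $F_1$ scores are averaged per machine from 20 experiments.}
+\label{tab:results}
+\end{table}
+\end{block}
+\end{column}
+\begin{column}{\middlemargin}\end{column}
+\begin{column}{\colwidth}
+\begin{block}{Conclusion}
+The BPV:
+\begin{itemize}
+\item can reliably detect firmware tampering from the power consumption trace.
+\item requires minimal training data and training time.
+\item can be implemented with minimal downtime and hardware modification and applies to clientless equipment.
+\end{itemize}
+\end{block}
+\begin{block}{Future Work}
+\begin{itemize}
+\item Application to a greater range of devices such as OT systems or general purpose computers.
+\item Evaluation of data augmentation techniques to improve detection of low-impact attacks.
+\end{itemize}
+\end{block}
+\end{column}
+\begin{column}{\sidemargin}\end{column}
+\end{columns}
+\Hrule[yellow_3_UW]{0.2cm}{.5cm}{1.5cm}{\dimexpr 2\colwidth+\middlemargin}
+\begin{columns}
+\begin{column}{\sidemargin}\end{column}
+\begin{column}{\onecolwidth}
+\begin{block}{\large References}
+\vspace*{-0.5cm}
+%\nocite{*} % Insert publications even if they are not cited in the poster
+{\footnotesize
+%\bibliographystyle{plainurl}
+\bibliography{bibli.bib}
+}
+\end{block}
+\end{column}
+\begin{column}{\sidemargin}\end{column}
+\end{columns}
+\end{frame} % End of the enclosing frame
+\end{document}
+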
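+Review bot: In the Boot Process Verifier block, the threshold bullet does not say what Q1 and Q3 are quartiles of, and `$threshold = ...$` typesets the word as a product of italic letters. Presumably they are the quartiles of the training traces' distances to the average trace; stating that would let a reader reproduce the detector from the poster alone. I would write the bullet as `uses the IQR of the training distances to set the threshold: $\mathit{threshold} = Q_3 + 1.5\times(Q_3 - Q_1)$~\cite{han2011data}.`, which also removes the stray space after `~`. The Conclusion's "can reliably detect firmware tampering" is broader than the case study, which covers firmware replacement and downgrade and reports 0.866 for the TP-Link switch, so `can detect firmware replacement and downgrade from the power consumption trace` would match the table.
+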

Binary file not shown.


@ -0,0 +1,91 @@
\documentclass[aspectratio=169,10pt]{beamer}
\usetheme[progressbar=head,numbering=fraction,sectionpage=none]{metropolis}
\usepackage{graphicx}
\usepackage{ulem}
\usepackage{xcolor}
\usepackage[scale=2]{ccicons}
\usepackage{pgfplots}
\usepackage{booktabs}
\usepgfplotslibrary{dateplot}
\usepackage{hyperref}
\usepackage{multirow}
\usepackage{array}
\usepackage{xspace}
\title{WIP: Firmware Integrity Verification with Side-Channel Power Consumption Analysis}
\subtitle{}
\date{}
\author{Arthur Grisel-Davy, Amrita Milan Bhogayata, Srijan Pabbi, Apurva Narayan, Sebastian Fischmeister}
\institute{University of Waterloo, Canada}
\begin{document}
\maketitle
\begin{frame}{Introduction}
\begin{center}
\only<1>{\includegraphics[width=\textwidth]{images/main_illustration_p1.pdf}}
\only<2>{\includegraphics[width=\textwidth]{images/main_illustration_p2.pdf}}
\only<3>{\includegraphics[width=\textwidth]{images/main_illustration_p3.pdf}}
\only<4>{\includegraphics[width=\textwidth]{images/main_illustration_p4.pdf}}
\end{center}
\end{frame}
%
\begin{frame}{Power trace}
\begin{figure}[h]
\centering
\includegraphics[height=0.8\textheight]{images/Bootup_traces_TPLINK.pdf}
\caption{Power consumption for two firmware versions illustrating the impact of firmware change on the consumption pattern.}
\end{figure}
\end{frame}
\begin{frame}{Boot Process Verifier (BPV)}
Distance threshold = $1.5 \times IQR$
\only<1>{\includegraphics[width=\textwidth]{images/illustration_Page 1.pdf}}
\only<2>{\includegraphics[width=\textwidth]{images/illustration_Page 2.pdf}}
\only<3>{\includegraphics[width=\textwidth]{images/illustration_Page 3.pdf}}
\vfill
\end{frame}
\begin{frame}{Case Study: Networking Devices}
\begin{itemize}
\item Four devices
\item Attacks: firmware replacement, firmware downgrade.
\item 500 bootups sequences per device per attack.\footnote{dataset publicly available, see the paper.}
\item BPV trained with ten training samples.
\end{itemize}
\only<2>{
\begin{table}[h]
\centering
\begin{tabular}{p{0.2\textwidth}|>{\centering}p{0.4\textwidth}|>{\centering\arraybackslash}p{0.3\textwidth}}
\textbf{Machine} & \textbf{Detection $F_1$ Score} & \textbf{Overall $F_1$ Score}\\
\midrule
TP-Link switch & 0.866 & \multirow{4}{*}{0.942}\\
HP switch & 0.983 &\\
Asus router & 1 &\\
Linksys router & 0.921 &\\
\bottomrule
\end{tabular}
\caption{Results of detection.}
\label{tab:results}
\end{table}
}
\end{frame}
\begin{frame}{Future Work}
\begin{itemize}
\item Expand results to other types of machines.
\item Improve anomaly detector to make it less susceptible to outlier in training data.
\item Explore more sophisticated attacks.
\end{itemize}
Thank you for your attention.
\end{frame}
\end{document}
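+Review bot: The line `Distance threshold = $1.5 \times IQR$` on the Boot Process Verifier frame does not match the poster in the same commit, which gives the threshold as Q3 + 1.5 × (Q3 − Q1). As written the slide drops the Q3 term, so a reader would reconstruct a stricter detector than the one the reported scores presumably come from. I would change it to `Distance threshold = $Q_3 + 1.5 \times \mathit{IQR}$`. The Future Work item on outliers in training data could also state that the ten training traces are assumed to come from known-good firmware, since the poster describes detection only as deviation from the training traces.
+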

Binary file not shown.