grizzly/deneir
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

apply clem comments

Browse source
This commit is contained in:
Arthur Grisel-Davy 2023-10-03 05:26:50 -04:00
parent 272e230c57
commit cf7d30e6a5
6 changed files with 23 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

1
PhD/research_proposal/bibliography.bib
View file

@ -2058,6 +2058,7 @@ series = {UbiComp '10}
year={2015}, year={2015},
publisher={Springer} publisher={Springer}
} }
@inproceedings{van2018side, @inproceedings{van2018side,
title={Side-channel based intrusion detection for industrial control systems}, title={Side-channel based intrusion detection for industrial control systems},
author={Van Aubel, Pol and Papagiannopoulos, Kostas and Chmielewski, {\L}ukasz and Doerr, Christian}, author={Van Aubel, Pol and Papagiannopoulos, Kostas and Chmielewski, {\L}ukasz and Doerr, Christian},

3
PhD/research_proposal/conclusion.tex
View file

@ -12,7 +12,6 @@ To enable further analysis, a set of algorithms is required for both runtime onl
The full range of capabilities remains to be discovered. The full range of capabilities remains to be discovered.
Successful runtime monitoring enables the detection of activity policy violations, anomalous activity detection, machine failure detection or distributed attacks. Successful runtime monitoring enables the detection of activity policy violations, anomalous activity detection, machine failure detection or distributed attacks.
On the other hand, pre-OS monitoring enables the detection of boot process violation at a level where common \glspl{ids} are not enabled yet. On the other hand, pre-OS monitoring enables the detection of boot process violation at a level where common \glspl{ids} are not enabled yet.
These are just some of the possible applications of this technology, with many more to be discovered. These are just some of the possible applications of this technology, with many more to discovered.
This proposal presents some problems to study that enable the development of physics-based security.

4
PhD/research_proposal/frontpages.tex
View file

@ -109,12 +109,12 @@ Supervisor: \> Sebastian Fischmeister \\
\begin{center}\textbf{Abstract}\end{center} \begin{center}\textbf{Abstract}\end{center}
Most current Intrusion Detection Systems (IDSs) share the flaw of requiring the cooperation of the system to protect --- the target. Most current Intrusion Detection Systems (IDSs) share the flaw of requiring the cooperation of the system to protect --- the target.
Whether the IDS is a software or hardware component, they don't perform the detection independently and require the target to execute a programm, use a component, or transmit resuts. Whether the IDS is a software or hardware component, it does not perform the detection independently and requires the target to execute a programm, use a component, or transmit resuts.
In the case of a compromised target, this critical flaw allows attackers to avoid detection by forging input data, forging detection results, or bypassing the IDS altogether. In the case of a compromised target, this critical flaw allows attackers to avoid detection by forging input data, forging detection results, or bypassing the IDS altogether.
This design makes the result of the detection trustworthy only when the target is not compromised. This design makes the result of the detection trustworthy only when the target is not compromised.
This observation leads to the conclusion that we cannot entrust machines to assess their own integrity. This observation leads to the conclusion that we cannot entrust machines to assess their own integrity.
To remain trustworthy, the IDS must be independent of the target and require no cooperation to perform the detection. To remain trustworthy, the IDS must be independent of the target and not require cooperation to perform the detection.
The main challenge with such a system is collecting relevant data. The main challenge with such a system is collecting relevant data.
The main example of such a system are Network-based IDSs (NIDSs). The main example of such a system are Network-based IDSs (NIDSs).
NIDSs exhibit complete independence, but their input data --- network communication from the machine --- is only relevant for a small subset of attacks. NIDSs exhibit complete independence, but their input data --- network communication from the machine --- is only relevant for a small subset of attacks.

33
PhD/research_proposal/introduction.tex
View file

@ -14,7 +14,7 @@
A wide variety of solutions are available to protect embedded. A wide variety of solutions are available to protect embedded systems.
No solution can claim to protect against all possible attacks, and multiple layers of prevention, detection, and mitigation mechanisms are often required to protect a system as best as possible. No solution can claim to protect against all possible attacks, and multiple layers of prevention, detection, and mitigation mechanisms are often required to protect a system as best as possible.
Each solution presents different domains of application, requirements, and capabilities that are important to understand to reduce the attack surface. Each solution presents different domains of application, requirements, and capabilities that are important to understand to reduce the attack surface.
@ -25,26 +25,26 @@ If the \gls{ids} only considers local resources (e.g. CPU load, RAM data, disks
\glspl{hids} have access to relevant local data, but they require to install software on the target --- either for collection only or for local analysis --- or dedicated components in communication with the target. \glspl{hids} have access to relevant local data, but they require to install software on the target --- either for collection only or for local analysis --- or dedicated components in communication with the target.
This requirement represents a flaw for two main reasons. This requirement represents a flaw for two main reasons.
First, the host machine may be compromised, allowing the attacker to bypass the detection by feeding forged data to the \gls{ids}, shutting it down, or forging the detection result. First, the host machine may be compromised, allowing the attacker to bypass the detection by feeding forged data to the \gls{ids}, shutting it down, or forging the detection result.
Second, the operation of the \gls{hids} may interfere with the critical operation of the system (for example, if the \gls{hids} misbehave and block other operations). Second, the operation of the \gls{hids} may interfere with the critical operation of the system (for example, if the \gls{hids} misbehaves and blocks other operations).
For these reasons, \gls{hids} may be challenging to implement on a wide range of embedded systems and lack the reliability of an external solution. For these reasons, \glspl{hids} may be challenging to implement on a wide range of embedded systems and lack the reliability of an external solution.
One other main class of \gls{ids} takes a different approach to solving some of these issues. One other main class of \gls{ids} takes a different approach to solving some of these issues.
\gls{nids} consider the communication between machines in a network to detect intrusions. \glspl{nids} consider the communication between machines in a network to detect intrusions.
This solution does not require installing individual software on each machine and can detect network-level intrusions. This solution does not require installing individual software on each machine and can detect network-level intrusions.
However, \gls{nids} present their own drawbacks. However, \glspl{nids} present their own drawbacks.
First, machine-specific attacks can remain undetected as only network information is accessible. First, machine-specific attacks can remain undetected as only network information is accessible.
Then, they require the installation of dedicated equipment to collect network traffic. Then, they require the installation of dedicated equipment to collect network traffic.
Finally, modern traffic encryption practices will limit the \gls{nids} to sender-receiver pattern analysis unless traffic flows unencrypted, which can raise privacy issues. Finally, modern traffic encryption practices will limit \glspl{nids} to sender-receiver pattern analysis unless traffic flows unencrypted, which can raise privacy issues.
The current \gls{ids} scene appears to present a tradeoff between the granularity of detection and isolation from the protected machine. The current \gls{ids} scene appears to present a tradeoff between the granularity of detection and isolation from the protected machine.
What about the case of protecting a machine against a local intrusion without the possibility of installing additional software? What about the case of protecting a machine against a local intrusion without the possibility of installing additional software?
How can an \gls{ids} protect a machine against attackers bypassing the secure boot verification and booting a completely different \gls{os}? How can an \gls{ids} protect a machine against attackers bypassing the secure boot verification and booting a completely different \gls{os}?
Following the discovery of a vulnerability on a \gls{scs}, how can the detection mechanism evolve without requiring the re-certification of the whole system? Following the discovery of a vulnerability on a \gls{scs}, how can the detection mechanism evolve without requiring the recertification of the whole system?
These use cases can seem niche, but they represent a reality for many purpose-built embedded systems with minimal \gls{os}. These use cases can seem niche, but they represent a reality for many purpose-built embedded systems with minimal \gls{os}.
Systems like network switches, \gls{rtu}, \gls{wap} rarely allow additional software installation and yet perform critical tasks. Systems like network switches, \gls{rtu}, \gls{wap} rarely allow additional software installation and yet perform critical tasks.
In these cases, neither local resources nor network information can be leveraged for local attack detection. In these cases, neither local resources nor network information can be leveraged for local attack detection.
Moreover, any industry that relies on \gls{scs} have strict regulations (e.g. DO-178C for aerospace systems in Canada, ISO 26262 for automotive system, ISO 16142 for medical devices) that guarantee the safety of every equipment. Moreover, any industry that relies on \gls{scs} have strict regulations (e.g. DO-178C for aerospace systems in Canada, ISO 26262 for automotive system, ISO 16142 for medical devices) that guarantee the safety of every equipment.
Modifying an existing system to add intrusion detection capabilities is expensive as it requires the re-validation of the whole system. Modifying an existing system to add intrusion detection capabilities is expensive as it requires the revalidation of the whole system.
A third under-exploited source of information for embedded systems activity is the side-channels. A third under-exploited source of information for embedded systems activity is the side-channels.
The side-channels are all the physical emissions that a machine involuntarily generates. The side-channels are all the physical emissions that a machine involuntarily generates.
@ -52,7 +52,7 @@ For example, the sound of a fan, the temperature of a CPU, or the power consumpt
\begin{figure}[H] \begin{figure}[H]
\centering \centering
\includegraphics[width=\linewidth]{images/side_channel} \includegraphics[width=0.95\linewidth]{images/side_channel.pdf}
\caption{Main side-channels from a typical embedded systems.} \caption{Main side-channels from a typical embedded systems.}
\label{fig:side_channel} \label{fig:side_channel}
\end{figure} \end{figure}
@ -70,16 +70,17 @@ This proposal is organized as follows: Section~\ref{sec:related-work} presents a
The idea of side-channel-based analysis traces back to the seminal work by Paul C. Kocher. The idea of side-channel-based analysis traces back to the seminal work by Paul C. Kocher.
He introduced \gls{dpa} to find secret keys used by cryptographic protocols in tamper-resistant devices~\cite{kocher1999differential}. He introduced \gls{dpa} to find secret keys used by cryptographic protocols in tamper-resistant devices~\cite{kocher1999differential}.
This led to a field of research focusing on side-channel analysis that has grown ever since. This led to a field of research focusing on side-channel analysis that has grown ever since.
A wide variety of side-channels have since been leveraged to recover information from a system such as power consumption \cite{brier2004correlation,mangard2008power}, electromagnetic fields~\cite{sayakkara2019survey}, acoustic emanations~\cite{7479068, alevi2015keyboard}, thermal dissipations~\cite{9727162} or, on the non-physical side, cache~\cite{page2003defending}. A wide variety of side-channels have since been leveraged to recover information from a system such as power consumption \cite{brier2004correlation,mangard2008power}, electromagnetic fields~\cite{sayakkara2019survey}, acoustic emanations~\cite{7479068, halevi2015keyboard}, thermal dissipations~\cite{9727162} or, on the non-physical side, cache~\cite{page2003defending}.
Among them, power consumption is the most common and widely studied side-channel because of its numerous advantages. Among them, power consumption is the most common and widely studied side-channel because of its numerous advantages.
Power consumption leaks information about the activity of an embedded system with little inertia --- i.e., it can transmit high-frequency information contrary to thermal ---, is easy to measure with low-cost equipment at specific points in a machine --- contrary to electromagnetic fields or sound --- and is guaranteed to be present in any system. Power consumption leaks information about the activity of an embedded system with little inertia --- i.e., it can transmit high-frequency information contrary to thermal ---, is easy to reliably measure with low-cost equipment --- contrary to electromagnetic fields or sound --- and is guaranteed to be present in any system.
This combination of properties allows for a granular detection of a system activity, even at the instruction level. This combination of properties allows for a granular detection of a system activity, even at the instruction level.
%Quisquater et al.~\cite{quisquater2002automatic} present an approach to identify instructions with the use of self-organizing maps, power analysis and analysis of electromagnetic traces.\agd{this citation comes out of nowhere} %Quisquater et al.~\cite{quisquater2002automatic} present an approach to identify instructions with the use of self-organizing maps, power analysis and analysis of electromagnetic traces.\agd{this citation comes out of nowhere}
%Eisenbarth et al.~\cite{eisenbarth2010building} propose a methodology for recovering the instruction flow of microcontrollers using its power consumption.\agd{this citation comes out of nowhere} %Eisenbarth et al.~\cite{eisenbarth2010building} propose a methodology for recovering the instruction flow of microcontrollers using its power consumption.\agd{this citation comes out of nowhere}
Even though the information potential of side-channel analysis enables powerful attacks, it also enables defensive capabilities. Even though the information-gathering capability of side-channel analysis enables powerful attacks, it also enables defensive capabilities.
Zhai et al.~\cite{zhai2015method} propose a self-organizing maps approach that uses features extracted from an embedded processor to detect abnormal behaviour in embedded devices. Zhai et al.~\cite{zhai2015method} propose a self-organizing maps approach that uses features extracted from an embedded processor to detect abnormal behaviour in embedded devices.
Different teams at Georgia Tech University leveraged power and electromagnetic backscattering \cite{8701559, jorgensen2022efficient} to detect hardware trojans and counterfeit integrated circuits. Different teams at Georgia Tech University leveraged power and electromagnetic backscattering \cite{8701559, jorgensen2022efficient} to detect hardware trojans and counterfeit integrated circuits.
Due to its non-intrusive and architecture-agnostic nature, power fingerprinting has a wide range of applications from energy production systems \cite{6378346}, Software Defined Radio compliance assessments \cite{5379826}, or applications activity on mobile devices \cite{8057232}. Due to its non-intrusive and architecture-agnostic nature, power fingerprinting has a wide range of applications from energy production systems \cite{6378346}, Software Defined Radio compliance assessments \cite{5379826}, or applications activity on mobile devices \cite{8057232}.
@ -90,12 +91,12 @@ In this work, they use the power consumption of a given embedded system to ident
The team builds on their previous technique and presents a new one~\cite{Moreno2018} using the power consumption of embedded systems for non-intrusive online run-time monitoring through anomaly detection. The team builds on their previous technique and presents a new one~\cite{Moreno2018} using the power consumption of embedded systems for non-intrusive online run-time monitoring through anomaly detection.
They use a signals and systems analysis approach to identify anomalies using the power consumption of a system and showcase this by identifying buffer overflow attacks on their system. They use a signals and systems analysis approach to identify anomalies using the power consumption of a system and showcase this by identifying buffer overflow attacks on their system.
Msgna et al.~\cite{msgna2014verifying} propose a technique for using the instruction-level power consumption of a system to verify the integrity of the software components of a system with no prior knowledge of the software code. Msgna et al.~\cite{msgna2014verifying} propose a technique for using the instruction-level power consumption of a system to verify the integrity of the software components of a system with no prior knowledge of the software code.
In~\cite{kur2009improving}, Kur et al. perform power analysis of smart cards based on the JavaCard platform to help identify vulnerable operations, obtain bytecode instruction information, and also propose a framework to replace vulnerable operations with safe alternatives.\\ In~\cite{kur2009improving}, Kur et al. perform power analysis of smart cards based on the JavaCard platform to help identify vulnerable operations, obtain bytecode instruction information, and also propose a framework to replace vulnerable operations with safe alternatives.
Side-channel information's non-intrusiveness and difficult-to-forge nature make it an ideal input for \gls{ids} systems. Side-channel information's non-intrusiveness and difficult-to-forge nature makes it an ideal input for \glspl{ids}.
Van Aubel et al.~\cite{van2018side} proposed using electromagnetic information to protect \gls{ics} by detecting changes in software flow. Van Aubel et al.~\cite{van2018side} proposed using electromagnetic information to protect \glspl{ics} by detecting changes in software flow.
Xun et al.~\cite{10016748} use the voltage signal of a vehicle CAN bus to detect anomalies without extensive documentation from the manufacturer. Xun et al.~\cite{10016748} use the voltage signal of a vehicle CAN bus to detect anomalies without extensive documentation from the manufacturer.
On a different kind of embedded systems, Liang et al. propose a framework to leverage side-channel information in additive manufacturing where traditional \gls{ids} would fail. On a different kind of embedded systems, Liang et al. propose a framework to leverage side-channel information in additive manufacturing where traditional \glspl{ids} would fail.
In more recent literature, there is a trend towards using \gls{ml} for side-channel analysis to enhance the security of systems. In more recent literature, there is a trend towards using \gls{ml} for side-channel analysis to enhance the security of systems.
Michele Giovanni Calvi~\cite{calvi2019runtime} offers a solution for run-time monitoring of an entire cyber-physical system treated as a black box. Michele Giovanni Calvi~\cite{calvi2019runtime} offers a solution for run-time monitoring of an entire cyber-physical system treated as a black box.

1
PhD/research_proposal/proposal.tex
View file

@ -136,6 +136,7 @@
\usepackage{multirow} \usepackage{multirow}
\usepackage{booktabs} \usepackage{booktabs}
\usepackage[acronyms]{glossaries} % Exception to the rule of hyperref being the last add-on package \usepackage[acronyms]{glossaries} % Exception to the rule of hyperref being the last add-on package
\glsdisablehyper
% If glossaries-extra is not in your LaTeX distribution, get it from CTAN (http://ctan.org/pkg/glossaries-extra), % If glossaries-extra is not in your LaTeX distribution, get it from CTAN (http://ctan.org/pkg/glossaries-extra),
% although it's supposed to be in both the TeX Live and MikTeX distributions. There are also documentation and % although it's supposed to be in both the TeX Live and MikTeX distributions. There are also documentation and
% installation instructions there. % installation instructions there.

2
PhD/research_proposal/timetable.tex
View file

@ -15,7 +15,7 @@ In any case, the design and prototyping of this new measurement system is an imp
\section{Winter 2024} \section{Winter 2024}
Winter 2024 will be dedicated to designing and evaluating the single-source multi-measure system. Winter 2024 will be dedicated to designing and evaluating the single-source multi-measure system.
This work's challenge is enabling the processing of multi-variate time series to yield better results. This work's challenge is enabling the processing of multi-variate time series to yield better results.
The system's performances will be put in perspective with the capabilities of the DSD (single-source single-measure). The system's performances will be put in perspective with the capabilities of the \gls{dsd} (single-source single-measure).
A series of experiments will also provide a complementary evaluation of the performances of these new techniques. A series of experiments will also provide a complementary evaluation of the performances of these new techniques.
The experiments will be collected in a paper with a publication aimed at the next term. The experiments will be collected in a paper with a publication aimed at the next term.