apply clem comments

Arthur Grisel-Davy 2023-10-03 05:26:50 -04:00
parent 272e230c57
commit cf7d30e6a5
6 changed files with 23 additions and 21 deletions

View file

@ -2058,6 +2058,7 @@ series = {UbiComp '10}
year={2015},
publisher={Springer}
}
@inproceedings{van2018side,
title={Side-channel based intrusion detection for industrial control systems},
author={Van Aubel, Pol and Papagiannopoulos, Kostas and Chmielewski, {\L}ukasz and Doerr, Christian},

View file

@ -12,7 +12,6 @@ To enable further analysis, a set of algorithms is required for both runtime onl
The full range of capabilities remains to be discovered.
Successful runtime monitoring enables the detection of activity policy violations, anomalous activity detection, machine failure detection or distributed attacks.
On the other hand, pre-OS monitoring enables the detection of boot process violation at a level where common \glspl{ids} are not enabled yet.
These are just some of the possible applications of this technology, with many more to be discovered.
These are just some of the possible applications of this technology, with many more to discovered.
This proposal presents some problems to study that enable the development of physics-based security.
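Review bot: The second of the two variants of the closing sentence in this hunk reads "with many more to discovered", which is missing "be"; make sure the line that survives is the one ending "with many more to be discovered." The sentence also repeats "The full range of capabilities remains to be discovered." from three lines earlier, so one of the two could be dropped.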

View file

@ -109,12 +109,12 @@ Supervisor: \> Sebastian Fischmeister \\
\begin{center}\textbf{Abstract}\end{center}
Most current Intrusion Detection Systems (IDSs) share the flaw of requiring the cooperation of the system to protect --- the target.
Whether the IDS is a software or hardware component, they don't perform the detection independently and require the target to execute a programm, use a component, or transmit resuts.
Whether the IDS is a software or hardware component, it does not perform the detection independently and requires the target to execute a programm, use a component, or transmit resuts.
In the case of a compromised target, this critical flaw allows attackers to avoid detection by forging input data, forging detection results, or bypassing the IDS altogether.
This design makes the result of the detection trustworthy only when the target is not compromised.
This observation leads to the conclusion that we cannot entrust machines to assess their own integrity.
To remain trustworthy, the IDS must be independent of the target and require no cooperation to perform the detection.
To remain trustworthy, the IDS must be independent of the target and not require cooperation to perform the detection.
The main challenge with such a system is collecting relevant data.
The main example of such a system are Network-based IDSs (NIDSs).
NIDSs exhibit complete independence, but their input data --- network communication from the machine --- is only relevant for a small subset of attacks.
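Review bot: The rewritten "Whether the IDS is a software or hardware component, it does not perform ..." sentence still carries two typos, "programm" and "resuts"; they should read "program" and "results". Since this is the abstract, the agreement in "The main example of such a system are Network-based IDSs (NIDSs)." is also worth fixing, for instance "The main examples of such a system are ...".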

View file

@ -14,7 +14,7 @@
A wide variety of solutions are available to protect embedded.
A wide variety of solutions are available to protect embedded systems.
No solution can claim to protect against all possible attacks, and multiple layers of prevention, detection, and mitigation mechanisms are often required to protect a system as best as possible.
Each solution presents different domains of application, requirements, and capabilities that are important to understand to reduce the attack surface.
@ -25,26 +25,26 @@ If the \gls{ids} only considers local resources (e.g. CPU load, RAM data, disks
\glspl{hids} have access to relevant local data, but they require to install software on the target --- either for collection only or for local analysis --- or dedicated components in communication with the target.
This requirement represents a flaw for two main reasons.
First, the host machine may be compromised, allowing the attacker to bypass the detection by feeding forged data to the \gls{ids}, shutting it down, or forging the detection result.
Second, the operation of the \gls{hids} may interfere with the critical operation of the system (for example, if the \gls{hids} misbehave and block other operations).
For these reasons, \gls{hids} may be challenging to implement on a wide range of embedded systems and lack the reliability of an external solution.
Second, the operation of the \gls{hids} may interfere with the critical operation of the system (for example, if the \gls{hids} misbehaves and blocks other operations).
For these reasons, \glspl{hids} may be challenging to implement on a wide range of embedded systems and lack the reliability of an external solution.
One other main class of \gls{ids} takes a different approach to solving some of these issues.
\gls{nids} consider the communication between machines in a network to detect intrusions.
\glspl{nids} consider the communication between machines in a network to detect intrusions.
This solution does not require installing individual software on each machine and can detect network-level intrusions.
However, \gls{nids} present their own drawbacks.
However, \glspl{nids} present their own drawbacks.
First, machine-specific attacks can remain undetected as only network information is accessible.
Then, they require the installation of dedicated equipment to collect network traffic.
Finally, modern traffic encryption practices will limit the \gls{nids} to sender-receiver pattern analysis unless traffic flows unencrypted, which can raise privacy issues.
Finally, modern traffic encryption practices will limit \glspl{nids} to sender-receiver pattern analysis unless traffic flows unencrypted, which can raise privacy issues.
The current \gls{ids} scene appears to present a tradeoff between the granularity of detection and isolation from the protected machine.
What about the case of protecting a machine against a local intrusion without the possibility of installing additional software?
How can an \gls{ids} protect a machine against attackers bypassing the secure boot verification and booting a completely different \gls{os}?
Following the discovery of a vulnerability on a \gls{scs}, how can the detection mechanism evolve without requiring the re-certification of the whole system?
Following the discovery of a vulnerability on a \gls{scs}, how can the detection mechanism evolve without requiring the recertification of the whole system?
These use cases can seem niche, but they represent a reality for many purpose-built embedded systems with minimal \gls{os}.
Systems like network switches, \gls{rtu}, \gls{wap} rarely allow additional software installation and yet perform critical tasks.
In these cases, neither local resources nor network information can be leveraged for local attack detection.
Moreover, any industry that relies on \gls{scs} have strict regulations (e.g. DO-178C for aerospace systems in Canada, ISO 26262 for automotive system, ISO 16142 for medical devices) that guarantee the safety of every equipment.
Modifying an existing system to add intrusion detection capabilities is expensive as it requires the re-validation of the whole system.
Modifying an existing system to add intrusion detection capabilities is expensive as it requires the revalidation of the whole system.
A third under-exploited source of information for embedded systems activity is the side-channels.
The side-channels are all the physical emissions that a machine involuntarily generates.
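Review bot: The \gls to \glspl cleanup is incomplete in this hunk: "Systems like network switches, \gls{rtu}, \gls{wap} rarely allow additional software installation" still uses the singular form in a plural list, and should use \glspl{rtu} and \glspl{wap} to match the other changes. In the same paragraph, "any industry that relies on \gls{scs} have strict regulations" needs "has", "ISO 26262 for automotive system" needs "systems", and "every equipment" reads better as "every piece of equipment".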
@ -52,7 +52,7 @@ For example, the sound of a fan, the temperature of a CPU, or the power consumpt
\begin{figure}[H]
\centering
\includegraphics[width=\linewidth]{images/side_channel}
\includegraphics[width=0.95\linewidth]{images/side_channel.pdf}
\caption{Main side-channels from a typical embedded systems.}
\label{fig:side_channel}
\end{figure}
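Review bot: The caption under the changed \includegraphics line reads "Main side-channels from a typical embedded systems.", mixing "a" with a plural; use "a typical embedded system". With the explicit ".pdf" extension now in the path, also confirm that images/side_channel.pdf is committed, since LaTeX will no longer fall back to another format of the same base name.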
@ -70,16 +70,17 @@ This proposal is organized as follows: Section~\ref{sec:related-work} presents a
The idea of side-channel-based analysis traces back to the seminal work by Paul C. Kocher.
He introduced \gls{dpa} to find secret keys used by cryptographic protocols in tamper-resistant devices~\cite{kocher1999differential}.
This led to a field of research focusing on side-channel analysis that has grown ever since.
A wide variety of side-channels have since been leveraged to recover information from a system such as power consumption \cite{brier2004correlation,mangard2008power}, electromagnetic fields~\cite{sayakkara2019survey}, acoustic emanations~\cite{7479068, alevi2015keyboard}, thermal dissipations~\cite{9727162} or, on the non-physical side, cache~\cite{page2003defending}.
A wide variety of side-channels have since been leveraged to recover information from a system such as power consumption \cite{brier2004correlation,mangard2008power}, electromagnetic fields~\cite{sayakkara2019survey}, acoustic emanations~\cite{7479068, halevi2015keyboard}, thermal dissipations~\cite{9727162} or, on the non-physical side, cache~\cite{page2003defending}.
Among them, power consumption is the most common and widely studied side-channel because of its numerous advantages.
Power consumption leaks information about the activity of an embedded system with little inertia --- i.e., it can transmit high-frequency information contrary to thermal ---, is easy to measure with low-cost equipment at specific points in a machine --- contrary to electromagnetic fields or sound --- and is guaranteed to be present in any system.
Power consumption leaks information about the activity of an embedded system with little inertia --- i.e., it can transmit high-frequency information contrary to thermal ---, is easy to reliably measure with low-cost equipment --- contrary to electromagnetic fields or sound --- and is guaranteed to be present in any system.
This combination of properties allows for a granular detection of a system activity, even at the instruction level.
%Quisquater et al.~\cite{quisquater2002automatic} present an approach to identify instructions with the use of self-organizing maps, power analysis and analysis of electromagnetic traces.\agd{this citation comes out of nowhere}
%Eisenbarth et al.~\cite{eisenbarth2010building} propose a methodology for recovering the instruction flow of microcontrollers using its power consumption.\agd{this citation comes out of nowhere}
Even though the information potential of side-channel analysis enables powerful attacks, it also enables defensive capabilities.
Even though the information-gathering capability of side-channel analysis enables powerful attacks, it also enables defensive capabilities.
Zhai et al.~\cite{zhai2015method} propose a self-organizing maps approach that uses features extracted from an embedded processor to detect abnormal behaviour in embedded devices.
Different teams at Georgia Tech University leveraged power and electromagnetic backscattering \cite{8701559, jorgensen2022efficient} to detect hardware trojans and counterfeit integrated circuits.
Due to its non-intrusive and architecture-agnostic nature, power fingerprinting has a wide range of applications from energy production systems \cite{6378346}, Software Defined Radio compliance assessments \cite{5379826}, or applications activity on mobile devices \cite{8057232}.
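Review bot: The corrected citation line still mixes "power consumption \cite{brier2004correlation,mangard2008power}" (plain space) with "~\cite{...}" for the other entries in the same sentence; use the non-breaking tie throughout, including the " \cite" uses in the Georgia Tech and power fingerprinting sentences below. The new key halevi2015keyboard is not among the .bib lines shown in this commit, so check that the entry exists under that exact name. In the rewritten power-consumption sentence, "contrary to thermal ---, is easy" leaves a comma directly after the closing dash that can be dropped.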
@ -90,12 +91,12 @@ In this work, they use the power consumption of a given embedded system to ident
The team builds on their previous technique and presents a new one~\cite{Moreno2018} using the power consumption of embedded systems for non-intrusive online run-time monitoring through anomaly detection.
They use a signals and systems analysis approach to identify anomalies using the power consumption of a system and showcase this by identifying buffer overflow attacks on their system.
Msgna et al.~\cite{msgna2014verifying} propose a technique for using the instruction-level power consumption of a system to verify the integrity of the software components of a system with no prior knowledge of the software code.
In~\cite{kur2009improving}, Kur et al. perform power analysis of smart cards based on the JavaCard platform to help identify vulnerable operations, obtain bytecode instruction information, and also propose a framework to replace vulnerable operations with safe alternatives.\\
In~\cite{kur2009improving}, Kur et al. perform power analysis of smart cards based on the JavaCard platform to help identify vulnerable operations, obtain bytecode instruction information, and also propose a framework to replace vulnerable operations with safe alternatives.
Side-channel information's non-intrusiveness and difficult-to-forge nature make it an ideal input for \gls{ids} systems.
Van Aubel et al.~\cite{van2018side} proposed using electromagnetic information to protect \gls{ics} by detecting changes in software flow.
Side-channel information's non-intrusiveness and difficult-to-forge nature makes it an ideal input for \glspl{ids}.
Van Aubel et al.~\cite{van2018side} proposed using electromagnetic information to protect \glspl{ics} by detecting changes in software flow.
Xun et al.~\cite{10016748} use the voltage signal of a vehicle CAN bus to detect anomalies without extensive documentation from the manufacturer.
On a different kind of embedded systems, Liang et al. propose a framework to leverage side-channel information in additive manufacturing where traditional \gls{ids} would fail.
On a different kind of embedded systems, Liang et al. propose a framework to leverage side-channel information in additive manufacturing where traditional \glspl{ids} would fail.
In more recent literature, there is a trend towards using \gls{ml} for side-channel analysis to enhance the security of systems.
Michele Giovanni Calvi~\cite{calvi2019runtime} offers a solution for run-time monitoring of an entire cyber-physical system treated as a black box.
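Review bot: The change from "make" to "makes" in "Side-channel information's non-intrusiveness and difficult-to-forge nature makes it an ideal input" is a regression: the subject is the compound "non-intrusiveness and difficult-to-forge nature", so the plural "make" was correct. In the same hunk, "Liang et al. propose a framework" is the only author reference without a \cite, and "On a different kind of embedded systems" should read "embedded system".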

View file

@ -136,6 +136,7 @@
\usepackage{multirow}
\usepackage{booktabs}
\usepackage[acronyms]{glossaries} % Exception to the rule of hyperref being the last add-on package
\glsdisablehyper
% If glossaries-extra is not in your LaTeX distribution, get it from CTAN (http://ctan.org/pkg/glossaries-extra),
% although it's supposed to be in both the TeX Live and MikTeX distributions. There are also documentation and
% installation instructions there.
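Review bot: \glsdisablehyper sits directly after \usepackage[acronyms]{glossaries} with no comment saying why acronym hyperlinks are turned off; a short trailing comment would match the way the neighbouring lines are documented. The comment block that follows talks about glossaries-extra while the package loaded is glossaries, so it is worth aligning the comment with what is actually used.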

View file

@ -15,7 +15,7 @@ In any case, the design and prototyping of this new measurement system is an imp
\section{Winter 2024}
Winter 2024 will be dedicated to designing and evaluating the single-source multi-measure system.
This work's challenge is enabling the processing of multi-variate time series to yield better results.
The system's performances will be put in perspective with the capabilities of the DSD (single-source single-measure).
The system's performances will be put in perspective with the capabilities of the \gls{dsd} (single-source single-measure).
A series of experiments will also provide a complementary evaluation of the performances of these new techniques.
The experiments will be collected in a paper with a publication aimed at the next term.
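Review bot: In "the capabilities of the \gls{dsd} (single-source single-measure)", if this is the first use of the acronym in the document the expansion already ends in a parenthesised short form, so the trailing "(single-source single-measure)" produces two parentheticals back to back; consider folding it into the sentence. The dsd glossary entry is not defined anywhere in the lines shown in this commit, so confirm it exists. "performances" in this line and two lines below would normally be the singular "performance".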