
Bare Metal Forensics

A presentation by Doug Carson at The Cyber Academy

  1. Bare Metal Forensics. Doug Carson. Big Data in Cyber Security, 10th May 2016
  2. The Evolving Cyber Threat Landscape
     "The consequences of innovation and increased reliance on information technology in the next few years will probably be far greater in scope and impact than ever. Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US Government systems." James R. Clapper, Director of National Intelligence, Senate Armed Services Committee, Feb 9th 2016
     Current perimeter-based approaches to IT enterprise security cannot address such highly connected and diverse Cyber Physical Systems.
  3. Who Protects Cyber Physical Systems?
     Critical Infrastructure Protection
     • Ensuring a resilient communication and transport infrastructure
     • Assessing supply chain vulnerabilities, and how best to protect them
     Law Enforcement and Threat Intelligence Centres
     • Digital forensic evidence on serious & organised crime
     • Ensuring the online safety of the public from threat actors in cyber space
     Information Assurance Standards Bodies
     • Certifying data integrity & safety of devices connected to cyber space
     • Regulatory and standards framework development
  4. Measuring Endpoint Devices
     • Exploit industry interconnect standards to gain visibility into devices
     • Exploit manufacturing test ports to control execution of the device
     • Use precision analog measurements to detect side channel leakage
     Highly embedded, highly diverse connected devices
     • Impossible to embed a scanning agent
     • Uncertain supply chain with custom SoCs
     • No compliance regime in place
     • Minimal testing to meet market windows and costs
  5. Bare Metal Forensics Principle (diagram)
     Cyber System -> Physical Implementation Using Standard Components -> Observed Phenomena -> Inferred Operation
     Measurement channels: Analyse Busses, Spoof Busses, Power & EM Channels, Data Analysis
  6. Component Standardisation: Bare Metal Attack Surface (diagram, no slide text)
  7. Infiniium Bus Analysis Support
     • Power rails • 8B/10B • CAN • DigRF v4 • DVI • HDMI • FlexRay
     • I2C/SPI • JTAG • LIN • MIPI CSI-3 • MIPI D-PHY • MIPI LLI • MIPI RFFE • MIPI UniPro • MIPI UFS
     • PCIe Gen1 and Gen2 • RS-232/UART • SATA/SAS • SPI • SVID
     • USB 2.0 • USB 3.0 • SuperSpeed Inter-Chip
  8. The Big Data Angle
     Big Data: Volume, Variety, Velocity, Veracity
     • 160 GSa/s = 1.28 Tbps
     • Noisy • Partial • Training data
     • Gigabytes!
  9. Data Science on Measurement Traces (Previous Research)
     • 400 traces of 25K points
     • 2 hours on 256 cores at UK National Supercomputing Centre
     • Correlation matrix of behavioural traces
     • Behavioural similarity network
  10. Bare Metal Forensics Project
      High speed signal capture and generation; signal analysis software; device measurement science
      World class cyber forensics research, teaching and training
      • Accredited MSc
      Private and public sector partnerships
      • Local cyber industry
      • Public bodies
  11. Side Channel Attack (diagram)
      Plaintext Message -> Cryptographic Function (Secret Key) -> Encrypted Message
      Side channel signal: Power, Heat, Time, Sound -> Side Channel Monitoring
      A side channel attack is carried out by monitoring the physical outputs of a device (e.g. power consumption, time taken to carry out an operation, emission of heat, light and sound).
  12. Exploiting Side Channels (no slide text)
  13. Side Channel Attack Demonstration (no slide text)
  14. Summary
      • Insecure embedded devices in the IoT will lead to widespread vulnerabilities in critical infrastructure
      • Current OS agent-based techniques do not address these devices
      • Device operation 'clues' can be inferred from electronic measurement traces
      • Data science research is underway to develop analytics to detect vulnerabilities from measurement traces
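What the "Analyse Busses" step of slide 5 means in practice, for the simplest bus on the slide 7 list (RS-232/UART): recover the bytes a device is sending from a raw logic-level capture. The following is an added example, not code from the presentation. The capture is constructed in-line as an idealised logic-analyser record (one entry per sample, 1 = idle/mark, 0 = space); the sample rate and baud rate are assumed values chosen for the demonstration.

```python
"""Decode an 8N1 UART capture from raw logic-level samples.

Constructed example for the "Analyse Busses" step of the bare metal
forensics principle and the RS-232/UART entry of the bus analysis list.
Not code from the presentation. The capture is an idealised logic-analyser
record built in-line: one entry per sample, 1 = idle/mark, 0 = space.
Sample rate and baud rate are assumed values for the demonstration.
"""
from __future__ import annotations

SAMPLE_RATE = 96_000                    # assumed capture rate, samples per second
BAUD = 9_600                            # assumed line rate of the device under test
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 10 samples per bit time


def encode_8n1(payload: bytes, samples_per_bit: int, idle_samples: int = 20) -> list[int]:
    """Build a constructed capture: idle high, then one 8N1 frame per byte
    (start bit low, 8 data bits LSB first, stop bit high), back to back."""
    samples = [1] * idle_samples
    for byte in payload:
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for bit in frame:
            samples.extend([bit] * samples_per_bit)
    return samples


def decode_8n1(samples: list[int], samples_per_bit: float) -> list[dict]:
    """Recover frames the way a UART receiver does: lock onto the falling
    edge of a start bit, then sample once at the centre of each bit time.
    Each record carries the sample offset of the start edge, the byte value
    and a framing_error flag (stop bit not high)."""
    frames = []
    n = len(samples)
    i = 1
    while i < n:
        falling_edge = samples[i - 1] == 1 and samples[i] == 0
        if not falling_edge:
            i += 1
            continue
        # Centre of bit k from the start edge: start = 0, data = 1..8, stop = 9.
        centres = [i + round((k + 0.5) * samples_per_bit) for k in range(10)]
        if centres[-1] >= n:
            frames.append({"offset": i, "byte": None, "framing_error": True,
                           "note": "frame runs past end of capture"})
            break
        if samples[centres[0]] != 0:
            # Line went high again before mid-bit: a glitch, not a start bit.
            i += 1
            continue
        value = 0
        for k in range(8):
            value |= samples[centres[1 + k]] << k   # LSB first
        frames.append({"offset": i, "byte": value,
                       "framing_error": samples[centres[9]] != 1})
        i += round(10 * samples_per_bit)           # skip to the end of the stop bit
    return frames


def build_capture() -> list[int]:
    """Constructed capture: the bytes "OK" and a newline, a one-sample glitch
    in the idle period, then a 0x55 frame whose stop bit is held low (the
    framing error seen with a baud-rate mismatch or a line break)."""
    samples = encode_8n1(b"OK\n", SAMPLES_PER_BIT)
    samples[5] = 0                                  # glitch shorter than half a bit
    bad = encode_8n1(b"\x55", SAMPLES_PER_BIT, idle_samples=15)
    bad[-SAMPLES_PER_BIT:] = [0] * SAMPLES_PER_BIT  # force the stop bit low
    return samples + bad + [1] * 20


def decoded_bytes(frames: list[dict]) -> bytes:
    """The payload an analyst would read off the bus, framing errors aside."""
    return bytes(f["byte"] for f in frames if f["byte"] is not None)


if __name__ == "__main__":
    for frame in decode_8n1(build_capture(), SAMPLES_PER_BIT):
        print(frame)
```

Sampling at bit centres rather than at edges is what makes the decoder reject the injected glitch and still recover the byte whose stop bit is wrong; on a real capture, the framing error is the clue that the assumed baud rate is off or that the line was broken.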
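Slide 9 names two analytic products, a correlation matrix of behavioural traces and a behavioural similarity network, without showing how one becomes the other. The following added example (not code from the presentation or the research it cites) builds both at toy scale: six constructed traces of 200 points instead of 400 traces of 25K points, two families of devices sharing a signature plus one outlier whose trace drifts like neither family. The similarity threshold is an assumed tuning parameter; a trace that links to nothing is the kind of behaviour the summary slide wants analytics to flag.

```python
"""Correlation matrix and behavioural similarity network over measurement traces.

Added example for "Data Science on Measurement Traces". Not code from the
presentation or the cited research. Traces are constructed in-line at toy
scale; the correlation threshold is an assumed tuning parameter.
"""
from __future__ import annotations

import math
import random

N_POINTS = 200
SIMILARITY_THRESHOLD = 0.8   # assumed: |r| at or above this links two traces


def build_traces() -> list[list[float]]:
    """Constructed traces: three copies of a periodic family A signature,
    two copies of a switching family B signature, and one drifting outlier,
    each with Gaussian measurement noise from a fixed seed."""
    rng = random.Random(1234)

    def noisy(signal: list[float]) -> list[float]:
        return [v + rng.gauss(0.0, 0.1) for v in signal]

    family_a = [math.sin(2 * math.pi * t / 50) for t in range(N_POINTS)]
    family_b = [1.0 if (t % 80) < 40 else -1.0 for t in range(N_POINTS)]
    outlier = [t / N_POINTS for t in range(N_POINTS)]
    return [noisy(family_a), noisy(family_a), noisy(family_a),
            noisy(family_b), noisy(family_b), noisy(outlier)]


def pearson(x: list[float], y: list[float]) -> float:
    """Pearson correlation coefficient; 0.0 for a flat trace."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def correlation_matrix(traces: list[list[float]]) -> list[list[float]]:
    """Symmetric matrix of pairwise correlations between traces."""
    n = len(traces)
    m = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            m[i][j] = m[j][i] = pearson(traces[i], traces[j])
    return m


def similarity_network(corr: list[list[float]], threshold: float):
    """Threshold the matrix into a graph (edges where |r| >= threshold) and
    return its edges and connected components, each component sorted."""
    n = len(corr)
    edges = [(i, j) for i in range(n) for j in range(i + 1, n)
             if abs(corr[i][j]) >= threshold]
    adj = {i: set() for i in range(n)}
    for i, j in edges:
        adj[i].add(j)
        adj[j].add(i)
    seen, components = set(), []
    for start in range(n):
        if start in seen:
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:                      # depth-first walk of one component
            node = stack.pop()
            comp.append(node)
            for nb in adj[node]:
                if nb not in seen:
                    seen.add(nb)
                    stack.append(nb)
        components.append(sorted(comp))
    return edges, sorted(components)


def isolated_traces(components: list[list[int]]) -> list[int]:
    """Traces that behave like no other device in the set."""
    return [c[0] for c in components if len(c) == 1]


if __name__ == "__main__":
    corr = correlation_matrix(build_traces())
    edges, comps = similarity_network(corr, SIMILARITY_THRESHOLD)
    print("edges:", edges)
    print("behavioural clusters:", comps)
    print("isolated traces:", isolated_traces(comps))
```

The pairwise step is O(n²) in the number of traces and linear in trace length, which is why the slide's 400 traces of 25K points ran on 256 cores; the clustering step only ever sees the thresholded graph.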
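Slide 11 lists "time taken to carry out an operation" among the physical outputs a side channel attack monitors. The added example below (not code from the presentation) shows the smallest version of that leak and its mitigation: a comparison that returns at the first mismatching byte beside one that always does the same amount of work. Wall-clock timing is noisy, so each function counts the byte comparisons it executes as a constructed, deterministic proxy for execution time; the secret and the probe values are constructed.

```python
"""Timing side channel: an early-exit comparison beside a constant-time one.

Added example for the "Time" side channel on slide 11. Not code from the
presentation. Each function counts the byte comparisons it executes as a
constructed proxy for execution time; secret and probes are constructed.
"""
from __future__ import annotations


def leaky_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """memcmp-style compare that returns at the first mismatching byte.
    Returns (equal, work): work is the number of bytes examined, which
    grows with the length of the correctly matched prefix."""
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Examines every byte and folds mismatches into an accumulator, so the
    amount of work depends only on the length, not on where the first
    mismatch sits. (In production Python, use hmac.compare_digest.)"""
    if len(secret) != len(guess):
        return False, 0          # the length itself stays observable; treat it as public
    diff = 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def prefix_guess(secret: bytes, k: int) -> bytes:
    """Constructed probe: first k bytes correct, every later byte wrong."""
    return secret[:k] + bytes(b ^ 0xFF for b in secret[k:])


def work_profile(compare, secret: bytes, guesses: list[bytes]) -> list[int]:
    """The 'timing trace' an observer would record: work per probe."""
    return [compare(secret, g)[1] for g in guesses]


def leaks_prefix(profile: list[int]) -> bool:
    """True when the profile distinguishes probes by how much of the secret
    they match, i.e. the comparison is usable as a side channel."""
    return len(set(profile)) > 1


if __name__ == "__main__":
    secret = b"hunter2!"                       # constructed secret
    probes = [prefix_guess(secret, k) for k in range(len(secret) + 1)]
    print("early-exit compare :", work_profile(leaky_equal, secret, probes))
    print("constant-time      :", work_profile(constant_time_equal, secret, probes))
```

Against probes that match progressively longer prefixes, the early-exit profile climbs one step per matched byte while the constant-time profile is flat; the same principle, work independent of secret data, is what the power and EM channels on the slide demand of the whole cryptographic implementation, not just of its final comparison.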