AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
Securing embedded systems (for share)
1. Close the Door!Securing Embedded Systemsv1.1 Witham Laboratories Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 1
2. Agenda Why Embedded Security Matters (Theoretical) Example System Timing Analysis Power and EM Analysis Encryption and Key Management Software Update Security Glitch Attacks Summary and Best Practice Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 2
3. Embedded Security Matters Processors are everywhere Often used to secure your information Form the foundation of business cases Payment, games, mobile phones, TV/video Required to maintain essential assets Crypto keys, passwords, firmware/code Drive economies (see above!) Phones, consoles, pay TV HW; sold at loss Profits come from content and lock-in Let’s talk economics for a second Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 3
4. Embedded Security Matters Systems development cost increasing More people, more equipment, more complexity, more requirements How much does a dev resource cost you? Hackers have the economic advantage Costs more to build than to break Time on market >> time to market Attacks only ever get cheaper / easier Financial gain often not the motivation Hackers share info, businesses do not Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 4
5. Embedded Security Matters Usually safe to assume hackers are: Better equipped More knowledgeable With greater motivation and resources Time to give up? Time to invest in security design 1st step: Understanding the vulnerabilities We’ve got an example system to hack ———————More resourceful No! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 5
6. (Theoretical) Example System GPG Embedded Encryption Key (‘GEEK’) HW token with support for TDES, AES, RSA 256k flash for code storage, 8GB flash for document storage (both AES encrypted) Verifies your GPG password/passphrase Keys stored and operated on device Firmware can be updated in the field Secure system uses HMACs for auth Marketed to industry and governments Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 6
7. Timing Analysis Timing of RSA modulo exp operations RSA most often uses ‘square and multiply’ Processing of a ‘1’ bit in the key requires more steps than processing a ‘0’ bit Therefore takes longer ‘Final reduction’ step will also leak information Password / (H)MAC verification Data dependant timing for compare Allows for ‘walking’ through correct values Correct guesses take longer to return than incorrect guesses Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 7
8. Timing Analysis - Eg Access password and HMAC Compared using standard memcmp() Work through all values of first byte Time to error > when first byte correct Once known, repeat for other bytes 8 byte password in 256 x 8 rather than 256^8 Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 8
9. Timing Analysis – Close the Door! Blinding of RSA operations Changes the actual values processed Therefore information gained through timing is not correlated to the data / key Data independent compare operations Ensure run time is same for all inputs Best implementation can depend on your processor / compiler … but try; XOR or bytewise compare across all bytes AND / OR results together to form return value AND TEST IT!!! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 9
10. Power and EM Analysis Every transistor is doing you damage … Embedded devices = lots of transistors Draw more current when switching states Transmitting data, performing computations Processing is deterministic & repeatable Each device & operation has a unique power / EM ‘signature’ Different when any processed bits are different Encryption processing depends on data & key Therefore, emissions leak secret info! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 10
11. Power and EM Analysis Selection function is vital Method to differentiate captures based on a finite number of possible secret values Eg Value of 1 bit based on part of key Work through all possible secret values Apply statistic analysis to the datasets Eg separate into captures where bit=1 or bit=0 Incorrect assumptions = no correlation Correct assumptions = correlation Decreased noise, increased signal Selection fns exist for AES,DES,RSA,ECC, … Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 11
12. Power and EM Analysis - Eg GEEK AES power analysis Depends on accurate timing alignment Frequency domain or Integration analysis can compensate for poor alignment Still have to know roughly where crypto is AES Subkey = 0x11 - 100 samples Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 12
13. Power and EM Analysis – Close the Door! Random delays or round structure Frequency / windowed analysis may work Blinding or masking Requires higher order analysis Time / function limits on crypto Depends on level of side channel leakage Design to minimise use of secret data Unique key per operation Key management!! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 13
14. Encryption & Key Management Epic fail for many systems Use bad (non-standard) crypto algorithms Use good (standard) algorithms badly Good design, poor management One key to rule them all! (and in the darkness bind them) The algorithms are the easy part RSA, ECC, TDES, AES Don’t think proprietary / secret is better! The key is the secret! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS , Serpent Witham Laboratories Building Confidence in Payment Systems Slide No. 14
15. Encryption - Eg GPG password in external flash memory Encrypted with AES ECB Location of password can be determined Lots of other blocks have same value Probably 0x00 or 0xFF before encryption (depends) Swap with password location -> password now known! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS 0x696275c0eb3d6e6b8ceabaea4e279589 0xc2ff88de46aa82335d0182dc597e413e 0x19537682cfc5f228881c91712d0ac051 … 0x0da873169c2ee2d80a706eabeab638da 0x0da873169c2ee2d80a706eabeab638da 0x0da873169c2ee2d80a706eabeab638da … Witham Laboratories Building Confidence in Payment Systems Slide No. 15
16. Encryption – Eg (8GB) Encryption key ‘hidden’ in flash Cannot be visually / statistically differentiated from encrypted memory Location is random for each device Key location can be easily brute-forced 8 x 1024 x 1024 x 1024 = 8,589,934,592 Run through all possible 32 byte key values Decrypt known plaintext (eg unused flash) 1us per AES operation = all keys tried in ~ 8590 seconds (less than 2 ½ hours) Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 16
17. Encryption – Close the Door! Use your algorithms wisely Approved modes of operation (ISO, NIST) Industry standard padding (PKCS) Understand limitations to the algorithm / mode of operation Encryption ≠ authentication (usually) Beware dictionary / frequency analysis Beware transposition of encrypted data Understand your need for encryption Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 17
18. Encryption – Close the Door! Use suitable mode of operation Beware ECB or stream cipher modes (where contents change / may be known) Unique key per device, and per use Don’t use memory encryption key for encrypting system secrets Beware cryptographic errors May indicate an attack (see glitching!) Protect key storage Obfuscation at a minimum Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 18
19. Glitching Every transistor is doing you damage … Each instruction switches many transistors Usually all synchronised with a ‘clock’ No two transistors are the same Different locations, tolerances, I/O factors A glitch forces some transistors to (not)operate when they shouldn’t Can be applied many different ways Power, clock signal, EM, light Changes operation of only a few transistors Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 19
20. Glitching - Eg HMAC fails, system sits in tight loop Code executed on ‘good’ HMAC follows the machine code for the loop If(HMACisOK(image))!=1) {while(1)}; ExecuteNewlyDownloadedCode(); Glitch the clock, power, EM Some transistors don’t work properly Jump in test/while fails, or PC increments Hello ‘ExecuteNewlyDownloadedCode()’ ! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 20
21. Glitching – Close the Door! Check for function entry before exit Confirm crypto OK before output Eg perform twice, or encrypt then decrypt Use watchdog(s) Beware frequent watchdog activation Remember glitching produces ‘impossible’ processor operations! Code for errors which cannot happen Beware compiler optimisation Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 21
22. Software Updates Most systems will accept SW updates Remote and/or local, part replacement Avoid common authentication secrets Remember encryption ≠ authentication Be aware of local interfaces JTAG, ICE, ROM bootloader Disabled by SW, but maybe re-enabled … Ensure what you authenticate is what you execute! Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 22
23. Software Updates - Eg Software written to flash before auth Code only executed if auth passes Unauth’d code stays in flash Execute through glitch, code exploit Software auth’d with RSA signature Bug in ASN.1 parsing allows stack overflow Expected as ASCII, uses strcmp() rather than memcmp(), terminates at nulls System wide symmetric key for auth Key exposed on one device … Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 23
24. Software Updates – Close the Door! Authenticate what you want to execute Execute what you authenticate What prevents changes after auth? Beware parsing functions Do you authenticate before or after? What are the impacts of both options? Does the parse change / remove any data? Can the parse be exploited / compromised? Overflow / null exit / assumed data positions, etc Avoid system wide secrets Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 24
25. Theoretical Example Summary Many different vulnerabilities External flash exploitable even with AES Password checking could be bypassed Keys exposed through side channels Software update function insecure Is that important? Home user ≠ industry ≠ government Still more secure than encrypting on a PC What are your threat profile / compliance reqs? What’s the fix: Patch? Product recall? Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Depends … Witham Laboratories Building Confidence in Payment Systems Slide No. 25
26. Summary Understand your risk and threat profile Depends on the market and product Build testing into your time/cost budget Greater threat -> greater dev time/cost Ensure product meets the security specs No implementation is perfect Plan for ifwhen vulnerabilities are found Remember product life-cycle security Key management, code signing, etc Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 26
27. Questions? For further information please contact Andrew Jamieson Technical Manager Witham Laboratories Email: andrew.jamieson@withamlabs.com Phone: +61 3 9846 2751 Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 27
Editor's Notes
I will be talking about the security of embedded systems Many of the areas will still be of interest to those more interested in PC based systems I know that although I think that this stuff is facinating, some people can find it a bit boring, so I will try to make it as fun as I can, and to that end I shall occasionally share my presentation with monsters, gnomes, and some gorillas … With that in mind I will provide some theme music for the first question of the topic to see where I should pitch the rest of the talk …
Of course, in 30 minutes or so I can’t go through everything on embedded security, so I have whittled down the presentation to these core topics
Requirements for product security is becoming the norm, not the exception Your devices are used to secure your information, as well as to protect other peoples information from you! Also protect business cases …
Perhaps “Better Equipped” is not quite the right term …
During the presentation I will be providing real world examples from this system, which we have produced in parts specifically for this presentation Plugs into your PC, and provides security for your GPG / PGP use MUCH more secure than just using GPG on your PC … or is it? Let’s test it to see what vulnerabilities it may have …
RSA is basically just plaintext (to the power of) your key (modulo) some key related number The ‘to the power of’ bit, is exponentiation, and most often calculated using an algorithm called ‘square and multiply’ I won’t go into the details of the math, as interesting as that is, but rest assured that it means that processing takes longer for each key bit which is a ‘1’ rather than a ‘0’ Timing attacks can also impact on any compare operations in the device (where the input is compared to a calculated or pre-stored value within the device)memcmp() is generally optimised to return as quickly as possible, which means that it will return quicker for an incorrect input, than for one that is correct But don’t take my word for it … let’s test it!
In our test system, memcmp() is used for both passwords (to allow for signing and decryption), and for HMACs (which are used to authenticate software updates) Hooked a CRO up to the output line of our system So when we get the first byte incorrect, the memcmp() returns a this point in time When we get the first byte correct, the time to return increases (by approx 0.5us on this system) Next byte correct, we get a return later again So, by working through all 256 values of each byte, we can brute force an 8 byte password in 2048 tries rather than 18.5 million trillion- So easy, let’s have cookie monster explain as we work through the remaining 6 bytes …
Blinding / masking involves changing the input data (plaintext) or key (exponent) during the operation, in such a way the changes can be removed at the end of the calculation to restore the correct ciphertext value Be sure when you are implementing blinding for RSA you are aware of why you are doing it – blinding only the data will protect against side channel analysis Create your own data independent compare procedure First rule of the day – test it, don’t assume
Many programmers don’t spend a lot of time thinking about the physical processes which make their programs work Fine most of the time, but this is a problem when it comes to security When I say lots, I mean thousands, millions, even billions Power analysis was first recorded in some recently declassified US government documents, which noted that the russians had installed current monitoring devices into US encrypting typewriters When your system does the same operations, it draws exactly the same current, and emits exactly the same radiation. When processing changes, so does the current draw and emissions Therefore by monitoring the current or EM, you can determine what the device is doing!
So, the selection function is absolutely vital It’s a way to differentiate between the many captures of power or EM you have, so that they can be correlated using statistical methods EG; The selection function could be a way to separate the data based on what would happen to a single bit of the input plaintext based on all possible values of only four bits of the key So, once you have a selection function, you separate the captures base on the chosen selection function, and apply your statistical model If you have a good selection function, one of the ways in which you have separated the captures is exactly correct, and will (hopefully) produce a correlation in your statistcal analysis For the other ways in which you have separated the captures, your model is incorrect, and therefore you will not get any correlation Many different selection functions exist, for different algorithms and methods of processing. Be aware that selection functions are not limited to cryptographic algorithms – don’t close the door just to have the attackers come in the window
So, enough talking, lets have an example Here we have a capture of the power waveform of AES processing on the GEEK hardware If we take some more samples, say 20, and process it through our selection function, we get the following output You can see that there is a lot of noise here which is caused by the 256 different outputs overlaid on each other, each representing a potential sub-value of the AES key. However, at this stage, there is no real outlying signal which has been correlated As we apply more and more captures to the statistical analysis, we increase the signal for the correct value, and decrease the noise caused by 255 other incorrect values [At 40 captures] Now we are starting to see some information peeking out of the noise floor, and I want to you keep an eye on [Click] this point as we increase the number of captures we are analysing, as we can already see a point which has started coming up out of the noise … [Click - It’s coming up] So, this peak tells us, through our analysis, and part of the AES key for this device is 11 hex. To reveal the whole key, we just have to repeat this process, using the same captures, focusing on different parts of the key. So, with a current probe and some software, we have broken the 128 bit AES encryption of this device after observing only 100 operations. [Click - Accurate timing]
Some vulnerabilities require the attacker to have physical access, some do notEven without physical access, an attacker could use malware to brute force password and use the token to sign / decrypt documents The GEEK is better than general purpose GPG on a PC, but it is not 100% secure What happens when these vulnerabilities are exposed, by hackers or academics? Can all of these problems be patched with software updates? What about the external memory? Is this an issue? What legals do you have around guarenteed performance of this device?
You need to understand what the threat model of your clients is – this may be as easy as looking at published standards (such as FIPS140-2, or PCI PTS), or it may be more difficult Be aware of the potential issues and make sure you have the resources to test for them Understand the potential impact if you are sacrificing testing for reduced initial development cost and quicker time to market – could this end up costing you more in the long term?If you have spent the time to outline security requirements from the outset, make sure the system meets these before release, many well designed products have failed through lack of ensuring they met their own specs Nothing is perfect, always have a plan B Don’t forget security once the product is released – ongoing maintenance may be required to prevent catastrophic failure (eg non-random K values in DSA signature)
