Method of Attack, Physical Access

Method of Attack, Physical Access • Attacker has physical possession of the device • Many devices are small and portable • Assume that attacker has only external access • Short access time • Lacks knowledge about internals • Attack through external interface • Normal user interface • USB, SD card interface Slides created by: Professor Ian G. Harris

Physical Access Attacks • Attacker can do what user can do • Read numbers from a phone • Examine digital pictures, etc. • USB/SD card allows large, fast data theft • USB may be “bootable” • Device may automatically run code on USB key • Attacker can rewrite Flash memory • Install arbitrary malware Slides created by: Professor Ian G. Harris

Defenses Against Physical Attacks • Do not lose physical control of your device • Enable password protection on the device • Can be inconvenient Slides created by: Professor Ian G. Harris

Intrusive Physical Attacks • Attacker gains extended physical access to the device • Attacker knows about the design of the device • Attacker opens the device and accesses internal signals • Requires unusual sophistication • Normal users do not need to worry Slides created by: Professor Ian G. Harris

Reading Internal Signals CPU RAM Logic Analyzer • Attacker can view data transferred between ICs • Intellectual property (songs, videos, etc.) • Secret keys, etc. Slides created by: Professor Ian G. Harris

Reading Internal Signals, Defenses • Encrypt all data in transit between ICs • Expensive and time consuming • Make device tamper-proof • Very expensive • Use internal board layers for routing • Layers can be sanded down • Epoxy over ICs to hide part numbers • Epoxy is removable Slides created by: Professor Ian G. Harris

Reprogramming FLASH Memory CPU Flash JTAG • Attacker can reprogram the entire device though its JTAG interface Slides created by: Professor Ian G. Harris

Reprogramming FLASH Defenses • Make flash unprogrammable • Blow an internal fuse • Updates become impossible • Require secret key to access JTAG • Costly Slides created by: Professor Ian G. Harris

“Super” Intrusive Attacks • Attacker gains access to the design of the ICs inside the device • Requires time, knowledge, and access • Only large organizations could launch this type of attack Slides created by: Professor Ian G. Harris

Hardware Trojans CPU ASIC Trojan Trojan • Attacker modifies IC design before fabrication • Spy at the design and/or fabrication site • IC includes altered functionality Slides created by: Professor Ian G. Harris

Side-Channel Attacks • Examine “information leakage” via power and delay analysis if (key[I]) then { . . . } • If key[i] == 1 then power will be higher and delay will be longer • Requires precise knowledge of IC algorithm and implementation Slides created by: Professor Ian G. Harris

IP Watermarking • Attacker steals IP design and sells it as his own • Need to prove that a stolen design is actually stolen • Insert “markers” into the design which can be recognized later • Add extra logic that has no real function • Markers must not be apparent to the attacker Slides created by: Professor Ian G. Harris

ATmega Assembly a = b + c; Compiler Load b from memory Load c from memory Add b and c Store result a in memory lw $r1, ($s1) lw $r2, ($s2) add $r3, $r2, $r1 sw $r3, ($s3) Assembler 10010001000000110000001000000001 add $r3 $r2 $r1 Slides created by: Professor Ian G. Harris

Assembly Instructions ADD R0, R1 0000110000000001 • Assembly instructions are a readable mnemonic for machine instructions • One-to-one mapping from assembly instructions to machine instructions • Except macros Slides created by: Professor Ian G. Harris

Slides created by: Professor Ian G. Harris ATmega Instruction Formats ADD instruction • Rd <- Rd + Rr OOOO11RDDDDDRRRR • 16-bit machine instructions • 6-bit opcode • 2 5-bit register arguments (32 registers) • Direct Register Addressing mode used

Slides created by: Professor Ian G. Harris Instruction Format, 1 register ANDI instruction • Rd <- Rd && K 0111KKKKDDDDKKKK • 4-bit opcode • 1 4-bit register argument (only 16registers) • 8-bit constant

Slides created by: Professor Ian G. Harris Instruction Format, 1 register ASR (arithmetic shift right) instruction • Rd <- Rd >> 1 1001010DDDDD0101 • 11-bit opcode • 1 5-bit register argument

Slides created by: Professor Ian G. Harris Instruction Format, Branch BREQ (branch if equal) instruction • Z == 1 then PC <- PC + K + 1 111100KKKKKKK001 • Assumes that comparison (sub) already performed • 9-bit opcode • 11 constant, PC offset addressing • Branch distance is limited

Assembly Code Structure An input line may take one of the four following forms: 1. [label:] directive [operands] [Comment] 2. [label:] instruction [operands] [Comment] 3. Comment 4. Empty line • Label is an alias for a line of code • Used for jumps/branches Slides created by: Professor Ian G. Harris

Example Assembly Program label: .EQU var1=100 ; Set var1 to 100 (Directive) .EQU var2=200 ; Set var2 to 200 test: rjmp test ; Infinite loop (Instruction) ; Pure comment line • .EQU assigns a string to a constant • Semicolon (;) sets off comments Slides created by: Professor Ian G. Harris

Some Arithmetic Operations • Some instructions take immediate (constant) arguments • Some instructions use carry from previous operations Slides created by: Professor Ian G. Harris

Some Logical Operations • Logical operations are bitwise • Some instructions take only one argument Slides created by: Professor Ian G. Harris

Accessing Registers/Memory • All registers are memory mapped • Special instructions are used to access non-register memory Slides created by: Professor Ian G. Harris

General Purpose Registers • General-purpose registers are written using: • LDI - Load Immediate LDI R16, 0xFF R16 <- 0xFF • MOV - Copy Register MOV R0, R1 R0 <- R1 • SBR - Set Bits in Register SBR R0, 0xFF R0 <- R0 | 0xFF • CBR - Clear Bits in Register CBR R0, 0xAA R0 <- R0 & (0xFF - 0xAA) Slides created by: Professor Ian G. Harris

LDI Instruction LDI Rd, K • 8-bits for the immediate, K • 4-bits for the register, Rd • Can only access 16 registers (R16 - R31) • SBR and CBR have the same limitation Slides created by: Professor Ian G. Harris

MOV Instruction MOV Rd, Rr • 5-bits for each register, can access all registers • Can move from high regs to low regs Slides created by: Professor Ian G. Harris

I/O Registers • I/O registers are written/read using: • IN - In Port IN R0, PORTB R0 <- PINB • OUT - Out Port OUT R0, PORTB PORTB <- R0 • SBI - Set Bit in I/O Register SBI PORTB, 3 PORTB <- PORTB | 1<<3 • CBI - Clear Bits in I/O Register CBI PORTB, 3 PORTB <- PORTB & !(1<<3) Slides created by: Professor Ian G. Harris

SBI Instruction SBI A, b • 5 bits specify register, 3 bits specify bit to set Slides created by: Professor Ian G. Harris

Addressing SRAM (Ext. I/O) • Instructions are 16-bits long • SRAM addresses are 16-bits long • Address cannot fit in the instruction • Memory addresses are stored in special-purpose registers • X, Y, and Z registers are each 2 bytes • LD, ST instructions are used to access SRAM Slides created by: Professor Ian G. Harris

Data Indirect Addressing LDI XH HIGH(0x01A8) LDI XL HIGH(0x01A8) LD R0, X ST X, R0 • Registers X, Y, and Z can be used to address SRAM • XH (YH, ZH) and XL (YL, ZL) are low and high bytes Slides created by: Professor Ian G. Harris

Branching • PC typically advances by 2 after each instruction • Instructions are 2 bytes long • Branching changes the PC counter to a new location • Unconditional Branches always occur • Conditional Branches occur only if a condition is true • Needed to implement conditional control flow (if, then) and loops (while, for, etc.) • Labels are used to name branch destination Slides created by: Professor Ian G. Harris

Unconditional Branching JMP k • 32-bit instruction • Need 22-bits to address 4M memory space • Assembler substitutes label with address Slides created by: Professor Ian G. Harris

Relative Jump (RJMP) RJMP k • Only 16-bit instruction, address is 12 bits long (4K range) • PC relative addressing used • Destination is PC + k + 1 • Restricted to close jumps (+/- 2K) • Not usually a problem (especially on small processors) Slides created by: Professor Ian G. Harris

Conditional Branches • Branch occurs is appropriate condition is satisfied • Conditions depend on results of previous arithmetic operations ADD R0, R1 BRVS dest . . dest: ADD R2, R3 • BRVS is Branch is Overflow is Set • Branch occurs if previous addition resulted in overflow Slides created by: Professor Ian G. Harris

Status Register (SREG) • Bit 5 – H: Half Carry Flag • Bit 4 – S: Sign Bit, S = N ⊕ V • Bit 3 – V: Two’s Complement Overflow Flag • Bit 2 – N: Negative Flag • Bit 1 – Z: Zero Flag • Bit 0 – C: Carry Flag • SREG contains information about the results of arithmetic/logic operations Slides created by: Professor Ian G. Harris

Conditional Branch Instructions • Test indicates the relationship between operands • Boolean shows values in SREG Slides created by: Professor Ian G. Harris

Branch Conditions • SREG must be set before conditional branch instruction • C code example: if x < y then x++; else y++; • Assume x is in R0 and y is in R1 CP R0, R1 BRLT then else: INC R1 RJMP done then: INC R0 done: … • Compare operation, CP, used to set SREG • Does not affect other regs Slides created by: Professor Ian G. Harris

Skip Instructions • “Skip” instructions skip the next instruction if a condition is satisfied • Can be used as a mini conditional branch • SBRC- Skip if bit in register is cleared (0) SBRS R0, 0 INC R0 • Rounds R0 up to nearest even number Slides created by: Professor Ian G. Harris

Subroutines • RCALL k calls a subroutine starting at label k • PC + 1 is pushed onto the stack • RET returns from a subroutine • PC is popped off of the stack • No other calling procedures are followed • Registers are not pushed/popped • Arguments are not pushed/popped • No local vars allocated on stack Slides created by: Professor Ian G. Harris

Using the Stack • PUSH Rd places contents of Rd on the stack • Decrements stack pointer (SP) • POP Rd places contents of stack in Rd • Increments (SP) • SP must be initialized to top of SRAM, RAMEND LDI R0, LOW(RAMEND) OUT SPL, R0 LDI R0, HIGH(RAMEND) OUT SPH, R0 Slides created by: Professor Ian G. Harris

Assembler Directives • Assembler directives give commands to the assembler • Do not generate machine code instructions .DSEG var1: .byte 1 var2: .byte 2 .CSEG ldi XL, LOW(var1) ldi XH, HIGH(var1) ld R0, X • .DSEG declares data segment • Placed in SRAM • .CSEG declares code segment • Placed in FLASH • .BYTE allocates space • Only in data segment Slides created by: Professor Ian G. Harris

EEPROM Segment .ESEG eeconsts:.db 0xff, 0x11 .CSEG fconsts: .dw 0xffff • .ESEG declares initialized data in EEPROM • .DB declares a data byte in program memory (CSEG) or EEPROM (ESEG) • .DW declares a word (16-bits) in CSEG or ESEG Slides created by: Professor Ian G. Harris

Other Assembler Directives • .DEF <symbol>=R<n> • Define a symbol to refer to a register • Ex. .DEF i=R9 • Placement in file should precede first use • .UNDEF undefines the symbol • .EQU <constant>=<expression> • Define a constant to refer to a constant value • Ex. .EQU ZERO = 0 • Constant cannot be redefined or undefined • .SET <variable>=<expression> • Same as .EQU except variables can be changed later Slides created by: Professor Ian G. Harris

Method of Attack, Physical Access

Method of Attack, Physical Access

Presentation Transcript

Virtual Storage Access Method

Attack

Physical Access, Seating and Positioning

ACCESS ARCHITECTURE the general method

Attack

Attack

Name: Attack method: Attacks:

Attack Attack !

ATTACK

Types of attack

The English Attack! Method for Learning English

Data Structure and access method

ISAM: Indexed-Sequential-Access-Method

Methods of Attack

Plan of attack

DDoS Attack Detection Method and Mitigation Using Pattern of the Flow

Data structure and access method (1)

ALMIS Distributed Access Method (ADAM)

Analyze proper physical access control/tutorialoutletdotcom

A Modified Method for Preventing Blackhole Attack in MANETS

Attack of Trust

RUM Conjecture of Database Access Method