Homework answers / question archive / Abstract As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely

Abstract As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely

Computer Science

Share With

Abstract As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely. This technology requires constant review and improvement, just as other competitive technologies need review to stay at the leading edge. This paper describes known physical attacks, ranging from simple at-tacks that require little skill or resource, to complex attacks that require trained, technical people and considerable resources. Physical security methods to deter or prevent these attacks are presented. The intent is to match protection methods with the attack methods in terms of com-plexity and cost. In this way cost e ective protection can be produced across a wide range of systems and needs. Speci c technical mechanisms now in use are shown, as well as mecha-nisms proposed for future use. Common design problems and solutions are discussed with consideration for manufacturing. - Introduction o Traditionally the term 'physical security' has been used to describe protection ofmaterial assets from re, water damage, theft, or similar perils. However, recentconcerns in computer security have caused physical security to take on a newmeaning: Technologies used to safeguard information against physical attack. o in this new sense, physical security is a barrier placed around a computingsystem to deter unauthorized physical access to the computing system itself.This concept is complementary to logical security, the mechanisms by which op-erating systems and other software prevent unauthorized access to data. Bothphysical and logical security are complementary to environmental security. En-vironmental security is the protection the system receives by virtue of locationsuch as guards, cameras, badge readers, access policies, etc. The reason for sep-arating physical and environmental security is partly due to the change in thenature of the assets being protected. o In the past the assets to be protected were nominally physical items: cash, jewelry, bonds, etc. Now the assets are often information, which can be stolen without being physically removed from where they are kept. If information can be seen, it can simply be copied. This informa-tion can be anything from a spreadsheet work le to cryptographic keys. It may be reasonable for an individual to have access to a location (environmental se-curity) and not to have access to the information stored on a computing systemin that environment (physical security).Physical security is also becoming more important because computing sys-tems are moving out of environmentally secure computer rooms and into lessenvironmentally secure offices and homes. At the same time, the value of the data on these computing systems is increasing. Logical security has also been improved so that a physical attack may become more easily performed than a logical attack [1]. We can see that the motivation to attack computing systems is increasing because the rewards for doing so are increasing. o For physical security to be e ective the following criteria must be met: in theevent of an attack, there should be a low probability of success and a high prob-ability of detection either during the attack, or subsequent to penetration [17].It is possible to build physical security systems to protect sensitive data[12,5,6,15] These systems can make unauthorized access to the data dicult, asa bank vault makes stealing cash a daunting task (tamper resistant). They cantrigger mechanisms to thwart the attack, much like an alarm system (tamperresponding). They can make an attempted attack apparent so that subsequentinspection will show an attack had been attempted (tamper evident). o Physical security technology is a relatively recent addition to computing sys-tem design. This paper attempts to describe and catalog the currently knowndesign and implementation techniques. E ort is made to di erentiate betweensimple methods, which are applicable in areas of low criticality vs. the sophisti-cated methods required for protecting very critical data. https://link.springer.com/content/pdf/10.1007/3-540-44499-8_24.pdf - What Do We Mean by Physical Protection? Physical protection as applied to cryptographic equipment does not necessitate locking devices within mechanical safes or enclosing their electronics within thick steel or concrete shields, i.e. making them tamper-proof. It does, however, involve using sound design practices to construct a system capable of attack detection by a comprehensive range of sensors, i.e. tamper resistant. Few documents are available covering tamper resistant requirements and standards, among them are the Code of Practice for Cryptographic Equipment Security( and the U. S. Federal Standard( tamper-resisting, tamperindicating, tamper-detecting and tamper- responding physical security measures. The level of physical security suggested should be such that unauthorised attempts at access or use will either be unsuccessful or will have a high probability of being detected during or after the event. Additionally, the standards recommend that cryptographic equipment should be prominently situated in operation so that its condition (outward appearance, indicators, controls etc.) is easily visible to minimise the possibility of undetected penetration. They both require the incorporation of tamper-resisting, tamper- indicating, tamper-detecting and tamper- responding physical security measures. The level of physical security suggested should be such that unauthorised attempts at access or use will either be unsuccessful or will have a high probability of being detected during or after the event. Additionally, the standards recommend that cryptographic equipment should be prominently situated in operation so that its condition (outward appearance, indicators, controls etc.) is easily visible to minimise the possibility of undetected penetration. - Why Do We Need It? https://link.springer.com/content/pdf/10.1007/3-540-39118-5_9.pdf Tamper physical attacks techniques: Attackers Today, due to advances in technology, lower cost of products and easier access by the public to once-specialized tools, attacks against hardware are becoming more prevalent. There are basically three classes of attackers, depending on their expected abilities and strengths. The classification[4] shown1 in Table 1 is based on Abraham et al’s Transaction Security System[5] and is an industry standard for describing attackers in an academic fashion. Additionally we will describe four main security threat classes, which are defined by J. Grand[4] as follows: – Interception (or eavesdropping) Gaining access to protected information without opening the product. A silent interceptor may leave no traces by which the interception can be readily detected. nterruption (or fault generation) - An asset of a product becomes unavailable, unusable, or removed. An example is malicious destruction of a hardware device, intentional erasure of program or data contents, or a Denialof-Service network attack. Fault generation, which consists of intentionally provoking malfunctions, which may lead to the bypassing of certain security measures, also falls into this class. – Modification style - Tampering with an asset of a product. Modification is typically an invasive technique for both hardware, such as circuit modifications or micro-probing, and software/firmware, such as changing the values of data or altering a program so that it performs a different computation. – Fabrication style - Creating counterfeit assets in a product or system. Fabrication can come in many forms, including adding data into a device, inserting spurious transactions into a bus or interface, or a Man-in-the-Middle attack on a network. Sometimes these additions can be detected as forgeries, but if skillfully done, they may be indistinguishable from the real thing. Attackers usually exploit a targeted system in order either to make a copy of (a part of) the technology, to bypass a service such as copy protection or a payment system, to spoof user authentication, or for privilege escalation and feature unlocking. These attacks fall into one of three categories. The attack can be a focused attack, in which the attacker takes the time to sit down and plan the attack without a high risk of being discovered while actually doing it. If there is a strict time constraint, the attack is referred to as a Lunchtime attack meaning that the attacker has anywhere from a few seconds to a few hours to do the attack. Such attacks are usually riskier than focused attacks. The third type of attack is an insider attack. Insider attacks are attacks that are done by someone that was in the development and supply chain of the device. Attack overview The type of attack that an attacker choses to do depends a lot on the goal of the attack and which class of attacker he is. The type of attack also depends onexactly which kind of embedded device it is, and which security methods were implemented during the devices construction. 3.1 Invasive attacks Invasive attacks are the simplest way to learn a large amount of information about an embedded device, however most invasive attacks require very expensive equipment while non-invasive attacks can often be done with tools that are available to an advanced hobby enthusiast[3]. Additionally invasive attacks tend to destroy the packaging and in some cases the entire device. This means that invasive attacks are only feasible in situations where destruction of the device doesn’t really matter, or where the damage to the device can be reconstructed so that there is little to no evidence of the attack. Below we give a classification of the most common types of invasive attacks. Note that this list is incomplete and that an attack can fall in multiple categories. Probe attacks - The purpose of a probe attack is to directly attach a conductor to the circuit being protected so that information can be obtained from and changes can be injected into the system under attack. Attack probes can be either passive or active and may not actually be a physical object. Passive probes are simple oscilloscope or logic analyzer leads that are attached to the embedded device and are set to record the information at that point of the circuit. Passive probes are often terminated in active circuitry, which gives them a very high input impedance which in turn may help to avoid detection or interference with the circuit being attacked[6]. Probe attacks[3] are also commonly used as the first step for more advanced attacks. Once an attacker has probes in place they can then attempt to do a number of different attacks such as timing attacks[7], cache-based attacks[8], power monitoring attacks[3, 7, 2, 9] such as simple power analysis (SPA) and differential power analysis(DPA), and differential fault analysis (DFA)[1, 2, 9] attacks. Machining methods - Another invasive attack on a smart card or embedded device is to simply cut away parts of the chip, piece by piece until the attacker understands the construction of the device. Often integrated circuits are packaged in a cover or other tamper resistant coating thus ensuring that a probe attack cannot be done. By machining the chip and removing the cover and coatings, it becomes possible to reach the actual circuit and proceed using a probe attack. Machining can be done manually usually with the attacker using a knife of other tool to remove material from the device. Mechanical machining is the automated process of removing material from a chip. Even though mechanical machining is usually faster and more precise than manual machining, mechanical machining is often less accurate than manual machining as there is little to no feedback and often too much material is removed. Extremely precise machining can also be done using either (demineralized/deionized/pure-) water or a laser.Water machining has the advantage of being extremely precise and is difficult to detect if pure water is used as it is non-conductive, however, water machining equipment is usually very large and generally only available to some class II en class III attackers. Laser machining has most of the same advantages as water machining, in that the laser is non-conductive and thus hard to detect. The equipment for laser machining is generally also smaller than for water machining, but a large disadvantage of laser machining is the heat that is generated by the laser. The last general type of machining is by using chemicals. Chemical machining is similar to water machining, except that instead of water corrosive chemicals are used to quickly and efficiently dissolve the material. The biggest disadvantage of chemical machining is that the chemical agents are often conductive and thus they are easier to detect and may even cause unintended short circuits[6]. Shaped charge technology - A shaped charge is an explosive charge shaped to focus the effect of the explosive’s energy. Using tiny explosives, it is possible to penetrate an integrated circuit so quickly that circuits that detect intrusions can be disabled before they have a chance to respond. As the explosions cause the cuts to be done at hypersonic speeds of up to over 7 km/s there is almost no time for the circuit to signal its alarms. One disadvantage of this method is the fact that it is purely destructive and relatively inaccurate. Glitching - Changing the inputs of a microchip in an unexpected way can cause the chip to glitch, which means that the chip starts doing erratic operations. Glitching can be caused by changing the input voltage (Vcc) thus causing instructions to be misinterpreted and circuitry to fail. Doing so at the correct moment can cause advantages to the attacker such as memory not getting cleared or instructions being garbled. A similar effect can be achieved by lengthening and shortening the clock pulses going to the IC. The timings in the chip desynchronize and erratic behavior results. A third way of introducing glitches is through electromagnetic interference, as such fields can cause disruptions in diodes and transistor circuits[3, 6]. Note that glitching can also be caused by environmental factors and thus it is not strictly an invasive attack. Scanning electron microscopes - Class III attackers that have access to scanning electron microscopes can use their equipment to read and possibly write bits to ROMs or RAM on a molecular level. This technique requires that the chips’ surface is exposed, but once exposed the scanning electron microscope can access and read almost any part of the chip to obtain and possibly modify the secrets stored there. Non-invasive attacks Non-invasive attacks are often more sophisticated in their design than invasive attacks, and their implementation often depends on tiny design vulnerabilities inthe embedded device. Non-invasive attacks require detailed knowledge of both the processor and software used, in contrast to an invasive attack where the attacker can simply probe the logic to see what does what. A large amount of work might be necessary to first design a non-invasive attack, but once such a technique has become available for a specific device and software version, it can often be reproduced reliably within seconds on another device of the same type[3]. Energy and Radiation attacks - Energy and radiation attacks can be used to ’lock’ or ’freeze’ certain parts of a circuit into a certain state. Energy and radiation attacks can be done both with (invasive) and without (non-invasive) actual contact and usually require close access to the device. One such attack, called Radiation imprinting is the process of radiating parts of the IC, such as the CMOS RAM, such that the values of the bits are ’burned’ into the memory. This means that a normal clear or write operation will not change the value of the bits in that ROM. This allows an attacker to read the ROM at a later moment without having to worry about the data accidentally being lost. Similarly Temperature imprinting is a method that literally ’freezes’ the bits in ROM so that they can be read minutes or even hours after power has been removed from the chip. An IR laser can be used to read and write to the cells of a ROM or RAM. Silicon is transparent to infrared frequencies, so it is possible to read or write a bit value by focusing an IR laser beam on a certain location on the chip without requiring it to be machined or otherwise invaded.[3, 6] Imaging technologies - Almost any imaging technology available can be used to make images of a chip. Microscopes with recording devices, X-ray equipment, ultrasound, and other tomographic equipment. These devices can help an attacker visualize the internals of a chip without needing to physically open or tamper with the device. Software attacks - Software attacks are attacks done by simply communicating with the embedded device over the normal channels, and attempting to learn more about the device by exploiting security vulnerabilities in the software[9]. Fault generation techniques - Fault generation techniques usually use external environmental factors to cause glitches and other malfunctions in the embedded device. This is basically a combination of both Glitching and Energy/Radiation style attacks and can be used in combination with either softwarebased attacks or probe-based attacks. tamper_resistance_evidence.pdf (aarts.info) High Technology Attacks This section deals with mechanisms that used to be considered unusual. The attacks described in this section, and the defenses described in the following section, far exceed the typical levels of skills and resources available to the common attacker. However, the skill level of the common attacker is increasing. These attacks and defenses are presented to meet the requirements of markets such as banking. However as data value increases, as is occurring now with the rise of Internet commerce, these defensive techniques should become a standard part of common business practice. These techniques have are now required to meet certain government requirements [9]. The business community is also beginning to embrace these standards as a means of assurance Probe Attacks: The purpose of a probe attack is to directly attach conductors to the circuit(s) being protected so that information can be obtained from, and/or changes injected into, the system under attack. Passive Probes: These are common oscilloscope or logic analyser probes. They may be used to watch and record information contained in circuits. When used with a logic analyser, a trigger condition may be set such that the attacker waits for a predetermined event and then begins recording. The term passive probe is somewhat of a misnomer in that so-called passive probes may be terminated in active circuitry, which gives them very high input impedance. This may prevent their detection by, or interference with, the circuit being attacked. Active or Injector Probes: Active probes are generally used in conjunction with passive probes. Using a pattern generator or similar device, these probes can inject signals or information into an active system. Pico-Probes: Pico-probes can be used in either of the capacities described above. Pico-probes are very tiny and are used to directly probe the surfaces of integrated circuits. Energy Probes: Energy probes can be electron beams, ion beams, or focused beams of light. Depending on the technology being attacked, energy probes can read or write the contents of semiconductor storage or change control signals. Ion beam deposition has been used to successfully reconnect fuse links, to return product level smart cards to their debug-state where the output of key registers, etc., was permitted. Machining Methods: The purpose of machining is to cut or remove mate-rial. In this context, a cover or potting material is machined to access circuitry beneath the potting or cover. Once the covering is removed, a probe attack asdescribed above can proceed.If the system is protected by physical security, the intent is to perform themachining operation without tripping a sensor or leaving evidence1.Afterthecovering material is removed, the sensor is then disabled or bypassed so that aprobing attack may proceed. If the system is protected by a tamper evident sys-tem, there may be an attempt to cover the evidence after the attack is complete.The list of machining methods include chemical and energy methods of ma-terial removal, as well as traditional machining methods. Manual Material Removal:Manual material removal is commonly referredto as the 'brain surgery' attack. In this scenario an attacker using a knife, orother tool, attempts to remove material from a potted or sealed container whilestopping short of tripping a sensor. This attack is much more e ective than mightbe thought. If the attacker is dexterous and has good hand-eye coordination,extremely delicate work can be accomplished. Mechanical Machining:This method removes much material, very precisely,in the shortest time. Its disadvantages lie in the fact that there is little or no feed-back. This frequently causes cuts that are too deep. If the cutter is conductive,it may be detected by the tamper detector. Water Machining: Water machining is a very precise method for materialremoval. The 'cutter' can be non-conductive (if the water is pure), does not dull,and is very e ective for all but very soft materials. Its chief disadvantage is thatwater machining equipment is typically very large. However, in situations wherecost and size are a concern, but time is not, a directed slow, steady, drip of waterwill e ectively cut through many materials given sufficient time. Laser Machining: This technique has many of the same advantages as water.One disadvantage of laser machining is that the process may generate a greatdeal of heat. The laser must be tuned for the material of interest, e.g. EXCIMER(U.V.) lasers are excellent for ablating organic materials (such as epoxy). Chemical Machining: Almost any material can be dissolved. Jet Etch2andsimilar commercial tools are very good for removing coatings and potting mate-rial cleanly. These techniques work by using a high-pressure, very precise spray of a solvent or acid to dissolve away the material. The solvent or acid may beheated to increase e ectiveness. The main disadvantage is the potentially high conductivity of highly ionic cutting liquids, which may cause short circuits. Shaped Charge Technology: Shaped charge technology has become com-monly available to the degree where that charge precision welding and cutting sample kits are available to universities to promote the technology. These tech-niques have the advantages of being very accurate and being extremely fast. The penetration speed can approach 25,000 ft/sec. At these hypersonic speeds, a package can be penetrated and circuits disabled before they can respond. For example, a memory zeroing circuit can be disabled before the energy can bere moved from the memory. This could give the attacker from a few seconds to aminute to nish entering a package and to reapply power to the memory before its contents decay. TEMPEST: This is a passive attack. Electromagnetic emanations from a com-puter, or other electronic device, can be detected at a distance and decodedto determine contents or behavior. The distance can be many hundreds to athousand feet or more. Power supply current pro les can also be measured to determine circuit activity. Most information on TEMPEST is government classi ed in the interests of national security. However it is well known, and has been demonstrated, that avideo display or serial communication line can be tapped at distances of hundreds of feet. Recently more aspects of TEMPEST technology have been independently invented/discovered in the commercial sector. Smart cards have been successfully attacked by means of studying their power supply current [10,4], and others [11] have developed new approaches to using this method. Energy Attacks: These attacks are both of the contact and non-contact va-riety. However even the non-contact attacks usually require close access to thesystem. Radiation Imprinting:By irradiating CMOS RAM in the X-Ray band (andpossibly other bands), the contents can be 'burned in' such that power down orover-write will fail to erase the contents.The basic imprinting attack uses radiation to imprint the CMOS RAM usedto store cryptographic keys or other secret data, then the unit is physicallybreached without regard for power down or rewrite mechanisms. The RAM maythen be read at leisure. Temperature Imprinting: CMOS RAM will retain its contents with thepower removed for seconds to hours when the temperature of the RAM is low-ered. This e ect starts at just below freezing. Over-writing will erase the con-tents. High Voltage Imprinting: By 'spiking' CMOS RAM with short duration,high-voltage pulses, it may be possible to imprint the contents in a mannersimilar to radiation imprinting. This technique has not been veri ed by theauthor. High or Low Voltage: By changing Vcc to abnormally high or low values,erratic behavior may be induced in many circuits. The erratic behaviour mayinclude the processor misinterpreting instructions, erase or over-write circuitryfailing, or memory retaining its data when not desired. Clock Glitching: By lengthening or shortening the clock pulses to a clockedcircuit such as a microprocessor, it's operation can be subverted. Instructions ortests can be skipped or generally erratic operation can be induced [2]. Circuit Disruption:This area has not yet been studied in depth by the au-thor, however it is known that strong electromagnetic interference may causedisruption in noise-diode type random number generators and computing cir-cuits. Electron Beam Read/Write:The electron beam of a conventional scanningelectron microscope can be used to read, and possibly write, individual bits inan EPROM, EEPROM, or RAM. To do this the surface of the chip must beexposed rst, usually via chemical machining. This is a very powerful attackonce the chip is exposed since buried, normally non-readable, keys and secretscan possibly be stolen and/or modi ed. IR LASER Read/Write:Silicon is transparent at IR frequencies. Becauseof this, it is possible to read and write storage cells in a computing device byusing an IR LASER directed through the bulk silicon side of the chip. By goingthrough the bulk side there is no need to jet etch or otherwise remove the device'spassivation. Imaging Technologies:Any of the current imaging technologies including X-Ray, tomography, ultrasound, etc. can all be used to visualize the contents ofa sealed or potted package. This can assist the attacker by pinpointing areasof vulnerability, identifying printed circuit card layout, showing part placement,and possibly identifying speci c parts. https://link.springer.com/content/pdf/10.1007/3-540-44499-8_24.pdf tamper attacks examples: Signal eavesdropping attack We defeated the Ingenico PED with a simple ‘tapping attack’ thanks to a succession of design flaws. Its rear has a user-accessible compartment, shown in Figure 2(a), for the insertion of optional SIM-sized cards to expand its functionality. This space is not intended to be tamper-proof, and when covered it cannot be inspected by the cardholder even if she handles the PED. This compartment gives access to the circuit board and many signals that are routed on its bottom layer, though the sensor mesh layer mentioned earlier prevents the attacker from drilling the PCB to access more sensitive routes, such as the smartcard’s data line. Curiously, however, the PED’s designers opted to provide the attacker 1 mm diameter holes and other vias through the PCB2 , from which a simple metal hook can tap the serial data line. This tap is easy to place between the microprocessor and the card interface chip. We preferred, however, to tap the signal before the interface chip, and found that a 1 mm diameter via, carrying the data signal, is easily accessed using a bent paperclip. This can be inserted through a hole in the plastic surrounding the internal compartment and does not leave any external marks. Having tested this attack in the laboratory, we repeated it in the field for the BBC ‘Newsnight’ programme; we tapped a terminal in a London shop and, during a transaction, extracted the card and PIN details for a journalist’s card without triggering the tamper detection system. The Dione PED does not provide a concealed compartment to hide the wiretap, but is still vulnerable. By drilling a 0.8 mm hole from the rear, we can insert a 4 cm needle into a flat ribbon connector socket shown in Figure 2(b). Figure 3 shows the full Dione attack, with the PED mounted, as it would be in a shop, with a thin wire connected to an FPGA board that translates the data and sends it to a laptop; the scope and laptop screen show an ‘answer to reset’ (ATR) initial exchange intercepted using the tap. What should have required $25,000 needed just a bent paperclip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice. A small FPGA or microcontroller board with some non-volatile memory can easily fit inside the Ingenico PED’s compartment and record transaction details without the cardholder’s knowledge, while a wire routed from the back of a mounted Dione PED to a recorder under the counter will not be detected unless the cardholder conducts a very close inspection – and knows what to look for. The recording circuit can be very small and either battery operated or attached to the PED’s power supply; with a full transaction requiring about 1 kB of storage, even a small memory can record thousands of transactions. Detecting such a tap from within the PED is extremely difficult, since high inputimpedance probes do not significantly distort signals, and proper termination suppresses reflections; Bond [11] has shown that even without these measures a tap outside the terminal is not detected, while Drimer and Murdoch [21] showed that PEDs can drive 2 m cables placed between the card slot and a card. Shim-in-the-middle attack We postulate, but have yet to implement, an attack of inserting a thin, flexible circuit board into the card slot, so that it lodges between the reader and the card’s contacts. This ‘shim-in-the-middle’ attack is illustrated in Figure 4; a very basic circuit that can transmit the signal on the data line to a nearby receiver would not be easily detected by a cursory inspection, because it is within the PED itself. The fraudster can create an ‘inserter card’ with the shim attached to it so that, when inserted into a particular device, the shim locks into place as the carrier card is removed. A receiver is then placed nearby to record card details and PINs; this receiver could easily include a mobile phone to SMS the proceeds back to the fraudster. This attack completely bypasses all tamper protections and does not even require the participation of anyone in the store; and given that cardholders who complain are typically told they must be mistaken or lying, it could be a long time before the device is found (if ever). None of the PEDs we examined appeared to contain any countermeasures to the shim attack, and it’s rather hard to imagine what they might be. If the PED vendor included a LED and a photocell, for example, the shim vendor would just use a transparent material. One option is to make the card slot transparent – though this means dumping liability on unsuspecting cardholders. (A better, but not infallible, option is PIN encryption, as we’ll discuss later.) Note that a corrupt merchant may also prefer this type of attack, as he can indignantly deny all knowledge of it in the unlikely event that the police find the shim. https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf Tamper Protection process: Tamper resistance Tamper resistance relies on restricting physical access to the smart card or embedded device, such that the only interaction has to be done through the software embedded on the device. Of all security methods, tamper resistant security is usually the easiest to apply, as tamper resistant systems usually take the so called bank vault approach and ensconce the microchip in a protective cover that protects it against invasive attacks. There are many different ways to restrict physical access to an embedded device. Below we have a list of such methods, each with a brief description of what the method details and the types of attacks it helps protect against. “Bank vault technology” - By simply making the embedded device too big or heavy to steal can significantly decrease the probability of an attacker stealing the device. The device can also be permanently attacked to an object such that the embedded device is destroyed before it can be detached from the object. Note that this is not very convenient for portable devices and thus other technologies have been developed. Tamper response Whereas tamper resistant systems used a bank vault approach, tamper response systems are more like a burglar alarm. These systems specialize in detecting an intrusion, and if such a detection takes place the chip will instantly attempt to stop the attacker from learning anything else about the system. Such responses can vary from simply sounding an alarm, to clearing the ROMs, to destroying the physical device itself. Tamper response technology consists of two important parts, the first is detection of an attack, and the second is the actual response if an attack is detected. Detection of an attack can be done by installing sensors on the embedded device. In Steve Weingart’s paper Physical Security Devices for Computer Subsystems: A survey of Attacks and Defenses [6], he describes a complete list of sensors that can be used to detect a multitude of attacks. The exact shape and type of sensor depends on what it is built to detect, but regardless of the type of sensor it gives an output when an attack is detected. Such an output is caught by the logic that handles the response part of the tamper-response module. These mechanisms fall mainly into four groups: – Switches - devices that detect mechanical movement. – Sensors - devices that detect an environmental change. – Circuitry - wires and/or fiber-optics that are wrapped around and throughout the embedded device. These materials are used to detect a break, puncture or attempted modification of the wrapper. – Electronic - detection and monitoring of changes in frequencies, clock pulses or voltages leading in and out of the chip. The circuitry that handles the output of the tamper-response sensors is usually used to ensure that an attacker cannot obtain the secret data on the device. Often an attack is detected before the attacker has finished obtaining all the necessary data from the device, and in such cases it is essential that the device attempts to keep the attacker from obtaining the rest of the data. In most embedded devices and smart cards, the secrets are stored in either RAM or ROM memory modules. While RAM is relatively easy to clear during an attack, ROM is significantly harder. The simplest way to erase the secrets in RAM is to do a RAM Power Drop. This means that power to the RAM modules is removed which effectively clears the contents. A slightly more difficult way to clear RAM (or ROM) is by doing a RAM Overwrite (or ROM Overwrite respectively). A RAM overwrite repeatedly overwrites the memory module with all zeros and all ones alternatively. This process ensures that there is no residual information left that could be caused by imprinting, but it requires power and time to do the actual overwriting. This method is most accepted by governmental standards, but its success cannot be guaranteed in attack scenarios as a reliable source of power is needed while it is overwriting the memory modules. The third and most effective way of ensuring that an attacker does not obtain the secrets on the device is by completely destroying the device itself it an attack is detected. Physical destruction of the device can be done by shorting certain parts of the circuit and thus rendering the device inoperable. It can be done with little to no violence, and in some cases may not even be detectable until the attacker notices that the device ceased functioning. Tamper evidence Tamper evident systems are designed to ensure that if a break-in occurs that evidence of the break-in is left behind. These systems do not protect against the attack itself, but only prove that an attack occurred after the fact. Tamper evident systems often use chemical or mechanical means to show evidence that an attack has taken place. As tamper evident systems themselves do not activate an alarm or otherwise notify the owner that a break-in attempt has occurred, it is important for an effective audit policy to be established and adhered to that visually checks the device frequently to ensure that there is no evidence of an attack [6]. As such tamper evident systems are often combined with a tamper response system to alert the owner of an attack, and to prove that an attack indeed took place. As with the tamper resistance techniques there are a large number of different possibilities to ensure that tampering becomes evident. Again we will enumerate a number of possible methods. This list is incomplete as new materials are developed daily that can be used as a tamper evident layer. The use of cuttingedge materials can also help ensure that an attacker cannot easily replicate the material and reconstruct the tamper-evidence layer. tamper_resistance_evidence.pdf (aarts.info) Tamper Resistance Tamper resistance consists of using specialized materials to make tampering of a device or module difficult. This can include such features as hardened steel enclosures, locks, encapsulation, or security screws. Implementing tight airflow channels (that is, tightly packing the components and circuit boards within the enclosure) will increase the difficulty of optical probing of the product internals using fiber optics. A side benefit of many tamper resistant mechanisms is that they are often tamper evident, meaning that physical changes can be visually observed and it becomes obvious that the product has been tampered with. If designing a housing that requires screws, or when retrofitting a design that is already using screws, consider implementing one-way screws that will offer additional tamper resistance. Although an adversary can likely drill through such screws, they raise the difficulty of attack over an industry-standard screwdriver or Torx driver bit. The Thomas Register Directory provides a large listing of security- and tamperproof-screw manufacturers and suppliers. Sealing both sides of the housing together in a way that requires the destruction of the device in order to open it should be considered. Many plastics are sensitive to heat and melt at fairly low temperatures. Consider sealing the housing with high-temperature glue or ultrasonic welding to reduce tampering. If using high-temperature glue, choose one with a higher softening point than the plastic housing in order to increase visible tamper evidence. Serviceability may be an issue if the product is intended to be opened by authorized personnel. However, if a legitimate user can open the device, so can an adversary can. An entire circuit board with resistant resin or epoxy compound can protect the circuitry. However, it is more common for such encapsulation to be done on only specific critical components. Conformal coatings and encapsulates are typically used to protect an assembled circuit board from moisture, fungus, dust, corrosion, or tampering. It can also reduce mechanical stress on components and protect them from thermal shock. Urethane provides a hard, durable coating that offers excellent abrasion and solvent resistance. It shrinks significantly during coating, however, which may stress components. Epoxies also offer excellent resistance to moisture and solvents. Usually consisting of a two-part thermosetting resin, the coating also shrinks during curing, leaving a hard, difficult-to-remove film. Conformal coatings are provided by a large number of manufacturers, including GE Silicones, Dow Corning, and MG Chemicals. Chemicals such as methylene chloride, sulfuric acid, and fuming nitric acid can remove protective coatings, so be sure to evaluate that your chosen compound is suitable for your desired protection level. To protect against a chemical attack that removes the encapsulation, aluminum powder can be added to the compound. A solvent capable of dissolving the aluminum will corrode the underlying components or circuitry, rendering the device useless. https://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf Tamper Evidence The goal of tamper evidence is to ensure that visible evidence is left behind when tampering occurs. Tamper evident mechanisms are a major deterrent for minimal risk takers (e.g., nondetermined attackers). Hundreds of tamper evident materials and devices are available, mostly consisting of special seals and tapes to make it obvious that there has been physical tampering. Tamper evidence features are only successful if a process is in place to check whether tampering has occurred or if a legitimate owner of the device notices a deformity. Generally speaking, if an adversary purchases a product with the specific intention of attacking it, tamper evident mechanisms by themselves will not prevent the attack. Weingart's "Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses" [2] provides dozens of potential tamper evident mechanisms to employ. Most (if not all) of the available tamper evident seals can be bypassed. In Johnston and Garcia's "Vulnerability Assessment of Security Seals," [3] the authors show how 94 different security seals (including adhesive tape, plastic, wire loop, metal cable, metal ribbon, bolt type, secure container, passive fiber optic, and electronic) were defeated using low-cost tools and readily available supplies. Holdtite manufactures Secure 42, superglue intended to provide evidence of tampering. Brittle plastics or enclosures that crack or shatter upon an attempted penetration may be suitable in certain environments. "Bleeding" paint, where paint of one color is mixed with tiny spheres of a contrasting color paint that rupture when the surface is scratched, is a novel solution. https://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf Tamper Detection Tamper detection mechanisms enable the hardware device to be aware of tampering and typically fall into one of three groups: • Switches such as microswitches, magnetic switches, mercury switches, and pressure contacts to detect the opening of a device, the breach of a physical security boundary, or the movement of a particular component. • Sensors such as temperature and radiation sensors to detect environmental changes, voltage and power sensors to detect glitch attacks, radiation sensors for X-rays (used for seeing what is inside of a sealed or encapsulated device) and ion beams (often used for advanced attacks to focus on specific electrical gates within an integrated circuit). • Circuitry such as flexible circuitry, nichrome wire, and fiber optics wrapped around critical circuitry or specific components on the board. These materials are used to detect a puncture, break, or attempted modification of the wrapper. For example, if the resistance of the nichrome wire changes or the light power traveling through the optical cable decreases, the system can assume there has been physical tampering. Again, Weingart's "Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses" [2] provides a comprehensive list of specific mechanisms that could be employed. https://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf Tamper Response Tamper response mechanisms are the countermeasures taken upon the detection of tampering. Chaum's 1983 "Design Concepts for Tamper Responding Systems" [4] presents concepts for implementing sensors into tamper responsive systems. Most often, the response consists of completely shutting down or disabling the device, or erasing critical portions of memory to prevent an attacker from accessing secret data. Physical destruction of a device using a small explosive charge may be an option for extremely secure devices, but is not practical for most (if any) consumer electronics. Response mechanisms may also be simpler, such as just logging the type of attack detected and the time it occurred, which can provide useful audit information and help with forensic analysis after an attack. Simply erasing critical portions of memory (also known as "zeroizing") is usually not enough, however, as shown by Gutmann's "Secure Deletion of Data from Magnetic and Solid-State Memory" [5] and "Data Remanence in Semiconductor Devices," [6] along with Skorobogatov's "Low Temperature Data Remanence in Static RAM." [7] Gutmann observes that "contrary to conventional wisdom, volatile semiconductor memory does not entirely lose its contents when power is removed. Both static (SRAM) and dynamic (DRAM) memory retains some information." W.L. Gore's D3 electronic security enclosures are designed to protect the physical security boundary of a module and combine a number of tamper evidence and detection features. The sensor comes as a foldable sheet that is to be wrapped around the product. Conductive ink crisscrosses through the sheet with a maximum distance between traces of 200 to 300 microns (a pitch too small to be drilled through without detection). The electrical state of the sensor changes if the field is broken, which will trigger the product to enable its tamper respondent mechanisms. Gore claims that the device is transparent to X-rays (which may be used to determine the location of the sensor within the product) and that it has been tested against a wide range of reagents and solvents. The outer layer has an opaque resin coating, which conceals all surface details of the sensor and prevents an attacker from seeing any traces. This product also meets the requirements of FIPS 140 Level 4 Specification for Cryptographic Modules. [8] Tamper response mechanisms are unlikely to trigger accidentally. Still, the legitimate user will need to understand the environmental and operational conditions and keep the device within those limits. Many tamper-responsive devices are designed and manufactured with the stipulation that they will never be opened—legitimately or not. https://www.cl.cam.ac.uk/~rja14/Papers/SE-14.pdf - Defence Strateqy ( together with Tamper detection) clearly, as already stated, the major criterion is to design defence mechanisms that provide a very high confidence of intruder detection either during or after the attack, and in doing so make the cost of mounting such an attack greater than the intruder's potential gains. Naturally, since different systems have different levels of potential gain, a "layered" approach to tamper resistance where varying levels of protection are available, is flexible and by its nature affords effective solutions in a cost conscious environment. Defence mechanisms are broadly split into three main areas:i) Access control - for normal operator activity to ensure that unauthorised personnel may not operate the equipment. Since operational requirements will dictate that from time to time audit logs of cryptographic module behaviour must be dumped, master key updates initiated etc., operator access to cryptographic devices must be carefully controlled. This is generally achieved by the fitting of physical keylocks of the appropriate standard( 2, requiring two or more trusted keyholders to initiate the top level security commands. For more stringent system operational requirements, these physical keylocks may be replaced with intelligent token interfaces, for example for smart cards or personal authenticators. (ii) Physical protection - generally mechanical, to ensure that casual substitution and non-invasive attack is difficult. Generally, cryptographic units should be designed to be unique in appearance to avoid the possibility of casual substitution by a lookalike device. Physically strong mounting methods may be provided, although no direct access should be provided to the inside of the crypto unit. Ideally, there should be no ventilation holes, although if these are unavoidable they should be so constructed that it is impossible to gain access to sensitive areas within the device. (iii) Electronics - mechanisms to detect intrusion - both invasive and non-invasive. In the majority of cases keys and other sensitive data are stored in Random Access Memory (RAM) with power supplied by independent battery sources, physically located close to the sensitive electronic devices. Alarm circuits are provided to detect intrusion and cause destruction of secret data. Some typical detector mechanisms are described in the next Section. (iiii) Detectors (i) Dismantlinq: A wide range of sensors is available including simple micro- switches to detect removal of external case screws or lid assemblies, these may be supplemented by magnetic reed switches and permanent magnet actuators on mating surfaces. Active techniques of ultrasonic or infra-red space signature may be utilised, although because of power constraints it may be necessary to pulse these detectors to conserve battery power. After an extended period on battery power, performance of these detection circuits may degrade and it is difficult to make them fail 'safe'. (ii) Physical Removal Unauthorised attempts at moving the device can be detected by tilt and jitter sensors which operate when the device is, for example, tilted more than 20° from the horizontal or subjected to the sort Of vibrations generated by a normal power tool. Additionally, to protect against illegal removal of the power or communications cables, closed-loop alarms should be connected through both security devices and peripherals via the connecting cable assemblies. (iii) Mains Power Variation/Monitoring In order to ensure that no vestigial signal representing secret data appears on the mains power interface to the device, filtering should be employed between the device mains input and the power supply input point, and the power supply low voltage outputs should be adequately filtered and decoupled. Passive transorbs and fuses provide protection against deliberate overvoltage and reverse- voltage attacks on the device while good design practices must be observed when implementing power up/down monitoring circuits designed to protect the integrity of secure data. (iv) Temperature Since the majority of electronic components perform within a temperature specification of, typically, -3OOC to +85OC and these would generally include the alarm detection and key destruction circuitry, rendering these circuits inactive by raising or, more generally accepted, lowering the unit temperature to, typically, - 80°C would render these circuits inactive. Hot and cold temperature attacks are relatively easily detected by the inclusion of temperature sensors within the alarm circuitry which operate at, say, -25OC and +7Ooc although the effect of thermal shock on these devices and the units themselves, due to sudden change in temperature (e.g. by immersion in liquid nitrogen (-195OC)), must be carefully calculated to ensure correct failsafe operation. The choice of temperature detection thresholds is important if false alarming of a device in transit (e.g. an aircraft hold or a car boot) is to be avoided. (v) EMI/RFI In considering the effects of electromagnetic and radio frequency interference, it is apparent that these effects are bi-directional i.e. radiation of signals from the device should not be capable of interpretation to reveal secret data, nor should any external interference source directed at the unit cause it to malfunction or 'latch-up' into a predictable state. This latter effect is particularly important in considering the behaviour of white noise seeded random number circuits which generate encryption keys. In designing device enclosures, material choice and bonding techniques which affect EM1 behaviour are naturally important. It is generally accepted that metal case construction is preferable, and good electro/mechanical designs should be employed to ensure minimum escape of radiated energy. Additional barriers around sensitive component areas may be provided using copper screening cans with modular 'onion skin' construction techniques. Recent advances in spray-on conductive graphite, nickel and silver coatings give EMI/RFI attenuation performance figures of typically greater than 70dB which approach good design objectives of, for example, 1OOdB. A combination of these spray techniques and metal case construction can lead to good EMI/RFI resilience and a reasonable level of physical strength. Drilling and Grinding Encapsulation of the sensitive electronic components holding secure data in a potting resin is a well-known process which certainly acts as a good physical barrier to an intruder wishing to probe the key storage electronics. The simplest method to gain access to the sensitive components is to drill, mill, grind or plane the potted area until sufficiently close to the target and then proceed more carefully using fine hand tools. In order to successfully attack in this way, knowledge of the layout of the PCB and the associated components is desirable and this is best accomplished using X-Rays, the drilling procedure may then be undertaken more accurately. Embedding a fine mesh of multiple layers of randomly located fine wires within the potting or, alternately, integrating a flexible PCB with multiple orientation alarm tracks on it, is a useful detection mechanism against these attacks. It is interesting to note that if the wires are fine enough, accurate detection of their location by X-Ray means is a relatively difficult task. Obviously, all components accessing secure data paths must be enclosed within this encapsulation. In a classical bus-oriented micro computer solution, this obviously applies to all devices having access to the main data and address busses. https://link.springer.com/content/pdf/10.1007/3-540-39118-5_9.pdf