PREVENTING IOT EDGE DEVICE VULNERABILITIES JEFF MILLER, PRODUCT MARKETING & STRATEGY, MENTOR, A SIEMENS BUSINESS

Similar documents
ADDRESSING THE CHALLENGES OF IOT DESIGN JEFF MILLER, PRODUCT MARKETING MANAGER, MENTOR GRAPHICS

RAPID SOC PROOF-OF-CONCEPT FOR ZERO COST JEFF MILLER, PRODUCT MARKETING AND STRATEGY, MENTOR GRAPHICS PHIL BURR, SENIOR PRODUCT MANAGER, ARM

DESIGNING MEMS MICROPHONES FROM CONCEPT TO FINISHED GDSII IN ABOUT TWO WEEKS

Designing for the Internet of Things with Cadence PSpice A/D Technology

Co-simulation Techniques for Mixed Signal Circuits

RF Testing of A Single FPIX1 for BTeV

ECE 2274 Pre-Lab for Experiment Timer Chip

ELEC 4609 IC DESIGN TERM PROJECT: DYNAMIC PRSG v1.2

7 DESIGN ASPECTS OF IoT PCB DESIGNS JOHN MCMILLAN, MENTOR GRAPHICS

International Research Journal of Engineering and Technology (IRJET) e-issn: Volume: 03 Issue: 07 July p-issn:

System Quality Indicators

Adding Analog and Mixed Signal Concerns to a Digital VLSI Course

IoT and the Implications for Security Inside and Outside the Enterprise. Richard Boyer CISO & Chief Architect, Security

Chapter 5 Flip-Flops and Related Devices

7 SEGMENT LED DISPLAY KIT

LAX_x Logic Analyzer

Sharif University of Technology. SoC: Introduction

Bell. Program of Study. Accelerated Digital Electronics. Dave Bell TJHSST

Report on 4-bit Counter design Report- 1, 2. Report on D- Flipflop. Course project for ECE533

What is sync? Why is sync important? How can sync signals be compromised within an A/V system?... 3

Designs with Multiple Clock Domains: Avoiding Clock Skew and Reducing Pattern Count Using DFTAdvisor tm and FastScan tm

UVM Testbench Structure and Coverage Improvement in a Mixed Signal Verification Environment by Mihajlo Katona, Head of Functional Verification, Frobas

Experiment # 4 Counters and Logic Analyzer

Simulation Mismatches Can Foul Up Test-Pattern Verification

Practical considerations of accelerometer noise. Endevco technical paper 324

WiPry 5x User Manual. 2.4 & 5 GHz Wireless Troubleshooting Dual Band Spectrum Analyzer

Laboratory 10. Required Components: Objectives. Introduction. Digital Circuits - Logic and Latching (modified from lab text by Alciatore)

TV Synchronism Generation with PIC Microcontroller

Design of Fault Coverage Test Pattern Generator Using LFSR

nmos transistor Basics of VLSI Design and Test Solution: CMOS pmos transistor CMOS Inverter First-Order DC Analysis CMOS Inverter: Transient Response

Prototyping an ASIC with FPGAs. By Rafey Mahmud, FAE at Synplicity.

Summit Systems Sound Board Modification

Getting Started with the LabVIEW Sound and Vibration Toolkit

2.6 Reset Design Strategy

At-speed Testing of SOC ICs

RX40_V1_0 Measurement Report F.Faccio

Real-time Chatter Compensation based on Embedded Sensing Device in Machine tools

IC Layout Design of Decoders Using DSCH and Microwind Shaik Fazia Kausar MTech, Dr.K.V.Subba Reddy Institute of Technology.

At-speed testing made easy

WiPry 5x User Manual. 2.4 & 5 GHz Wireless Troubleshooting Dual Band Spectrum Analyzer

Testing Digital Systems II

Laboratory 7. Lab 7. Digital Circuits - Logic and Latching

456 SOLID STATE ANALOGUE TAPE + A80 RECORDER MODELS

Figure.1 Clock signal II. SYSTEM ANALYSIS

Scan. This is a sample of the first 15 pages of the Scan chapter.

Whole House Lighting Controller

Decade Counters Mod-5 counter: Decade Counter:

MULTIPLE TPS REHOST FROM GENRAD 2235 TO S9100

How to Categorize Risk in IoT

Design and Simulation of a Digital CMOS Synchronous 4-bit Up-Counter with Set and Reset

EEC 116 Fall 2011 Lab #5: Pipelined 32b Adder

Understanding Compression Technologies for HD and Megapixel Surveillance

EECS150 - Digital Design Lecture 3 - Timing

PCIe: EYE DIAGRAM ANALYSIS IN HYPERLYNX

BER MEASUREMENT IN THE NOISY CHANNEL

Name Of The Experiment: Sequential circuit design Latch, Flip-flop and Registers

Integration of Virtual Instrumentation into a Compressed Electricity and Electronic Curriculum

EL302 DIGITAL INTEGRATED CIRCUITS LAB #3 CMOS EDGE TRIGGERED D FLIP-FLOP. Due İLKER KALYONCU, 10043

Using on-chip Test Pattern Compression for Full Scan SoC Designs

(Refer Slide Time 1:58)

LFSRs as Functional Blocks in Wireless Applications Author: Stephen Lim and Andy Miller

PESIT Bangalore South Campus

CS/EE 6710 Digital VLSI Design CAD Assignment #3 Due Thursday September 21 st, 5:00pm

Lab experience 1: Introduction to LabView

A 5-Gb/s Half-rate Clock Recovery Circuit in 0.25-μm CMOS Technology

ECE 372 Microcontroller Design

ELECTRICAL ENGINEERING DEPARTMENT California Polytechnic State University

Lecture 23 Design for Testability (DFT): Full-Scan (chapter14)

STB Front Panel User s Guide

CHAPTER 3 SEPARATION OF CONDUCTED EMI

Digital to Mixed-Signal Verification of Power Management SOCs Using Questa-ADMS. M. Behaghel

An Efficient IC Layout Design of Decoders and Its Applications

The Micropython Microcontroller

Powerful Software Tools and Methods to Accelerate Test Program Development A Test Systems Strategies, Inc. (TSSI) White Paper.

A Transaction-Oriented UVM-based Library for Verification of Analog Behavior

RFSOI and FDSOI enabling smarter and IoT applications. Kirk Ouellette Digital Products Group STMicroelectronics

AN4184 Application note

Integrated Circuit for Musical Instrument Tuners

ECE 5765 Modern Communication Fall 2005, UMD Experiment 10: PRBS Messages, Eye Patterns & Noise Simulation using PRBS

DIFFERENTIAL CONDITIONAL CAPTURING FLIP-FLOP TECHNIQUE USED FOR LOW POWER CONSUMPTION IN CLOCKING SCHEME

The BAT WAVE ANALYZER project

Automatic Projector Tilt Compensation System


Dual Slope ADC Design from Power, Speed and Area Perspectives

AppNote - Managing noisy RF environment in RC3c. Ver. 4

Lab 1 Introduction to the Software Development Environment and Signal Sampling

LMH0340/LMH0341 SerDes EVK User Guide

ELEN Electronique numérique

4. Formal Equivalence Checking

EMI/EMC diagnostic and debugging

Gyrophone: Recognizing Speech From Gyroscope Signals

Experiment 7: Bit Error Rate (BER) Measurement in the Noisy Channel

The BBC micro:bit: What is it designed to do?

DIGITAL ELECTRONICS: LOGIC AND CLOCKS

Digital Audio Design Validation and Debugging Using PGY-I2C

Noise Detector ND-1 Operating Manual

HU8550 SMART UHD TV 50" 55" 60" 65" 75" 85" SPEC SHEET PRODUCT HIGHLIGHTS. Ultra High Definition 4K (3840 x 2160) UHD Upscaling

16 Stage Bi-Directional LED Sequencer

Hello and welcome to this presentation of the STM32L4 Analog-to-Digital Converter block. It will cover the main features of this block, which is used

Low Power VLSI Circuits and Systems Prof. Ajit Pal Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Transcription:

PREVENTING IOT EDGE DEVICE VULNERABILITIES JEFF MILLER, PRODUCT MARKETING & STRATEGY, MENTOR, A SIEMENS BUSINESS A M S D E S I G N & V E R I F I C A T I O N W H I T E P A P E R w w w. m e n t o r. c o m

As an EDA toolchain provider, Mentor keeps a close eye on security issues that occur in the world of electronics. We see volumes of research centered on protecting complex SoCs from attacks and interesting studies about detecting malicious logic in these ICs. There are studies on preventing recycling of old chips that are sold as new by using odometer circuits, adding co-processors on board to monitor suspicious activity, and techniques to hide chip activity from outside monitoring. Also of concern are the potential touch points along the supply chain in which some security vulnerability could be added to the IC. But, security issues around IoT edge devices are rarely mentioned in the literature. However, the projected billions of IoT edge devices out in the wild makes for a vast attack surface. Should hardware designers be concerned about security for IoT edge devices? And, is it worth the effort and cost to ensure security at this level? We are starting to see a few news reports of actual malicious attacks on IoT edge hardware committed by hackers intending to steal data or wreak havoc. There was a recent attack that occurred through IoT video cameras using a botnet that exploited one particular brand of device whose firmware did not allow the user to change the password. However, there are many reports of serious vulnerabilities uncovered by researchers, universities, and folks intent on publicly exposing the risk: Samsung Smart Home System: researchers at University of Michigan hacked the PIN code to open a locked door and to reset the vacation mode. In a separate hack, a Samsung Smart Fridge was shown to allow the intercept of Gmail credentials when synching to Google Calendar. Jeep Cherokee: security researchers disabled transmission and brakes. This event caught the most attention in the press. Tesla : a DefCon hacker discovered vulnerabilities in the Model S that allowed him to start the car. But, he had to physically connect his laptop to a system bus. Pacemaker: University of Alabama students wirelessly hacked a pacemaker installed in a dummy and sped up and slowed down the device. Mattel Hello Barbie and child monitors: Wi-Fi connectivity allowed interception of conversations between a child and the Barbie doll. And, there are several reports of hacking into child monitors to post live video online. Sniper rifle: a hacker demonstrated to Wired magazine that he could re-direct the aim of a Wi-Fi enabled TrackingPoint sniper rifle. Vulnerabilities in IoT edge hardware fall into 2 major categories (Figure 1): 1. Design: somewhere during the design or fabrication process, someone inserts extra logic that establishes a back-channel to the device. 2. 3 rd -party: an externally-exploitable vulnerability is discovered by a 3 rd -party entity that is used to gain access to the device. 2

DESIGN VULNERABILITIES Figure 1: Design and 3 rd -party vulnerabilities. Design vulnerabilities take place during the IC design flow where someone inserts extra logic in order to create a hidden method of taking control of the chip. Finding extra RTL code, gates, or transistors has always been very difficult. Even matching requirements to implemented logic does not mean that there are some gates or transistors that do not belong. Legitimate extra logic is often inserted by tools to decrease power or to improve timing. And, just because every gate is touched during simulation, does not mean it is part of the official design. EDA tools can play a role in this space, but they cannot exhaustively prevent a determined employee from adding malicious logic. In fact, a paper from the University of Michigan entitled A2: Analog Malicious Hardware 1 shows how tiny and undetectable malicious logic can be. The authors of the paper established very tough requirements for themselves, as they attempted to create a backdoor attack circuit that would be undetectable and deployable by a person at fabrication time. Meaning, someone at a foundry could insert the circuit into a GDSII file after the design team submitted the IC for fabrication. However, the technique that they invented could also be deployed during the design of the IC before handoff to the foundry. All it takes is one person on the inside, determined to open up the IC for attacks. In a novel attack insertion strategy, the authors invented a single gate, analog trigger circuit that is extremely low power and had negligible timing impact (Figure 2). 1 K. Yang, M. Hicks, Q. Dong, T. Austin, D. Sylvester, A2: Analog Malicious Hardware, University of Michigan 3

Figure 2: Analog trigger circuit (Source: University of Michigan). The attack is based on capacitive charge accumulation and the circuit is attached to a wire of a processor register. The capacitor accumulates voltage until a threshold is hit and then triggers the output to deploy the attack payload. The leakage current drains off the charge to disable the trigger (Figure 3). Figure 3: Behavior of the trigger circuit (Source: University of Michigan). By simulating the design using several benchmarks, a victim signal is selected in the design to attach the analog trigger circuit. They look for a signal that is not very active during normal operation based on toggling rates. The circuit is then attached to a supervision register of the processor in order to take control of it and deliver a payload that grants privilege escalation. The circuit was placed into the layout in an unused area of the chip. The team actually fabricated the design and performed extensive testing on the chip. The scary results? All known detection techniques failed to detect the attack circuit. As a result of the authors work, we can see that a single gate, analog circuit can be employed in a design to pull off an inside job (or an outside job at the foundry) with no real means of detecting it. Does this give any hope of detecting malicious design from the inside? The authors offer some ideas, such as splitting the manufacturing of 4

the IC between two foundries to prevent fabrication-time attacks, but research will have to continue in order to address this attack technique. 3 RD -PARTY VULNERABILITIES After the IoT device has been sold and deployed, a 3 rd -party attacker can attempt to find and exploit vulnerabilities in the hardware. If the attack is successful, this could mean that the original IC design team overlooked one or more vulnerabilities during the design and verification of the chip. A different team at the University of Michigan (plus a team member from University of South Carolina) completed a project to see if they could gain control of a MEMS accelerometer already out in the wild. This culminated in the paper WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks. 2 The team investigated if they could find a way to gain control over the MEMS sensor output using sound waves. This is a fascinating study of a third-party vulnerability in a capacitive MEMS accelerometer which is a common device in smartphones. A capacitive MEMS accelerometer typically contains a sensing mass suspended by springs and connected to a variable capacitor. When the device is accelerated, the mass moves, creating an electrical signal due to capacitance change (Figure 4). Using Newton s second law of motion and Hooke s law to form an equation, the measured acceleration can be calculated. Figure 4: How a capacitive MEMS accelerometer works (Source: University of Michigan). Of course, an accelerometer is not just the MEMS component. The MEMS capacitive voltage is typically fed to an amplifier which is low-pass filtered, and then converted to a digital signal using an analog-to-digital converter (ADC). This signal is typically an input to a processor which takes the data and performs the calculation to determine acceleration (Figure 5). That value is then used as a variable in a software program running on the processor that performs some action or presents data to the user. For example, in an RC car that is controlled with a smartphone app, the x-axis accelerometer data created by tilting the phone forward or back, causes the car to move forward or back. 2 T. Trippel, O. Weisse, W. Xu, P. Honeyman, K. Fu, WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks, University of Michigan & University of South Carolina 5

Figure 5: A typical accelerometer system. The university team set out to determine if they could use sound waves to resonate with the moving structures of the MEMS accelerometer to create an out-of-spec pathway through the design in order to attack the processor and take control of it. Initially, the team set up a testing apparatus to check a wide range of commercial accelerometers. And, just to see if the results differed due to process variations in the IC fabrication, they tested two of each. Using a tweeter, they found the resonating frequency of the MEMS component that achieves the maximum displacement of the mass. By hitting this frequency, they noticed two affects: Improperly-designed low-pass filters did not fully suppress the sensor output signals, causing fluctuating output values, which means the sensor thought it was under high vibration. Improperly-designed amplifiers clipped the output signals, causing constant-shifted output, which means the sensor thought it was attached to a rocket with constant acceleration. The devices with improper low-pass filters were designed with a cut-off frequency that was too close to the resonant frequency of the MEMS sensor and the signal slips through to the ADC. A proper low-pass filter completely attenuates the signal. The devices with improper amplifiers showed that the external acoustic trigger displaced the sensing mass to create a signal that exceeded the dynamic range of the amplifier (Figure 6). Figure 6: Responses to sound (Source: University of Michigan). The team found that 75% of the 25 accelerometer devices tested where vulnerable to taking control of the sensor output. The team then set up an experiment to see if they could take control of an RC car driven by a smartphone application. With knowledge of the smartphone accelerometer resonate frequency (from the previous testing of the ICs in the experiments above), they created a malicious music file with the resonating frequency that uses the smartphone speaker for the acoustic attack. The software on the smartphone allows the user to tilt the phone in 6

the direction that they want to move the car, which employs the accelerometer. The music file contained a signal that simulated the output signal to drive the car forward and back (Figure 7). Figure 7: Taking control of an RC car (Source: University of Michigan). Some scary implications of this experiment should be jumping to mind at this point. For example, what if this was a military drone? This project points out several IoT edge device security ideas that should be considered during design and verification of the accelerometer: Designers should not assume that the sensor signal input to a processor is 100% legitimate, without any checking of the signal path. The analog elements of the signal conditioning path can provide an attack surface: The low-pass filter should be designed such that the resonant frequency of the MEMS device does not lie within the transition band, so that the interference signal is fully attenuated. The amplifier should be designed to account for high-amplitude interference noise to prevent signal clipping. Designers should consider an additional filter before the amplifier to filter out the acoustic noise. Why is the team s paper called WALNUT? In another experiment, they took control of an accelerometer output to spoof the sensor to spell out WALNUT (Figure 8). Figure 8: Spoofing the sensor (Source: University of Michigan). 7

The university team went beyond discovering and showing how to prevent accelerometer hacks. They suggest a method to protect devices already deployed. They offer software update ideas to alter the sampling rates of the ADC (this does not help if the amplifier still demonstrates clipping). For example, sampling at random times within the resonant frequency period can prevent an attack on the sensor output. If you are worried by all the accelerometers in the wild being vulnerable to attack, the team did provide the results and potential solutions to the accelerometer vendors. And, some of those vendors have responded. Also, 25% of the tested accelerometers where not vulnerable to these particular attacks. MANAGING VULNERABILITIES WITH SIMULATION It is clear that teams must think about security when designing and verifying sensor-based IoT systems. While the industry has established design flows, standards, and techniques to help digital IC designers ensure complete simulation of the device, AMS designers do not have access to alike solutions. This often leads to incomplete verification of the analog portions of the design, which are prevalent in IoT edge devices. Usually, teams manage analog simulations manually or they use complex and expensive tools that require intricate setup and proprietary test plans before they can deploy a solution. However, the Tanner Designer flow (Figure 9) helps to address this problem by providing an easy way to manage analog verification to track the large number of simulations required to ensure that there are no vulnerabilities in the IC. Figure 9: The Tanner Designer Flow. Each team member creates the schematic, sets up simulations, and creates testbenches in S-Edit for their block. They can then run T-Spice and Eldo simulations that create results. The measurement data from the simulation runs is aggregated into a database and the results are presented in the Tanner Designer dashboard and detailed reports are kept in a Microsoft Excel workbook (Figure 10). As the lifecycle of the project progresses, the team can customize the dashboard and reports within Excel by adding database queries, graphs, and presenting custom information based on measurements. The team uses the power and flexibility of Excel instead of learning a proprietary language or a verification management environment. 8

Figure 10: Tanner Designer Dashboard, driven by Excel workbooks. The team can use Tanner Designer to automate design reviews in order to ensure that all simulations match the test plan and that the simulation runs have all been completed. The Tanner Designer dashboard shows the actual status of the design blocks and the team can interact with reports and the actual design elements like schematics and waveforms to review each block. This ensures that everyone is examining real design data that is always up to date, with no need to generate large review documents. Finally, if a new exploit technique is discovered, it is very easy to add additional tests or testbenches to evaluate if the current design is vulnerable. Tanner Designer automatically discovers new tests and testbenches in the project, re-simulates if necessary, and updates the reports to ensure that as the design evolves it remains invulnerable to attacks and that it stays within specification. 9

CONCLUSION Thanks to the university experiments summarized in this paper, we learn that design vulnerabilities might never be 100% preventable. But, IoT edge device designers do have control over security at the hardware level to protect against 3 rd -party vulnerabilities. Unfortunately, they cannot think of all the ways that the hardware can be exploited ahead of time, but IoT edge device designers need to formulate plausible use cases of attacks on their custom IC. They need a test plan that exercises their device using hostile input and should decide how the device should respond when subjected to these attacks. Tanner Designer can help teams manage all simulations including the additional tests necessary to check for vulnerabilities and assure complete simulation of the test plan. We also learn that security has to be considered by everyone on the design team from the lowest level sensor, to the entire system. To learn more about Tanner Designer, see the web page here. To learn more about creating the building block of an accelerometer, the resonator, using the Tanner flow, see this whitepaper. Experience Tanner AMS Virtual Lab - Immediate access from any current PC web browser Test-drive Tanner Tools and discover the power of its complete IC design flow, including schematic capture, analog simulation, physical layout, and verification. For the latest product information, call us or visit: w w w. m e n t o r. c o m 2017 Mentor Graphics Corporation, all rights reserved. This document contains information that is proprietary to Mentor Graphics Corporation and may be duplicated in whole or in part by the original recipient for internal business purposes only, provided that this entire notice appears in all copies. In accepting this document, the recipient agrees to make every reasonable effort to prevent unauthorized use of this information. All trademarks mentioned in this document are the trademarks of their respective owners. TFD 9-17 TECH16090-w

2024 © artsdocbox.com Privacy Policy | Terms of Service | Feedback