ma: review attack section
This commit is contained in:
jaseg
parent
278a0b727b
commit
cfcd5eafb2
2 changed files with 128 additions and 96 deletions
|
|
@ -1,4 +1,39 @@
|
|||
% Encoding: UTF-8
|
||||
|
||||
@article{pinto01,
|
||||
author = {Pinto, Sandro and Santos, Nuno},
|
||||
title = {Demystifying Arm TrustZone: A Comprehensive Survey},
|
||||
year = {2019},
|
||||
issue_date = {February 2019},
|
||||
publisher = {Association for Computing Machinery},
|
||||
address = {New York, NY, USA},
|
||||
volume = {51},
|
||||
number = {6},
|
||||
issn = {0360-0300},
|
||||
url = {https://doi.org/10.1145/3291047},
|
||||
doi = {10.1145/3291047},
|
||||
journal = {ACM Comput. Surv.},
|
||||
month = jan,
|
||||
articleno = {130},
|
||||
numpages = {36},
|
||||
keywords = {security, TEE, virtualization, Arm, TrustZone, survey}
|
||||
}
|
||||
|
||||
@inproceedings{kanonov01,
|
||||
title={Secure containers in Android: the Samsung KNOX case study},
|
||||
author={Kanonov, Uri and Wool, Avishai},
|
||||
booktitle={Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices},
|
||||
pages={3--12},
|
||||
year={2016}
|
||||
}
|
||||
|
||||
@inproceedings{rosenberg01,
|
||||
title={Qsee trustzone kernel integer over flow vulnerability},
|
||||
author={Rosenberg, Dan},
|
||||
booktitle={Black Hat conference},
|
||||
year={2014}
|
||||
}
|
||||
|
||||
@online{bnetza1,
|
||||
author = {Bundesnetzagentur},
|
||||
publisher = {Bundesnetzagentur},
|
||||
|
|
|
|||
|
|
@ -522,7 +522,7 @@ interoperability. In particular in the area of transport security it becomes evi
|
|||
engineering standards body stretched their area of expertise and resorting to established standard protocols would have
|
||||
improved the situation\cite{weith01}. Compared to industry-standard transport security the IEC standards provide
|
||||
a simplistic key management framework based on a static shared key with unlimited lifetime and provide sub-optimal
|
||||
transport security properties (e.g.\ lack of forward-secrecy).
|
||||
transport security properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sato01}.
|
||||
% TODO maybe expand this?
|
||||
|
||||
\subsection{The regulatory situation in selected countries}
|
||||
|
|
@ -806,11 +806,10 @@ their implementation to alleviate the burden on firmware security.
|
|||
If we model the smart grid as a control system responding to changes in inputs by regulating outputs, on a very high
|
||||
level we can see two general categories of attacks: Attacks that directly change the state of the outputs, and attacks
|
||||
that try to influence the outputs indirectly by changing the system's view of its inputs. The former would be an attack
|
||||
such as one that shuts down a power plant to decrease generation capacity. The latter would be an attack such as one
|
||||
that forges grid frequency measurements where they enter a power plant's control systems to provoke increasing
|
||||
oscillation in the amount of power generated by the plant according to the control systems' directions.
|
||||
% FIXME cite
|
||||
% TODO expand
|
||||
such as one that shuts down a power plant to decrease generation capacity\cite{lee01}. The latter would be an attack
|
||||
such as one that forges grid frequency measurements where they enter a power plant's control systems to provoke
|
||||
increasing oscillation in the amount of power generated by the plant according to the control systems'
|
||||
directions\cite{kosut01,wu01,kim01}.
|
||||
|
||||
\subsubsection{Communication channel attacks}
|
||||
|
||||
|
|
@ -819,87 +818,86 @@ attacks on IP-connected parts of the core network or attacks on shared busses be
|
|||
substations. Generally, these attacks can be mitigated by securing the aforementioned communication links using modern
|
||||
cryptography. IP links can be protected using TLS, and more low-level busses can be protected using more lightweight
|
||||
Noise\cite{perrin01}-based protocols.
|
||||
|
||||
Cryptographic security transforms an attackers ability to manipulate communication contents into a mere denial of
|
||||
service attack. Thus, in addition to cryptographic security safety under DoS conditions must be ensured to ensure
|
||||
continued system performance under attacks. This safety property is identical with the safety required to withstand
|
||||
random outages of components, such as communications link outages due to physical damage from storms, flooding etc.
|
||||
% FIXME cite papers on attack impact, on coutermeasures and on attack realization
|
||||
In general, attacks at the meter level may be hard to weaponize % may be -> weak statement?
|
||||
since meters are used mostly for billing and forecasting purposes % FIXME cite
|
||||
and for more critical grid control purposes there exist several additional layers of sensors above smart meters that
|
||||
limit how much an attacker can falsify smart meter readings without the manipulation being obvious. In order for an
|
||||
random outages of components, such as communications link outages due to physical damage from storms, flooding
|
||||
etc\cite{sato01}. In general attacks at the meter level are hard to weaponize. Meters primarily serve billing purposes.
|
||||
The use of smart meter data for load forecasting is not yet common practice. Additionally smart meter data will only be
|
||||
used to refine existing forecasting models based on aggregate data collected at higher vantage points in the
|
||||
distribution grid. This combination of smart metering data with more trusted aggregate data from sensors within the grid
|
||||
infrastructure limits the potential impact of a data falsification attack on smart meters. It also allows the utility to
|
||||
identify potentially corrupt meter readings and thus detect manipulation above a certain threshold. In order for an
|
||||
attack to have more far-reaching consequences the attacker would need to compromise additional grid
|
||||
infrastructure\cite{kim01,kosut01}.
|
||||
|
||||
\subsubsection{Exploiting centralized control systems}
|
||||
|
||||
The type of smart grid attack most often cited in popular discourse, and to the author's knowledge % FIXME verify, cite
|
||||
the only type that has so far been conducted in practice, is a direct attack on centralized control systems. In this
|
||||
attack, computer components of control systems are compromised by the same techniques used to compromise any other kind
|
||||
of computer system such as exploiting insecure services running on internet-exposed ports and using one compromised
|
||||
system to compromised other systems connected with it through an ostensably secure internal network. These attacks are
|
||||
very powerful as they yield the attacker direct control over whatever outputs the control systems are controlling. If an
|
||||
attacker manages to compromise a power stations control computers, they may be able to influence generation output or
|
||||
even cause an emergency shutdown. % FIXME
|
||||
The type of smart grid attack most often cited in popular discourse, and to the author's knowledge the only type that
|
||||
has so far been conducted in practice, is a direct attack on centralized control systems. In this attack, computer
|
||||
components of control systems are compromised by the same techniques used to compromise any other kind of computer
|
||||
system such as spearfishing, exploiting insecure services running on internet-exposed ports and using one compromised
|
||||
system to compromise other systems on the same ostensably secure internal network. These attacks are very powerful as
|
||||
they yield the attacker direct control over whatever outputs the control systems are controlling. If an attacker manages
|
||||
to compromise the right set of control computers, they may even be able to cause a blackout\cite{lee01}.
|
||||
|
||||
Despite their potentially large impact, these attacks are only moderately interesting from a scientific perspective. For
|
||||
one, their mitigation mostly consists of a straightforward application of security practices well-known for decades.
|
||||
Though there is room for the implementation of genuinely new, application-specific security systems in this field, the
|
||||
general state of the art is lacking behind the rest of the computer industry such that the low-hanging fruit should take
|
||||
priority. % FIXME cite this bold claim very properly
|
||||
general state of the art is lacking behind other fields of embedded security. From this background low-hanging fruit
|
||||
should take priority\cite{heise02}.
|
||||
|
||||
In addition, given political will these systems can readily be secured since there is only a comparatively small number
|
||||
of them and driving a technician to every one of them in turn to install some security update is perfectly feasible.
|
||||
Given political will these systems can readily be secured. There is only a comparatively small number of them and
|
||||
having a technician drive to every one of them in turn to install a firmware security update is feasible.
|
||||
|
||||
\subsubsection{Control function exploits}
|
||||
|
||||
Control function exploits are attacks on the mathematical control loops used by the centralized control system. One
|
||||
example of such an attack would be resonance attacks as described in \textcite{wu01}.
|
||||
In this kind of attack, inputs from peripheral sensors indicating grid load to the centralized control system are
|
||||
carefully modified to cause a disproportionally large oscillation in control system action. This type of attack relies
|
||||
on complex resonance effects that arise when mechanical generators are electrically coupled. These resonances,
|
||||
coloquially called ``modes'' are well-studied in power system engineering\cite{rogers01,grebe01,entsoe01}.
|
||||
% FIXME: refer to section on stability control above here
|
||||
Even disregarding modern attack scenarios, for stability electrical grids are designed with measures in place to dampen
|
||||
any resonances inherent to grid structure. Still, requiring an accurate grid model these resonances are hard to analyze
|
||||
and unlikely to be noiticed under normal operating conditions.
|
||||
example of this type of attack are resonance attacks as described in \textcite{wu01}. In this kind of attack, inputs
|
||||
from peripheral sensors indicating grid load to the centralized control system are carefully modified to cause a
|
||||
disproportionally large oscillation in control system action. This type of attack relies on complex resonance effects
|
||||
that arise when mechanical generators are electrically coupled. These resonances, coloquially called ``modes'' are
|
||||
well-studied in power system engineering\cite{rogers01,grebe01,entsoe01,crastan03}. Even disregarding modern attack
|
||||
scenarios, for stability electrical grids are designed with measures in place to dampen any resonances inherent to grid
|
||||
structure. Still, requiring an accurate grid model these resonances are hard to analyze and unlikely to be noiticed
|
||||
under normal operating conditions.
|
||||
|
||||
Mitigation of these attacks is most easily done by on the one hand ensuring unmodified sensor inputs to the control
|
||||
systems in the first place, and on the other hand carefully designing control systems not to exhibit exploitable
|
||||
behavior such as oscillations.
|
||||
% FIXME cite mitigation approaches
|
||||
Mitigation of these attacks can be achieved by ensuring unmodified sensor inputs to the control systems in the first
|
||||
place. Carefully designing control systems not to exhibit exploitable behavior such as oscillations is also possible but
|
||||
harder.
|
||||
|
||||
\subsubsection{Endpoint exploits}
|
||||
|
||||
One rather interesting attack on smart grid systems is one exploiting the grid's endpoint devices such as smart
|
||||
electricity meters\footnote{
|
||||
Though potentially this could also aim at other kinds of devices distributed on a large scale such as sensors in
|
||||
unmanned substations. % FIXME cite verify
|
||||
}
|
||||
These meters are deployed on a massive scale, with several thousand meters deployed for every substation.
|
||||
% FIXME cite (this should be straightforward)
|
||||
Thus, once compromised restoration to an uncompromised state can be potentially very difficult if it requires physical
|
||||
access to thousands of devices hidden inaccessible in private homes.
|
||||
electricity meters. These meters are deployed on a massive scale, with at least one meter per household on
|
||||
average\footnote{Some households may have a separate meter for detached properties such as a detached garage or
|
||||
basement.}. Once compromised, restoration to an uncompromised state can potentially be very difficult if it requires
|
||||
physical access to thousands of devices hidden inaccessible in private homes.
|
||||
|
||||
By compromising smart electricity meters, an attacker can trivially forge the distributed energy measurements these
|
||||
devices perform. In a best-case scenario, this might only affect billing and lead to customers being under- or
|
||||
over-charged if the attack is not noticed in time. However, in a less ideal scenario the energy measurements taken by
|
||||
these devices migth be used to inform the grid centralized control systems % FIXME cite
|
||||
and a falsification of these measurements might lead to inefficiency.
|
||||
over-charged if the attack is not noticed in time. In a less ideal scenario falsified energy measurements reported by
|
||||
these devices could impede the correct operation of centralized control systems.
|
||||
|
||||
In some countries and for some customers, these smart meters have one additional function that is highly useful to an
|
||||
attacker: They contain high-current load switches to disconnect the entire household or business in case electricity
|
||||
bills are left unpaid for a certain period. In countries that use these kinds of systems, the load disconnect is often
|
||||
simply hooked up to one of the smart merter's central microcontroller's general-purpose IO pins, allowing anyone
|
||||
compromising this microcontroller's firmware to actuate the load switch at will. % FIXME validate cite add pictures
|
||||
In some countries such as the UK smart meters have one additional function that is highly useful to an attacker: They
|
||||
contain high-current load switches to disconnect the entire household or business in case electricity bills are left
|
||||
unpaid for a certain period. In countries that use these kinds of systems on a widespread level, the load disconnect
|
||||
switch is controlled by the smart meter's central microcontroller. This allows anyone compromising this
|
||||
microcontroller's firmware to actuate the load switch at will. Given control over a large number of network-connected
|
||||
smart meters, an attacker might thus be able to cause large-scale disruptions of power consumption\cite{anderson01}.
|
||||
Combined with an attack method such as the resonance attack from \textcite{wu01} that was mentioned above, this scenario
|
||||
poses a serious danger to grid stability.
|
||||
|
||||
Given control over a large number of network-connected smart meters, an attacker might thus be able to cause large-scale
|
||||
disruptions of power consumption by repeatedly disconnecting and re-connecting a large number of consumers.
|
||||
% FIXME cite some analysis of this
|
||||
Combined with an attack method such as the resonance attack from \textcite{wu01}
|
||||
that was mentioned above, this scenario poses a serious danger to grid stability.
|
||||
|
||||
% FIXME add small-scale load shedding for heaters etc.
|
||||
In places where Demand-Side Management (DSM) is common this functionality may be abused in a similar way. In DSM the
|
||||
smart metering system directly controls power to certain devices such as heaters. The utility can remotely control the
|
||||
turn-on and turn-off of these devices to smoothen out the load curve. In exchange the customer is billed a lower price
|
||||
for the energy consumed by these loads. DSM was traditionally done with de-centralized systems mostly through
|
||||
low-frequency PLC over the distribution grid. Smart metering systems no longer require large, resource-intensive
|
||||
transmitters in substations and thus potentially allow the rollout of such technology on a much wider scale than before.
|
||||
This leads to a potentially significant role of DSM systems in the impact calculation of an attack on a smart metering
|
||||
system. DSM does not control as much load capacity as remote disconnect switches do. The attacks cited in the above
|
||||
paragraph still fundamentally apply.
|
||||
|
||||
\subsection{Attacker models in the smart grid}
|
||||
% FIXME
|
||||
|
|
@ -924,53 +922,52 @@ smart electricity meter implementations mostly stems from the large list of requ
|
|||
with. Additionally, standards have already been written and changes that reduce scope or functionality have become
|
||||
exceedingly unlikely at this point.
|
||||
|
||||
A general observation with smart grid systems of any kind is that they comprise a zealous departure of the decentralized
|
||||
A general observation with smart grid systems of any kind is that they comprise a departure from the decentralized
|
||||
control structure of yesterday's dumb grid and the advent of centralization at an enormous scale. This modern,
|
||||
centralized infrastructure has been carefully designed to defend against malicious actors%FIXME cite
|
||||
and all involved parties have an interest in keeping it secure. Still, like in any other system this centralization also
|
||||
makes a very attractive target for attackers since an attacker can likewise employ this centralized control to their
|
||||
goals. Fundamentally, decentralized systems tend to make attacks of any kind a lot more costly and one might question
|
||||
whether security has truly been gained during smart grid rollout. % FIXME hot take maybe
|
||||
makes for a very attractive target to attackers. An attacker can employ this centralized control to their advantage.
|
||||
Decentralized systems tend to make attacks more costly while centralized systems aid their efficiency. From this
|
||||
perspective the centralization of smart metering control sytems--sometimes at a national level\cite{anderson01}--poses a
|
||||
security risk.
|
||||
|
||||
\chapter{Restoring endpoint safety in an age of smart devices}
|
||||
If as layed out in the previous paragraph we cannot rule out a large-scale compromise of smart energy meters, we have to
|
||||
rephrase our claim to security. If we cannot rule out exploitation, we have to limit its impact. If we assume that we
|
||||
cannot strip any functionality from smart meters since it may be required by standards or for enormous social
|
||||
benefits\cite{mcdaniel01} % FIXME is sarcasm ok here?
|
||||
all we can do is to flush out an attacker once they are in.
|
||||
|
||||
In a worst-case scenario an attacker would gain unconstrained code execution e.g. by exploiting a flaw in a network
|
||||
protocol implentation. Since smart meters use standard microcontrollers that do not have advanced memory protection
|
||||
functions (see pg. \ref{sm-cpu}), at this point we can assume the attacker has full control over the main
|
||||
microcontroller. With this control they can actuate the load switch if present, transmit data through the device's
|
||||
As laid out in the previous paragraph we cannot fully rule out a large-scale compromise of smart energy meters at some
|
||||
point in the long-term future. We have to rephrase our claim to security. We cannot rule out exploitation: We have to
|
||||
limit its impact. Assuming that we cannot strip any functionality from smart meters (it may be required by standards or
|
||||
for enormous social benefits\cite{mcdaniel01}). All we can do is to flush out an attacker once they are in, i.e.\
|
||||
mitigation instead of prevention.
|
||||
|
||||
In a worst-case scenario an attacker would gain unconstrained code execution (e.g.\ by exploiting a flaw in a network
|
||||
protocol implentation). Smart meters use standard microcontrollers that do not have advanced memory protection functions
|
||||
(cf.\ Section \ref{sm-cpu}). We can assume the attacker has full control over the main microcontroller given any such
|
||||
flaw. With this control they can actuate the load switch if present. They can transmit data through the device's
|
||||
communication interfaces or use the user interface components such as LEDs and the LCD. Using the self-programming
|
||||
capabilities of modern flash microcontrollers, an attacker may even gain persistency without much trouble. Note that in
|
||||
systems separating cryptographic functions into some form of cryptographic module such as systems used in Germany
|
||||
% TODO list other countries as well? FIXME cite BSI standard requiring this
|
||||
we can be optimistic and assume the attacker has not in fact compromised this cryptographic co-processor yet and does
|
||||
not have access to any cryptographic secrets yet.
|
||||
capabilities of flash microcontrollers an attacker may even gain persistency. Note that in systems separating
|
||||
cryptographic functions into some form of cryptographic module\footnote{such as systems used in
|
||||
Germany\cite{bsi-tr-03109}.} we can be optimistic and assume the attacker has not yet compromised this cryptographic
|
||||
co-processor.
|
||||
|
||||
Given that the attacker has complete control over the meter's core microcontroller and given that due to cost
|
||||
constraints we are bound to use whatever microcontroller the meter OEM has chosen for their design, we cannot rely on
|
||||
software running on the core mircocontroller to restore system integrity.
|
||||
With the meter's core microcontroller under attacker control we cannot use this microcontroller to restore control over
|
||||
the system. We have no way of ensuring the attacker does not simply delete a security mechanism we include in the core
|
||||
microcontroller's firmware.
|
||||
|
||||
Our solution to this problem is to add another, very small microcontroller to the smart meter design. This
|
||||
microcontroller will contain a small piece of software to receive cryptographically authenticated commands from utility
|
||||
companies and on demand reset the meter's core microcontroller to a known-good state. We have to assume the code in the
|
||||
core controller's flash memory has been compromised, so our only option to flush out an attacker is to re-program the
|
||||
core microcontroller in its entirety. We propose using JTAG to re-program the core microcontroller
|
||||
% TODO get terminology consistent. Is "core microcontroller" a good term here?
|
||||
with a known-good firmware image read from a sufficiently large SPI flash connected to the reset controller. JTAG is
|
||||
supported by most microcontrollers complex enough to end up in a smart meter design % TODO colloquialism
|
||||
and given adequate documentation JTAG programming functionality can be ported to new microcontrollers with relatively
|
||||
little work.
|
||||
Our solution to this problem is to add another smaller microcontroller to the smart meter design. This microcontroller
|
||||
will contain a small piece of software that receives cryptographically authenticated commands from utility companies. On
|
||||
demand it can reset the meter's core microcontroller to a known-good state. To reliably flush out an attacker from a
|
||||
compromised core microcontroller we re-program the core microcontroller in its entirety. We propose using JTAG to
|
||||
re-program the core microcontroller with a known-good firmware image read from a sufficiently large SPI flash connected
|
||||
to the reset controller. JTAG is supported by most microcontrollers complex enough to be used in a smart meter design.
|
||||
JTAG programming functionality can be ported to a new microcontroller with relatively little work.
|
||||
|
||||
On the microcontroller side our solution requires the JTAG interface to be activated (i.e. not fused-shut) and for our
|
||||
solution to work core microcontroller firmware must not be able to permanently disable the JTAG interface from within.
|
||||
In microcontrollers that do not yet provide this functionality this is a minor change that could be added to a custom
|
||||
Our solution requires the core mircocontroller's JTAG interface to be activated (i.e. not fused-shut). For our solution
|
||||
to work the core microcontroller firmware must not be able to permanently disable the JTAG interface by itself. In
|
||||
microcontrollers that do not yet provide this functionality this is a minor change that could be added to a custom
|
||||
microcontroller variant at low cost. On most microcontrollers keeping JTAG open should not interfere with code readout
|
||||
protection. Code secrecy should be of no concern\cite{schneier01} here but besides security manufacturers have strong
|
||||
preferences about this due to fear of copyright infringement.
|
||||
protection\footnote{Readout protection usually forces a device erase before allowing JTAG access.}. Code secrecy should
|
||||
be of no concern\cite{schneier01} here but some manufacturers have strong preferences due to a fear of copyright
|
||||
infringement.
|
||||
|
||||
\section{The theory of endpoint safety}
|
||||
\label{sec_criteria}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue