Defending against cache-based side-channel attacks

Cache-based side-channel analysis is a new technique that uses the application-specific behaviour of cache memory to leak secret information about a running algorithm to the attacker. Two complementary methods have been proposed that describe how such attacks could be mounted, but there has been little work on how one might defend devices against the resulting security breaches. This paper surveys a number of hardware- and software-based approaches to defending against such methods of attack and evaluates each using simulated results.     

A new countermeasure against side-channel attacks based on hardware-software co-design

This paper aims at presenting a new countermeasure against Side-Channel Analysis (SCA) attacks, whose implementation is based on a hardware-software co-design. The hardware architecture consists of a microprocessor, which executes the algorithm using a false key, and a coprocessor that performs several operations that are necessary to retrieve the original text that was encrypted with the real key. The coprocessor hardly affects the power consumption of the device, so that any classical attack based on such power consumption would reveal a false key. Additionally, as the operations carried out by the coprocessor are performed in parallel with the microprocessor, the execution time devoted for encrypting a specific text is not affected by the proposed countermeasure. In order to verify the correctness of our proposal, the system was implemented on a Virtex 5 FPGA. Different SCA attacks were performed on several functions of AES algorithm. Experimental results show in all cases that the system is effectively protected by revealing a false encryption key.     

Security distributed state estimation for nonlinear networked systems against DoS attacks

This paper is concerned with security distributed state estimation for nonlinear networked systems against denial‐of‐service attacks. By taking the effects of resource constraints into consideration, an event‐triggered scheme and a quantization mechanism are employed to alleviate the burden of network. A mathematical model of distributed state estimation is constructed for nonlinear networked systems against denial‐of‐service attacks. Sufficient conditions ensuring the exponential stability of the estimation error systems are obtained by utilizing the Lyapunov stability theory. The explicit expressions of the designed state estimators are acquired in terms of the linear matrix inequalities. Finally, a numerical example is used to testify the feasibility of the proposed method.     

SpyDetector: An approach for detecting side-channel attacks at runtime

International Journal of Information Security - In this work, we first present a low-cost, anomaly-based semi-supervised approach, which is instrumental in detecting the presence of ongoing...     

Security enhancements against UMTS–GSM interworking attacks

In this paper we first present three new attacks on Universal Mobile Telecommunication System (UMTS) in access domain. We exploit the interoperation of UMTS network with its predecessor, Global System for Mobile communications (GSMs). Two attacks result in the interception of the entire traffic of the victim UMTS subscriber in the GSM access area of UMTS network. These attacks are applicable, regardless of the strength of the selected GSM encryption algorithm. The third attack is an impersonation attack and allows the attacker to impersonate a genuine UMTS subscriber to a UMTS network and fool the network to provide services at the expense of the victim subscriber. Then, we propose some countermeasures to strengthen the UMTS network against the mentioned attacks with emphasis on the practicality in present networks. The proposed solutions require limited change of the network elements or protocols, insignificant additional computational load on the network elements and negligible additional bandwidth consumption on the network links.     

High-level synthesis,cryptography, and side-channel countermeasures: A comprehensive evaluation

Side-channel attacks pose a severe threat to both software and hardware cryptographic implementations. Current literature presents various countermeasures against these kinds of attacks, based on approaches such as hiding or masking, implemented either in software, or on register–transfer level or gate level in hardware. However, emerging trends in hardware design lean towards a system-level approach, allowing for faster, less error-prone, design process, an efficient hardware/software co-design, or sophisticated validation, verification, and (co)simulation strategies. In this paper, we propose a Boolean masking scheme suitable for high-level synthesis of substitution–permutation network-based encryption. We implement both unprotected and protected PRESENT, AES/Rijndael and Serpent encryption in C language, utilizing the concept of dynamic logic reconfiguration, synthesize it for Xilinx FPGA, and we compare our results regarding time and area utilization. We evaluate the effectiveness of proposed countermeasures using both specific and non-specific t-test leakage assessment methodology. We discuss the leakage assessment results, and we identify and discuss the related limitations of the system-level approach and the high-level synthesis.     

Conventional and machine learning approaches as countermeasures against hardware trojan attacks

Every year, the rate at which technology is applied on areas of our everyday life is increasing at a steady pace. This rapid development drives the technology companies to design and fabricate their integrated circuits (ICs) in non-trustworthy outsourcing foundries to reduce the cost, thus, leaving space for a synchronous form of virus, known as Hardware Trojan (HT), to be developed. HTs leak encrypted information, degrade device performance or lead to total destruction. To reduce the risks associated with these viruses, various approaches have been developed aiming to prevent and detect them, based on conventional or machine learning methods. Ideally, any undesired modification made to an IC should be detectable by pre-silicon verification/simulation and post-silicon testing. The infected circuit can be inserted in different stages of the manufacturing process, rendering the detection of HTs a complicated procedure. In this paper, we present a comprehensive review of research dedicated to countermeasures against HTs embedded into ICs. The literature is grouped in four main categories; (a) conventional HT detection approaches, (b) machine learning for HT countermeasures, (c) design for security and (d) runtime monitor.     

An evaluation of indirect attacks and countermeasures in fingerprint verification systems

Biometric recognition systems are vulnerable to numerous security threats. These include direct attacks to the sensor or indirect attacks, which represent the ones aimed towards internal system modules. In this work, indirect attacks against fingerprint verification systems are analyzed in order to better understand how harmful they can be. Software attacks via hill climbing algorithms are implemented and their success rate is studied under different conditions. In a hill climbing attack, a randomly generated synthetic template is presented to the matcher, and is iteratively modified based on the score output until it is accepted as genuine. Countermeasures against such attacks are reviewed and analyzed, focusing on score quantization as a case study. It is found that hill climbing attacks are highly effective in the process of creating synthetic templates that are accepted by the matcher as genuine ones. We also find that score quantization drastically reduces the attack success rate. We analyze the hill climbing approach over two state-of-the-art fingerprint verification systems: the NIST Fingerprint Image Software 2, running on a PC and a prototype system fully embedded in a smart card (Match-on-Card). Results of both systems are obtained using a sub corpus of the publicly available MCYT database.     

Quantum cloning attacks against PUF-based quantum authentication systems

With the advent of physical unclonable functions (PUFs), PUF-based quantum authentication systems have been proposed for security purposes, and recently, proof-of-principle experiment has been demonstrated. As a further step toward completing the security analysis, we investigate quantum cloning attacks against PUF-based quantum authentication systems and prove that quantum cloning attacks outperform the so-called challenge-estimation attacks. We present the analytical expression of the false-accept probability by use of the corresponding optimal quantum cloning machines and extend the previous results in the literature. In light of these findings, an explicit comparison is made between PUF-based quantum authentication systems and quantum key distribution protocols in the context of cloning attacks. Moreover, from an experimental perspective, a trade-off between the average photon number and the detection efficiency is discussed in detail.     

DoS攻击下电力网络控制系统脆弱性分析及防御

考虑DoS攻击对电力信息物理系统的影响,提出一种电力网络控制系统脆弱节点的检测方法和防御策略,采用分布式控制架构设计传感器和RTU的传输路径.通过求解最稀疏矩阵优化问题,提出一种识别并保护电力通信网脆弱节点和边的方法,保证系统实现安全稳定运行.进一步提出一种可以抵御DoS攻击的电力网络控制系统拓扑设计方法,研究系统遭受DoS攻击时能恢复稳定的电力网络控制系统拓扑连接方式. IEEE 9节点系统用于仿真验证,充分验证了算法的可行性和可靠性,并针对该9节点电力网络控制系统,给出了具体的网络攻击防御策略.     

抗侧信道攻击的安全有效椭圆加密算法

为防御椭圆曲线密码系统的侧信道攻击,针对椭圆曲线密码系统的侧信道攻击主要集中在对标量乘运算的攻击,提出了基于Width-w NAF的改进算法RWNAF(refined Width-wNAF)和FWNAF(fractional Width-w NAF),通过Masking技术隐藏密码算法的真实能量消耗信息,能有效地防御SPA、DPA、RPA与ZPA攻击;通过对密钥d的奇偶性分析,对预计算表进行优化,减少了存储需求和计算开销。FWNAF进一步利用碎片窗口技术,提高了存储资源的利用效率,同时也减少了由于系统资源急剧变化而引发的系统计算性能的抖动现象。     

基于ND的DoS攻击及其对策*

通过深入分析邻居发现协议运行机制,指出了链路可信这个默认前提是导致ND(neighbor discovery)存在安全缺陷的根本原因;随后具体分析了基于ND安全缺陷各种DoS攻击方法,并对ND的安全防护进行了阐述,为进一步研究安全ND奠定了基础.     

Label flipping attacks against Naive Bayes on spam filtering systems

Label flipping attack is a poisoning attack that flips the labels of training samples to reduce the classification performance of the model. Robustness is used to measure the applicability of machine learning algorithms to adversarial attack. Naive Bayes (NB) algorithm is a anti-noise and robust machine learning technique. It shows good robustness when dealing with issues such as document classification and spam filtering. Here we propose two novel label flipping attacks to evaluate the robustness of NB under label noise. For the three datasets of Spambase, TREC 2006c and TREC 2007 in the spam classification domain, our attack goal is to increase the false negative rate of NB under the influence of label noise without affecting normal mail classification. Our evaluation shows that at a noise level of 20%, the false negative rate of Spambase and TREC 2006c has increased by about 20%, and the test error of the TREC 2007 dataset has increased to nearly 30%. We compared the classification accuracy of five classic machine learning algorithms (random forest(RF), support vector machine(SVM), decision tree(DT), logistic regression(LR), and NB) and two deep learning models(AlexNet, LeNet) under the proposed label flipping attacks. The experimental results show that two label noises are suitable for various classification models and effectively reduce the accuracy of the models.

     

Event-triggered robust MPC of nonlinear cyber-physical systems against DoS attacks

This paper proposes an event-triggered robust nonlinear model predictive control (NMPC) frame-work for cyber-physical systems (CPS) in the presence of denial-of...     

Security analysis for cyber‐physical systems under undetectable attacks: A geometric approach

In this paper, the security issues of cyber‐physical systems under undetectable attacks are studied. The geometric control theory is used to investigate the design, implementation, and impact evaluation of undetectable attacks. First, a feedforward‐feedback structure for undetectable attacks is proposed, which provides a designable form for an attack to be undetectable. The corresponding attack strategy is designed via pole placement in the weakly unobservable subspace of the attacked system. Then, the security analysis of several common undetectable attacks injected from actuators, sensors, and the coordinated of the two is discussed. Finally, the simulations on the quadruple‐tank process demonstrate the effectiveness of the proposed methods.     

缓存侧信道攻击与防御

近年来,随着信息技术的发展,信息系统中的缓存侧信道攻击层出不穷.从最早利用缓存计时分析推测密钥的想法提出至今,缓存侧信道攻击已经历了10余年的发展和演进.研究中梳理了信息系统中缓存侧信道攻击风险,并对缓存侧信道攻击的攻击场景、实现层次、攻击目标和攻击原理进行了总结．系统分析了针对缓存侧信道攻击的防御技术,从缓存侧信道攻击防御的不同阶段出发,分析了攻击检测和防御实施2部分研究工作,并基于不同防御原理对防御方法进行分类和分析.最后,总结并讨论了互联网生态体系下缓存侧信道攻击与防御的研究热点,指出缓存侧信道攻击与防御未来的研究方向,为想要在这一领域开始研究工作的研究者提供参考.

     

Stealthy switching attacks on sensors against state estimation in cyber-physical systems

This article focuses on designing sensor attacks to deteriorate the state estimation in cyber-physical systems. The scenario that the malicious attack signals can be injected into different but limited number of sensor communication channels is considered. The state estimation error variations and innovation variations are adopted to measure attack performance and attack stealthiness, respectively. A switching attack strategy is proposed, under which the estimation error variations are driven to the predesigned target value and the norm of innovation variations remains at a small level. The switching attack design problem is formulated as a discrete switched optimal control problem which can be solved by dynamic programming, while the computational burden is heavy. To overcome this difficulty, by using pruning technique to remove the redundant matrices generated in dynamic programming, the quadratic optimization problem becomes numerically tractable. In this way, the suboptimal attack signal sequence and switching sequence can be acquired. Finally, a simulation example is provided to illustrate the effectiveness of the proposed attack strategy.     

Binary-centric defense of production operating systems against kernel queue injection attacks

Kernel callback queues (KQs) are the established mechanism for event handling in modern kernels. Unfortunately, real-world malware has abused KQs to run malicious logic, through an attack called kernel queue injection (KQI). Current kernel-level defense mechanisms have difficulties with KQI attacks, since they work without necessarily changing legitimate kernel code or data. In this paper, we present the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism of KQs. KQguard employs static and dynamic analysis of kernel and device drivers to learn specifications of legitimate event handlers. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK), Windows XP, and Linux, using source code instrumentation or binary patching. Our extensive experimental evaluation shows that KQguard is effective (i.e., it can have zero false positives against representative benign workloads after enough training and very low false negatives against 125 real-world malware), and it incurs a small overhead (up to ~5%). We also present the result of an automated analysis of 1,528 real-world kernel-level malware samples aiming to detect their KQ Injection behaviors. KQguard protects KQs in both Windows and Linux kernels, can accommodate new device drivers, and can support closed source device drivers through dynamic analysis of their binary code.

     

北京市大学生网络安全风险判断现状调查与对策研究

大学生网民作为我国网民的主力军,其网络安全风险判断不容忽视。文章以北京市部分高校大学生为例,运用基于场景的调查问卷法,实证调研北京市大学生网络安全风险判断的现状。结果表明,北京市大学生的网络安全风险判断能力整体较高,对于不同性别、专业与网龄的大学生,其网络安全风险判断存在显著差异。最后根据研究结论提出提升大学生网络安全风险判断能力的对策。