From cfcd5eafb21194e9f05016c8ae8767f8e97d8cd3 Mon Sep 17 00:00:00 2001 From: jaseg Date: Fri, 22 May 2020 15:26:50 +0200 Subject: ma: review attack section --- ma/safety_reset.bib | 35 +++++++++ ma/safety_reset.tex | 203 ++++++++++++++++++++++++++-------------------------- 2 files changed, 135 insertions(+), 103 deletions(-) diff --git a/ma/safety_reset.bib b/ma/safety_reset.bib index c3fc239..609ea00 100644 --- a/ma/safety_reset.bib +++ b/ma/safety_reset.bib @@ -1,4 +1,39 @@ % Encoding: UTF-8 + +@article{pinto01, + author = {Pinto, Sandro and Santos, Nuno}, + title = {Demystifying Arm TrustZone: A Comprehensive Survey}, + year = {2019}, + issue_date = {February 2019}, + publisher = {Association for Computing Machinery}, + address = {New York, NY, USA}, + volume = {51}, + number = {6}, + issn = {0360-0300}, + url = {https://doi.org/10.1145/3291047}, + doi = {10.1145/3291047}, + journal = {ACM Comput. Surv.}, + month = jan, + articleno = {130}, + numpages = {36}, + keywords = {security, TEE, virtualization, Arm, TrustZone, survey} +} + +@inproceedings{kanonov01, + title={Secure containers in Android: the Samsung KNOX case study}, + author={Kanonov, Uri and Wool, Avishai}, + booktitle={Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices}, + pages={3--12}, + year={2016} +} + +@inproceedings{rosenberg01, + title={Qsee trustzone kernel integer over flow vulnerability}, + author={Rosenberg, Dan}, + booktitle={Black Hat conference}, + year={2014} +} + @online{bnetza1, author = {Bundesnetzagentur}, publisher = {Bundesnetzagentur}, diff --git a/ma/safety_reset.tex b/ma/safety_reset.tex index a308910..97a6f93 100644 --- a/ma/safety_reset.tex +++ b/ma/safety_reset.tex @@ -522,7 +522,7 @@ interoperability. In particular in the area of transport security it becomes evi engineering standards body stretched their area of expertise and resorting to established standard protocols would have improved the situation\cite{weith01}. Compared to industry-standard transport security the IEC standards provide a simplistic key management framework based on a static shared key with unlimited lifetime and provide sub-optimal -transport security properties (e.g.\ lack of forward-secrecy). +transport security properties (e.g.\ lack of forward-secrecy)\cite{khurana01,sato01}. % TODO maybe expand this? \subsection{The regulatory situation in selected countries} @@ -806,11 +806,10 @@ their implementation to alleviate the burden on firmware security. If we model the smart grid as a control system responding to changes in inputs by regulating outputs, on a very high level we can see two general categories of attacks: Attacks that directly change the state of the outputs, and attacks that try to influence the outputs indirectly by changing the system's view of its inputs. The former would be an attack -such as one that shuts down a power plant to decrease generation capacity. The latter would be an attack such as one -that forges grid frequency measurements where they enter a power plant's control systems to provoke increasing -oscillation in the amount of power generated by the plant according to the control systems' directions. -% FIXME cite -% TODO expand +such as one that shuts down a power plant to decrease generation capacity\cite{lee01}. The latter would be an attack +such as one that forges grid frequency measurements where they enter a power plant's control systems to provoke +increasing oscillation in the amount of power generated by the plant according to the control systems' +directions\cite{kosut01,wu01,kim01}. \subsubsection{Communication channel attacks} @@ -819,87 +818,86 @@ attacks on IP-connected parts of the core network or attacks on shared busses be substations. Generally, these attacks can be mitigated by securing the aforementioned communication links using modern cryptography. IP links can be protected using TLS, and more low-level busses can be protected using more lightweight Noise\cite{perrin01}-based protocols. + Cryptographic security transforms an attackers ability to manipulate communication contents into a mere denial of service attack. Thus, in addition to cryptographic security safety under DoS conditions must be ensured to ensure continued system performance under attacks. This safety property is identical with the safety required to withstand -random outages of components, such as communications link outages due to physical damage from storms, flooding etc. -% FIXME cite papers on attack impact, on coutermeasures and on attack realization -In general, attacks at the meter level may be hard to weaponize % may be -> weak statement? -since meters are used mostly for billing and forecasting purposes % FIXME cite -and for more critical grid control purposes there exist several additional layers of sensors above smart meters that -limit how much an attacker can falsify smart meter readings without the manipulation being obvious. In order for an +random outages of components, such as communications link outages due to physical damage from storms, flooding +etc\cite{sato01}. In general attacks at the meter level are hard to weaponize. Meters primarily serve billing purposes. +The use of smart meter data for load forecasting is not yet common practice. Additionally smart meter data will only be +used to refine existing forecasting models based on aggregate data collected at higher vantage points in the +distribution grid. This combination of smart metering data with more trusted aggregate data from sensors within the grid +infrastructure limits the potential impact of a data falsification attack on smart meters. It also allows the utility to +identify potentially corrupt meter readings and thus detect manipulation above a certain threshold. In order for an attack to have more far-reaching consequences the attacker would need to compromise additional grid infrastructure\cite{kim01,kosut01}. \subsubsection{Exploiting centralized control systems} -The type of smart grid attack most often cited in popular discourse, and to the author's knowledge % FIXME verify, cite -the only type that has so far been conducted in practice, is a direct attack on centralized control systems. In this -attack, computer components of control systems are compromised by the same techniques used to compromise any other kind -of computer system such as exploiting insecure services running on internet-exposed ports and using one compromised -system to compromised other systems connected with it through an ostensably secure internal network. These attacks are -very powerful as they yield the attacker direct control over whatever outputs the control systems are controlling. If an -attacker manages to compromise a power stations control computers, they may be able to influence generation output or -even cause an emergency shutdown. % FIXME +The type of smart grid attack most often cited in popular discourse, and to the author's knowledge the only type that +has so far been conducted in practice, is a direct attack on centralized control systems. In this attack, computer +components of control systems are compromised by the same techniques used to compromise any other kind of computer +system such as spearfishing, exploiting insecure services running on internet-exposed ports and using one compromised +system to compromise other systems on the same ostensably secure internal network. These attacks are very powerful as +they yield the attacker direct control over whatever outputs the control systems are controlling. If an attacker manages +to compromise the right set of control computers, they may even be able to cause a blackout\cite{lee01}. Despite their potentially large impact, these attacks are only moderately interesting from a scientific perspective. For one, their mitigation mostly consists of a straightforward application of security practices well-known for decades. Though there is room for the implementation of genuinely new, application-specific security systems in this field, the -general state of the art is lacking behind the rest of the computer industry such that the low-hanging fruit should take -priority. % FIXME cite this bold claim very properly +general state of the art is lacking behind other fields of embedded security. From this background low-hanging fruit +should take priority\cite{heise02}. -In addition, given political will these systems can readily be secured since there is only a comparatively small number -of them and driving a technician to every one of them in turn to install some security update is perfectly feasible. +Given political will these systems can readily be secured. There is only a comparatively small number of them and +having a technician drive to every one of them in turn to install a firmware security update is feasible. \subsubsection{Control function exploits} Control function exploits are attacks on the mathematical control loops used by the centralized control system. One -example of such an attack would be resonance attacks as described in \textcite{wu01}. -In this kind of attack, inputs from peripheral sensors indicating grid load to the centralized control system are -carefully modified to cause a disproportionally large oscillation in control system action. This type of attack relies -on complex resonance effects that arise when mechanical generators are electrically coupled. These resonances, -coloquially called ``modes'' are well-studied in power system engineering\cite{rogers01,grebe01,entsoe01}. -% FIXME: refer to section on stability control above here -Even disregarding modern attack scenarios, for stability electrical grids are designed with measures in place to dampen -any resonances inherent to grid structure. Still, requiring an accurate grid model these resonances are hard to analyze -and unlikely to be noiticed under normal operating conditions. - -Mitigation of these attacks is most easily done by on the one hand ensuring unmodified sensor inputs to the control -systems in the first place, and on the other hand carefully designing control systems not to exhibit exploitable -behavior such as oscillations. -% FIXME cite mitigation approaches +example of this type of attack are resonance attacks as described in \textcite{wu01}. In this kind of attack, inputs +from peripheral sensors indicating grid load to the centralized control system are carefully modified to cause a +disproportionally large oscillation in control system action. This type of attack relies on complex resonance effects +that arise when mechanical generators are electrically coupled. These resonances, coloquially called ``modes'' are +well-studied in power system engineering\cite{rogers01,grebe01,entsoe01,crastan03}. Even disregarding modern attack +scenarios, for stability electrical grids are designed with measures in place to dampen any resonances inherent to grid +structure. Still, requiring an accurate grid model these resonances are hard to analyze and unlikely to be noiticed +under normal operating conditions. + +Mitigation of these attacks can be achieved by ensuring unmodified sensor inputs to the control systems in the first +place. Carefully designing control systems not to exhibit exploitable behavior such as oscillations is also possible but +harder. \subsubsection{Endpoint exploits} One rather interesting attack on smart grid systems is one exploiting the grid's endpoint devices such as smart -electricity meters\footnote{ - Though potentially this could also aim at other kinds of devices distributed on a large scale such as sensors in - unmanned substations. % FIXME cite verify -} -These meters are deployed on a massive scale, with several thousand meters deployed for every substation. -% FIXME cite (this should be straightforward) -Thus, once compromised restoration to an uncompromised state can be potentially very difficult if it requires physical -access to thousands of devices hidden inaccessible in private homes. +electricity meters. These meters are deployed on a massive scale, with at least one meter per household on +average\footnote{Some households may have a separate meter for detached properties such as a detached garage or +basement.}. Once compromised, restoration to an uncompromised state can potentially be very difficult if it requires +physical access to thousands of devices hidden inaccessible in private homes. By compromising smart electricity meters, an attacker can trivially forge the distributed energy measurements these devices perform. In a best-case scenario, this might only affect billing and lead to customers being under- or -over-charged if the attack is not noticed in time. However, in a less ideal scenario the energy measurements taken by -these devices migth be used to inform the grid centralized control systems % FIXME cite -and a falsification of these measurements might lead to inefficiency. - -In some countries and for some customers, these smart meters have one additional function that is highly useful to an -attacker: They contain high-current load switches to disconnect the entire household or business in case electricity -bills are left unpaid for a certain period. In countries that use these kinds of systems, the load disconnect is often -simply hooked up to one of the smart merter's central microcontroller's general-purpose IO pins, allowing anyone -compromising this microcontroller's firmware to actuate the load switch at will. % FIXME validate cite add pictures - -Given control over a large number of network-connected smart meters, an attacker might thus be able to cause large-scale -disruptions of power consumption by repeatedly disconnecting and re-connecting a large number of consumers. -% FIXME cite some analysis of this -Combined with an attack method such as the resonance attack from \textcite{wu01} -that was mentioned above, this scenario poses a serious danger to grid stability. - -% FIXME add small-scale load shedding for heaters etc. +over-charged if the attack is not noticed in time. In a less ideal scenario falsified energy measurements reported by +these devices could impede the correct operation of centralized control systems. + +In some countries such as the UK smart meters have one additional function that is highly useful to an attacker: They +contain high-current load switches to disconnect the entire household or business in case electricity bills are left +unpaid for a certain period. In countries that use these kinds of systems on a widespread level, the load disconnect +switch is controlled by the smart meter's central microcontroller. This allows anyone compromising this +microcontroller's firmware to actuate the load switch at will. Given control over a large number of network-connected +smart meters, an attacker might thus be able to cause large-scale disruptions of power consumption\cite{anderson01}. +Combined with an attack method such as the resonance attack from \textcite{wu01} that was mentioned above, this scenario +poses a serious danger to grid stability. + +In places where Demand-Side Management (DSM) is common this functionality may be abused in a similar way. In DSM the +smart metering system directly controls power to certain devices such as heaters. The utility can remotely control the +turn-on and turn-off of these devices to smoothen out the load curve. In exchange the customer is billed a lower price +for the energy consumed by these loads. DSM was traditionally done with de-centralized systems mostly through +low-frequency PLC over the distribution grid. Smart metering systems no longer require large, resource-intensive +transmitters in substations and thus potentially allow the rollout of such technology on a much wider scale than before. +This leads to a potentially significant role of DSM systems in the impact calculation of an attack on a smart metering +system. DSM does not control as much load capacity as remote disconnect switches do. The attacks cited in the above +paragraph still fundamentally apply. \subsection{Attacker models in the smart grid} % FIXME @@ -924,53 +922,52 @@ smart electricity meter implementations mostly stems from the large list of requ with. Additionally, standards have already been written and changes that reduce scope or functionality have become exceedingly unlikely at this point. -A general observation with smart grid systems of any kind is that they comprise a zealous departure of the decentralized +A general observation with smart grid systems of any kind is that they comprise a departure from the decentralized control structure of yesterday's dumb grid and the advent of centralization at an enormous scale. This modern, centralized infrastructure has been carefully designed to defend against malicious actors%FIXME cite and all involved parties have an interest in keeping it secure. Still, like in any other system this centralization also -makes a very attractive target for attackers since an attacker can likewise employ this centralized control to their -goals. Fundamentally, decentralized systems tend to make attacks of any kind a lot more costly and one might question -whether security has truly been gained during smart grid rollout. % FIXME hot take maybe +makes for a very attractive target to attackers. An attacker can employ this centralized control to their advantage. +Decentralized systems tend to make attacks more costly while centralized systems aid their efficiency. From this +perspective the centralization of smart metering control sytems--sometimes at a national level\cite{anderson01}--poses a +security risk. \chapter{Restoring endpoint safety in an age of smart devices} -If as layed out in the previous paragraph we cannot rule out a large-scale compromise of smart energy meters, we have to -rephrase our claim to security. If we cannot rule out exploitation, we have to limit its impact. If we assume that we -cannot strip any functionality from smart meters since it may be required by standards or for enormous social -benefits\cite{mcdaniel01} % FIXME is sarcasm ok here? -all we can do is to flush out an attacker once they are in. - -In a worst-case scenario an attacker would gain unconstrained code execution e.g. by exploiting a flaw in a network -protocol implentation. Since smart meters use standard microcontrollers that do not have advanced memory protection -functions (see pg. \ref{sm-cpu}), at this point we can assume the attacker has full control over the main -microcontroller. With this control they can actuate the load switch if present, transmit data through the device's + +As laid out in the previous paragraph we cannot fully rule out a large-scale compromise of smart energy meters at some +point in the long-term future. We have to rephrase our claim to security. We cannot rule out exploitation: We have to +limit its impact. Assuming that we cannot strip any functionality from smart meters (it may be required by standards or +for enormous social benefits\cite{mcdaniel01}). All we can do is to flush out an attacker once they are in, i.e.\ +mitigation instead of prevention. + +In a worst-case scenario an attacker would gain unconstrained code execution (e.g.\ by exploiting a flaw in a network +protocol implentation). Smart meters use standard microcontrollers that do not have advanced memory protection functions +(cf.\ Section \ref{sm-cpu}). We can assume the attacker has full control over the main microcontroller given any such +flaw. With this control they can actuate the load switch if present. They can transmit data through the device's communication interfaces or use the user interface components such as LEDs and the LCD. Using the self-programming -capabilities of modern flash microcontrollers, an attacker may even gain persistency without much trouble. Note that in -systems separating cryptographic functions into some form of cryptographic module such as systems used in Germany - % TODO list other countries as well? FIXME cite BSI standard requiring this -we can be optimistic and assume the attacker has not in fact compromised this cryptographic co-processor yet and does -not have access to any cryptographic secrets yet. - -Given that the attacker has complete control over the meter's core microcontroller and given that due to cost -constraints we are bound to use whatever microcontroller the meter OEM has chosen for their design, we cannot rely on -software running on the core mircocontroller to restore system integrity. - -Our solution to this problem is to add another, very small microcontroller to the smart meter design. This -microcontroller will contain a small piece of software to receive cryptographically authenticated commands from utility -companies and on demand reset the meter's core microcontroller to a known-good state. We have to assume the code in the -core controller's flash memory has been compromised, so our only option to flush out an attacker is to re-program the -core microcontroller in its entirety. We propose using JTAG to re-program the core microcontroller - % TODO get terminology consistent. Is "core microcontroller" a good term here? -with a known-good firmware image read from a sufficiently large SPI flash connected to the reset controller. JTAG is -supported by most microcontrollers complex enough to end up in a smart meter design % TODO colloquialism -and given adequate documentation JTAG programming functionality can be ported to new microcontrollers with relatively -little work. - -On the microcontroller side our solution requires the JTAG interface to be activated (i.e. not fused-shut) and for our -solution to work core microcontroller firmware must not be able to permanently disable the JTAG interface from within. -In microcontrollers that do not yet provide this functionality this is a minor change that could be added to a custom +capabilities of flash microcontrollers an attacker may even gain persistency. Note that in systems separating +cryptographic functions into some form of cryptographic module\footnote{such as systems used in +Germany\cite{bsi-tr-03109}.} we can be optimistic and assume the attacker has not yet compromised this cryptographic +co-processor. + +With the meter's core microcontroller under attacker control we cannot use this microcontroller to restore control over +the system. We have no way of ensuring the attacker does not simply delete a security mechanism we include in the core +microcontroller's firmware. + +Our solution to this problem is to add another smaller microcontroller to the smart meter design. This microcontroller +will contain a small piece of software that receives cryptographically authenticated commands from utility companies. On +demand it can reset the meter's core microcontroller to a known-good state. To reliably flush out an attacker from a +compromised core microcontroller we re-program the core microcontroller in its entirety. We propose using JTAG to +re-program the core microcontroller with a known-good firmware image read from a sufficiently large SPI flash connected +to the reset controller. JTAG is supported by most microcontrollers complex enough to be used in a smart meter design. +JTAG programming functionality can be ported to a new microcontroller with relatively little work. + +Our solution requires the core mircocontroller's JTAG interface to be activated (i.e. not fused-shut). For our solution +to work the core microcontroller firmware must not be able to permanently disable the JTAG interface by itself. In +microcontrollers that do not yet provide this functionality this is a minor change that could be added to a custom microcontroller variant at low cost. On most microcontrollers keeping JTAG open should not interfere with code readout -protection. Code secrecy should be of no concern\cite{schneier01} here but besides security manufacturers have strong -preferences about this due to fear of copyright infringement. +protection\footnote{Readout protection usually forces a device erase before allowing JTAG access.}. Code secrecy should +be of no concern\cite{schneier01} here but some manufacturers have strong preferences due to a fear of copyright +infringement. \section{The theory of endpoint safety} \label{sec_criteria} -- cgit