Types of attack and counter-measures
Achieving layered security that protects the whole attack surface
Achieving layered security involves implementing technologies, processes and measures that are designed to protect systems, networks, and data from a range of attacks. Effective security reduces the risk of attacks and protects entities, organizations and individuals from the deliberate exploitation of systems, networks, and technologies.
In the industry, the term security is used to refer to many things that range from hardware blocks to software modules. A better way to look at the concept of security is from the point of view of the attack we are trying to secure against.
At Arm we split the types of attack into four main categories: communication attacks, physical attacks, lifecycle attacks and software attacks. This page will give you some insight into these attacks and how you can protect against them.
Physical attack technologies are often split into two main categories - non-invasive and invasive.
Non-invasive attacks come in a variety of forms and are often referred to as side-channel attacks, which attempt to observe the chip in different ways to gain information. One class of non-invasive attack is perturbation techniques, which cause unintended behaviour in the silicon (altering the power supply voltage and clock signal). Another possible non-invasive attack is the side-channel attack, in which hackers may measure fluctuations in the current consumed or the electromagnetic signals radiated by the device. Distinguishable power and electromagnetic signatures of instructions often allow code to be reconstructed and so can be combined with other techniques to support an attack.
Non-invasive attacks can be particularly dangerous for two reasons:
The owner of the compromised device might not notice that secret keys have been stolen, which makes it difficult to revoke compromised keys before they are abused.
Some types of non-invasive attacks can be scalable, as the necessary equipment can usually be reproduced and updated at low cost.
Invasive attacks can include the removal of the chip package. After the chip is opened, it is possible to perform probing or modification attacks by etching, drilling or laser cutting at least part of the passivation layer. In the past, invasive attacks generally meant significant investment – they required days, or weeks, in a specialized laboratory with highly qualified specialists. Nowadays, the option to rent this equipment (and even the knowledge) is making this attack more accessible.
IoT is about connectivity, which means the device will be sending messages back to a server.
An attacker can use multiple means to intercept, spoof or disrupt those messages. Embedded devices need to deploy best-practice cryptographic defenses to match the increasing value of the assets they communicate.
A device changes hands many times as it goes from the factory to the user and to end of life. We need to somehow protect the integrity of the device as it goes through this cycle. The lifecycle also describes maintenance cycles: is the object repairable, who is repairing it, and what is the process to handle confidential data when it’s being repaired?
It also addresses the response to unplanned or forbidden paths:
What happens if devices are stolen within a warehouse before being instantiated?
What happens if a factory produces more devices than allowed (for example to sell illegally)?
What happens if a device that is in a fixed location (for example, in a factory) connects in a different place with a completely new internet route?
Robust defenses depend on trusted firmware and trusted servers which in turn rely on a key set of hardware features.
Software attacks are the most common: someone finds a way of using existing code to get access to restricted resources.
It could be due to a software bug or to unexpected call sequences that are open to whole classes of exploits such as return-oriented programming.
|Tamper mitigation and side-channel attack mitigation (Physical attacks)|
|Analysis and specification||PSA
|Counter-measure||Arm Mbed Pelion Device Platform
||Arm Mbed Pelion Device Platform||-||-|
|Arm CryptoCell||Arm CryptoCell||-||-|
|Arm CryptoIsland||Arm CryptoIsland||-||-|
|-||-||Arm TrustZone for Armv8-A||-|
|-||-||Arm TrustZone for Armv8-M||-|
|Arm security IP with side-channel attack mitigation
The term cryptography refers to a broad set of techniques which aim to secure communication against adversaries seeking to learn about the communicated content or to alter it. Cryptographic defense methods have several goals:
Assuring that the confidentiality of the content is kept.
Assuring the integrity of the exchanged information, so no one can make undetected changes.
Assuring the authenticity of the exchanged information, so the receiving party can be assured of the origin of the content.
Assuring non-repudiation, so certain actions are non-deniable.
These goals are achieved by cryptographic algorithms employing pieces of secret data known as “keys”. These keys can be of varying length, which determines the "strength" of the cryptographic system. Exposure of a secret key means that the assurances described above cannot be provided. Cryptographic algorithms need to be computationally complex enough that it is infeasible to “break them” (that is, to expose the used secret key) through any practical means.
The Arm CryptoCell and the Arm CryptoIsland families provide software and hardware implementations of several cryptographic algorithms.
The primary method of protection against software attacks is to establish isolation between the various system components. Sensitive data and resources are isolated from general access which limits the amount of damage during an attack. Isolation can also reduce recovery time following an attack by maintaining the integrity of system recovery code. Isolation is achieved by employing mechanisms to control levels of access to data, firmware, and peripherals:
A memory protection unit (MPU).
An IC (and later a device) passes through many stages in its production lifecycle, starting with silicon fabrication and device assembly before moving on to the distribution chain, where further value may be added in several deployment contexts (for example, consumer, enterprise or infrastructure usage scenarios, potentially as part of a managed service), re-purposing, decommissioning, diagnostic and more.
For a device to be trusted by stakeholders such as users and service operators, trust has to be established as early as possible in the lifecycle and maintained throughout. For services to thrive, trust between entities in the device production value chain must be maximized.
Arm addresses the need for early trust establishment and continued maintenance through technology, allowing the chain of trust to be established as early as pre-silicon and for it to be kept throughout the various stages of the production lifecycle.
Anti-tampering safeguards provide resilience to physical attacks. Anti-tampering methods include:
Write the secure portion of the software to be resilient, avoiding information leakage from timing and providing resistance to fault injection.
Securely disable the secondary interfaces.
Protect the cryptography block against side-channel attacks by using IP such as Arm CryptoCell-312P and Arm CryptoIsland-300P, which have side-channel attack mitigation.
Secure the memory system using obfuscation and redundancy.
Employ sensors to monitor and report attacks to the server.
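A sketch of the first anti-tampering method in the list above (software that avoids timing leakage and resists fault injection), given here as an added example and not as Arm's code: a constant-time tag comparison with redundant passes, an iteration-count check and hardened result codes. The names `verify_tag` and `ct_diff` and the constant values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed result codes: complementary multi-bit patterns, so a single
   flipped bit cannot turn "fail" into "ok" (unlike 0/1 booleans). */
#define VERIFY_OK   0x3CA5965Au
#define VERIFY_FAIL 0xC35A69A5u

/* Constant-time difference: always reads all len bytes with no early exit,
   so timing does not reveal where the first mismatch is. The number of
   iterations actually executed is reported through *done. */
static uint32_t ct_diff(const uint8_t *a, const uint8_t *b, size_t len,
                        volatile size_t *done)
{
    volatile uint32_t acc = 0;
    size_t i;
    for (i = 0; i < len; i++)
        acc |= (uint32_t)(a[i] ^ b[i]);
    *done = i;
    return acc;
}

/* Hypothetical helper: compares a received MAC/tag with the expected one. */
uint32_t verify_tag(const uint8_t *expected, const uint8_t *received, size_t len)
{
    volatile size_t n1 = 0, n2 = 0;
    volatile uint32_t d1, d2;

    if (expected == NULL || received == NULL || len == 0)
        return VERIFY_FAIL;

    /* Redundant computation: one glitch must corrupt both passes the same way. */
    d1 = ct_diff(expected, received, len, &n1);
    d2 = ct_diff(received, expected, len, &n2);

    /* A skipped or shortened loop shows up as a wrong iteration count. */
    if (n1 != len || n2 != len)
        return VERIFY_FAIL;
    /* Default-deny: success requires every independent check to agree. */
    if (d1 == 0 && d2 == 0 && (d1 | d2) == 0)
        return VERIFY_OK;
    return VERIFY_FAIL;
}
```

Callers should compare the return value against `VERIFY_OK` explicitly rather than testing it for non-zero, since both result codes are non-zero by design.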