Our power grid is rapidly changing. Gone are the days in which both production and consumption of power has been relatively easy to predict. With renewable energy as a producer and ubiquitous high-power equipment in many households, we now face a landscape in which the grid frequency stability is more difficult to maintain. While previously all this high-power equipment was in the control of network operators and energy suppliers, it now has decentralized and moved into the control of consumers. Without Demand Response Capabilities, these devices are out of reach and grid operators can only passively react to whatever is happening downstream. Therefore, it is our position that Demand Response Capabilities is a welcome and inevitable evolution of our power grids – while at the same time we see greater risks than ever before when part of critical infrastructure is now in physical control of consumers, with unlimited time to attempt to tamper with them. We support Demand Response Capabilities, but argue that if they are implemented, it is imperative they be implemented securely.

With security set as a design goal, a different conundrum arises at the same time: what constitutes an appropriate security for the level of risk involved? This is not just a technical question, but also a question that goes into lifecycles of products and their maintenance. New vulnerabilities are discovered in an alarming rate for even the most sophisticated systems. It would be naı̈ve to assume that new systems can be built which do not have any of these issues. Therefore, the question of proper handling and mitigation is one that needs to be answered to allow for secure ongoing operation of a smart grid.

We usually scrutinize security of embedded systems under an extraordinarily sophisticated attacker model: the adversary has physical possession of the target and unlimited time to break it. For the defensive side, this forms an exceptionally challenging scenario. This thesis studies fortification of systems against such adversaries. The principal contributions lie in the field of embedded security, where we explore methods of building secure systems in a resource-efficient manner. This allows implementation of our countermeasures on resource-constrained microcontrollers. While these have a detrimental effect on runtime performance, the cost of the hardware itself remains unaffected, thereby providing an attractive and inexpensive alternative to hardware countermeasures. Next, we will briefly outline our contributions.

Attacks such as Differential Power Analysis (DPA) enable adversaries to exploit even the most minute differences in data dependent energy consumption. To make it more difficult for attackers to gain access to secrets within a chip, effective countermeasures need to be employed. One technique, implemented using only software, is described by us as a first contribution. We use binary recompilation to achieve binary code polymorphism. This causes different characteristic emission patterns for each call of a protected cryptographic primitive. Due to extensive and sophisticated pre-calculations which we perform at compile time, execution is extremely fast during runtime.

Since not only power consumption but also timing differences are something that attackers can exploit with great accuracy, we studied detection of timing leaks. Considering the architecture of today's increasingly complex microcontrollers, manual estimation of runtime has become virtually infeasible. Therefore, as a second contribution, we developed a behavioral Cortex-M core emulator which permits cycle-accurate simulation. We show how to incorporate such an emulator in a semi-automatic vetting process. After compilation, all security-relevant routines within the code are analyzed and checked for timing discrepancies.

The complexity of modern microcontroller units (MCUs) is shown from a different angle when considering attackers who can manipulate firmware. Since the reduction of electromagnetic interference (EMI) is an important goal of system designers, many recent MCUs already include software-tunable EMI countermeasures. In our third contribution, we show how these anti-EMI peripherals can be abused to construct covert channels. Unfortunately for the defensive side, these channels operate in the radio frequency domain and thus could be used for wireless transmission of data — even when the benign application was never intended to perform such communication. We describe how changes in parasitic electromagnetic emission can be used to encode data and what hardware is necessary to recover this data.

To increase the resistance of embedded systems against physical attacks, it is common to use special semiconductors which employ hardware countermeasures. The downside of such integration is that the specialized device usually dictates the exact cryptographic construction. How such hardware can be used nevertheless to augment general-purpose microcontrollers is something we focus on with our fourth contribution. As a demonstration, we incorporate a hardware security module in the handshake of the transport layer security (TLS) protocol. We do so without the need to create a custom cipher suite and without modifying the TLS handshake itself; instead, we use a generic approach by relying on implementation-specific protocol invariants and therefore get around the limitations which would be imposed by nonstandard protocol modifications.

When processors make use of external peripherals, such as dynamic random access memory (DRAM), another attack vector arises: Due to parasitic effects of the physical construction of modern high-density RAM, it is possible that the hardware cannot guarantee data integrity for all bit patterns. To counteract this, a technique commonly used by memory controllers is the scrambling of data to gain an effectively bias-free bitstream on the RAM chip. With our fifth contribution, we show how one such scrambling scheme by Intel works in-depth and how scrambled memory can be descrambled to reveal the original memory content. In the field of forensics, this is highly relevant: When physical memory acquisition, for example by cold-boot attacks, is used to capture a memory image, descrambling of that image is required before it can be analyzed meaningfully. We furthermore discuss how knowledge about scrambler-internal workings may open up possibilities for an attacker to deliberately cause disturbances in RAM.

Leakage of information through timing side channels is a problem for all sorts of computing machinery, but the impact of such channels is especially dramatic on embedded systems. The reason for this is that these environments allow attackers to exploit small timing differences down to clock cycle accuracy. On the defensive side it is therefore advisable to evaluate cautiously if security-critical code contains data dependent timing discrepancies. When working with real hardware, testing for such vulnerabilities is a tedious process. In order to reduce the burden of vetting, we study approaches that allow cycle-accurate behavioral emulation of relevant CPU behavior such as instruction pipeline flushes and bus contention. We show that our approach is feasible and efficient by implementing an emulator of the popular ARM Cortex-M core. Then we give an overview about the problems of cycle-accurate emulation and demonstrate our approach towards a cycle-accurate ARM Thumb-2 simulator. Finally, we show how this simulator can be integrated into the build process of firmware to check for the presence of timing side channels before the system is deployed.

We present a new class of covert channels which can be created by utilizing common hardware but that cannot be detected by such. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire bound connections of the compromised device, but is also by definition present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers is indistinguishable from uncompromised devices.

We present a new class of covert channels which can be created by utilizing common hardware but that cannot be detected by such. Our idea is to abuse anti-EMI features of a processor to create a covert channel on the physical layer. Thus, the sender uses the invariants in how digital signals are encoded over analog channels to covertly transport information. This leaked data is present on the wire bound connections of the compromised device, but is also by definition present in the vicinity of the device and can be picked up by radio equipment. As the covert channel is present only on the physical layer, the data on all layers above, as well as the timing behavior on those layers is indistinguishable from uncompromised devices. We present two example implementations of such channels using RS-232 as the carrier and use a common oscilloscope to decode the resulting covert channel. Using this setup, we observed symbol rates of around 5 baud. We derive the theoretical upper bound of the covert channels bandwidth and discuss the factors by which it is influenced.

As hard disk encryption, RAM disks, persistent data avoidance technology and memory-only malware become more widespread, memory analysis becomes more important. Cold-boot attacks are a software-independent method for such memory acquisition. However, on newer Intel computer systems the RAM contents are scrambled to minimize undesirable parasitic effects of semiconductors. We present a descrambling attack that requires at most 128 bytes of known plaintext within the image in order to perform full recovery. We further refine this attack using the mathematical relationships within the key stream to at most 50 bytes of known plaintext for a dual memory channel system. We therefore enable cold-boot attacks on systems employing Intel’s memory scrambling technology.

Im Kontext von kleinsten eingebetteten Geräten und Machine-to-Machine-Kommunikationsprotokollen innerhalb des Internet of Things werden zumeist Sicherheitsprotokolle auf Basis symmetrischer Kryptografie verwendet, da diese relativ einfach durch stark ressourcenbeschränkte Geräte handhabbar sind. Die dazu notwendigen geheimen kryptografischen Schlüssel werden aber typischerweise im Flash eines Microcontrollers abgelegt und sind durch physische Angriffe wie Power Analysis oder Decapping gefährdet. Die zur Abwehr derartiger Angriffe notwendigen Hardware-Sicherheitsmodule (HSM) werden üblicherweise nicht in Betracht gezogen weil sie als teuer gelten und häufig über proprietäre Schnittstellen verfügen, die nur schwer in gängige Protokolle integriert werden können. Diese Arbeit beschreibt einen effizienten und generischen Ansatz, wie man ein kostengünstiges HSM, das lediglich symmetrische Kryptografie auf Basis des SHA-256-Hashalgorithmus verwendet, zur Absicherung des weit verbreiteten und akzeptierten Sicherheitsprotokollrahmens TLS verwenden kann. Konkret zeigen wir die Integration eines symmetrischen HSM Atmel ATSHA204A in den Handshake von datagram TLS (DTLS).

In order to efficiently reverse engineer code tools are necessary which perform significantly more than simple disassembly. Such tools should aid the reverse engineer in the areas in which manual work is known to be tedious and error-prone. The engineer on his part aids the tool in the areas where automatic disassembly fails due to code obfuscation. This way the reverse engineer can concentrate on the actual work and can delegate the tedious parts to the utility at hand. To show how such an utility could look like and of what it could be capable of, a camera driver for an astronomical CCD camera is reverse engineered in the process of this work. The second part focuses on the reimplementation and astrophysical problems which need to be solved in order to create good imaging results.

Embedded real time systems often need to be optimized for high availability and deterministic runtime- and scheduling behavior. The OSEK-OS operating system standard is quite fit for this purpose: by means of the priority ceiling protocol many actions and properties of the system are already known ahead of runtime allowing for a customized generation of the actual operating system code. For testing of functional properties of an OSEK-OS-conform operating system it is useful to test on a platform which has sophisticated debugging utilities available. A Linux system is suitable as most Linux distributions already innately include versatile tools. This study thesis will evaluate the possibility of simulation of an OSEK-OS-conform operating system and it’s mapping onto a UNIX-process.

After a brief explanation of how a OSEK operating system works the developed code generator called josek will be introduced. The method of operation and particularities of josek will be discussed, paying special attention to the scheduler – the integral component of any operating system. It will be explained how a specially crafted stack is used in order to perform task switching and how this stack can be protected with userland means provided by any Linux-process. Problem cases which will appear during development of such an operating system are illuminated and their solution is presented. This includes cases where special compiler optimizations might cause malfunction of the generated code. After the study thesis has shown that and how it is possible to have functional components of an OSEK operating system emulated by a UNIX-process, the study thesis will be completed by a detailed performance review. Not only will the code generated by different configurations of josek be compared against itself, but it will also compare against Trampoline, another open source implementation of an OSEK operating system.