Computer security compromised by hardware failure: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 22:37, 29 July 2021 edit Citation bot (talk \| contribs) Bots 5,867,275 edits Add: s2cid. \| Use this bot. Report bugs. \| Suggested by RoanokeVirginia \| Category:CS1 errors: unsupported parameter \| #UCB_Category 465/947 ← Previous edit		Latest revision as of 00:21, 21 January 2024 edit undo BD2412 (talk \| contribs) Autopatrolled, Administrators 2,527,851 edits m clean up spacing around commas and other punctuation fixes, replaced: ; → ; (12) Tag: AWB
(11 intermediate revisions by 6 users not shown)
Line 13: ==== Electromagnetic emanations ==== Video display units radiate: * narrowband harmonics of the digital clock signals ; * broadband harmonics of the various 'random' digital signals such as the video signal.<ref name="Eck1">[[#Eck1\|Eck, 1985, p.2]]</ref> Known as compromising emanations or [[Tempest (codename)\|TEMPEST]] radiation, a code word for a U.S. government programme aimed at attacking the problem, the electromagnetic broadcast of data has been a significant concern in sensitive computer applications. Eavesdroppers can reconstruct video screen content from radio frequency emanations.<ref name="Kuhn1">[[#Kuhn1\|Kuhn,1998, p.1]]</ref> Each (radiated) harmonic of the video signal shows a remarkable resemblance to a broadcast TV signal. It is therefore possible to reconstruct the picture displayed on the video display unit from the radiated emission by means of a normal television receiver.<ref name="Eck1"/> If no preventive measures are taken, eavesdropping on a video display unit is possible at distances up to several hundreds of meters, using only a normal black-and-white TV receiver, a directional antenna and an antenna amplifier. It is even possible to pick up information from some types of video display units at a distance of over 1 kilometer. If more sophisticated receiving and decoding equipment is used, the maximum distance can be much greater.<ref name="Eck2">[[#Eck1\|Eck, 1985, p.3]]</ref> ==== Compromising reflections ==== What is displayed by the monitor is reflected on the environment. The time-varying diffuse reflections of the light emitted by a CRT monitor can be exploited to recover the original monitor image.<ref name="[Back1]">[[#Back1\|Backes, 2010, p.4]]</ref> This is an eavesdropping technique for spying at a distance on data that is displayed on an arbitrary computer screen, including the currently prevalent LCD monitors. The technique exploits reflections of the screen's optical emanations in various objects that one commonly finds in close ~~proximity~~ to the screen and uses those reflections to recover the original screen content. Such objects include eyeglasses, tea pots, spoons, plastic bottles, and even the eye of the user. This attack can be successfully mounted to spy on even small fonts using inexpensive, off-the-shelf equipment (less than 1500 dollars) from a distance of up to 10 meters. Relying on more expensive equipment allowed to conduct this attack from over 30 meters away, demonstrating that similar attacks are feasible from the other side of the street or from a close by building.<ref name="[Back3]">[[#Back2\|Backes, 2008, p.1]]</ref> Many objects that may be found at a usual workplace can be exploited to retrieve information on a computer's display by an outsider.<ref name="[Back4]">[[#Back2\|Backes, 2008, p.4]]</ref> Particularly good results were obtained from reflections in a user's eyeglasses or a tea pot located on the desk next to the screen. Reflections that stem from the eye of the user also provide good results. However, eyes are harder to spy on at a distance because they are fast-moving objects and require high exposure times. Using more expensive equipment with lower exposure times helps to remedy this problem.<ref name="[Back5]">[[#Back2\|Backes, 2008, p.11]]</ref> Line 104: ==== Acoustic emanations ==== With acoustic emanations, an attack that recovers what a dot-matrix printer processing English text is printing is possible. It is based on a record of the sound the printer makes, if the microphone is close enough to it. This attack recovers up to 72% of printed words, and up to 95% if knowledge about the text are done, with a microphone at a distance of 10 cm from the printer.<ref name="[Back10]">[[#Back1\|Backes, 2010, p.1]]</ref> After an upfront training phase ("a" in the picture below), the attack ("b" in the picture below) is fully automated and uses a combination of machine learning, audio processing, and speech recognition techniques, including spectrum features, Hidden Markov Models and linear classification.<ref name="[Back1]"/> The fundamental reason why the reconstruction of the printed text works is that, the emitted sound becomes louder if more needles strike the paper at a given time.<ref name="[Back2]"/> There is a correlation between the number of needles and the intensity of the acoustic emanation.<ref name="[Back2]"/> Line 153: So, any device connected by FireWire can read and write data on the computer memory. For example, a device can : * Grab the screen contents ; * Just search the memory for strings such as login, passwords ; * Scan for possible key material ; * Search cryptographic keys stored in RAM ; * Parse the whole physical memory to understand logical memory layout. or * Mess up the memory ; * Change screen content ; * Change UID/GID of a certain process ; * Inject code into a process ; * Inject an additional process. Line 188: A simple and generic processor backdoor can be used by attackers as a means to privilege escalation to get to privileges equivalent to those of any given running operating system.<ref name="Dufl21">[[#Dufl2\|Duflot, 2008, p.1]]</ref> Also, a non-privileged process of one of the non-privileged invited ___domain running on top of a virtual machine monitor can get to privileges equivalent to those of the virtual machine monitor.<ref name="Dufl21"/> Loïc Duflot studied Intel processors in the paper "[[#Dufl2\|CPU bugs, CPU backdoors and consequences on security]]" ; he explains that the processor defines four different privilege rings numbered from 0 (most privileged) to 3 (least privileged). Kernel code is usually running in ring 0, whereas user-space code is generally running in ring 3. The use of some security-critical assembly language instructions is restricted to ring 0 code. In order to escalate privilege through the backdoor, the attacker must :<ref name="Dufl22">[[#Dufl2\|Duflot, 2008, p.5]]</ref> # activate the backdoor by placing the CPU in the desired state ; # inject code and run it in ring 0 ; # get back to ring 3 in order to return the system to a stable state. Indeed, when code is running in ring 0, system calls do not work : Leaving the system in ring 0 and running a random system call (exit() typically) is likely to crash the system. The backdoors Loïc Duflot presents are simple as they only modify the behavior of three assembly language instructions and have very simple and specific activation conditions, so that they are very unlikely to be accidentally activated. [[#Waks1\|Recent inventions]] have begun to target these types of processor-based escalation attacks. Line 200: === Acoustic === * {{cite book\| last1 = Asonov \| first1 =D. \| title =IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004 \| last2 = Agrawal \| first2 = R. ~~\| periodical = Proceedings 2004 IEEE Symposium on Security and Privacy~~ \| pages = 3–11 \| citeseerx = 10.1.1.89.8231 \| year = 2004 \| issn = 1081-6011 \| doi = 10.1109/SECPRI.2004.1301311 \| isbn = 978-0-7695-2136-7 \| ref = Aso1 \| chapter =Keyboard acoustic emanations \| s2cid =216795 }} * {{~~Citation~~Cite conference \| last1 = Zhuang \| first1 = Li \| last2 = Zhou \| first2 = Feng \| last3 = Tygar \| first3 = J.D. \| ~~title~~chapter = Keyboard acoustic emanations revisited \| ~~book-~~title = ACM Transactions on Information and System Security (TISSEC) \| ~~periodical~~journal = ACM Transactions on Information Systems \| conference = Proceedings of the 12th ACM Conference on Computer and Communications Security \| place = Alexandria, Virginia, USA \| volume = 13 \| issue = 1 \| pages = 373–382 \| publisher = ACM New York, NY, USA \| citeseerx = 10.1.1.117.5791 \| year = 2005 \| issn = 1094-9224 \| doi = 10.1145/1609956.1609959 \| isbn = 978-1-59593-226-6 \| ref = Zhu1 }} * {{cite book\| last1 = Berger \| first1 = Yigael \| title = Proceedings of the 13th ACM conference on Computer and communications security – CCS '06 \| last2 = Wool \| first2 = Avishai \| last3 = Yeredor \| first3 = Arie ~~\| periodical = Proceedings of the 13th ACM Conference on Computer and Communications Security~~ \| pages = 245–254 \| place = Alexandria, Virginia, USA \| citeseerx = 10.1.1.99.8028 \| publisher = ACM New York, NY, USA \| year = 2006 \| doi = 10.1145/1180405.1180436 \| isbn = 978-1-59593-518-2 \| ref = Ber1\| chapter = Dictionary attacks using keyboard acoustic emanations \| s2cid = 2596394 }} * {{Citation\| last1 = Backes \| first1 = Michael \| last2 = Dürmuth \| first2 = Markus \| last3 = Gerling \| first3 = Sebastian \| last4 = Pinkal \| first4 = Manfred \| last5 = Sporleder \| first5 = Caroline \| title = Acoustic Side-Channel Attacks on Printers \| periodical = Proceedings of the 19th USENIX Security Symposium \| place = Washington, DC\| url = http://www.usenix.org/events/sec10/tech/full_papers/Backes.pdf \| year = 2010 \| isbn = 978-1-931971-77-5 \| ref = Back1 }} === Cache attack === * {{cite book\| last1 = Osvik \| first1 = Dag Arne \| title = Topics in Cryptology – CT-RSA 2006 \| last2 = Shamir \| first2 = Adi \| last3 = Tromer \| first3 = Eran ~~\| book-title = Lecture Notes in Computer Science~~ \| volume = 3860 \| pages = 1–20 \| periodical = Topics in Cryptology CT-RSA \| publisher = Springer-Verlag Berlin, Heidelberg \| place = San Jose, California, USA \| citeseerx = 10.1.1.60.1857 \| year = 2006 \| issn = 0302-9743 \| doi = 10.1007/11605805_1 \| isbn = 978-3-540-31033-4 \| ref = Sha1\| chapter = Cache Attacks and Countermeasures: The Case of AES \| series = Lecture Notes in Computer Science }} * {{Citation\| last1 = Page \| first1 = Daniel \| title = Partitioned cache architecture as a side-channel defence mechanism \| periodical = Cryptology ePrint Archive \| url = http://eprint.iacr.org/2005/280.pdf \| year = 2005 \| ref = Pag1 }} * {{cite book\| last1 = Bertoni \| first1 = Guido \| title = International Conference on Information Technology: Coding and Computing (ITCC'05) – Volume II \| last2 = Zaccaria \| first2 = Vittorio \| last3 = Breveglieri \| first3 = Luca \| last4 = Monchiero \| first4 = Matteo \| last5 = Palermo \| first5 = Gianluca \| place = Washington, DC, USA \| volume = 1 \| pages = 586–591 ~~\| periodical = International Conference on Information Technology: Coding and Computing (ITCC'05)~~ \| publisher = IEEE Computer Society, Los Alamitos, California, USA \| chapter-url = http://home.dei.polimi.it/gpalermo/papers/ITCC05.pdf \| year = 2005 \| doi = 10.1109/ITCC.2005.62 \| isbn = 978-0-7695-2315-6 \| ref = Bert1 \| chapter = AES power attack based on induced cache miss and countermeasure \| citeseerx = 10.1.1.452.3319 \| s2cid = 9364961 }} === Chemical === Line 214: === Electromagnetic === * {{cite book\| last1 = Kuhn \| first1 = Markus G. \| title = Information Hiding \| volume = 1525 \| last2 = Anderson \| first2 = Ross J. \| pages = 124–142 ~~\| periodical = Lecture Notes in Computer Science~~ \| year = 1998 \| doi = 10.1007/3-540-49380-8_10 \| isbn = 978-3-540-65386-8 \| ref = Kuhn1\| chapter = Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations \| series = Lecture Notes in Computer Science \| citeseerx = 10.1.1.64.6982 }} * {{Citation\| last1 = Van Eck \| first1 = Wim \| last2 = Laborato \| first2 = Neher \| title = Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? \| volume = 4 \| issue = 4 \| pages = 269–286 \| periodical = Computers & Security \| url = http://portal.acm.org/citation.cfm?id=7308 \| year = 1985 \| doi = 10.1016/0167-4048(85)90046-X \| ref = Eck1 \| citeseerx = 10.1.1.35.1695 }} * {{cite book\| last1 = Kuhn \| first1 = Markus G. \| title = Proceedings 2002 IEEE Symposium on Security and Privacy \| pages = 3– ~~\| periodical = Proceedings of the 2002 IEEE Symposium on Security and Privacy~~ \|chapter-url=http://portal.acm.org/citation.cfm?id=829514.830537 \| year = 2002 \| doi = 10.1109/SECPRI.2002.1004358 \| isbn = 978-0-7695-1543-4 \| ref = Kuhn2\| chapter = Optical time-___domain eavesdropping risks of CRT displays \| citeseerx = 10.1.1.7.5870 \| s2cid = 2385507 }} * {{Citation\| last1 = Vuagnoux \| first1 = Martin \| last2 = Pasini \| first2 = Sylvain \| title = Compromising electromagnetic emanations of wired and wireless keyboards \| pages = 1–16 \| periodical = In Proceedings of the 18th Conference on USENIX Security Symposium (SSYM'09) \| url = http://www.usenix.org/events/sec09/tech/full_papers/vuagnoux.pdf \| year = 2009 \| ref = Vuag1}} * {{cite book\| last1 = Backes \| first1 = Michael \| last2 = Dürmuth \| first2 = Markus \| last3 = Unruh \| first3 = Dominique \| title = ~~Compromising~~Proceedings ~~Reflections-or-How~~2002 toIEEE ~~Read~~Symposium ~~LCD~~on ~~Monitors~~Security ~~around~~and ~~the Corner~~Privacy \| pages = 158–169 \| ~~periodical~~year = ~~Proceedings of the IEEE Symposium on Security and Privacy~~2002 \| place = Oakland, California, USA \| chapter-url = http://crypto.m2ci.org/unruh/publications/reflections.pdf ~~\| year = 2008~~ \| doi = 10.1109/SECPRI.2002.1004358 \| isbn = 978-0-7695-3168-7 \| ref = Back2\| chapter = Optical time-___domain eavesdropping risks of CRT displays \| citeseerx = 10.1.1.7.5870 \| s2cid = 2385507 }} === FireWire === Line 231: === Temperature === * {{Citation\| last1 = Skorobogatov\| first1 = Sergei \| title = Low temperature data remanence in static RAM \| journal = Technical Report - University of Cambridge. Computer Laboratory \| publisher = University of Cambridge Computer Laboratory \| place = Cambridge, UK\| url = http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-536.pdf \| year = 2002 \| issn = 1476-2986 \| ref = Sko1}} * {{~~Citation~~Cite book \| last1 = Halderman \| first1 = J. Alex \| last2 = Schoen \| first2 = Seth D. \| last3 = Heninger \| first3 = Nadia \| author3-link = Nadia Heninger \| last4 = Clarkson \| first4 = William \| last5 = Paul \| first5 = William \| last6 = Calandrino \| first6 = Joseph A. \| last7 = Feldman \| first7 = Ariel J. \| last8 = Appelbaum \| first8 = Jacob \| last9 = Felten \| first9 = Edward W. \| title = Lest Wewe ~~Remember~~remember: Cold-boot ~~Boot Attacks~~attacks on ~~Encryption~~encryption ~~Keys~~keys \| ~~book-title~~ chapter= ~~Communications~~Lest ofWe ~~the~~Remember: ~~ACM~~Cold –Boot ~~Security~~Attacks inon ~~the~~Encryption ~~Browser~~Keys \| volume = 52 \| issue = 5 \| pages = 45–60 \| periodical = Proceedings of the USENIX Security Symposium \| date = 2009 \| publisher = ACM New York, New York, USA \| url = http://citp.princeton.edu/pub/coldboot.pdf ~~\| year = 2008~~ \| issn = 0001-0782 \| doi = 10.1145/1506409.1506429 \| isbn = 978-1-931971-60-7 \| s2cid = 7770695 \| ref = Hald1 \| url-status = dead \| archive-url = https://web.archive.org/web/20110904213748/http://citp.princeton.edu/pub/coldboot.pdf \| archive-date = 2011-09-04 }} === Timing attacks === * {{Citation\| last1 = Song \| first1 = Dawn Xiaodong \| last2 = Wagner \| first2 = David \| last3 = Tian \| first3 = Xuqing \| title = Timing analysis of keystrokes and timing attacks on SSH \| volume = 10 \| pages = 337–352 \| place = Washington, D.C., USA \| periodical = Proceedings of the 10th Conference on USENIX Security Symposium \| publisher = USENIX Association Berkeley, California, USA \| url = http://www.usenix.org/events/sec01/full_papers/song/song.pdf \| year = 2001 \| ref = Song1}} * {{cite book\| last1 = Kocher \| first1 = Paul C.\| title = Advances in Cryptology – CRYPTO '96\| volume = 1109 \| pages = 104–113 \| periodical = Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology – CRYPTO '96 \| series = Lecture Notes in Computer Science \| publisher = Springer-Verlag, London, UK \| place = Santa Barbara, California, USA \| citeseerx = 10.1.1.40.5024 \| year = 1996 \| doi = 10.1007/3-540-68697-5_9 \| isbn = 978-3-540-61512-5 \| ref = Koch1\| chapter = Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems\| s2cid = 15475583}} * {{Citation\| last1 = Brumley \| first1 = David \| last2 = Boneh \| first2 = Dan \| title = Remote timing attacks are practical \| volume = 12 \| issue = 5 \| pages = 701 \| periodical = Proceedings of the 12th Conference on USENIX Security Symposium SSYM'03 \| publisher = USENIX Association Berkeley, California, USA \| place = Washington, DC, USA \| url = http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf \| year = 2003 \| doi = 10.1016/j.comnet.2005.01.010 \| ref = Brum1\| citeseerx = 10.1.1.12.2615 }} === Other === * {{cite book\| last1 = Balzarotti \| first1 = D.\| title = 2008 IEEE Symposium on Security and Privacy (sp 2008)\| last2 = Cova\| first2 = M.\| last3 = Vigna\| first3 = G.\| pages = 170–183 ~~\| periodical = Security and Privacy, 2008. SP 2008. IEEE Symposium on~~ \| ___location = Oakland, CA \| year = 2008 \| issn = 1081-6011 \| doi = 10.1109/SP.2008.28 \| isbn = 978-0-7695-3168-7 \| ref = Balz1\| chapter = Clear ''Shot'': Eavesdropping on Keyboard Input from Video\| citeseerx = 10.1.1.219.239\| s2cid = 1498613}} * {{Citation\| language = fr \| last1 = Duflot \| first1 = Loïc \| title = Contribution à la sécurité des systèmes d'exploitation et des microprocesseurs \| url = http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lti/these-duflot.pdf \| year = 2007 \| ref = Dufl1}} {{Computer science}} [[Category:Computer security]] [[Category:Risk analysis]]