
Introduction

  • Digital forensics is the field where legal investigations are assisted by analyzing digital sources of evidence.

  • In contrast, cybersecurity is the domain where the concern is to ensure the security of digital data and the privacy of their owners.

  • An electromagnetic (EM) side-channel attack requires minimal physical manipulation of the device being inspected.

  • EM emissions of a device can be passively observed to infer both the internal operations being performed and the data being handled.


The contribution of this work can be summarized as follows:

  • A comprehensive literature review and a comparative study of the research that has been carried out in EM side-channel analysis is provided and recent advances are summarized.

  • The scenarios where different EM side-channel attacks in the literature are relevant and applicable in digital forensic investigations are identified.

  • Light is shed on several new avenues of research that become possible in digital forensic investigations and cybersecurity through the adoption of EM side-channel analysis techniques.

  • The shortage of reliable tools and frameworks available to utilize EM side-channel analysis for digital forensic investigations on IoT devices is identified and the recommendations are made to overcome it.

Side-channel attacks

Some of the information-leaking side-channels on a computer system are:

  • The memory and cache spaces shared between different software.

    • In environments where multiple virtual machines (VMs) run on the same hardware, such as cloud infrastructure, cache-based side-channel attacks are possible. An attacker running a VM on a virtualized environment can spy on a victim VM through the shared cache storage.

  • The amount of time a program takes to respond to different inputs.

    • Computer programs contain conditional branches and loops in order to handle inputs and produce the intended output. Depending on the input values, the execution path of a program can differ, which may result in a different program execution time.

  • The sounds different components of computer hardware make.

  • The amount of electricity a computer system draws.

    • Simple Power Analysis (SPA)

      • SPA collects the power consumption variation (in mA) over time at a high sample rate, such as twice the clock frequency of the target cryptographic device (the Nyquist frequency).

      • The waveform of the power consumption, when plotted against time, contains patterns that correspond to the instructions of the Data Encryption Standard (DES) cryptographic algorithm.

    • Differential Power Analysis (DPA)

      • This technique can be custom tailored for specific encryption algorithms.

  • The EM radiation a computer hardware emits.

The advantage available to an attacker can be increased by combining multiple side-channels that leak different kinds of information.

Unintentional electromagnetic emissions

  • Electronic devices generate EM radiation on unintended frequencies as a side effect of their internal operations.

  • Such unintended EM radiation is regulated by government agencies, such as the Federal Communications Commission (FCC) in the USA, due to the interference it can cause to legitimate wireless communication and the potential health issues it can cause to the users of these devices.

Hardware that causes electromagnetic emissions

How are EM signals generated from different components of a computer system?

  • As derived from Maxwell's equations, EM waves can be generated by electric currents varying over time.

  • Modern digital computer systems have a large number of components that depend on electric pulses or alternating currents for their operations, such as the CPU and RAM.

What kind of information may they carry?

  • EM emission signals from these two components contain a significant amount of side-channel information regarding the events related to software execution and data handling.

  • On most IoT devices, the CPU and RAM are integrated into a microcontroller (MCU) chip, making it the most important EM source on the board.

Sampling electromagnetic emissions

The EM emission frequencies of a target device are unpredictable because they depend on various hardware characteristics. Therefore, it is difficult to build a general-purpose device that can observe EM emissions from any target device and interpret the side-channel information.

What types of methods and tools can be used to capture these signals?

  • Small magnetic loop antennas can be used for the purpose of detecting EM emissions.

  • The most commonly used equipment to capture EM signals are oscilloscopes and spectrum analyzers with high sample rates.

  • The digitized data these devices capture can be subsequently analyzed in signal analysis software.

  • Other hardware components that can be used to detect and digitize EM signals are software-defined radios (SDRs).

Connection between CPU instructions and electromagnetic emission

  • In order to identify unintentional EM emissions of a computer processor, the most practical method is scanning a large frequency spectrum for suspected EM signals and subsequently trying to interpret these identified signals for potential side-channel information.

  • SAVAT (Signal AVailability for an ATtacker) is a metric that measures the EM signal power emitted when a CPU is executing a specific pair of instructions.

  • An improvement to the SAVAT technique is a method called Finding Amplitude-modulated Side-channel Emanations (FASE).

While it is evident from existing studies that EM side-channel leakage exists across various types of CPUs, further studies are necessary to identify the effect of different CPU architectures on the produced EM emissions.

Electromagnetic emissions as a signature

  • It has been identified that EM emission patterns are associated with both the hardware and software characteristics of the source device.

    • The target device's system clock is the main source of EM radiation.

    • The design of the printed circuit board (PCB) and the characteristics of the electronic components add variations to this strong signal.

    • The instruction sequence, i.e., the program being executed on the CPU, has a significant influence on the EM emission pattern.

Electromagnetic emissions as a hardware signature

EM emissions from an electronic device owned by a person can be used as an authentication token of the person instead of relying on conventional methods, such as Radio Frequency Identification (RFID) tags.

Electromagnetic emissions as a software signature

  • It has been shown that unintended EM emissions of the CPU can be used to inspect software execution sequences without having to instrument the software.

  • Even when the same program is running on different devices, the ability to identify the instruction execution sequence can help to uniquely identify the software itself.

  • This makes it possible to identify when a computing device is running software code not intended by the manufacturer or the owner. One possible cause of such behaviour is software bugs or hardware faults.

Instead of directly using time-domain EM signal traces, an alternative representation is RF-DNA fingerprinting. This is a technique for fingerprinting the physical layer of RF transmitting devices, which includes WiFi, Bluetooth, Zigbee and GSM devices, and even RADAR antennas.

Information leaking electromagnetic emissions

Observable electromagnetic spectrum patterns

While there exists a wide variety of microcontroller chips used on IoT devices, it is still viable to perform EM side-channel attacks on them.

  1. Visually inspecting the time-domain EM signal is the first observational technique. This approach is called simple electromagnetic analysis (SEMA), which evolved from the simple power analysis (SPA).

  2. Another way of performing visual observations is by transforming the EM trace into the frequency domain. This enables observation of different signal patterns distributed over multiple frequencies.

Multiple published works have demonstrated the effectiveness of the SEMA approach in extracting critical data from computers, including cryptographic keys.

Differential electromagnetic analysis (DEMA)

When it is not possible to extract information from visual observation of a single EM trace, DEMA, a variant of Differential Power Analysis (DPA), uses the variation of EM emissions of a CPU to discover variables (e.g. by detecting bit flipping) used in an executing program, such as encryption algorithms.

For example, DEMA has been used to identify the key of a simple XOR cipher.

Some interesting works:

  • Quisquater et al. (2001) practically demonstrated that EM analysis is a viable alternative to the aforementioned power analysis attack on computer CPUs. By precisely moving the EM probe over a microcontroller, the authors were able to build an accurate 3-dimensional EM signature of the chip running an idle loop. It was shown that the radiation spectrum of each processor was sufficiently unique to serve as a distinguishing feature for processor identification. These experiments were performed in a Faraday cage to minimize external noise, and the EM emissions were captured using a small magnetic loop antenna (diameter ~ 3 mm).

  • ⚠️ Recently, Camurati et al. (2018) made an important discovery that extended the previously known capabilities of EM side-channel analysis of cryptographic operations on IoT devices. It was shown that mixed-signal processors, such as system-on-chips (SoCs), that contain a radio transceiver and a CPU on the same silicon die can cause long-distance EM leakage. This occurs when the CPU noise gets modulated into the radio transceiver's emission, extending the range of the CPU EM side-channel. As the usage of SoCs is becoming increasingly popular on IoT devices, this latest type of EM side-channel leakage, called screaming channels, has significantly increased the potential attack surface.

Analysis on wireless-powered devices

This section mainly concerns RFID tags; refer to the paper for further details.

Countermeasures to electromagnetic side-channels

Software-based countermeasures:

  • masking variables with random values alongside the operations (not effective enough on its own against EM SCA)

  • randomizing the operation sequences or lookup tables of algorithms

  • avoiding adjacently executed instruction pairs that are known to emit distinguishable EM patterns

  • accessing critical data through pointers instead of by value
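An added, simulated illustration (not code from the paper or this page) of the DEMA attack on a simple XOR cipher described above, and of the masking countermeasure listed in the first bullet. It assumes a simplified leakage model: each captured EM sample is the Hamming weight of the byte written to the result register plus Gaussian noise; the key byte and all traces are constructed here.

```python
import random

SECRET_KEY = 0x3C   # constructed secret byte for the simulation, not from the paper


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(key: int, n: int, masked: bool, noise: float = 2.0, seed: int = 7):
    """Return (plaintext, emission) pairs from a modelled XOR cipher.

    Leakage model (a simplifying assumption): the EM sample is the Hamming
    weight of the byte written to the result register plus Gaussian noise.
    With masking, the register holds pt ^ key ^ mask for a fresh random mask.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        pt = rng.randrange(256)
        register = pt ^ key
        if masked:
            register ^= rng.randrange(256)   # fresh random mask per encryption
        traces.append((pt, hamming_weight(register) + rng.gauss(0.0, noise)))
    return traces


def difference_of_means(traces, bit: int) -> float:
    """DEMA selection on one plaintext bit: mean(pt_bit = 1) - mean(pt_bit = 0)."""
    ones = [s for pt, s in traces if (pt >> bit) & 1]
    zeros = [s for pt, s in traces if not (pt >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)


def dema_recover_key(traces):
    """Recover the key byte bit by bit from the sign of the difference of means.

    If key_bit = 0 the register bit equals the plaintext bit, so traces with
    pt_bit = 1 carry one extra unit of Hamming weight (difference ~ +1);
    if key_bit = 1 the register bit is inverted (difference ~ -1).
    Returns (key_guess, largest absolute difference), the latter showing how
    clearly any bit hypothesis was separated; with masking it stays near 0.
    """
    key, strongest = 0, 0.0
    for bit in range(8):
        d = difference_of_means(traces, bit)
        if d < 0:
            key |= 1 << bit
        strongest = max(strongest, abs(d))
    return key, strongest


if __name__ == "__main__":
    print("unmasked:", dema_recover_key(simulate_traces(SECRET_KEY, 2000, masked=False)))
    print("masked:  ", dema_recover_key(simulate_traces(SECRET_KEY, 2000, masked=True)))
```

The masked run returns an essentially random key guess with a separation near zero, which is why first-order masking hides this particular statistic even though the paper notes it is not sufficient on its own against EM side-channel analysis.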

Hardware-based countermeasures:

  • minimizing metal parts in a chip to reduce EM emissions

  • using Faraday cage like packaging

  • making the chip less power consuming (which leads to less unintentional emissions)

  • asynchronism (i.e., designing the chip without a central system clock so that it operates asynchronously)

  • using dual-line logic (i.e., using two lines whose two bits in combination represent a state, instead of a single line that simply represents the 0 or 1 state).

  • Furthermore, it has been shown that it is possible to mathematically model an electronic chip during the design phase to identify and avoid potential information leakages through EM side-channels.

Standards and tools

Refer to the paper for further details on standards and tools.

Multiple commercial and open source products exist that can be used to break encryption on microcontroller based IoT devices.

Such tools enable IoT system developers to test the robustness of their hardware against physical side-channel attacks and identify information leakage.

Discussion

The unintentional EM emissions from computing devices can cause interference to other radio signals in the vicinity. This phenomenon is evident in laptop computers, which have been shown to modulate signals from commercial AM radio stations.

IoT devices already use this interference phenomenon to communicate purposefully with other devices by modulating ambient RF signals. This is called backscatter communication technology.

EM side-channel analysis techniques that previously required human intervention can be automated through the development of AI algorithms.
