vishwakarma18exploiting

Title of the paper: Exploiting JTAG and Its Mitigation in IOT: A Survey

Available at: https://www.mdpi.com/1999-5903/10/12/121?type=check_update&version=2

Remember that SCuM has no JTAG capability; UART is the primary debugging method.

Abstract

JTAG is an IEEE standard that has been defined to test proper mounting of components on PCBs (printed circuit boards) and has been extensively used by PCB manufacturers to date. This JTAG interface can be used as a backdoor entry to access and exploit devices, also defined as a physical attack. This attack can be used to make products malfunction, modify data, or, in the worst case, stop working. This paper reviews previous successful JTAG exploitations of well-known devices operating online and also reviews some proposed possible solutions to see how they can affect IoT products in a broader sense.

Introduction

IoT framework mainly comprises:

  • sensing,

  • communication,

  • data collection in the cloud and processing, and

  • delivery of data back to the user

Node devices (sensor devices) are unintelligent devices with:

  • less hardware complexity,

  • high power efficiency (i.e., battery operated),

  • and often lower cost

Importantly, the vast majority of these devices are physically available to the public, thus illegitimate parties could influence:

  • data,

  • firmware binary file and

  • memory footprints.

This kind of attack is classified as a physical attack.

Skorobogatov [1] already evaluated possible physical attack scenarios, as explained below for embedded devices:

  • Theft of Service could be significant as malicious users could get access to sensitive data within the chip. For example, Satellite TV is a kind of IoT node that is directly connected to the service provider. An attacker could modify security to gain free services, which could cause huge losses to the service provider.

  • In addition, cloning and IP piracy is a notorious challenge faced by the electronics industry today. Various gadgets get cloned through physical attacks that extract internal memory contents such as the device ID, unique keys, etc. This practice is unlawful, since it uses the intellectual property of a company that has already invested time and money.

  • Denial of Service can be used as an attack by devices to satisfy selfish motives. For example, IoT nodes can be easily reverse-engineered to send fake data to deceive the destination server.

Now, these physical attacks can happen through standard hardware interfaces such as USB, JTAG, LAN, WLAN, Serial interface, etc.

JTAG is an IEEE standard developed in the 1990s for debugging, updating and storing firmware on the chip, and it is still widely used in the industry.

Usually, IoT nodes are small embedded devices that run a program, called firmware, continuously in a loop. These application programs are written directly into the chip through either a serial or a JTAG debugging interface.

Manufacturers keep the JTAG port on the PCB to test/validate whether every single electronic part is mounted properly, as well as to upgrade the firmware in the future.

This paper:

  • studies how severe and far-reaching JTAG port access to hardware could be for IoT endpoint nodes

  • covers both the various exploitations of products through the JTAG port and previously proposed solutions that secure JTAG access.

JTAG Background

JTAG consists of:

  • Test Access Port (TAP): This port gives easy access to test functions built into a component. It has four input ports and one output port.

  • TAP Controller: The TAP controller is a finite state machine which is responsible for the behavior of JTAG boundary scan logic in the chip.

  • Instruction Register: The “Instruction register” decides on the operation mode of the Boundary Scan IC.

  • One or more data register(s): These registers are used to read-out information in the component.

The JTAG specification enables testing of all components that are not time critical, such as resistors, crystals, driver ICs, logic gates, reset ICs and even RAM ICs or Flash ICs (parallel as well as serial).

JTAG Exploitations

  1. Exploitation of JTAG Using Physical Pin Modification

  2. Exploitation Using JTAGulator Tool

    1. JTAGulator device

  3. Exploitation of Tiny OS and Mantis OS Using Open Source Software Available on Internet

    1. TinyOS (an event-based operating system) and Mantis OS (a multi-threaded operating system)

    2. Since these tiny OSs are used in many devices, such computing-capable devices can be used as bots to execute malicious code or to scan for other vulnerable devices. By comparison, a self-propagating botnet malware known as “Mirai” recently became very popular in industry and the research community. The Mirai malware attacked the website of “Krebs; a software security consultant company” with 620 Gbps of traffic in September 2016, which was one of the huge DDoS (distributed denial-of-service) attacks. The Mirai botnet code infects devices such as routers and IP cameras that are still using their factory default username and password.

  4. Exploitation Using Interrupt-Oriented Bugdoor Programming Method

  5. Exploitation of Modern Game Console

  6. Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks

  7. Attacks on Programmable Logic Controllers (PLC)

    1. Supervisory control and data acquisition (SCADA) systems are predominantly used to monitor and control huge system infrastructure such as electric power transmission lines, water distribution systems, gas and oil pipelines, etc.

    2. Programmable logic controllers (PLCs) gather data and interact with sensors and valves to streamline huge industrial processes.

  8. Attacks on Android OS

JTAG Security Solutions

  1. Based on Physical Unclonable Functions (PUF)

    1. The PUF is not only lightweight and unique but also ideal for extremely resource-constrained platforms such as RFID and IoT nodes.

    2. Another advantage of PUF is that it does not require any special manufacturing process or programming and testing steps.

    3. This experiment proposed a challenge-response-based solution, also known as a Ring Oscillator (RO) PUF, to provide JTAG security. → Maybe we can benefit from SCuM’s oscillators!

  2. Based on Public Key Cryptography

    1. An Elliptic Curve Cryptosystem (ECC) approach is used over other PKC schemes (such as RSA) due to its small key size and reduced storage and transmission requirements.

    2. A man-in-the-middle attack is also prevented by an Elliptic Curve Digital Signature Algorithm (ECDSA).

  3. Based on Challenge Response

    1. Uses a SHA256 secure hash and a true random number generator (TRNG).

    2. This method increases hardware complexity, since the challenge is generated at the IC, for which a random generator is required on chip.

  4. Security Level Based Approach

    1. The authors proposed a separate hardware protection mechanism that guarantees reliable authorization.

    2. They offered a VHDL implementation of a JTAG architecture with four levels of privileged access modes.

  5. Credential Based Approach

    1. A server issues a credential and password to the user through an Internet connection for a secure JTAG interface.

    2. This method uses hash and XOR calculations for the interaction between the host (computer) and the JTAG device, which makes this solution less expensive.

  6. Exploitation Using Statistical Machine Learning

    1. The authors proposed a statistical learning in chip (SLIC-J) scheme for JTAG protection.

    2. The same authors implemented another two-layered, machine-learning-based approach to secure JTAG against attacks; the results were compared with other previously published protection schemes such as encryption, signature detection, anomaly detection, and SLIC-J statistical learning, and showed 94% overall accuracy.

    3. Physical security is enhanced up to 94% with machine learning techniques, and improved by 50% on average compared to previous work.

  7. JoKER, Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

    1. The JTAG hardware debugging standard is the most trusted debugging technique at hardware level in the industry.

    2. Kernel-level attacks can grant permissions to hide viruses/malware from antivirus programs, so the authors used well-known JTAG hardware debugging techniques to get low-level memory screenshots.
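The challenge-response idea from item 3 above, as an added example (not code from the paper or from this page): the chip issues a challenge and unlocks the debug port only for a matching response. The HMAC-SHA256 construction, the shared device key and the names `JtagLock`, `host_response` and `replay_accepted` are assumptions made for illustration; `secrets.token_bytes` stands in for the on-chip TRNG.

```python
import hashlib
import hmac
import secrets

class JtagLock:
    """Chip side: the debug port stays locked until a challenge is answered."""
    def __init__(self, device_key, rng=secrets.token_bytes):
        self._key = device_key
        self._rng = rng            # models the on-chip random generator
        self._challenge = None
        self.unlocked = False

    def new_challenge(self):
        self._challenge = self._rng(16)
        return self._challenge

    def submit(self, response):
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, self._challenge, hashlib.sha256).digest()
        self._challenge = None     # each challenge can be answered only once
        self.unlocked = hmac.compare_digest(expected, response)
        return self.unlocked

def host_response(device_key, challenge):
    """Host side: prove knowledge of the key without sending it."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def replay_accepted(rng):
    """Record one valid response, reset the lock, then present the recording again."""
    key = bytes(range(32))                     # constructed demo key
    chip = JtagLock(key, rng)
    recorded = host_response(key, chip.new_challenge())
    assert chip.submit(recorded)               # legitimate unlock
    chip = JtagLock(key, rng)                  # port re-locked after reset
    chip.new_challenge()
    return chip.submit(recorded)
```

With a random challenge the recorded response is rejected after reset; with a constant challenge (`lambda n: bytes(n)`) it is accepted, which is why the scheme needs a random generator on chip.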

Discussion

There has always been a trade-off between product security and all other resources, such as hardware complexity, cost of product, etc.

We cannot escape from the fact that small-sized operating systems are prone to malware botnets such as Mirai. These kinds of botnets usually reside in the DRAM of the device, which is volatile. Thus, updating the firmware/OS eliminates such malware from the system. Thus, in the worst case, the JTAG access port must be available on the PCB to debug and update software.

Let us evaluate the JTAG solutions above:

  1. First, it seems unrealistic to add extra JTAG security circuitry into the resource-constrained IoT nodes. This extra circuitry could be added to products that are not battery operated, such as game consoles, PLC machines, set top boxes, etc.

  2. Second, a credential-based solution looked promising a couple of years back, but the exponential growth in the number of IoT devices will make it difficult. Usually, JTAG debugging is used by technicians in the field either to debug a circuit or to upgrade firmware. Thus, in practice, technicians use a common password in the field, and employees sometimes move to other companies (job change). This makes products vulnerable over time, since it would be expensive to configure each device with a new password.

  3. Third, if we take secured JTAG key methods, then the database of unique keys has to be well protected and maintained. Moreover, extra protected access has to be granted to technicians, which increases system dependency. However, note that SSL or TLS secure transport is currently affordable and cheap in client-server protocols. The main advantage of this architecture is offloading processing to the server side. Thus, a globally unique ID for each node can strengthen overall security.

  4. Fourth, machine learning techniques have recently come forth to provide prevention against physical threats. The solutions provided with learning methods are mostly based on sample lab datasets. Hence, realistic datasets with all corner cases can only improve the accuracy of threat detection.

References

  1. Tehranipoor, M.; Sergei, S.; Wang, C. Introduction to Hardware Security and Trust; Springer Publishing Company, Incorporated: Berlin, Germany, 2011. (https://link.springer.com/content/pdf/10.1007/978-1-4419-8080-9.pdf)

New Terms

  • JTAG: Joint Test Action Group

  • UART: Universal Asynchronous Receiver Transmitter

  • GSM: Global Systems for Mobile

    • The GSM is a type of cellular standard for communication over mobile phones

  • GPRS: General Packet Radio Service

Questions:

  1. What OS is used on SCuM?

    1. Ans: In the current applications, no OS is used; bare-metal programming is used.
