Hack in the Box Conference April 10-13, 2005, Bahrain

Slide 1

Toward Architectural Challenges of Secured Mobile Devices

Manzur Ashraf, BRAC University, Bangladesh

Email: [email protected]

Slide 2

Agenda / classification

Energy-efficient Mobile Device & Applications

Energy-efficient Security Protocols

Tamper Resistance

Flexibility

Designing (Modeling) & Verifying Security Protocols

Slide 3

Energy-efficient Mobile Device & Applications

Device physics

Software-based approach

Slide 4

Device Physics

Energy constraints dominate algorithm and system-design trade-offs for small devices.

Lithium batteries offer higher energy density with fewer memory effects but longer recharge times.

Rechargeable lithium: 1080 J/cm³; non-rechargeable lithium: 2880 J/cm³.

Slide 5

Contd..

Zinc-based batteries have higher energy densities but high leakage, so they are best for heavy usage over a short duration. Recent polymer-based batteries have excellent energy densities (and are manufactured in a range of form factors) but are expensive.

Slide 6

Contd..

Researchers have fabricated tiny, 1 mm³ lead-acid batteries. We can expect to package energy storage directly with logic.

Fuel cells (based on methanol, 8900 J/cm³) have 10 times the energy density of batteries, but the additional volume of membrane, storage and housing lowers this by a factor of two to five.

Slide 7

Sample scavenging energy ratings

Solar (outdoors, midday): 15 mW/cm²

Solar (indoor office lighting): 10 µW/cm²

Vibrations (from microwave oven casing): 200 µW/cm³

Temperature gradient: 15 µW/cm³ (from a 10 °C temperature gradient)

With existing technology, a cubic millimetre of battery space has enough energy to perform roughly 1 billion 32-bit computations, take 100 million sensor samples, or send and receive 10 million bits. (L. Doherty et al., 2001)

Slide 8

Ideal battery properties

[Figure: voltage and charge capacity plotted against depth of discharge (0% to 100%) and rate of load; ideal case versus non-ideal case]

Slide 9

Non-ideal battery

In practice, both the voltage and the capacity vary widely. The voltage drops over the course of a discharge.

The shape of the voltage discharge curve depends on:

materials used to construct the battery

size of the load.

For example, NiCd batteries have a relatively FLAT discharge curve. Most types of Li-ion batteries have a SLOPED discharge curve.

Two more pointers:

A) Loss of capacity with increasing load

B) Recovery: a reduction of the load for periods of time results in an increase in battery capacity. (Thomas et al. 03)

Slide 10

Better indicator of battery capacity: peak or average power? (Thomas et al. 2003)

Columns: waveform modification; peak power (W/kg); average power (W/kg); battery life from simulation (min); estimated battery life using the rated capacity of 151 Wh/kg (min); difference from simulation (%); estimated battery life using the capacity at peak power (min); difference from simulation (%).

Mod   Peak  Avg   Sim   Est(rated)  Diff%  Est(peak)  Diff%
NONE  300   120   51    76          +48    45         -12
A     180   96    83    94          +14    74         -11
B     300   96    67    94          +41    56         -16
C     300   96    68    94          +39    56         -17
NONE  200   80    87    113         +30    85         -2
A     120   64    132   142         +7     120        -9
B     200   64    117   142         +21    106        -9
C     200   64    117   142         +20    106        -10
NONE  100   40    202   227         +12    200        -1
A     60    32    268   283         +6     261        -3
B     100   32    253   283         +12    250        -1
C     100   32    268   283         +6     250        -7

Slide 11

Non-ideal properties of battery

1. Battery capacity will vary with load power.

2. Peak power is a better indicator for battery capacity than average power.

3. Peak power should be reduced whenever possible, which means background operations should be performed serially rather than concurrently. Serial operation is better than concurrent operation when each consumes roughly the same energy.

4. Reducing active energy is more important than reducing idle energy.

5. Because of non-ideal battery behavior, reducing average power or energy per operation may not increase the amount of computation completed in a battery life.

Slide 12

Energy harvesting (energy scavenging)

– Aims to collect ambient energy to help power systems, possibly storing energy when it is not required

Solar energy

Transducers that convert vibration energy into electrical energy (sources: floors, stairs and equipment housings)

Harvesting mechanical energy (such as the energy produced by a person walking or an object's movement; for example, self-winding watches, and hybrid cars that transfer energy from the engine to the battery during braking)

Temperature and pressure gradients.

Slide 13

Mostly applicable where there is demand for a small amount of continuous power, or for short periods of high power usage.

Can supplement a conventional energy source (to what extent?) when a mobile device is in a low-power sleep state or charging its battery; for instance, if a mobile user uses the device intensively for short periods, an energy harvesting system might be able to ensure that the battery is always topped up during the standby period.

Why needed? Due to significant manufacturing complexity, down-sizing of VLSI circuitry is slow, and it may improve switching power only at the cost of leakage current.

Slide 14

Research in energy harvesting

Improving existing energy transducers with more efficient components, or searching for fundamentally new materials with improved energy conversion properties.

Example: solar cells with greater than 20-30% efficiency can be achieved based on non-silicon solutions, or a better piezoelectric material than the commonly used PZT (lead zirconate titanate).

Better understanding of solid-state physics.

Slide 15

Software-based approach

Energy-Dependent Mobile Application Adaptation

Task Partitioning

Slide 16

Energy-Dependent Mobile Application Adaptation

Applications can dynamically modify their behavior to conserve energy.

Hardware-only power management:

a) Powering down as many h/w components as possible (e.g. disk in standby mode after 10 sec of inactivity).

b) Placing the wireless network interface in standby mode except during RPC calls or bulk transfers.

c) Turning off the display during speech recognition, for example, and disabling BIOS-based power management.

Hardware power management: 34% reduction in energy usage.

Slide 17

Lowering data fidelity (low resolution / color reduction / compression) yields significant energy savings.

Lowering fidelity can be combined with h/w power management.

[Ref: Jason et al., 1999]

Slide 18

Slide 19

1. There is a significant variation in the effectiveness of fidelity reduction

a) across data objects.

b) across applications.

2. Combining h/w power management with lowered fidelity can sometimes reduce energy usage below the product of their individual reductions. Intuitively, this is because reducing fidelity decreases h/w utilization, which in turn leaves more idle time for h/w power management to exploit.

Slide 20

Task Partitioning

Cyber Foraging / Surrogate Computing

Proxy-based task partitioning

Slide 21

Cyber Foraging / Surrogate Computing

Challenges:

1) Develop a mechanism whereby a potential surrogate can make some of its resources available to mobile devices.

2) Provide a means for surrogates to advertise their availability and for clients to locate surrogates with appropriate available resources.

3) Develop a mechanism whereby clients can transfer tasks to surrogates.

4) Make the remote execution of surrogate tasks largely transparent and easy to program.

5) Develop security and trust management so that surrogates can be assured that they will not be abused.

Slide 22

Features

• Share a common file system: middleware (heavy-weight); or a different file system (a surrogate connected to the internet will locate and download client applications).

• A highly coupled client and surrogate will increase network overhead and thus energy consumption. (Messer 2002)

• Application writers will partition the application at development time in a way that mitigates the above problem (for example, considering clients' limited resources and I/O interfaces), rather than relying on automatic partitioning. (Sachin et al. 2004) This is useful for data mining, distillation proxies, home applications, etc.

Slide 23

Proxy-based task partitioning

Proxy servers perform compression, transcode video in real time, access/provide directory services, and provide services on a rule basis for specific devices. Mobile devices thus negotiate with proxy servers for security, QoS and content delivery. A device may also create and send data through proxy servers to other mobile devices in the network. (Arun et al. 2004)

Slide 24

Proxy-based partitioning of a watermarking algorithm for reducing energy consumption

The mobile device (PDA) and the proxy (Intel Cel 1.7 GHz) are connected over an 802.11 wireless LAN using an SSL connection. (Arun et al. 2004)

Energy savings ranged from 42 J to a high of 236 J (for different watermarking and partitioning algorithms).

Slide 25

Energy-efficient Security Protocols

Slide 26

Analyzing the Energy Consumption of Security Protocols

Ref: Nachiketh et al. 2003

Slide 27

Slide 28

Slide 29

Discussion

AES has the least energy cost and BLOWFISH has the greatest.

The energy cost of IDEA for both encryption/decryption and key setup compares well with that of AES; however, the cryptanalytic strength of AES is better than that of IDEA.

SHA and SHA1 have better collision resistance (probability of two inputs mapping to the same value) than MD4 and MD5. This benefit comes at the cost of slightly higher energy cost.

RSA performs signature verification efficiently, while ECDSA imposes a smaller cost. (Choose based on scenario/importance!)

Slide 30

Energy analysis of SSL protocol

Step 1: HANDSHAKE

1) Server authentication: the client verifies the digital signature of a trusted CA on the server certificate using the public key of the CA, followed by an integrity check.

2) Client authentication: the client generates a digital signature by hashing some data, concatenating the digest and encrypting with its private key.

3) Key exchange: the client's pre-master secret is encrypted using the public key of the server.

Step 2: DATA TRANSMISSION

Slide 31

Slide 32

Slide 33

Slide 34

Discussion

With respect to client energy cost:

The RSA-based handshake is much more efficient than the ECC-based handshake when there is no client authentication in the SSL handshake stage.

In the presence of client authentication in the SSL handshake, the ECC-based handshake consumes less energy than the RSA-based handshake. Thus, depending on whether client authentication is performed or not, either the RSA-based or the ECC-based handshake should be chosen by the client to optimize its energy consumption.

ENERGY cost (highest to lowest):

1st) Asymmetric algorithms (the energy cost of asymmetric algorithms is very much dependent on the key size)

2nd) Symmetric algorithms (the cost of key set-up (key expansion) plus the encryption/decryption cost)

3rd) Hash algorithms.

Slide 35

Impact of cipher suite choice on SSL

Slide 36

Discussion

For data sizes smaller than 21 KB, ECC-3DES-SHA is more energy-efficient because ECC is simpler than RSA (and asymmetric energy consumption dominates that of small data transactions).

For transactions of bulk data (greater than 21 KB) to encrypt, RSA-RC5-SHA consumes less energy, because for large data transfers the energy consumption of the symmetric cipher dominates the total energy spent, and RC5 is much simpler than 3DES.

This shows that a judicious choice of cryptographic algorithms can greatly reduce the amount of energy consumed.

Slide 37

Summary

The energy consumption of the SSL protocol depends on: (i) use of client authentication in the handshake, (ii) the asymmetric algorithm used in the handshake, (iii) the key size of the asymmetric algorithm, (iv) the symmetric algorithm used in the record stage, (v) the hash algorithm used in the record stage, (vi) the size of the data to be transmitted, etc.

The cost function can be used to decide the best-performing among the possible alternatives, depending on the input conditions. Such high-level macro-models are the subject of future work, and would allow static, as well as dynamic, optimization of the SSL protocol for energy efficiency.
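The cost-function idea of slides 34, 36 and 37 as an added example (not code from the talk or from the Nachiketh et al. 2003 study it cites): a client picks the cipher suite with the lowest modelled energy for a given transaction size and client-authentication setting. Every energy coefficient is constructed to reproduce the slides' qualitative findings (RSA handshake cheaper than ECC only without client authentication, RC5 far cheaper per byte than 3DES, crossover near 21 KB) and is not a measured value.

```python
"""Added example: picking an SSL cipher suite by modelled client energy.

Total client energy for one transaction is modelled as a fixed handshake
cost (set by the asymmetric algorithm and by whether client authentication
is used) plus a record-stage cost proportional to the data size (symmetric
cipher plus hash).  Every coefficient below is CONSTRUCTED, not measured.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class SuiteCost:
    name: str
    handshake_mj: Dict[bool, float]   # client_auth -> handshake energy, mJ
    record_uj_per_kb: float           # record-stage energy per KB, microjoules

    def energy_mj(self, data_kb: float, client_auth: bool) -> float:
        """Fixed handshake cost plus per-KB record cost (slide 37's inputs)."""
        return self.handshake_mj[client_auth] + self.record_uj_per_kb * data_kb / 1000.0


# Constructed coefficients.  Slide 34: RSA handshake cheaper without client
# authentication, ECC cheaper with it.  Slide 36: RC5 far cheaper per byte
# than 3DES, with the crossover between the two suites near 21 KB.
SUITES: Sequence[SuiteCost] = (
    SuiteCost("ECC-3DES-SHA", {False: 40.0, True: 55.0}, 600.0),
    SuiteCost("RSA-RC5-SHA", {False: 30.0, True: 65.5}, 100.0),
)


def cheapest_suite(data_kb: float, client_auth: bool,
                   suites: Sequence[SuiteCost] = SUITES) -> str:
    """Name of the suite with the lowest modelled energy for this transaction."""
    return min(suites, key=lambda s: s.energy_mj(data_kb, client_auth)).name


def crossover_kb(a: SuiteCost, b: SuiteCost, client_auth: bool) -> Optional[float]:
    """Data size at which suites a and b cost the same.

    Returns None when one suite is cheaper at every size (identical per-KB
    slope, or the cheaper handshake also has the cheaper record stage).
    """
    slope_mj_per_kb = (a.record_uj_per_kb - b.record_uj_per_kb) / 1000.0
    if slope_mj_per_kb == 0:
        return None
    size = (b.handshake_mj[client_auth] - a.handshake_mj[client_auth]) / slope_mj_per_kb
    return size if size > 0 else None


def decision_table(sizes_kb=(1, 10, 20, 50, 100)) -> Dict[bool, Dict[int, str]]:
    """Chosen suite per data size, with and without client authentication."""
    return {auth: {kb: cheapest_suite(kb, auth) for kb in sizes_kb}
            for auth in (False, True)}


if __name__ == "__main__":
    ecc, rsa = SUITES
    for auth in (False, True):
        print(f"client auth={auth}: crossover {crossover_kb(ecc, rsa, auth)} KB")
        for kb, name in decision_table()[auth].items():
            print(f"  {kb:>4} KB -> {name}")
```

Without client authentication the RSA suite wins at every size, so `crossover_kb` returns None; with it, the choice flips from ECC-3DES-SHA to RSA-RC5-SHA at the 21 KB crossover, matching slide 36.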

Slide 38

Tamper Resistance

Slide 39

Overview

Brute force and factoring attacks (mathematical): easy to understand but futile.

Undesirable functionality. Example: a mobile network should prevent unauthorized calls from being placed (at handshaking), but an undocumented test mode or a buffer overflow may bypass those functions and place calls.

Slide 40

Case 1: Physical (invasive) and side-channel (non-invasive) attacks

Ref: Ravi et al. 04, Quisquater et al. 02

Invasive attacks involve getting access to the appliance and manipulating and interfering with system internals. (Hard to deploy.)

TYPES: a) Microprobing b) Design reverse engineering

Slide 41

Microprobing

Slide 42

Non-invasive attack:

A) Timing analysis

B) Fault induction techniques

C) Power and electromagnetic analysis based attack

Slide 43

Fault Induction

Hardware may fail to make correct computations, putting security at stake!

Example: RSA modular computations.

To deter this specific attack, RSA implementations can check their answers by performing the public key operation on the result and verifying that it regenerates the original message. (Boneh 01)
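The check described on this slide as an added example (not code from the talk): RSA signing with the Chinese Remainder Theorem, followed by the public-key operation on the result before the signature is released. The key is a constructed toy key (two 5-digit primes) so the demo runs instantly, and the `fault` parameter is a test hook standing in for a hardware glitch in one CRT half.

```python
"""Added example: RSA-CRT signing with a fault check (slide 43, Boneh 01).

Not code from the talk.  The signer computes the signature with the CRT
(two half-size exponentiations), then re-runs the public-key operation on
the result and releases the signature only if it reproduces the original
message.  A corrupted CRT half is therefore caught instead of being handed
to the caller.  The toy key is constructed; real keys are 2048 bits or more.
"""
from dataclasses import dataclass
from typing import Dict, Optional


class FaultDetected(Exception):
    """Raised when the computed signature fails the public-key re-check."""


@dataclass(frozen=True)
class RsaKey:
    p: int
    q: int
    e: int
    d: int

    @property
    def n(self) -> int:
        return self.p * self.q


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Derive the private exponent from two primes (toy key, no padding)."""
    phi = (p - 1) * (q - 1)
    return RsaKey(p, q, e, pow(e, -1, phi))   # modular inverse, Python 3.8+


# Constructed toy key: 10007 and 10009 are both prime.
TOY_KEY = make_key(10007, 10009)


def sign_crt(key: RsaKey, m: int, fault: Optional[str] = None) -> int:
    """Raw RSA signature m^d mod n computed via the CRT.

    `fault` is a test hook: "p" or "q" flips one bit of that half's
    intermediate result, simulating a glitch during the exponentiation.
    """
    dp, dq = key.d % (key.p - 1), key.d % (key.q - 1)
    sp = pow(m, dp, key.p)          # m^d mod p
    sq = pow(m, dq, key.q)          # m^d mod q
    if fault == "p":
        sp ^= 1
    elif fault == "q":
        sq ^= 1
    # Garner recombination: s = sq + q * ((sp - sq) * q^-1 mod p)
    q_inv = pow(key.q, -1, key.p)
    h = ((sp - sq) * q_inv) % key.p
    return sq + h * key.q


def verify(key: RsaKey, m: int, s: int) -> bool:
    """Public-key operation: does s^e mod n give back m?"""
    return pow(s, key.e, key.n) == m % key.n


def sign_checked(key: RsaKey, m: int, fault: Optional[str] = None) -> int:
    """Sign, then re-verify before releasing (the countermeasure on slide 43)."""
    s = sign_crt(key, m, fault)
    if not verify(key, m, s):
        raise FaultDetected("signature failed public-key re-check; withheld")
    return s


def demo() -> Dict[str, bool]:
    """Exercise the check on one message; reports the outcome of each case."""
    m = 123456
    out = {"clean_ok": verify(TOY_KEY, m, sign_checked(TOY_KEY, m))}
    for half in ("p", "q"):
        try:
            sign_checked(TOY_KEY, m, fault=half)
            out[f"fault_{half}_caught"] = False
        except FaultDetected:
            out[f"fault_{half}_caught"] = True
    return out


if __name__ == "__main__":
    print(demo())   # {'clean_ok': True, 'fault_p_caught': True, 'fault_q_caught': True}
```

The re-check costs one public-exponent exponentiation per signature, which is cheap next to the private operation; an unchecked faulty signature must never leave the device.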

Slide 44

Timing analysis

Keys could be determined by analyzing small variations in the time required to perform cryptographic computations, using statistical techniques to predict them. (Paul 96)

Instruction execution time variations (divide/multiply instructions take a number of cycles that depends on the data).

Slide 45

Power analysis attack

The power consumption of a h/w circuit is a function of its switching activity (hence of the data). The key used in a cryptographic algorithm can be inferred from power consumption statistics gathered over a wide range of input data.

Simple Power Analysis (SPA) determines the cryptographic algorithm used and the number of operations performed.

The brute-force search space for a DES implementation on an 8-bit processor with 7 bytes of key data can be reduced from 2^56 keys to 2^40 keys by SPA. (Messerges 02)

Slide 46

Differential Power Analysis (DPA) uses the difference between traces to overcome the measurement error and noise associated with SPA. It targeted DES (Kocher 99) but was later used to break public-key algorithms. (Messerges 99)

Slide 47

Case 2: Logical Attack

Buffer overflow
Failure to secure the code update process
Use of insecure cryptographic algorithms
Cryptographic protocol flaws
Key management failures
Random number generator defects
Use of debug modes that bypass security
Improper error handling, incorrect algorithms
Use of weak passwords

1. Complexity (security vulnerabilities)

2. Extensibility (dynamically loadable modules)

3. Connectivity

Slide 48

Contd..

Improper reuse of keys
Poor user interface
Operator errors
Pointer errors
Operating system weaknesses
Sequence counter overflows
Solving the wrong problems
Inability to re-establish security after compromises

Slide 49

Countermeasures for logical attacks

Privacy and integrity of sensitive code and data at every stage of execution.

Use of dedicated hardware to protect sensitive memory locations (Discretix), secure bootstrapping (Arbaugh et al. 97), use of a cryptographic file system (Goh et al. 03), sandboxing (Kiriansky 02).

Verification methods for finding security flaws in trusted s/w and security protocols are important. (Chess 02)

Slide 50

Case 3: Biometric identification

Fingerprint authentication is popular because fingerprint scanners can be produced inexpensively and require very little space.

A fingerprint-based sweep sensor (AT77C101B) is used in the Sharp Mebius Muramasa PC TN1-H1W tablet. The sensor captures successive images while the finger is swept across it. Resolution: 500 dpi. Sweeping eradicates latent images left on the sensor.

Slide 51

Flexibility

Slide 52

Concern

Need: the ability to interoperate in different environments. Devices thereby need to support distinct security protocols (at different network layers).

Example: a single protocol standard supports a wide range of cryptographic algorithms (like SSL).

Another challenge: continuous evolution of secure protocols. (In June 02, TLS was revised to accommodate AES.)

Slide 53

Many of the security protocols used in the wireless domain are adaptations of wired security protocols. E.g., WTLS matches the SSL/TLS standard closely.

Future wireless protocols: tailored from scratch for the wireless environment, considering power, performance, the unique states of the wireless environment, etc.

Slide 54

Designing (Modeling) & Verifying Security Protocols

Slide 55

Overview

Modeling is the process of abstracting the functional specification into a minimal working specimen (to understand and analyze the system more closely). Verification is the process of examining this specification for the presence of various errors that could lead to improper system operation.

Slide 56

Slide 57

Correctness

Checking of ‘Safety’ comprises two things: (1) checking local process assertions and invariants (if any), and (2) checking proper termination points of progress (end state levels – if any).

Validating ‘liveness’ comprises (1) looking for acceptance cycles, (2) looking for non-progress cycles, (3) using never claims – which defines an observer process that executes synchronously with the system, and (4) trace assertions – to reason about valid or invalid sequences of send or receive statements.

Slide 58

Related works

Adam D. Bradley, Azer Bestavros, Assaf J. Kfoury (2002)

Write Deadlock: C1.1 - S1.1. Resembles a DoS attack.

Slide 59

Proxy-2616-fixed handles this correctly

Slide 60

but

Problem: imperfect knowledge beyond the first hop

Slide 61

Sample Linear Temporal Logic Claim

It represents: whenever a message is sent by the 'Responder', it will eventually be accepted by the 'Requester'.

!([](p -> X(<>q)))

where p corresponds to "to_rcvr?[request(1)]" and q corresponds to "to_sndr?[response(1)] OR to_sndr?[err(1)]".
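A finite-trace reading of the claim above as an added example (not the talk's SPIN model): the checker evaluates [](p -> X(<>q)) over constructed event traces, with p and q encoded from the slide's channel propositions. SPIN negates the formula into a never claim describing the forbidden behaviour; this checker instead returns the position where the claim first breaks. The (channel, message, tag) event tuples and the trace names are assumptions of this example.

```python
"""Added example: finite-trace check of the LTL claim on slide 61.

The property  [](p -> X(<>q))  says: at every step where p holds, q holds
at some strictly later step.  Events are constructed (channel, message
type, tag) tuples modelled on the slide's propositions:
    p = to_rcvr?[request(1)]
    q = to_sndr?[response(1)] or to_sndr?[err(1)]
"""
from typing import Callable, Optional, Sequence, Tuple

Event = Tuple[str, str, int]          # (channel, message type, tag)
Prop = Callable[[Event], bool]


def p(ev: Event) -> bool:
    """to_rcvr?[request(1)]: a tag-1 request is queued towards the responder."""
    return ev == ("to_rcvr", "request", 1)


def q(ev: Event) -> bool:
    """to_sndr?[response(1)] OR to_sndr?[err(1)]: an answer for tag 1 reaches the requester."""
    return ev[0] == "to_sndr" and ev[1] in ("response", "err") and ev[2] == 1


def first_violation(trace: Sequence[Event], p: Prop, q: Prop) -> Optional[int]:
    """Earliest index i with p(trace[i]) and no q at any index > i.

    Returns None when the claim holds on the trace.  Finite-trace caveat:
    <>q can only be confirmed by a q that actually appears, so a trace that
    ends with an unanswered request is reported as a violation.
    """
    q_ahead = False          # has q been seen at a strictly later index?
    violation = None
    for i in range(len(trace) - 1, -1, -1):
        if p(trace[i]) and not q_ahead:
            violation = i    # keep scanning: an earlier violation wins
        if q(trace[i]):
            q_ahead = True
    return violation


def holds(trace: Sequence[Event]) -> bool:
    """True iff [](p -> X(<>q)) holds for the slide's p and q on this trace."""
    return first_violation(trace, p, q) is None


# Constructed traces.
ANSWERED = [("to_rcvr", "request", 1), ("to_sndr", "response", 1),
            ("to_rcvr", "request", 1), ("to_sndr", "err", 1)]
PENDING = [("to_rcvr", "request", 1), ("to_sndr", "response", 1),
           ("to_rcvr", "request", 1)]                 # second request never answered
WRONG_TAG = [("to_rcvr", "request", 1), ("to_sndr", "response", 2)]

if __name__ == "__main__":
    for name, tr in (("ANSWERED", ANSWERED), ("PENDING", PENDING), ("WRONG_TAG", WRONG_TAG)):
        print(f"{name}: holds={holds(tr)} first_violation={first_violation(tr, p, q)}")
```

As in the LTL formula itself, one later q satisfies every earlier p; the checker does not pair individual requests with individual responses.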

Slide 62

Simulation using the XSPIN tool

Slide 63

Verification in SuperTrace/BitState mode

Slide 64

Questions