Attacks on Secure Embedded Systems

At the top level, attacks are classified into three main categories based on their functional objectives.

• Privacy attacks: The objective of these attacks is to gain knowledge of sensitive information stored,
  communicated, or manipulated within an embedded system.
• Integrity attacks: These attacks attempt to change data or code associated with an embedded system.
• Availability attacks: These attacks disrupt the normal functioning of the system by mis-appropriating
  system resources so that they are unavailable for normal operation.

A second level of classification of attacks on embedded systems is based on the agents or means used to
launch the attacks. These agents are typically grouped into three main categories as shown in Figure 1:

Figure 1: Taxonomy of attacks on embedded systems

1. Software attacks : which refer to attacks launched through software agents such as viruses,
   trojan horses, worms, etc.
2. Physical or Invasive attacks : which refer to attacks that require physical intrusion into the system
   at some level (chip, board, or system level).
3. Side-channel attacks : which refer to attacks that are based on observing properties of the system
   while it performs cryptographic operations, e.g., execution time, power consumption, or behavior in the
   presence of faults.

The agents used to launch attacks may either be passive in the sense that they do not interfere in any
manner with system execution (e.g., merely probe or observe certain properties), or may actively
interfere with the target system’s operation. Integrity and availability attacks require interference
with the system in some manner, and hence can be launched only through active agents.

It bears mentioning that, although we have classified attacks into various categories for the sake of
understanding. In practice, attackers often use a combination of various techniques to achieve their
objectives. For example, physical attacks may be used as a pre-cursor to side-channel attacks
(removing a chip’s packaging before observing the values on global wires within the chip). Our
classification is also by no means exhaustive, nor is it intended to be — the ingenuity of attackers
who invariably come up with new schemes to break security is arguably the greatest challenge to
tamper-resistant design.

Security a New Dimension in Embedded System Design

Embedded systems, which will be ubiquitously used to capture, store, manipulate, and access data of a
sensitive nature, pose several unique and interesting security challenges. Security has been the
subject of intensive research in the areas of cryptography, computing, and networking. However,
security is often mis-construed by embedded system designers as the addition of features, such as
specific cryptographic algorithms and security protocols, to the system. In reality, it is an entirely
new metric that designers should consider throughout the design process, along with other metrics
such as cost, performance, and power.security in one form or another is a requirement for an increasing
number of embedded systems, ranging from low-end systems such as PDAs, wireless handsets, networked
sensors, and smart cards, to high-end systems such as routers, gateways, firewalls, storage servers,
and web servers. Technological advances that have spurred the development of these electronic systems
have also ushered in seemingly parallel trends in the sophistication of security attacks. It has been
observed that the cost of insecurity in electronic systems can be very high. For example, it was
estimated that the “I Love You” virus caused nearly one billion dollars in lost revenues worldwide.
With an increasing proliferation of such attacks, it is not surprising that a large number of users in
the mobile commerce world (nearly 52% of cell phone users and 47% of PDA users, according to a survey
by Forrester Research) feel that security is the single largest concern preventing the successful
deployment of next-generation mobile services. With the evolution of the Internet, information and
communications security has gained significant attention. For example, various security protocols
and standards such as IPSec, SSL, WEP, and WTLS, are used for secure communications. While security
protocols and the cryptographic algorithms they contain address security considerations from a
functional perspective, many embedded systems are constrained by the environments they operate in, and
by the resources they possess. For such systems, there are several factors that are moving security
considerations from a functioncentric perspective into a system architecture (hardware/software) design issue.

• An ever increasing range of attack techniques for breaking security such as software, physical and
  side-channel attacks require that the embedded system be secure even when it can be logically or physically
  accessed by malicious entities. Resistance to such attacks can be ensured only if built into the system
  architecture and implementation.

• The processing capabilities of many embedded systems are easily overwhelmed by the computational demands of
  security processing, leading to undesirable tradeoffs between security and cost, or security and performance.

• Battery-driven systems and small form-factor devices such as PDAs, cell phones and networked sensors often
  operate under stringent resource constraints (limited battery, storage and computation capacities). These
  constraints only worsen when the device is subject to the demands of security.

• Embedded system architectures need to be flexible enough to support the rapid evolution of security mechanisms
  and standards.
• New security objectives, such as denial of service and digital content protection, require a higher degree of
  co-operation between security experts and embedded system architects.