Bare Metal Forensics

Bare Metal Forensics, Doug Carson, Big Data in Cyber Security, 10th May 2016


Keysight IT Security & Compliance


The Evolving Cyber Threat Landscape

The consequences of innovation and increased reliance on information technology in the next few years will probably be far greater in scope and impact than ever. Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US Government systems.

James R. Clapper, Director of National Intelligence, Senate Armed Services Committee, Feb 9th 2016

Current perimeter-based approaches to IT enterprise security cannot address such highly connected and diverse Cyber Physical Systems.


Who Protects Cyber Physical Systems?

Measuring Endpoint Devices

Highly embedded, highly diverse connected devices
Impossible to embed scanning agent
Uncertain supply chain with custom SoCs
No compliance regime in place
Minimal testing to meet market windows and costs

Bare Metal Forensics
Exploit industry interconnect standards to gain visibility into devices
Exploit manufacturing test ports to control execution of device
Use precision analog measurements to detect side channel leakage

Bare Metal Forensics Principle

Cyber System
Physical Implementation Using Standard Components
Observed Phenomena
Inferred operation
Analyse Busses
Spoof Busses
Power & EM channels
Data Analysis

Component Standardisation

Bare Metal Attack Surface

Infiniium Bus Analysis Support

Power rails, 8B/10B, CAN, DigRF v4, DVI, HDMI, FlexRay, I2C/SPI, JTAG, LIN, MIPI CSI-3, MIPI D-PHY, MIPI LLI, MIPI RFFE, MIPI UniPro, MIPI UFS, PCIe Gen1 and Gen2, RS-232/UART, SATA/SAS, SPI, SVID, USB 2.0, USB 3.0, Super Speed Inter-Chip

The Big Data Angle

160 GSa/s = 1.28 Tbps
Noisy
Partial
Training data
Gigabytes!

Data Science on Measurement Traces

Previous Research
400 traces of 25K points
2 hours on 256 cores at UK National Supercomputing Centre
Correlation matrix of behavioural traces
Behavioural similarity network
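
The correlation matrix and behavioural similarity network named on this slide can be sketched as follows. This is an added example, not code from the presentation or the research it cites: the traces are constructed (two synthetic behaviours, three noisy captures each), and the function names and the 0.8 correlation threshold are assumptions.

```python
import math
import random

def pearson(a, b):
    # Pearson correlation of two equal-length measurement traces.
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0  # flat trace: no information

def correlation_matrix(traces):
    n = len(traces)
    m = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            m[i][j] = m[j][i] = pearson(traces[i], traces[j])
    return m

def similarity_network(matrix, threshold=0.8):
    # Edge (i, j) when two traces correlate at or above the assumed threshold.
    n = len(matrix)
    return {(i, j) for i in range(n) for j in range(i + 1, n)
            if matrix[i][j] >= threshold}

def behaviour_groups(n, edges):
    # Connected components of the network (union-find): one group per behaviour.
    parent = list(range(n))
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for i, j in edges:
        parent[find(i)] = find(j)
    groups = {}
    for i in range(n):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())

def make_traces(seed=1, points=500):
    # Constructed sample data: two device behaviours, three noisy captures each.
    rng = random.Random(seed)
    shape_a = [math.sin(2 * math.pi * t / 50) for t in range(points)]
    shape_b = [1.0 if (t // 40) % 2 else -1.0 for t in range(points)]
    return [[v + rng.gauss(0, 0.2) for v in s] for s in [shape_a] * 3 + [shape_b] * 3]

if __name__ == "__main__":
    print(behaviour_groups(6, similarity_network(correlation_matrix(make_traces()))))
```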


Bare Metal Forensics Project

High speed signal capture and generation
Signal analysis software
Device measurement science
World class cyber forensics research, teaching and training
Accredited MSc
Private and public sector partnerships
Local cyber industry
Public bodies

Side Channel Attack

Plaintext Message
Encrypted Message
Cryptographic Function
Secret Key
Power, Heat, Time, Sound

Side Channel Monitoring
A side channel attack is carried out by monitoring the physical outputs of a device (e.g. power consumption, time taken to carry out an operation, emission of heat, light and sound).

Side channel signal

Exploiting Side Channels

Side Channel Attack Demonstration

Summary

Insecure embedded devices in the IoT will lead to widespread vulnerabilities in critical infrastructure
Current OS agent based techniques do not address these devices
Device operation clues can be inferred from electronic measurement traces
Data science research underway to develop analytics to detect vulnerabilities from measurement traces