Title | : | Automated Security Assessment for Fault Injection Attacks and Improper Realizations of Embedded Crypto Software |
Speaker | : | Ms. Keerthi (IIT-M) |
Details | : | Mon, 26 Aug, 2024 10:00 AM @ MR - I (SSB 233, Fir |
Abstract | : | With the exponential growth of IoT devices, their susceptibility to cyber-attacks has become a significant concern, especially since they are often integrated into critical cyber-physical systems, such as smart grids, industrial control, and medical systems. In these systems, cryptography plays a crucial role in ensuring the security and privacy of communicated data and the authenticity of the firmware that is executed on the device. Even though the security guarantees of cryptographic algorithms are well studied and investigated, the weakest link is often the implementation rather than the mathematical underpinning. The weaknesses can manifest in various attacks and are a serious concern, primarily because many IoT devices are deployed in critical cyber-physical systems where a compromised device could result in significant losses. We focus on two critical weaknesses in crypto implementations, namely, Fault Injection Attacks and Improper Realizations. These weaknesses pose significant threats to the security and integrity of crypto software, necessitating the development of robust detection and mitigation strategies. We propose automated tools to enhance the security of embedded crypto software by detecting and patching different Common Weakness Enumerations (CWEs) associated with fault injection attacks and improper realizations. Fault injection attacks are one of the most powerful forms of cryptanalytic attacks, where the attacker induces faults during the execution of the cipher to retrieve the secret key. Software implementations of ciphers need to be thoroughly evaluated for fault injection attacks. We proposed different automated frameworks to detect and patch fault attack vulnerabilities. The tools can introduce countermeasures appropriately to meet the target's requirements for security and performance.
Improper realizations of cipher implementations occur when essential cryptographic steps are either omitted or incorrectly implemented. The complexity of crypto implementations and their huge search space make detecting these flaws challenging. This vulnerability exposes the system to risks, even if the intended security measures are present. We leverage model-checking techniques to determine improper realizations of public-key cryptosystems with respect to their formal specification. We demonstrate how the huge state space of an Elliptic Curve Cryptography library can be aptly verified using a hierarchical assume-guarantee verification strategy. |