# Types of Cybersecurity Attacks

#### **Malware Focus**

Inserting malicious code into the computer's program memory and tricking the processor into executing it.

# Background

# The Malware Cybersecurity Challenge

- The nation's cyber infrastructure consists of a massive number of identical computer systems.
- This homogeneity is advantageous because a single piece of software can be deployed across millions of systems to increase capacity.

# The attacker's advantages become greater as we move to Embedded Computing.

**Personal Computers**

- 400 Million sold in 2018

**Smart Phones**

- 1.5 Billion sold in 2018

#### **Embedded Computers**

- 25 Billion Computers

**Embedded Computers need Protection from Cyber Attacks as well**

### **Hardware Diversity**

- Homogeneous hardware gives attackers of embedded systems advantages when injecting code.
- These attacks can be defeated by using heterogeneous hardware, but at the loss of single-architecture development.

### **Hardware Diversity**

- Hardware is fixed and takes months/years to fabricate.
- There has been some prior work in the area of randomization of instruction sets in Virtual Machines, with promising results.

#### **Embedded Computer Characteristics**

- Dedicated software, not general-purpose.
- Smaller (sometimes 8-pin packages)
- Lower clock frequencies (1 MHz to 16 MHz)
- Smaller memories (256k to 1M)
- Often no OS other than a real-time scheduler.

Missiles (Left: RMD SM-6, Right: RMD Patriot)

Radar (Left: RMD GhostEye® Radar, Right: RMD SPY-6)

# Our Approach (FPGAs!)

### **FPGA Design**

Field Programmable Gate Arrays (FPGAs) allow hardware to be designed using a Hardware Description Language (HDL).

#### **Diversification**

Once an embedded computer is designed in HDL, scripts can be written to create alterations of the computer.
### **Compile Time Diversification**

The scripts that alter the HDL design can be executed as part of the code generation from a C compiler.

# Our Approach (Three Cores)

Once we control the HDL generation, we can make modifications to the design and even replicate it.

# Our Approach (Under Attack)

- The three cores share input ports, meaning they cannot be individually targeted.
- A malware attack will insert execution binaries into each of the 3x cores' program memory on the FPGA.
- But since the attacker compiled the malware for the publicly available Baseline computer's opcodes, it is the only one that executes the malware.
- The computers with randomized opcodes don't recognize the malware.
- We can either throw an exception or run a pre-defined routine to remove the malware.

But how do we map the original source code opcode assignments used by the compiler into the two heterogeneous cores?

[Figure: build flow, with blocks labelled Source Code (main.c), Compiler, Processor Definition (header file), Machine Code (object file), Disassembly, Opcode Translator, Program Memory 1 / Opcode Def 1 and Program Memory 2 / Opcode Def 2 (VHDL Files), HDL Description of 3x Computers & Attack Detect Voter, FPGA Design Tools (Synthesis & Implementation), and the resulting Malware Resistant Computer (Core 2, Core 3, Attack Detect Voter).]

- The translator produces VHDL files for the Program Memory & Opcode Definition for the other two computers.
- The synthesis step creates 3x functionally equivalent, heterogeneous computers running the same software, just with different opcode assignments. Since the different opcodes alter the control unit synthesis, it results in different hardware.

# Testbed for Demonstration

- We built a fully functional MSP430.
- Standard Eclipse programming environment.
- We used the DE0-CV FPGA board with an Intel Cyclone V FPGA.
- The computer periodically sends the stepper motor its setpoint angle. The send frequency is dictated by a timer that triggers an interrupt.
- The computer continuously reads the <u>actual angle</u> of the missile from the sensor and compares it to the setpoints. It adjusts the motor accordingly.
- New setpoints are received asynchronously from a user over UART. An Rx on the UART link triggers an IRQ.

```
// Main loop body (excerpt). The globals RXBUF, rx_index, set_angle,
// decode_array, frequency, temp and index are declared elsewhere.

// Delay loop: gives the UART transfer time to finish before rx_index is reset
for(index=0xFFFF;index!=0;index--){
    NOP();
}

// Select the setpoint from the first received byte
temp = RXBUF[0];
if(temp == '1'){
    set_angle = 47;
}else if (temp=='2'){
    set_angle = 79;
}else{
    set_angle = 61;
}

// Reset the receive index only when exactly one byte has arrived
if(rx_index == 1){
    rx_index=0;
}

// Read the actual angle from the sensor and steer towards the setpoint
temp = decode_array[P1IN];
if(temp<set_angle){
    P2OUT &=~(BIT2); //enable stepper motor
    P2OUT |=(BIT1);  //set direction
    P2OUT &=~(BIT5); //set direction
    temp = set_angle-temp;
}else if (temp>set_angle){
    P2OUT &=~(BIT2); //enable stepper motor
    P2OUT &=~(BIT1); //set direction
    P2OUT |=(BIT5);  //set direction
    temp = temp-set_angle;
}else{
    P2OUT |=BIT2;    //Disable stepper motor
}
frequency = 4000 - 63*(temp);

// Timer ISR: generates the stepper motor pulses
#pragma vector = TIMER0_B0_VECTOR
__interrupt void Timer_ISR(){
    TB0CCR0+=frequency;
    P2OUT ^=BIT4;
    //frequency+=1;
    TB0CCTL0 &=~ CCIFG;
}

// Service UART: stores each received byte; rx_index is not bounds-checked
#pragma vector = EUSCI_A1_VECTOR
__interrupt void ISR_EUSCI_A1(void) {
    RXBUF[rx_index++] = UCA1RXBUF;
    UCA1IFG &= ~UCRXIFG;
}
```

**Program Vulnerabilities** (Classic Buffer Overflow Attack)

1. When the user sends a new setpoint over UART, an IRQ triggers, stacks the return address, and retrieves the new value for RXBUF.
2. But the developer introduced a vulnerability by adding a delay loop in the main program to allow the UART to complete before resetting the input buffer size back to 0.

This allows the attacker to stream in malicious code and replace the correct ISR return address.

[Figure: data memory map showing addresses x2000 and x3000, with the global variables region marked.]

### MSP430 Attack - How it looks in data memory...
[Figure: memory browser view of data memory around addresses 0x002100 to 0x002108, with callouts "The vulnerability", "set angle", "The Inserted Malware" and "UART ISR Return Address".]

A NOP sled is used so that the exact ISR return address isn't needed.

### The same attack made on our system

The malware still gets inserted via buffer overflow.

[Figure: data memory map from x2000 (global variables) to x3000 (stack), listing decode_array, frequency, set_angle, rx_index, NOP NOP NOP, malware, NOP NOP NOP, new ISR return address.]

But as soon as the system starts reading the inserted code in the CPU, it detects that all opcodes are the same!!!

We can see how CyberShield responds by measuring the instruction registers in the CPU with a logic analyzer.

All opcodes are different by design:

| Core | Instruction register values (capture order) |
|------------|----------------------------------|
| Lowlife | h0 h2 hF h2 h7 h0 hF h2 h7 h0 h2 |
| Baseline | h0 h4 h1 h4 h9 h2 h1 h4 h9 h2 h4 |
| Highroller | h0 h6 h3 h6 hB h4 h3 h6 hB h4 h6 |

The attack is detected when all three CPUs see the same opcode:

| Core | Instruction register values (capture order) |
|------------|-------------------------------|
| Baseline | h5 h1 h4 h5 h4 hC h4 h1 h4 h0 |
| Lowlife | h3 hF h2 h3 h2 hA h2 hF h2 h0 |
| Highroller | h7 h3 h6 h7 h6 hE h6 h3 h6 h0 |

CyberShield halts operation and initiates a recovery procedure. After flushing out the malware, CyberShield resumes normal operation. The rapid nature of hardware recovery allows low latency and the ability to operate-through-attack.
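The detection rule behind these captures can be modelled on a host PC. The C model below is an added example, not CyberShield's own code: it assumes the opcode is the top nibble of a 16-bit word and that the Lowlife and Highroller opcode tables are the Baseline table shifted by -2 and +2, which agrees with the captured h4/h2/h6 values. The function names and sample words are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed model, not CyberShield's HDL: opcode = top nibble of a 16-bit word;
 * each core's table is the Baseline table rotated by a fixed offset. */
enum { BASELINE, LOWLIFE, HIGHROLLER, NCORES, MEMWORDS = 16 };
static const int OFFSET[NCORES] = { 0, -2, 2 };
static unsigned opcode(uint16_t w) { return w >> 12; }

/* Opcode translator: re-encode one Baseline instruction word for a core. */
uint16_t translate(uint16_t w, int core) {
    int op = ((int)opcode(w) + OFFSET[core] + 16) & 0xF;
    return (uint16_t)((op << 12) | (w & 0x0FFF));
}

/* Attack-detect voter: trips when all three instruction registers agree. */
int voter_trips(uint16_t a, uint16_t b, uint16_t c) {
    return opcode(a) == opcode(b) && opcode(b) == opcode(c);
}

/* Build the three program memories from one Baseline image. */
void load_program(uint16_t mem[NCORES][MEMWORDS], const uint16_t *img, size_t n) {
    for (size_t i = 0; i < n && i < MEMWORDS; i++)
        for (int c = 0; c < NCORES; c++) mem[c][i] = translate(img[i], c);
}

/* Shared input path: identical raw words reach every core untranslated. */
int inject(uint16_t mem[NCORES][MEMWORDS], size_t at, const uint16_t *raw, size_t n) {
    if (at > MEMWORDS || n > MEMWORDS - at) return -1;
    for (size_t i = 0; i < n; i++)
        for (int c = 0; c < NCORES; c++) mem[c][at + i] = raw[i];
    return 0;
}

/* Fetch in lockstep; return the first address where the voter trips, or -1. */
int first_detection(uint16_t mem[NCORES][MEMWORDS], size_t n) {
    for (size_t pc = 0; pc < n && pc < MEMWORDS; pc++)
        if (voter_trips(mem[0][pc], mem[1][pc], mem[2][pc])) return (int)pc;
    return -1;
}

int main(void) {
    const uint16_t prog[4] = { 0x4031, 0x1234, 0x9ABC, 0x2FFE }; /* constructed */
    const uint16_t raw[2] = { 0x4303, 0x4303 };                  /* constructed */
    uint16_t mem[NCORES][MEMWORDS] = {{0}};
    load_program(mem, prog, 4);
    printf("clean image: %d\n", first_detection(mem, 4));
    inject(mem, 2, raw, 2);
    printf("after injection: %d\n", first_detection(mem, 4));
    return 0;
}
```

Because the three assumed tables never map one instruction to the same opcode, translated code cannot trip the voter; only words that bypassed the translator can.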
[Figure: logic analyzer capture of the Baseline, Lowlife, Highroller and UART signals, with cursor readouts ΔX: 1.602, ΔX: 32.78 ms and 1/ΔX: 30.5046382 Hz.]

### Conclusion

- CyberShield is an approach to defeating malware by introducing diversity at the hardware level.
- This is enabled by real-time HDL generation at compile-time.
- A buffer insertion attack was used to test CyberShield.
- CyberShield was able to detect the malware, remove it, and continue operation while an MCU was not.

### Questions