
Title: Low-Cost and Secure Firmware Obfuscation Method for Protecting Electronic Systems from Cloning
The continuous growth of the cloning of electronic devices poses a severe threat to our critical infrastructure that uses the Internet, as cloned devices can transmit secret information and cause security concerns. Cloned devices can also be unreliable, as they may be manufactured with inferior-quality materials and may have many defects because they were not tested properly. It is thus extremely important to protect these electronic devices from cloning. An efficient way to prevent a device from being cloned is to prevent the firmware from being copied because, without the proper firmware, the device will not function like the original. In this paper, we present a novel firmware obfuscation method that does not encrypt the entire memory. The firmware is obfuscated by swapping a subset of instructions. The instructions to be swapped are specifically chosen so that an attacker cannot discover their location. During operation, the hardware reconstructs the original program using a PUF-generated identifier (ID) and a small memory that stores the swapped instructions. An adversary cannot make the program work completely without knowing which instructions have been swapped, as the program will execute in the wrong sequence and produce incorrect results. Our proposed solution requires only a small overhead to reconstruct the firmware, making it practical for devices with strict resource constraints. This solution also allows remote updates of new obfuscated firmware without any modification and is practical for the rising trend of ubiquitous computing.
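An added toy simulation of the swap-and-reconstruct idea described in the abstract (this is not the paper's design or code): instruction positions are derived from a simulated PUF response through an assumed SHA-256 expansion, the displaced instructions live in a separate small memory, and only the correct PUF ID restores the original execution order. The accumulator machine, PROGRAM, PUF_ID and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy accumulator program (not from the paper); HALT stays in place.
PROGRAM = [("LOAD", 5), ("MUL", 3), ("ADD", 4), ("SUB", 2),
           ("MUL", 2), ("ADD", 1), ("HALT", 0)]
PUF_ID = b"\x5a\xc3\x11\x7e"  # constructed stand-in for a PUF response
OPS = {"LOAD": lambda acc, a: a, "ADD": lambda acc, a: acc + a,
       "SUB": lambda acc, a: acc - a, "MUL": lambda acc, a: acc * a}

def run(program):
    """Execute the toy program in order and return the accumulator."""
    acc = 0
    for op, arg in program:
        if op == "HALT":
            break
        acc = OPS[op](acc, arg)
    return acc

def swap_positions(puf_id, n_instr, n_swaps):
    """Derive n_swaps distinct instruction indices from the PUF ID.
    Assumed expansion: SHA-256 in counter mode (the paper's selection rule is not shown here)."""
    assert n_swaps <= n_instr
    chosen, counter = [], 0
    while len(chosen) < n_swaps:
        digest = hashlib.sha256(puf_id + counter.to_bytes(4, "big")).digest()
        for b in digest:
            if b % n_instr not in chosen and len(chosen) < n_swaps:
                chosen.append(b % n_instr)
        counter += 1
    return chosen

def obfuscate(program, puf_id, n_swaps=3):
    """Rotate the instructions at PUF-derived positions. Returns the obfuscated
    image and the small memory holding the displaced originals (locations are not stored)."""
    positions = swap_positions(puf_id, len(program) - 1, n_swaps)  # exclude HALT
    originals = [program[p] for p in positions]
    image = list(program)
    for i, p in enumerate(positions):
        image[p] = originals[(i + 1) % n_swaps]
    return image, originals

def reconstruct(image, swap_mem, puf_id):
    """Run-time step: recompute the positions from the PUF ID and write back."""
    positions = swap_positions(puf_id, len(image) - 1, len(swap_mem))
    program = list(image)
    for i, p in enumerate(positions):
        program[p] = swap_mem[i]
    return program
```

An adversary holding both the obfuscated image and the contents of the small memory still lacks the positions, which exist only as a function of the device's PUF response.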
Award ID(s): 1755733
NSF-PAR ID: 10088997
Journal Name: IEEE Internet of Things Journal
Page Range or eLocation-ID: 1 to 1
ISSN: 2372-2541
Sponsoring Org: National Science Foundation
More Like this
  1. In modern healthcare, smart medical devices are used to ensure better and informed patient care. Such devices have the capability to connect to and communicate with the hospital's network or a mobile application over Wi-Fi or Bluetooth, allowing doctors to remotely configure them, exchange data, or update the firmware. For example, Cardiovascular Implantable Electronic Devices (CIED), more commonly known as pacemakers, are increasingly becoming smarter, connected to the cloud or healthcare information systems, and capable of being programmed remotely. Healthcare providers can upload new configurations to such devices to change the treatment. Such configurations are often exchanged, reused, and/or modified to match the patient's specific health scenario. Such capabilities, unfortunately, come at a price. Malicious entities can provide a faulty configuration to such devices, leading to the patient's death. Any update to the state or configuration of such devices must be thoroughly vetted before applying them to the device. In case of any adverse events, we must also be able to trace the lineage and propagation of the faulty configuration to determine the cause and liability issues. In a highly distributed environment such as today's hospitals, ensuring the integrity of configurations and security policies is difficult and often requires a more complex setup. As configurations propagate, traditional access control and authentication of the healthcare provider applying the configuration is not enough to prevent installation of malicious configurations. In this paper, we argue that a provenance-based approach can provide an effective solution towards hardening the security of such medical devices. In this approach, devices would maintain a verifiable provenance chain that would allow assessing not just the current state, but also the past history of the configuration of the device. Also, any configuration update would be accompanied by its own secure provenance chain, allowing verification of the origin and lineage of the configuration. The ability to protect and verify the provenance of devices and configurations would lead to better patient care, prevent malfunction of the device due to malicious configurations, and allow after-the-fact investigation of device configuration issues. In this paper, we advocate the benefits of such an approach and sketch the requirements, implementation challenges, and deployment strategies for such a provenance-based system.
  2. The increased ubiquitousness of small smart devices, such as cellphones, tablets, smart watches and laptops, has led to unique user data, which can be locally processed. The sensors (e.g., microphones and webcam) and improved hardware of the new devices have allowed running deep learning models that 20 years ago would have been exclusive to high-end expensive machines. In spite of this progress, state-of-the-art algorithms for facial expression recognition (FER) rely on architectures that cannot be implemented on these devices due to computational and memory constraints. Alternatives involving cloud-based solutions impose privacy barriers that prevent their adoption or user acceptance in a wide range of applications. This paper proposes a lightweight model that can run in real-time for image facial expression recognition (IFER) and video facial expression recognition (VFER). The approach relies on a personalization mechanism locally implemented for each subject by fine-tuning a central VFER model with unlabeled videos from a target subject. We train the IFER model to generate pseudo labels and we select the videos with the highest confident predictions to be used for adaptation. The adaptation is performed by implementing a federated learning strategy where the weights of the local model are averaged and used by the central VFER model. We demonstrate that this approach can improve not only the performance on the edge device providing personalized models to the users, but also the central VFER model. We implement a federated learning strategy where the weights of the local models are averaged and used by the central VFER. Within-corpus and cross-corpus evaluations on two emotional databases demonstrate that edge models adapted with our personalization strategy achieve up to 13.1% gains in F1-scores. Furthermore, the federated learning implementation improves the mean micro F1-score of the central VFER model by up to 3.4%. The proposed lightweight solution is ideal for interactive user interfaces that preserve the data of the users.
  3. The vision of smart homes is rapidly becoming a reality, as the Internet of Things and other smart devices are deployed widely. Although smart devices offer convenience, they also create a significant management problem for home residents. With a large number and variety of devices in the home, residents may find it difficult to monitor, or even locate, devices. A central controller that brings all the home's smart devices under secure management and a unified interface would help homeowners and residents track and manage their devices. We envision a solution called the SPLICEcube whose goal is to detect smart devices, locate them in three dimensions within the home, securely monitor their network traffic, and keep an inventory of devices and important device information throughout the device's lifecycle. The SPLICEcube system consists of the following components: 1) a main cube, which is a centralized hub that incorporates and expands on the functionality of the home router, 2) a database that holds network data, and 3) a set of support cubelets that can be used to extend the range of the network and assist in gathering network data. To deliver this vision of identifying, securing, and managing smart devices, we introduce an architecture that facilitates intelligent research applications (such as network anomaly detection, intrusion detection, device localization, and device firmware updates) to be integrated into the SPLICEcube. In this thesis, we design a general-purpose Wi-Fi architecture that underpins the SPLICEcube. The architecture specifically showcases the functionality of the cubelets (Wi-Fi frame detection, Wi-Fi frame parsing, and transmission to cube), the functionality of the cube (routing, reception from cubelets, information storage, data disposal, and research application integration), and the functionality of the database (network data storage). We build and evaluate a prototype implementation to demonstrate our approach is scalable to accommodate new devices and extensible to support different applications. Specifically, we demonstrate a successful proof-of-concept use of the SPLICEcube architecture by integrating a security research application: an "Inside-Outside detection" system that classifies an observed Wi-Fi device as being inside or outside the home.
  4. Resonant tunneling diodes (RTDs) have come full-circle in the past 10 years after their demonstration in the early 1990s as the fastest room-temperature semiconductor oscillator, displaying experimental results up to 712 GHz and fmax values exceeding 1.0 THz [1]. Now the RTD is once again the preeminent electronic oscillator above 1.0 THz and is being implemented as a coherent source [2] and a self-oscillating mixer [3], amongst other applications. This paper concerns RTD electroluminescence, an effect that has been studied very little in the past 30+ years of RTD development, and not at room temperature. We present experiments and modeling of an n-type In0.53Ga0.47As/AlAs double-barrier RTD operating as a cross-gap light emitter at ~300 K. The MBE-growth stack is shown in Fig. 1(a). A 15-μm-diam-mesa device was defined by standard planar processing including a top annular ohmic contact with a 5-μm-diam pinhole in the center to couple out enough of the internal emission for accurate free-space power measurements [4]. The emission spectra have the behavior displayed in Fig. 1(b), parameterized by bias voltage (VB). The long wavelength emission edge is at 1684 nm, close to the In0.53Ga0.47As bandgap energy of Ug ≈ 0.75 eV at 300 K. The spectral peaks for VB = 2.8 and 3.0 V both occur around 1550 nm (h = 0.75 eV), so blue-shifted relative to the peak of the "ideal", bulk InGaAs emission spectrum shown in Fig. 1(b) [5]. These results are consistent with the model displayed in Fig. 1(c), whereby the broad emission peak is attributed to the radiative recombination between electrons accumulated on the emitter side, and holes generated on the emitter side by interband tunneling with current density Jinter. The blue-shifted main peak is attributed to the quantum-size effect on the emitter side, which creates a radiative recombination rate RN,2 comparable to the band-edge cross-gap rate RN,1. Further support for this model is provided by the shorter wavelength and weaker emission peak shown in Fig. 1(b) around 1148 nm. Our quantum mechanical calculations attribute this to radiative recombination RR,3 in the RTD quantum well between the electron ground-state level E1,e and the hole level E1,h. To further test the model and estimate quantum efficiencies, we conducted optical power measurements using a large-area Ge photodiode located ≈3 mm away from the RTD pinhole, and having spectral response between 800 and 1800 nm with a peak responsivity of ≈0.85 A/W at 1550 nm. Simultaneous I-V and L-V plots were obtained and are plotted in Fig. 2(a) with positive bias on the top contact (emitter on the bottom). The I-V curve displays a pronounced NDR region having a current peak-to-valley current ratio of 10.7 (typical for In0.53Ga0.47As RTDs). The external quantum efficiency (EQE) was calculated from EQE = e∙IP/(∙IE∙h) where IP is the photodiode dc current and IE the RTD current. The plot of EQE is shown in Fig. 2(b) where we see a very rapid rise with VB, but a maximum value (at VB = 3.0 V) of only ≈2×10^-5. To extract the internal quantum efficiency (IQE), we use the expression EQE = c ∙i ∙r ≡ c∙IQE where ci, and r are the optical-coupling, electrical-injection, and radiative recombination efficiencies, respectively [6]. Our separate optical calculations yield c ≈ 3.4×10^-4 (limited primarily by the small pinhole) from which we obtain the curve of IQE plotted in Fig. 2(b) (right-hand scale). The maximum value of IQE (again at VB = 3.0 V) is 6.0%. From the implicit definition of IQE in terms of i and r given above, and the fact that the recombination efficiency in In0.53Ga0.47As is likely limited by Auger scattering, this result for IQE suggests that i might be significantly high. To estimate i, we have used the experimental total current of Fig. 2(a), the Kane two-band model of interband tunneling [7] computed in conjunction with a solution to Poisson's equation across the entire structure, and a rate-equation model of Auger recombination on the emitter side [6] assuming a free-electron density of 2×10^18 cm^-3. We focus on the high-bias regime above VB = 2.5 V of Fig. 2(a) where most of the interband tunneling should occur in the depletion region on the collector side [Jinter,2 in Fig. 1(c)]. And because of the high quality of the InGaAs/AlAs heterostructure (very few traps or deep levels), most of the holes should reach the emitter side by some combination of drift, diffusion, and tunneling through the valence-band double barriers (Type-I offset) between InGaAs and AlAs. The computed interband current density Jinter is shown in Fig. 3(a) along with the total current density Jtot. At the maximum Jinter (at VB = 3.0 V) of 7.4×10^2 A/cm^2, we get i = Jinter/Jtot = 0.18, which is surprisingly high considering there is no p-type doping in the device. When combined with the Auger-limited r of 0.41 and c ≈ 3.4×10^-4, we find a model value of IQE = 7.4% in good agreement with experiment. This leads to the model values for EQE plotted in Fig. 2(b), also in good agreement with experiment. Finally, we address the high Jinter and consider a possible universal nature of the light-emission mechanism. Fig. 3(b) shows the tunneling probability T according to the Kane two-band model in the three materials, In0.53Ga0.47As, GaAs, and GaN, following our observation of a similar electroluminescence mechanism in GaN/AlN RTDs (due to strong polarization field of wurtzite structures) [8]. The expression is Tinter = (2/9)∙exp[(-2 ∙Ug 2 ∙me)/(2h∙P∙E)], where Ug is the bandgap energy, P is the valence-to-conduction-band momentum matrix element, and E is the electric field. Values for the highest calculated internal E fields for the InGaAs and GaN are also shown, indicating that Tinter in those structures approaches values of ~10^-5. As shown, a GaAs RTD would require an internal field of ~6×10^5 V/cm, which is rarely realized in standard GaAs RTDs, perhaps explaining why there have been few if any reports of room-temperature electroluminescence in the GaAs devices.
     [1] E.R. Brown et al., Appl. Phys. Lett., vol. 58, 2291, 1991. [2] M. Feiginov et al., Appl. Phys. Lett., 99, 233506, 2011. [3] Y. Nishida et al., Nature Sci. Reports, 9, 18125, 2019. [4] P. Fakhimi et al., 2019 DRC Conference Digest. [5] S. Sze, Physics of Semiconductor Devices, 2nd Ed., 12.2.1 (Wiley, 1981). [6] L. Coldren, Diode Lasers and Photonic Integrated Circuits (Wiley, 1995). [7] E.O. Kane, J. Appl. Phys. 32, 83 (1961). [8] T. Growden et al., Nature Light: Science & Applications 7, 17150 (2018).
  5. In the recent past, there has been a rapid increase in attacks on consumer Internet-of-Things (IoT) devices. Several attacks currently focus on easy targets for exploitation, such as weak configurations (weak default passwords). However, with governments, industries, and organizations proposing new laws and regulations to reduce and prevent such easy targets in the IoT space, attackers will move to more subtle exploits in these devices. Memory corruption vulnerabilities are a significant class of vulnerabilities in software security through which attackers can gain control of the entire system. Numerous memory corruption vulnerabilities have been found in IoT firmware already deployed in the consumer market. This paper presents an approach for exploiting stack-based buffer-overflow attacks in IoT firmware, to hijack the device remotely. To show the feasibility of this approach, we demonstrate exploiting a common network software application, Connman, used widely in IoT firmware such as Samsung smart TVs. A series of experiments are reported on, including: crashing and executing arbitrary code in the targeted software application in a controlled environment, adopting the attacks in uncontrolled environments (with standard software defenses such as W⊕X and ASLR enabled), and installing publicly available IoT firmware that uses this software application on a Raspberry Pi. The presented exploits demonstrate the ease with which an adversary can control IoT devices.