security engineering lab - seceng – technical university of ......defenses against sensor-based...


  • 24.10.2019 | Security Engineering Group | TU Darmstadt | Dr. Tolga Arul | 1

    Kick-Off, 23.10.2019

    Security Engineering Lab

    Dr. Tolga Arul

    Security Engineering Group

    Technische Universität Darmstadt

    [email protected]

  • General Information: Goals & Requirements

    Goal: Hands-on work in research topics of the Security Engineering group

    • Should resemble a software engineering process in teams (think of it as an “Advanced Bachelorpraktikum” without the overhead)

    • “Open” format, no strict meetings!

    • Grade is based on implementation and final presentation

    Requirements:

    • Interest in security and related topics!

    • Knowledge: some lectures in Trusted Systems

    • Skills in this semester: various low-level (C/C++) and high-level (Matlab, Python, Java) programming skills

  • General Information: Procedure

    Programming task for groups of two up to four persons

    Every group has one supervisor

    This course has 6 CP

    The final grade is composed of the following parts:

    Implementation (80%)

    Documentation (15%)

    Final Presentation (5%)

    Please contact the supervisor now or later in case you are interested in a specific topic

    You can deliberate on which topic is interesting to you until 31.10. and contact the corresponding supervisor

  • TOPICS

  • Topics

    1. Memory Characterization

    2. Broadcasting Lab

    3. Low Latency Streaming

  • Implementation of a composite IoT system

    • We have multiple STM32F429 Discovery DISC1 IoT boards and multiple external SRAMs and NVRAMs.

    • We also have proof-of-concept code that can connect the external SRAMs to these IoT boards, which currently does work.

    • We want to modify this code so that it also works correctly with some NVRAMs, in order to perform tests using the composite IoT system.

    • Goal: Implement a working connection between the board and the memories, complete the measurement SW and perform experiments with the external SRAM and NVRAMs.

    Tasks:

    • Modify the provided code so that it works correctly with SRAMs (parallel) and NVRAMs (parallel | SPI | I2C), based on the provided documentation.

    • Expand capabilities or rewrite measurement SW

    • Perform tests

    Requirements:

    • Good working skills

    • Experience with C

    Documentation and proof-of-concept code are available.

  • Broadcast Security

    Development of a broadcasting test environment:

  • Broadcast Security

    Goals: Develop necessary components or adapt available components so that they work together (Development/Integration)

    1. STB:

       1. Continuous integration and build environment for multi-OS code (Linux/Android/Windows)

       2. Linux: Creation of bitbake recipes to extend to all available OE architectures

       3. Implement Channel Change Signaling Protocol

    2. Head-End

       1. Port to C++ or integration of C components using JNI

    3. Subscriber Management/Subscriber Authorization/Billing (Kamailio)

       1. Interfacing to user via web application for deployment and billing

       2. Billing backend and interfacing with user DB

    4. Intermediate Network Components (Registrar, Proxy):

       1. IMS: Extension of Kamailio to support billing for IPTV over SIP

          1. Support for Postpaid and Prepaid

          2. Creation of Call Data Records

       2. Deployment of Multicast Architecture

          1. VLANs, PIM-SSM and MPLS

  • Broadcast Security

    [Figure: Current Architecture: Head-End; Core, Distribution and Access Network (Core, Distribution, Access); STB]

  • Low Latency Streaming

    • Low latency streaming has many interesting applications

    • Available solutions and evaluations so far are proprietary and solution-centric

    Goal:

    • Develop a low latency environment consisting of available implementations (sender, receiver)

    • Develop an evaluation test setup for consistent comparison

    • Deploy the solution on an appropriate embedded device

    Design space:

    • Codecs: h264, h265, jpeg2000, av1

    • Coding techniques: intra-only coding, (adaptive) intra refresh, slice-based encoding (sliced-threads, slice-parallel)

    • Transport protocols: RTP, SCTP

    • Transmission: Ethernet AVB (TSN), DVB-T

    • HW-support on SBCs

    Requirements:

    • Interest in topic

    • Experience with C++ is beneficial

  • Topics


    T1: Physical side channels on mobile devices

    T2: Defenses against attacks on sensors

    T3: CLKSCREW PUF

  • T1: Physical side channels


    Hardware components of an iPhone X (source: iFixit)

    Modern smartphones consist of numerous hardware components

    Due to physical proximity, components affect each other!

  • T1: Physical side channels: examples

    [Figure: four panels plotted over Time (s), 0 to 10: "Facebook Messenger, magnetometer data" and "TripAdvisor, magnetometer data" (axis: Signal amplitude (mT)); "Facebook Messenger, CPU data" and "TripAdvisor, CPU data" (axis: CPU load (%))]

    Example: CPU affects magnetometer

    Attack: identification of running applications

    Example of magnetometer correlating with the CPU activity

  • T1: Physical side channels: examples (2)

    Example: speaker affects gyroscope

    Attack: gyroscope as microphone for acoustic signals

    Example of gyroscope susceptibility to resonant ultrasonic sounds

  • T1: Physical side channels: task

    Project: automatically identify new physical side channels on mobile devices

    We have:

    • unified evaluation framework

    • cloud module (testing on 100+ devices)

    Your task: discover new reactions

    • triggering activities in affecting components

    • tracing of reacting components

    • performing experiments, analyzing data

    [Figure: diagram of device components: CPU, GPS, Bluetooth, Power, Screen, NFC, Speaker, Accelerometer, Gyroscope, Camera, Microphone; open question marked "?"]

  • T2: Defenses against attacks on sensors

    Project: Defenses against sensor-based attacks

    Idea:

    • use physical relation between sensors (magnetometer + gyroscope + accelerometer)

    • use input from other sensors to correct the measurements

    Your task:

    • reproduce two existing works

    • evaluate the relations between sensors on devices

    • model the correct sensor behavior (with Signal Processing or Machine Learning)

  • T3: CLKSCREW PUF: original attack

    Original idea: changing CPU voltage/frequency introduces errors!

    Attack: inject faults to attack crypto-algorithms

    [Figure: Basic idea of the CLKSCREW fault injection. Source: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang]

  • T3: CLKSCREW PUF: task

    Project: CLKSCREW as a Physically Unclonable Function (hardware fingerprint)

    We have:

    • original PoC code (C Kernel module + Python scripts)

    Your task:

    • reproduce the original attack (faults)

    • test if faults are unique and random

    • extensive evaluation

  • 22.10.2019 | Praktikum Security Engineering | Kick-Off | Markus Heinrich

    Railway Signalling Security – Research

  • Railway Signalling Security – Lab

    • Signal Box

    • Control Trains

    • Field Elements:

    • Signals

    • Points

    • Tracks

    • Object Controllers:

    • Control FEs

    • RPIs, G22

    • Ethernet Network

    Functional model of real-world train operation

  • Railway Signalling Security – Your Tasks

    • Implement an anomaly detection system for railway signalling

    • Anomaly detection architecture is based on a preprint publication

    • Integrate the anomaly detection into our signalling lab

    • Demonstrate your implementation by performing network attacks and defending against them

    Make railway transportation more secure!

  • Railway Signalling Security – Your Skills

    • A programming language suited to compile for ARM and amd64

    • Experience with C/C++ (existing features)

    • Experience with Raspberry Pi is an advantage

    • Experience with Git version control is an advantage

    • Experience with railway signalling is an advantage

    • Experience with networking is an advantage

    • You can talk German or English with me

  • Railway Signalling Security – Contact

    Markus Heinrich

    TU Darmstadt

    Mornewegstraße 32

    D-64293 Darmstadt

    +49 6151 16-25631

    [email protected]


  • General Information: Contact

    Markus Heinrich

    [email protected]

    06151 / 16 - 25631

    S4|14 4.3.29

    Nikolay Matyunin

    [email protected]

    06151 / 16 – 25623

    S4|14 4.3.27

    Tolga Arul

    [email protected]

    06151 / 16 – 25649

    S4|14 4.3.17
