A Taxonomy of Side Channel Attacks on Critical Infrastructures and Relevant Systems

Information disclosure leads to serious exploits, disruption or damage of critical operations and privacy breaches, both in Critical Infrastructures (CIs) and Industrial Control Systems (ICS) and in traditional IT systems. Side channel attacks in computer security refer to attacks on data confidentiality through information gained from the physical implementation of a system, rather than an attack on the algorithm or software itself. Depending on the source and the type of information leakage, certain general types of side channel attacks have been established: power, electromagnetic, cache, timing, sensor-based, acoustic and memory analysis attacks. Given the sensitive nature of ICS and the vast amount of information stored on IT systems, the consequences of side channel attacks can be quite significant. In this paper, we present an extensive survey on side channel attacks that can be implemented either on ICS or on traditional systems often used in Critical Infrastructure environments. The presented taxonomies take into consideration all major publications of the last decade and present them using three different classification systems, to provide an objective form of multi-level taxonomy and a potentially profitable statistical approach. We conclude by discussing open issues and challenges in this context and outline possible future research directions.
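The abstract defines a side channel as leakage from the physical implementation rather than from the algorithm itself. As an added illustration (not code from the survey), the following Python snippet shows the mechanism behind one of the listed classes, the timing side channel, on the smallest possible case: a secret-comparison routine. The example instruments each routine to count how many bytes it examines, a deterministic stand-in for execution time, so the leak can be seen without a stopwatch. The secret value and the guesses are constructed for the demonstration; `hmac.compare_digest` is the standard-library constant-time comparison a defender should use in practice.

```python
"""Timing side channel on a secret comparison: leaky vs. constant-time.

Added example, not part of the survey. Instead of measuring wall-clock time
(noisy and platform dependent), each routine returns how many bytes it
examined; that count is what an attacker's timing measurement would reflect.
"""
import hmac
from typing import Callable, List, Tuple


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison (the leaky pattern).

    Returns (equal, bytes_examined). Work stops at the first mismatch, so the
    amount of work, and therefore the response time, depends on how many
    leading bytes of the guess are correct.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Constant-time comparison (the hardened pattern).

    Every byte is examined regardless of where mismatches occur; the result
    is accumulated with XOR/OR so there is no data-dependent early exit.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def production_check(secret: bytes, guess: bytes) -> bool:
    """What real code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(secret, guess)


def leak_profile(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                 secret: bytes, guesses: List[bytes]) -> List[int]:
    """Work counts for a series of guesses.

    A profile that varies with the guess is a timing leak; a flat profile
    means the comparison reveals nothing beyond equal/not-equal.
    """
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample inputs (17 bytes each); not values from the survey.
SECRET = b"s3cr3t-token-0001"
GUESSES = [
    b"x" * 17,                   # no correct prefix
    b"s3" + b"x" * 15,           # 2 correct leading bytes
    b"s3cr3t-t" + b"x" * 9,      # 8 correct leading bytes
    SECRET,                      # fully correct
]

if __name__ == "__main__":
    print("naive    :", leak_profile(naive_compare, SECRET, GUESSES))
    print("constant :", leak_profile(constant_time_compare, SECRET, GUESSES))
    print("hmac     :", production_check(SECRET, SECRET))
```

Running it shows the naive profile growing with the length of the correct prefix (1, 3, 9, 17 bytes examined) while the constant-time profile stays flat at 17. The same reasoning applies to the other leakage sources in the taxonomy: the defensive goal is to make observable physical behaviour (time, power draw, cache state, emissions) independent of secret data, and a count-based profile like this one is a cheap first check that a comparison or branch has no data-dependent early exit.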
