Tamper-resistant design techniques that has been proposed to strengthen embedded systems against the various attacks described in the previous section. In order to better understand and compare approaches to tamper-resistant design, we decompose the objective of tamper resistance into more specific, narrower objectives, as shown in Figure 1.
Figure 1: Specific objectives of tamper-resistant design approaches
- Attack prevention techniques make it more difficult to initiate an attack on the embedded system. These techniques can include physical protection mechanisms (e.g., packaging), hardware design (e.g., circuit implementations whose timing and power characteristics are data independent), and software design(e.g., software authentication before execution).
- In the event that an attack is launched despite any employed prevention techniques, attack detection techniques attempt to detect the attack as soon as possible. The elapsed time interval between the launch of an attack and its detection (the detection latency) represents a period of vulnerability, and needs to be kept as low as possible. An example of attack detection is the run-time detection of illegal memory accesses to secure data from an untrusted software application.
- Once an attack is detected, the embedded system needs to take appropriate action. Attack recovery refers to techniques used to ensure that the attack is countered, and that the system returns to secure operation. Attack recovery techniques could include locking up the system and rendering it useless for further operation,zeroing out sensitive data in memory, or displaying a security warning and rebooting the system. The design of attack recovery schemes involves tradeoffs between the level of security and the inconvenience caused to users in the usage of the system after an attack.
- In some cases, it may be desirable to preserve an irrefutable,persistent record of the attack in the embedded system, for inspection at a later time. Tamper evident design techniques target this objective. Analogies of physical tamper evident design mechanisms abound: seals that have to be broken, wires that have to be cut, or coatings that have to be removed. In all cases,tamper evidence requires a mechanism that cannot be reversed by malicious entities.