A Framework to Evaluate Embedded Security Implementations on the Basis of Common Implementation Mistakes and Vulnerabilities
Abstract
Modern embedded devices are under attack at an unprecedented rate. These devices exist in every facet of society from mobile phones to hard drives and use encryption to protect their data, but attackers may still be able to defeat these protection mechanisms. This is a result of vulnerabilities in the implementation of the encryption algorithm. Our contribution is a set of methods to detect the existence of a particular set of vulnerabilities in a chosen embedded device based on power analysis. This work focuses specifically on Solid State Drives (SSDs) that protect data with the Advanced Encryption Standard and a vulnerability within the SSDs ATA Security Unlock command that has been exploited in previous work. This work analyzes three commonly implemented versions of the SSDs ATA Security Unlock command: (1) a string comparison of the passwords, (2) a hash comparison of the passwords, and (3) a key derivation function that generates a decryption key based on the password. The first two methods are known to have weaknesses in authentication implementations, while the key derivation method is recognized as providing stronger protection of authentication credentials This work implements these three SSD unlock functions on an open source SSD board (Jasmine OpenSSD) and demonstrates the feasibility of detection and classification of these vulnerabilities through power analysis. This work also analyses and detects these vulnerabilities through firmware analysis. Applying these findings to proprietary devices, this work also demonstrates the ability to classify drives based on the specific SSD unlock function implemented in the Crucial family of SSDs.
Document Details
- Document Type
- Technical Report
- Publication Date
- Jul 12, 2021
- Accession Number
- AD1149671
Entities
People
- Philip C. Gatbonton
Organizations
- United States Naval Academy