Tools for Practical Attacks on
Analog-to-Digital Conversion
Alexander ‘dark_k3y’ Bolshev
With help from:
Marina Krotofil
Gabriel Gonzalez
Andrey Dolgikh
; CAT /DEV/USER
Alexander ‘dark_k3y’ Bolshev
Ph.D., security consultant @ IOActive Madrid
HW Lab
Distributed systems researcher
“the more complex & strange is the system ->
the better”
Important Disclaimer
The whole presentation covers material from the first lectures of
‘Control theory’ and ‘Digital Signal Processing’ university courses, so in
fact it won’t be about anything new.
Quick intro to ICS + ADC
problems
Dialog with (some) ICS engineer during a pentest
Me: You have …vulns……vulns……vulns… and as a result I could
compromise your PLC!
Engineer: You will achieve nothing with it, because my monitoring
system will stop you when the analog signal generated by this
PLC goes out of the 10% range. After that, the backup PLC will be launched in a
very short time.
Me: Okay... (went away crying)
(some time passed)
Me: But I will be back!
From Michael Ossmann:
Correct interpretation of data is important, because embedded and
industrial control systems use analog inputs to create the picture of the
controlled system’s state.
ICS field level
[Control loop diagram: Sensors measure the process state; the Control system computes control commands for the actuators; Actuators adjust themselves to influence process behavior; the Physical Process closes the loop. ADC and DAC blocks mark the analog/digital boundaries on the sensor and actuator paths.]
Consider the following architecture
[Diagram: an analog control loop from the Control PLC to the Actuator, tapped by a Monitoring PLC / Logger / DAQ / Safety PLC that reports to the HMI; the Attacker is also shown.]
MV – Manipulated Variable
What if the MV value on the actuator differs from the MV value on the logger?
[Same diagram, with the figure labels 0V (actuator is OFF) and 1.5V (actuator is ON)]
Proof-of-Concept demo from the past
[Demo setup: “HMI Panel”, “Control PLC” (arduino), “Actuator” (motor), “Monitoring PLC” (S7 1200)]
See v1_motor_arduino_vs_plcadc.m4v video
How is it possible at all? MV is represented by an analog signal!
Because we’re talking not about altering the analog signal,
but about altering its digital representation (conversion).
Analog-to-Digital converter
[2]
• A device that converts a continuous physical quantity (usually voltage)
to a digital number that represents the quantity's amplitude.[3]
• An ADC is defined by its bandwidth (the range of frequencies it can
measure) and its signal to noise ratio (how accurately it can measure a
signal relative to the noise it introduces).
• Bandwidth of an ADC is characterized primarily by its sampling rate,
and to a lesser extent by how it handles errors such as aliasing.
What is ADC?
[Block diagram: Input Signal and Reference go into the ADC, which produces the Digital Representation]
Types of ADCs
There are many types of ADCs; the three most common are:
• Successive-approximation ADC (SAR)
• Sigma-delta ADC
• Pipeline (usually based on flash)
Aliasing
• The sampling frequency should follow the Nyquist rule (fs > 2f)
• Otherwise the signal will appear at a false (alias) frequency
Anti-aliasing filters: “input validation” in the ADC world
• An anti-aliasing filter (AAF) is a filter placed before a sampling device (e.g.
an ADC) to attenuate the signal power in the high-frequency range, so that
the sampling theorem (fs > 2f) is approximately or completely satisfied
• As a member of the low-pass filter (LPF) family, an AAF is characterized
by its cut-off frequency (fc) and its stop-band frequency (fsb)
[4]
Attacks against ADCs
• Frequency and phase:
• Arbitrary Waveform signal, i.e. signal with waveform that
could be somehow misinterpreted by ADC. (see ep.1)
• High-Frequency function signal, i.e. generating sine wave
with kHz or MHz frequency that could somehow be
misinterpreted by ADC.
• OverSampling attack against SAR (see ep.1)
• Special-frequency attack against ΔΣ (see ep. 2)
• Amplitude (out-of-voltage-range signal) (see ep.1)
Attacks: AWG against “ADC()” call
But how…?
[Demo setup: “HMI Panel”, “Control PLC” (arduino), “Actuator” (motor), “Monitoring PLC” (S7 1200)]
…Easy!
[Oscilloscope capture of the generated signal; labels: 3.3V, 100 ms, 2,5ms]
Arduino sketch driving the actuator through the TIP120 transistor (the pin number is not given on the slide and is assumed here):

    const int tip120PIN = 9;             // assumed PWM pin of the TIP120 driver

    void pinOutput(int pin, int value) { // PWM output helper used by the sketch
      analogWrite(pin, value);
    }

    void setup() {
      pinMode(tip120PIN, OUTPUT);
    }

    void loop() {
      pinOutput(tip120PIN, 200);         // hold PWM value 200 for 395 ms
      delay(395);
      for (int i = 0; i < 20; i++) {     // 20 short 2 ms low / 2 ms high glitches
        pinOutput(tip120PIN, 0);
        delay(2);
        pinOutput(tip120PIN, 200);
        delay(2);
      }
      pinOutput(tip120PIN, 200);         // hold PWM value 200 again for 495 ms
      delay(495);
    }
Siemens S7 1200 analog I/O ADC
[Oscilloscope captures of the S7 1200 analog I/O sampling the generated signal for N=8.3ms, N=9ms, N=7ms, N=4.5ms and N=2.5ms]
AWG signal against “lazy-call” ADC
Val = readADC();
Sleep(Timeout); /* or doSmth(Timeout) */
Output(Val);
But this is just an Arduino, not a real controller!
Ok, let’s try without Arduino…
Ok, let’s try something more real…
SIMATIC S7-1200, ANALOG OUTPUT SB 1232,
1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA
(11 BIT RES)
Problem: no public information on the real SPS for this module… 
Ok, what’s inside?
[Board photo: logic buffer, EEPROM, OpAmp, XTR300]
XTR300?
Let’s test for max stable SPS…
Proof-of-Concept demo with real stuff
[Demo setup: “HMI Panel”, “Control PLC” (S7 1200), “Actuator” (motor), “Monitoring PLC” (S7 1200)]
See v2_motor_plc_vs_plcadc.m4v video
Signal generation SCL code
https://support.industry.siemens.com/cs/document/67295964/how-in-step-7-v5-x-do-you-program-signal-generation-(rectangle-sawtooth-triangle-sinus)-using-the-cyclic-interrupts-?dti=0&lc=en-WW
Pure frequency/phase
attacks
ΔΣ Modulation
• Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding
analog signals into digital signals as found in an ADC. [7]
• In Δ-modulation the change in the signal (its delta) is encoded, rather than the
absolute value. The result is a stream of pulses. In ΔΣ-modulation, the
accuracy of the modulation is improved by passing the digital output through a
1-bit DAC and adding (sigma) the resulting analog signal to the input signal,
thereby reducing the error introduced by the Δ-modulation. [7]
Delta-sigma ADC
• ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts, analog
and digital:
• the analog part generates a very high-frequency bitstream;
• the digital part creates the real-number output by filtering that bitstream with a
digital filter and decimating it to the output samples-per-second value.
[Block diagram: Analog input -> ΔΣ Modulator (analog part) -> 1-bit stream (e.g. 0 1 1 0 0 …) -> Digital Low-Pass filter -> N-bit stream -> Decimation Filter (digital part) -> Output data (e.g. 3.3 3.4 3.4 3.4 2.7 2.2 …)]
Modulation process
[6]
Delta-Sigma ADCs
[6]
Demo: The mystery of the
ΔΣ AD7706 ADC…
See v3_mystery_sdadc1.mp4 video
Possible explanation from the datasheet?
• We would expect some noise there, but probably not a clean
sine signal
• It only partly explains it, and we need a good hypothesis for
all these things.
In our case fCLKIN = 2.00MHz,
so fs = 31250
LP & Decimation (sinc3) filter
D = N = 64 for AD7706
[Test board: USB UART, Atmega328, AD7706 & Vref, signal generator]
Demo: The second mystery
of the ΔΣ AD7706 ADC…
See v4_mystery_various_signals.mov video
Hypotheses and frustrations
• Digital filter corner frequency/noise?
• No, the sine is too clean for that
• sinc3 filter implemented in the MCU with an integer overflow?
• ”Artificial gain” (no PGA, just multiplication of the digital output)?
• Wrong according to the chip decap image.
• Dynamic compression?
• Overflow in the logic circuit?
• Pole-zero cancellation in the filter?
Still a mystery
31.25kHz looks like too much for a successful
attack
DAC with s/r up to 100kHz
Implementation
Renesas R5F100bG RL78/G13
27352 bytes firmware size => 4 – 36+kB for
payload
Ok, I got it, but what else could I use for
an attack?
Line coupling circuit (usually OpAmp/Transformer)
Signal/Function Generator
Two most common industrial analog line loops:
• Voltage (0-10V, 0-24(28)V, 0-48V)
• Current (0-20mA)
Aka ADC research kit for Joseph FitzPatrick 
Voltage
Signal/Function Generator:
-> Si5351 + any MCU via I2C
Coupling circuit:
Buffer RtR OpAmp + H-V OpAmp
Gain = 1 + (R2/R1)
TI OPA551/OPA552
Fairchild LM358N
Buffering requirement depends on signal source
Current (0-20mA) -> Cypress PSoC
http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262
CY8CKIT-049-42XX (~<10EUR)
MAX15006
Any suitable and cheap transistor for such current
Other ΔΣ ADCs: ADS1015
Cypress PSoC5 built-in ADC*
What’s this?
What’s that?
[5]
*default configuration
Ok, let’s look at a real device with behavior like a ΔΣ ADC:
Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O
Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
Very weird results for a real industrial PLC: 1 -> 24Hz
25Hz
And… 24.9Hz!!!
*No offence Andrey, it’s just really funny!
Flex I/O vs. PowerFlex
Do we have at least one “normal” ΔΣ ADC?!
Yes, e.g. MAX11205
• Sinc4 filter with no visible
mistakes + postfiltering(?)
• Looks very reliable
Postfiltering?
Attacks summary: what you
can and what you cannot
Summary
ADC                 First ”attackable” f   Required AAF fc     Required AAF fsb    Complexity
SAR ADC             S/H frequency          (S/H frequency)/2   -                   easy/medium
-- MCP3201          14.3kHz                7.1kHz              -                   easy
S7 1200 PLC         121Hz                  60Hz                120Hz               easy
AB 1794-IE4XOE2*    24.9Hz                 10Hz                20Hz                very easy
AD7705/AD7706       31250/38400 Hz         -                   30kHz               easy
ADS1015             ~86kHz                 10-20kHz            50kHz               medium/hard
MAX11205            n/a                    any reasonable      any reasonable      ~impossible
PSoC5 LP**          ~1kHz                  1kHz                2kHz                easy
* research data by Andrey Dolgikh
** incorrectly configured (default configuration) PSoC module
What could you do?
Mitigations
• As hardware developers/vendors:
• Implement correct AA-filters in accordance with the REAL characteristics of your
ADC (read the latest/hidden datasheets, test your ADC manually)
• Remember: digital filters won’t help
• As software developers (incl. firmware and PLC program
development):
• Introduce sampling frequency randomization in software that works with the ADC
• Avoid “sleepy” code
• As engineers:
• Implement the same AA-filters all over your analog network in accordance with
your OT process
Vendor sceptic’s reply:
• We already have correct AA-filters everywhere!
Are you sure?
Reference design of industrial sensor
“We included AA LPF in our design"
ADC with fs ~ 2kSPS
LPF with fc near 79 kHz
Reference design of industrial transmitter
“We included AA LPF in our design"
ADC with fs ~ 470sps
LPF with fc near 79 kHz
But we have … AA filters... Everywhere...
Vendor: also remember, digital filters won’t
help
• The signal is already ”compromised” by the ”ADC features”, so any digital
filtering after the ADC won’t help you.
• If you want full control, install a ΔΣ modulator and implement the digital
part of the ΔΣ-ADC yourself in an FPGA
[Diagram: Analog signal -> ΔΣ modulator -> 1-bit stream -> your own digital part -> Digital representation]
Developer: introduce sampling frequency
randomization
• A certain randomness in the sampling frequency will make the attacker’s job
much harder
• Many of the discussed attacks will be much more challenging to execute
• A small variation of fs won’t degrade the signal interpretation process. On
the contrary, it will produce a signal sample of better quality.
fs = f + rand(Δ)
[Figure: sampled signal, V vs. Time; picture from http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html]
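The sinc3 decimation quoted earlier for the AD7706 (fs = 31250, D = N = 64) and the sampling frequency randomization proposed here, as an added simulation that is not part of the original slides: it shows that a tone at fs + 50 Hz is sampled into exactly the same sequence as a genuine 50 Hz tone, so nothing in the ADC's digital part can separate them, while randomizing each sampling instant within one nominal period (my simplification of fs = f + rand(Δ)) smears the alias and leaves the real 50 Hz tone intact. Pure Python without hardware or numpy; the 50 Hz / fs + 50 Hz test tones, the 1.28 s run length and the per-period jitter model are my assumptions.

```python
"""Constructed model of a delta-sigma ADC's digital part (sinc3 decimation),
using the AD7706 numbers quoted on the slides: modulator rate fs = 31250 Hz,
decimation D = N = 64.  Not the chip's own code; an illustration added here."""
import math
import random

FS = 31250.0   # modulator sampling rate (fCLKIN = 2.00 MHz, as on the slide)
D = 64         # sinc3 decimation ratio (D = N = 64 for AD7706, as on the slide)
N_OUT = 625    # decimated samples per run: 625 / (FS/D) = 1.28 s = 64 cycles of 50 Hz


def sample(freq_hz, n_samples, jitter_s=0.0, seed=1):
    """Sample sin(2*pi*freq*t) at the modulator rate.  With jitter_s > 0 every
    sampling instant is delayed by a uniform random amount in [0, jitter_s):
    a simplified, per-period version of the slide's fs = f + rand(delta)."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    out = []
    for n in range(n_samples):
        t = n / FS + (rng.random() * jitter_s if jitter_s else 0.0)
        out.append(math.sin(2 * math.pi * freq_hz * t))
    return out


def boxcar(x, length):
    """Moving average over `length` taps: one sinc (CIC) stage."""
    acc, out = 0.0, []
    for i, v in enumerate(x):
        acc += v
        if i >= length:
            acc -= x[i - length]
        out.append(acc / length)
    return out


def sinc3_decimate(x, d=D):
    """Three cascaded boxcars of length d, then keep every d-th sample; the
    first 3*d outputs (filter settling) are dropped."""
    y = boxcar(boxcar(boxcar(x, d), d), d)
    return y[3 * d::d]


def tone_amplitude(y, freq_hz, rate_hz):
    """Amplitude of the freq_hz component of y (single-bin DFT), y at rate_hz."""
    re = im = 0.0
    for n, v in enumerate(y):
        ang = 2 * math.pi * freq_hz * n / rate_hz
        re += v * math.cos(ang)
        im += v * math.sin(ang)
    return 2 * math.hypot(re, im) / len(y)


def output_at_50hz(input_hz, jitter_s=0.0):
    """Feed a sine of input_hz through sampling + digital part and measure how
    much 50 Hz the decimated output contains (50 Hz is the alias of FS + 50)."""
    x = sample(input_hz, 3 * D + D * N_OUT, jitter_s)
    y = sinc3_decimate(x)
    return tone_amplitude(y, 50.0, FS / D)


if __name__ == "__main__":
    real = output_at_50hz(50.0)
    alias = output_at_50hz(FS + 50.0)
    print(f"uniform sampling:  50 Hz in -> {real:.3f}, {FS + 50:.0f} Hz in -> {alias:.3f}")
    # The two sampled sequences are identical, so no digital filter can tell them apart.
    jit = 1.0 / FS   # randomise the instant anywhere within one nominal period
    real_j = output_at_50hz(50.0, jit)
    alias_j = output_at_50hz(FS + 50.0, jit)
    print(f"jittered sampling: 50 Hz in -> {real_j:.3f}, {FS + 50:.0f} Hz in -> {alias_j:.3f}")
```

The uniform-sampling figures come out equal (about 0.95, the sinc3 gain at 50 Hz) for both inputs; with jitter the genuine tone keeps that value while the alias collapses to the noise floor.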
Developer: Avoid sleepy code
Avoid writing/using the following code (if you don’t
completely understand your process):
Val = readADC();
Output(Val);
Sleep(Timeout);
Engineer: Use the SAME AA-filters across the whole
analog line
• When adding an LPF to an individual device, make sure that all
related devices have the same cut-off frequencies
• E.g. if the PLC input is buffered with an LPF with fc = 1 kHz and the actuator is equipped with
an LPF with fc = 5 kHz, the attack is not only possible, but its probability of
success increases!
[Diagram: Control PLC and Monitoring PLC on the same analog line, with LPF cut-offs fc = 1 kHz and fc = 5 kHz]
Thanksgiving service
• Marina Krotofil for being a co-researcher in ep. 1 and many bright
ideas
• Andrey ‘@c4f3t13r3’ Dolgikh from Binghamton University, for
information on Allen Bradley PLC behavior vs. different frequencies.
• Guys from IOA hw lab (especially Gabriel, Ruben and Alfredo) for
help and support
• Fedor Savelyev for ideas and help with DSP (digital signal processing)
analysis
• Dmitry Nedospasov for much useful advice
Conclusions
Any questions?
http://ioactive.com/
@ioactive
@dark_k3y
References
1. https://en.wikipedia.org/wiki/Control_theory , Picture by Orzetto - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=5000019
2. Picture from: http://maxembedded.com/2011/06/the-adc-of-the-avr/
3. Wikipedia: https://en.wikipedia.org/wiki/Analog-to-digital_converter
4. Picture from: http://studentweb.niu.edu/7/~Z063757/lowpass2.bmp
5. Picture from: http://www.hdwallpaperpc.com/show-wallpaper/surprised_kitten_animal_cats_kitty_little_cat_136064.html

Más contenido relacionado

La actualidad más candente

Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014Béo Tú
 
Fire detection system using arduino
Fire detection system using arduino Fire detection system using arduino
Fire detection system using arduino UT-028
 
Signal and power integrity challenges in VLSI circuits and strategies for the...
Signal and power integrity challenges in VLSI circuits and strategies for the...Signal and power integrity challenges in VLSI circuits and strategies for the...
Signal and power integrity challenges in VLSI circuits and strategies for the...Pushpak Dagade
 
The Verification Methodology Landscape
The Verification Methodology LandscapeThe Verification Methodology Landscape
The Verification Methodology LandscapeDVClub
 
THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...
THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...
THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...Edureka!
 
Heart rate monitoring system using arduino
Heart rate monitoring system using  arduinoHeart rate monitoring system using  arduino
Heart rate monitoring system using arduinosoundaryasheshachala
 
A Practical Look at SystemVerilog Coverage
A Practical Look at SystemVerilog CoverageA Practical Look at SystemVerilog Coverage
A Practical Look at SystemVerilog CoverageDVClub
 
Fingerprint base security system
Fingerprint base security systemFingerprint base security system
Fingerprint base security systempraful borad
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption StandardAdri Jovin
 
MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED pH...
MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED  pH...MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED  pH...
MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED pH...Abhijeet Powar
 
Driving large capacitive loads
Driving large capacitive loadsDriving large capacitive loads
Driving large capacitive loadsRavi Selvaraj
 
Logic synthesis using Verilog HDL
Logic synthesis using Verilog HDLLogic synthesis using Verilog HDL
Logic synthesis using Verilog HDLanand hd
 

La actualidad más candente (20)

Behavioral modeling
Behavioral modelingBehavioral modeling
Behavioral modeling
 
Hdl
HdlHdl
Hdl
 
Verilog Lecture4 2014
Verilog Lecture4 2014Verilog Lecture4 2014
Verilog Lecture4 2014
 
Fire detection system using arduino
Fire detection system using arduino Fire detection system using arduino
Fire detection system using arduino
 
VLSI Technology
VLSI TechnologyVLSI Technology
VLSI Technology
 
VLSI routing
VLSI routingVLSI routing
VLSI routing
 
Signal and power integrity challenges in VLSI circuits and strategies for the...
Signal and power integrity challenges in VLSI circuits and strategies for the...Signal and power integrity challenges in VLSI circuits and strategies for the...
Signal and power integrity challenges in VLSI circuits and strategies for the...
 
The Verification Methodology Landscape
The Verification Methodology LandscapeThe Verification Methodology Landscape
The Verification Methodology Landscape
 
THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...
THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...
THE VLSI INDUSTRY - An Overview of Market, Job Functions And Product Developm...
 
Heart rate monitoring system using arduino
Heart rate monitoring system using  arduinoHeart rate monitoring system using  arduino
Heart rate monitoring system using arduino
 
A Practical Look at SystemVerilog Coverage
A Practical Look at SystemVerilog CoverageA Practical Look at SystemVerilog Coverage
A Practical Look at SystemVerilog Coverage
 
Password Base Door Lock
Password Base Door LockPassword Base Door Lock
Password Base Door Lock
 
Low power VLSI design
Low power VLSI designLow power VLSI design
Low power VLSI design
 
Verilog HDL
Verilog HDLVerilog HDL
Verilog HDL
 
Logic Synthesis
Logic SynthesisLogic Synthesis
Logic Synthesis
 
Fingerprint base security system
Fingerprint base security systemFingerprint base security system
Fingerprint base security system
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption Standard
 
MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED pH...
MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED  pH...MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED  pH...
MIXED SIGNAL VLSI TECHNOLOGY BASED SoC DESIGN FOR TEMPERATURE COMPENSATED pH...
 
Driving large capacitive loads
Driving large capacitive loadsDriving large capacitive loads
Driving large capacitive loads
 
Logic synthesis using Verilog HDL
Logic synthesis using Verilog HDLLogic synthesis using Verilog HDL
Logic synthesis using Verilog HDL
 

Similar a Tools for Practical Attacks on Analog-to-Digital Conversion

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
Embedded systems optimization memory requirments.pptx
Embedded systems optimization memory requirments.pptxEmbedded systems optimization memory requirments.pptx
Embedded systems optimization memory requirments.pptxsatheeshKumar750
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3Adam McConnell
 
AVR_Course_Day6 external hardware interrupts and analogue to digital converter
AVR_Course_Day6 external hardware  interrupts and analogue to digital converterAVR_Course_Day6 external hardware  interrupts and analogue to digital converter
AVR_Course_Day6 external hardware interrupts and analogue to digital converterMohamed Ali
 
Instrumentation: Test and Measurement Methods and Solutions - VE2013
Instrumentation: Test and Measurement Methods and Solutions - VE2013Instrumentation: Test and Measurement Methods and Solutions - VE2013
Instrumentation: Test and Measurement Methods and Solutions - VE2013Analog Devices, Inc.
 
Lect2 up360 (100329)
Lect2 up360 (100329)Lect2 up360 (100329)
Lect2 up360 (100329)aicdesign
 
Boundary scan for support engineers and technicians
Boundary scan for support engineers and techniciansBoundary scan for support engineers and technicians
Boundary scan for support engineers and techniciansInterlatin
 
Library Characterization Flow
Library Characterization FlowLibrary Characterization Flow
Library Characterization FlowSatish Grandhi
 
20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Jorisimec.archive
 
Design of CMOS operational Amplifiers using CADENCE
Design of CMOS operational Amplifiers using CADENCEDesign of CMOS operational Amplifiers using CADENCE
Design of CMOS operational Amplifiers using CADENCEnandivashishth
 
Netzer ds 247-128-specsheet
Netzer ds 247-128-specsheetNetzer ds 247-128-specsheet
Netzer ds 247-128-specsheetElectromate
 
Degital 1
Degital 1Degital 1
Degital 1hnaita
 

Similar a Tools for Practical Attacks on Analog-to-Digital Conversion (20)

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your Inputs
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3
 
Intro_to_Arduino_-_v30.pptx
Intro_to_Arduino_-_v30.pptxIntro_to_Arduino_-_v30.pptx
Intro_to_Arduino_-_v30.pptx
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
Analog to digital converters, adc
Analog to digital converters, adcAnalog to digital converters, adc
Analog to digital converters, adc
 
Embedded systems optimization memory requirments.pptx
Embedded systems optimization memory requirments.pptxEmbedded systems optimization memory requirments.pptx
Embedded systems optimization memory requirments.pptx
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
 
Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3Adam_Mcconnell_Revision3
Adam_Mcconnell_Revision3
 
AVR_Course_Day6 external hardware interrupts and analogue to digital converter
AVR_Course_Day6 external hardware  interrupts and analogue to digital converterAVR_Course_Day6 external hardware  interrupts and analogue to digital converter
AVR_Course_Day6 external hardware interrupts and analogue to digital converter
 
Instrumentation: Test and Measurement Methods and Solutions - VE2013
Instrumentation: Test and Measurement Methods and Solutions - VE2013Instrumentation: Test and Measurement Methods and Solutions - VE2013
Instrumentation: Test and Measurement Methods and Solutions - VE2013
 
Lect2 up360 (100329)
Lect2 up360 (100329)Lect2 up360 (100329)
Lect2 up360 (100329)
 
Boundary scan for support engineers and technicians
Boundary scan for support engineers and techniciansBoundary scan for support engineers and technicians
Boundary scan for support engineers and technicians
 
Library Characterization Flow
Library Characterization FlowLibrary Characterization Flow
Library Characterization Flow
 
20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris
 
Bidirect visitor counter
Bidirect visitor counterBidirect visitor counter
Bidirect visitor counter
 
Design of CMOS operational Amplifiers using CADENCE
Design of CMOS operational Amplifiers using CADENCEDesign of CMOS operational Amplifiers using CADENCE
Design of CMOS operational Amplifiers using CADENCE
 
Netzer ds 247-128-specsheet
Netzer ds 247-128-specsheetNetzer ds 247-128-specsheet
Netzer ds 247-128-specsheet
 
Lab3
Lab3Lab3
Lab3
 
Degital 1
Degital 1Degital 1
Degital 1
 

Último

Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...SUHANI PANDEY
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptNANDHAKUMARA10
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationBhangaleSonal
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.Kamal Acharya
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfRagavanV2
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projectssmsksolar
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfRagavanV2
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startQuintin Balsdon
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 

Último (20)

Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand

Tools for Practical Attacks on Analog-to-Digital Conversion

  • 1. Tools for Practical Attacks on Analog-to-Digital Conversion Alexander ‘dark_k3y’ Bolshev With a help from: Marina Krotofil Gabriel Gonzalez Andrey Dolgikh
  • 2. ; CAT /DEV/USER Alexander ‘dark_k3y’ Bolshev Ph.D., security consultant @ IOActive Madrid HW Lab Distributed systems researcher “the more complex & strange is the system -> the better”
  • 3. Important Disclaimer The whole presentation is mostly material covered in the first lectures of university courses on ‘Control theory’ and ‘Digital Signal Processing’, so in fact it won’t be about anything new.
  • 4. Quick intro to ICS + ADC problems
  • 5. Dialog with (some) ICS engineer during pentest Me: You have …vulns……vulns……vulns… and as a result I could compromise your PLC! Engineer: You will achieve nothing with it, because my monitoring system will stop you when the analog signal generated by this PLC goes out of the 10% range. After that, the backup PLC will be launched in a very short time. Me: Okay... (went away crying) (some time passed) Me: But I will be back!
  • 7. Correct interpretation of data is important, because embedded and industrial control systems use analog inputs to build the picture of the controlled system’s state. ICS field level: sensors measure the process state; the control system computes control commands for the actuators; the actuators adjust themselves to influence process behavior; the physical process closes the loop (ADC on the sensor side, DAC on the actuator side).
  • 8. Consider the following architecture Analog control loop Control PLC Actuator Monitoring PLC/ Logger/DAQ/Safety PLC HMI Attacker
  • 9. Consider the following architecture: analog control loop, Control PLC, Actuator, Monitoring PLC / Logger / DAQ / Safety PLC, HMI, Attacker. MV – Manipulated Variable: 0V (actuator is OFF), 1.5V (actuator is ON). What if the MV value at the actuator differs from the MV value at the logger?
  • 10. Proof-of-Concept demo from the past “HMI Panel” “Control PLC” (arduino) “Actuator” (motor) “Monitoring PLC” (S7 1200) See v1_motor_arduino_vs_plcadc.m4v video
  • 11. How is it possible at all? MV is represented by an analog signal! Because we’re not talking about altering the analog signal itself, but about altering its digital representation (the conversion).
  • 13. What is ADC? • A device that converts a continuous physical quantity (usually voltage) to a digital number that represents the quantity's amplitude. [3] • An ADC is defined by its bandwidth (the range of frequencies it can measure) and its signal-to-noise ratio (how accurately it can measure a signal relative to the noise it introduces). • Bandwidth of an ADC is characterized primarily by its sampling rate, and to a lesser extent by how it handles errors such as aliasing. (Figure: ADC with Input Signal and Reference in, Digital Representation out.)
  • 14. Types of ADCs There are many types of ADCs; the three most common are: • Successive-approximation ADC (SAR) • Sigma-delta ADC • Pipeline (usually based on flash)
  • 15. Aliasing • The sampling frequency should follow the Nyquist rule (fs > 2f) • Otherwise the signal will appear at a false (alias) frequency
  • 16. Anti-aliasing filters: “input validation” in the ADC world • An anti-aliasing filter (AAF) is a filter placed before a sampling device (e.g. an ADC) to attenuate the signal's power in the high-frequency range so that the sampling theorem (fs > 2f) is approximately or completely satisfied • As a member of the low-pass filter (LPF) family, an AAF can be characterized by its cut-off frequency (fc) and stop-band frequency (fsb) [4]
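Slides 15 and 16 state the Nyquist rule and the reason an anti-aliasing filter must sit in front of the converter. The following added example (it is not part of the deck, and it models an ideal sampler rather than any specific ADC) computes the frequency a tone folds to when sampled at fs and checks that the ADC's samples of the real tone and of its alias are indistinguishable; the sample rate fs = 1000 Hz and the test tones are constructed values.

```python
"""Aliasing check for an ideally sampled tone (slides 15-16).

Added example, not from the original deck. Pure Python: it computes the
alias frequency of a tone sampled at fs and verifies that the sampled
values of the tone and of its alias are the same sequence, i.e. nothing
after the sampler can tell them apart.
"""
import math


def alias_frequency(f, fs):
    """Frequency in [0, fs/2] at which a tone of frequency f appears after
    sampling at rate fs (Nyquist folding). Returns f itself when f <= fs/2."""
    r = math.fmod(f, fs)            # fold into one sampling period
    return fs - r if r > fs / 2 else r


def sample_tone(f, fs, n, amplitude=1.0, phase=0.0):
    """Ideal ADC samples of amplitude*sin(2*pi*f*t + phase) taken at t = k/fs."""
    return [amplitude * math.sin(2 * math.pi * f * k / fs + phase) for k in range(n)]


def alias_samples(f, fs, n, amplitude=1.0):
    """Samples of a tone at alias_frequency(f, fs). When f folds down from the
    upper half of a sampling period the sequence is additionally sign-inverted,
    because sin(2*pi*k - x) = -sin(x)."""
    r = math.fmod(f, fs)
    if r > fs / 2:
        return [-x for x in sample_tone(fs - r, fs, n, amplitude)]
    return sample_tone(r, fs, n, amplitude)


def samples_match(a, b, tol=1e-9):
    """True when two sample sequences are equal within a numerical tolerance."""
    return len(a) == len(b) and all(abs(x - y) < tol for x, y in zip(a, b))


if __name__ == "__main__":
    fs = 1000.0                                  # constructed sample rate
    for f in (300.0, 700.0, 1000.0, 1300.0):     # constructed test tones
        same = samples_match(sample_tone(f, fs, 32), alias_samples(f, fs, 32))
        print(f"{f:7.1f} Hz sampled at {fs:.0f} Hz appears as "
              f"{alias_frequency(f, fs):6.1f} Hz; samples identical to alias: {same}")
```

A tone at exactly fs (1000 Hz here) folds to 0 Hz, so the sampler reports a constant value regardless of how much the line is actually moving; only an analog filter with fc below fs/2 and fsb at or below the folding frequencies keeps such tones out of the converter.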
  • 17. Attacks against ADCs • Frequency and phase: • Arbitrary waveform signal, i.e. a signal with a waveform that could somehow be misinterpreted by the ADC (see ep. 1) • High-frequency function signal, i.e. a sine wave with kHz or MHz frequency that could somehow be misinterpreted by the ADC • Oversampling attack against SAR (see ep. 1) • Special-frequency attack against ΔΣ (see ep. 2) • Amplitude (out-of-voltage-range signal) (see ep. 1)
  • 19. But how…? “HMI Panel” “Control PLC” (arduino) “Actuator” (motor) “Monitoring PLC” (S7 1200)
  • 20. …Easy! (Figure labels: 3.3V, 100 ms, 2,5ms)
    while (1) {
      pinOutput(tip120PIN, 200);
      delay(395);
      for (i = 0; i < 20; i++) {
        pinOutput(tip120PIN, 0);
        delay(2);
        pinOutput(tip120PIN, 200);
        delay(2);
      }
      pinOutput(tip120PIN, 200);
      delay(495);
    }
  • 21. Siemens S7 1200 analog I/O ADC
  • 22. Siemens S7 1200 analog I/O ADC N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
  • 23. Siemens S7 1200 analog I/O ADC N=8.3ms N=9ms N=7ms N=4.5ms N=2.5ms
  • 24. AWG signal against “lazy-call” ADC Val = readADC(); Sleep(Timeout); /* or doSmth(Timeout) */ Output(Val);
  • 25. But this is just an Arduino, not a real controller! Ok, let’s try without the Arduino…
  • 26. Ok, let’s try something more real… SIMATIC S7-1200, ANALOG OUTPUT SB 1232, 1 AO, +/- 10VDC (12 BIT RES.) OR 0 - 20 MA (11 BIT RES) Problem: no public information on the real SPS (samples per second) of this module…
  • 27. Ok, what’s inside? Logic buffer EEPROM OpAmp XTR300
  • 29. Let’s test for max stable SPS…
  • 30. Proof-of-Concept demo with real stuff “HMI Panel” “Control PLC” (S7 1200) “Actuator” (motor) “Monitoring PLC” (S7 1200) See v2_motor_plc_vs_plcadc.m4v video
  • 31. Signal generation SCL code https://support.industry.siemens.com/cs/document/67295964/how-in-step-7-v5-x-do-you-program-signal-generation-(rectangle-sawtooth-triangle-sinus)-using-the-cyclic-interrupts-?dti=0&lc=en-WW
  • 33. ΔΣ Modulation • Delta-sigma (ΔΣ; or sigma-delta, ΣΔ) modulation is a method for encoding analog signals into digital signals as found in an ADC. [7] • In Δ-modulation the change in the signal (its delta) is encoded, rather than the absolute value. The result is a stream of pulses. In ΔΣ-modulation, the accuracy of the modulation is improved by passing the digital output through a 1-bit DAC and adding (sigma) the resulting analog signal to the input signal, thereby reducing the error introduced by the Δ-modulation. [7]
  • 34. Delta-sigma ADC • ΔΣ ADCs are based on ΔΣ-modulation and consist of two parts, analog and digital: • the analog part generates a very high-frequency bitstream; • the digital part creates the real-number output by filtering it with a digital filter and decimating it to the output samples-per-second value. (Diagram: Analog input → ΔΣ Modulator (analog part) → 1-bit stream, e.g. 0 1 1 0 0 … → Digital Low-Pass filter → N-bit stream → Decimation Filter (digital part) → Output data, e.g. 3.3 3.4 3.4 3.4 2.7 2.2 …)
  • 37. Demo: The mystery of the ΔΣ AD7706 ADC… See v3_mystery_sdadc1.mp4 video
  • 38.
  • 39. Possible explanation from the datasheet? • We would expect some noise there, but not such a clean sine signal • It explains things only partly, and we need a good hypothesis for all of them. In our case fCLKIN = 2.00MHz, so fs = 31250
  • 40. LP & Decimation (sinc3) filter D = N = 64 for AD7706
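Slide 40 names the sinc3 low-pass/decimation filter with D = N = 64, and slides 63 and 68 insist that digital filtering after the modulator won't help. The following added example (not from the deck and not a model of the AD7706's internals) evaluates the textbook closed-form magnitude response of a third-order sinc (CIC) decimator, using the modulator rate fs = 31250 Hz from slide 39 and N = 64 from slide 40 as its assumed parameters, and shows where such a filter attenuates and where it has unity gain.

```python
"""Magnitude response of a sinc^3 (third-order CIC) decimation filter.

Added example, not from the deck or any datasheet. It uses the standard
closed form for a sinc^3 decimator with decimation ratio N fed at the
modulator rate fs; the AD7706 itself is not modelled.
"""
import math

FS_MOD = 31250.0   # modulator rate assumed from slide 39 (fCLKIN = 2 MHz)
N_DEC = 64         # decimation ratio D = N assumed from slide 40


def sinc3_response(f, fs=FS_MOD, n=N_DEC):
    """|H(f)| of a sinc^3 decimator, normalised so that |H(0)| = 1.

    H(f) = [ sin(pi*f*n/fs) / (n*sin(pi*f/fs)) ]^3

    The response is periodic in fs: at every multiple of the modulator rate
    the filter has unity gain, so a tone that reaches the modulator there
    is passed to the output data without any digital attenuation.
    """
    x = math.pi * f / fs
    denom = n * math.sin(x)
    if abs(denom) < 1e-12:          # f is 0 or a multiple of fs: limit is 1
        return 1.0
    return abs(math.sin(n * x) / denom) ** 3


def attenuation_db(f, fs=FS_MOD, n=N_DEC):
    """Attenuation in dB (positive = attenuated); capped at 300 dB in the nulls."""
    h = sinc3_response(f, fs, n)
    return 300.0 if h < 1e-15 else -20.0 * math.log10(h)


def first_null(fs=FS_MOD, n=N_DEC):
    """The first notch of a sinc^3 decimator by n sits at fs/n."""
    return fs / n


def corner_frequency(fs=FS_MOD, n=N_DEC):
    """-3 dB corner, found by bisection between DC and the first null
    (the response is monotonically decreasing on that interval)."""
    lo, hi = 0.0, first_null(fs, n)
    for _ in range(60):
        mid = (lo + hi) / 2
        if sinc3_response(mid, fs, n) > 1 / math.sqrt(2):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def unattenuated_frequencies(k_max, fs=FS_MOD):
    """Image frequencies the digital filter passes with unity gain: k*fs."""
    return [k * fs for k in range(1, k_max + 1)]


if __name__ == "__main__":
    print(f"first null   : {first_null():8.1f} Hz")
    print(f"-3 dB corner : {corner_frequency():8.1f} Hz")
    for f in (100.0, 500.0, 5000.0, FS_MOD / 2, FS_MOD, 2 * FS_MOD):
        print(f"f = {f:8.1f} Hz -> {attenuation_db(f):6.1f} dB")
    print("passed with unity gain:", unattenuated_frequencies(3))
```

The practical reading for a defender: with these parameters the digital filter is about 128 Hz wide and deep in its stop band by a few hundred hertz, yet at 31250 Hz and its multiples it attenuates nothing at all, so the only place to stop such tones is an analog filter in front of the modulator.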
  • 41. USB UART Atmega328 AD7706 & Vref Signal generator Demo: The second mystery of the ΔΣ AD7706 ADC… See v4_mystery_various_signals.mov video
  • 42. Hypotheses and frustrations • Digital filter corner frequency/noise? • No, the sine is too clean for that • sinc3 filter implemented in the MCU with an integer overflow? • ”Artificial gain” (no PGA), just a multiplication on the digital output? • That’s wrong according to the chip decap image.
  • 43. • Dynamic compression? • Overflow in logic circuit? • Pole-zero cancelation in filter? Still mystery
  • 44. 31.25kHz looks like too much for a successful attack (Figure: DAC with s/r (sample rate) up to 100kHz)
  • 45. Implementation Renesas R5F100bG RL78/G13 27352 bytes firmware size => 4 – 36+kB for payload
  • 46. Ok, I got it, but what else could I use for an attack? Line coupling circuit (usually OpAmp/Transformer) + Signal/Function Generator. The two most common industrial analog line loops: • Voltage (0-10V, 0-24(28)V, 0-48V) • Current (0-20mA) Aka ADC research kit for Joseph FitzPatrick
  • 47. Voltage Signal/Function Generator: -> Si5351 + any MCU via I2C Coupling circuit: Buffer RtR OpAmp + H-V OpAmp Gain = 1 + (R2/R1) TI OPA551/OPA552 Fairchild LM358N Buffering requirement depends on signal source
  • 48. Current (0-20mA) -> Cypress PSoC http://www.planetanalog.com/author.asp?section_id=3066&doc_id=563262 CY8CKIT-049-42XX ~<10EUR MAX15006 Any suitable and cheap transistor for such current
  • 49. Other ΔΣ ADCs: ADS1015
  • 50. Cypress PSoC5 built-in ADC* What’s this? What’s that? [5] *default configuration
  • 51. Ok, let’s look at a real device with ΔΣ-ADC-like behavior: Allen-Bradley 1794AENT + 1794-IE4XOE2 Flex I/O. Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 52. Very weird results for a real industrial PLC: 1 -> 24Hz Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 53. 25Hz Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 54. And… 24.9Hz!!! Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 55. And… 24.9Hz!!! Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 56.
  • 57. *No offense, Andrey, it's just really funny!*
  • 58. Flex I/O vs. PowerFlex Part of research by Andrey Dolgikh, Binghamton University, @c4f3t13r3
  • 59. Do we have at least one “normal” ΔΣ ADC?! Yes, e.g. MAX11205 • Sinc4 filter with no visible mistakes + post-filtering(?) • Looks very reliable (Figure label: Post-filtering?)
  • 60. Attacks summary: what you can and what you cannot
  • 61. Summary
    ADC               | First ”attackable” f | Required AAF fc    | Required AAF fsb | Complexity
    SAR ADC           | S/H frequency        | (S/H frequency)/2  | -                | easy/medium
    -- MCP3201        | 14.3kHz              | 7.1kHz             | -                | easy
    S7 1200 PLC       | 121Hz                | 60Hz               | 120Hz            | easy
    AB 1794-IE4XOE2*  | 24.9Hz               | 10Hz               | 20Hz             | very easy
    AD7705/AD7706     | 31250/38400 Hz       | -                  | 30kHz            | easy
    ADS1015           | ~86kHz               | 10-20kHz           | 50kHz            | medium/hard
    MAX11205          | n/a                  | any reasonable     | any reasonable   | ~impossible
    PSoC5 LP**        | ~1kHz                | 1kHz               | 2kHz             | easy
    * research data by Andrey Dolgikh
    ** incorrectly configured (default configuration) PSoC module
  • 63. Mitigations • As hardware developers/vendors: • Implement correct AA-filters in accordance with the REAL characteristics of your ADC (read the latest/hidden datasheets, test your ADC manually) • Remember: digital filters won’t help • As software developers (incl. firmware and PLC program development): • Introduce sampling frequency randomization in software that works with the ADC • Avoid “sleepy” code • As engineers: • Implement the same AA-filters all over your analog network in accordance with your OT process
  • 64. Vendor sceptic’s reply: • We already have correct AA-filters everywhere! Are you sure?
  • 65. Reference design of industrial sensor “We included AA LPF in our design" ADC with fs ~ 2kSPS LPF with fc near 79 kHz
  • 66. Reference design of industrial transmitter “We included AA LPF in our design" ADC with fs ~ 470sps LPF with fc near 79 kHz
  • 67. But we have … AA filters... Everywhere...
  • 68. Vendor: also remember that digital filters won’t help • The signal is already ”compromised” by the ”ADC features”, so any digital filtering after the ADC won’t help you. • If you want full control, install a ΔΣ modulator and implement the digital part of the ΔΣ-ADC manually in an FPGA (Diagram: Analog signal → 1-bit stream → Digital representation)
  • 69. Developer: introduce sampling frequency randomization • A certain randomness in the sampling frequency will make the attacker’s job much harder • Many of the discussed attacks will be much more challenging to execute • A small variation of fs won’t degrade the signal understanding process. On the contrary, it will produce a signal sample of better quality. fs = f + rand(Δ) (Figure: V vs. Time; picture from http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html)
  • 70. Developer: Avoid sleepy code Avoid writing/using the following code (if you don’t completely understand your process): Val = readADC(); Output(Val); Sleep(Timeout);
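Slides 69 and 70 recommend randomising the sampling period and avoiding the fixed readADC(); Output(); Sleep() loop. The following added simulation (not from the deck; no hardware involved) shows why. It constructs a 100 Hz, 50 % duty square wave between 0 V and 1.5 V (the OFF/ON levels from slide 9 are assumed purely for illustration) and samples it as a monitoring loop would: with a fixed 10 ms period, with an unrelated fixed period, and with the period jittered by rand(Δ), where Δ = 2.5 ms is an assumed value. Time is kept in integer microseconds so the phase arithmetic is exact.

```python
"""Fixed-period vs. randomised-period sampling of a constructed waveform.

Added example, not from the original deck. Models the monitoring side only:
a 'sleepy' read/output/sleep loop and the same loop with fs = f + rand(delta).
"""
import random

PERIOD_US = 10_000                 # constructed 100 Hz square wave, 10 ms period
HIGH_V, LOW_V, DUTY = 1.5, 0.0, 0.5  # assumed ON/OFF levels and duty cycle


def waveform(t_us):
    """Constructed 'analog' line signal: square wave, HIGH for DUTY of each period."""
    phase = (t_us % PERIOD_US) / PERIOD_US
    return HIGH_V if phase < DUTY else LOW_V


def true_mean():
    """Mean of the constructed waveform over one full period (what an ideal
    low-pass reading of the line would report)."""
    return LOW_V + DUTY * (HIGH_V - LOW_V)


def sample_fixed(signal, period_us, n, t0_us=0):
    """'Sleepy' loop: Val = readADC(); Output(Val); Sleep(period) -> samples at
    exactly t0 + k*period, i.e. always at the same phase of a matching signal."""
    return [signal(t0_us + k * period_us) for k in range(n)]


def sample_randomised(signal, period_us, delta_us, n, seed=1, t0_us=0):
    """Same loop with fs = f + rand(delta): each wait is period + U[0, delta]."""
    rng = random.Random(seed)      # fixed seed so the run is reproducible
    t, out = t0_us, []
    for _ in range(n):
        out.append(signal(t))
        t += period_us + rng.randint(0, delta_us)
    return out


def mean(samples):
    return sum(samples) / len(samples)


if __name__ == "__main__":
    fixed_on = sample_fixed(waveform, PERIOD_US, 50)             # phase 0
    fixed_off = sample_fixed(waveform, PERIOD_US, 50, t0_us=5_000)  # phase 1/2
    unrelated = sample_fixed(waveform, 7_000, 10)                # 7 ms period
    jittered = sample_randomised(waveform, PERIOD_US, PERIOD_US // 4, 40_000)
    print(f"true mean of the line          : {true_mean():.2f} V")
    print(f"fixed 10 ms loop, phase 0      : {mean(fixed_on):.2f} V (reads constant ON)")
    print(f"fixed 10 ms loop, phase 1/2    : {mean(fixed_off):.2f} V (reads constant OFF)")
    print(f"fixed 7 ms loop                : {mean(unrelated):.2f} V")
    print(f"10 ms + rand(2.5 ms) loop      : {mean(jittered):.2f} V")
```

The fixed 10 ms loop lands on the same phase of the 10 ms waveform every time and reports a steady 1.5 V or a steady 0 V depending only on when it started, which is exactly the actuator/logger disagreement of slide 9; the 7 ms loop and the jittered loop both recover the 0.75 V mean because their phases walk through the whole period. Randomisation is a complement to the analog AAF, not a replacement for it: it makes the reading honest on average but does not remove the out-of-band energy from the line.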
  • 71. Engineer: Use the SAME AA-filters across the whole analog line • When adding an LPF to an individual device, make sure that all related devices have the same cut-off frequencies • E.g. if the PLC input is buffered with an LPF with fc = 1kHz and the actuator is equipped with an LPF with fc = 5kHz, the attack is not only possible, but its probability of success increases! (Diagram: Control PLC, fc = 1kHz, fc = 5kHz, Monitoring PLC)
  • 72. Thanksgiving service • Marina Krotofil for being a co-researcher in ep. 1 and many bright ideas • Andrey ‘@c4f3t13r3’ Dolgikh from Binghamton University, for information on Allen Bradley PLC behavior vs. different frequencies. • Guys from IOA hw lab (especially Gabriel, Ruben and Alfredo) for help and support • Fedor Savelyev for ideas and help with DSP (digital signal processing) analysis • Dmitry Nedospasov for much useful advice
  • 75. References
    1. https://en.wikipedia.org/wiki/Control_theory , picture by Orzetto - Own work, GFDL, https://commons.wikimedia.org/w/index.php?curid=5000019
    2. Picture from: http://maxembedded.com/2011/06/the-adc-of-the-avr/
    3. Wikipedia: https://en.wikipedia.org/wiki/Analog-to-digital_converter
    4. Picture from: http://studentweb.niu.edu/7/~Z063757/lowpass2.bmp
    5. Picture from: http://www.hdwallpaperpc.com/show-wallpaper/surprised_kitten_animal_cats_kitty_little_cat_136064.html