Developing an electromagnetic noise generator to protect a Raspberry Pi from side channel analysis
- Frieslaar, I, Irwin, Barry V W
- Authors: Frieslaar, I , Irwin, Barry V W
- Date: 2018
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429511 , vital:72618 , https://ieeexplore.ieee.org/abstract/document/8531950
- Description: This research investigates the Electromagnetic (EM) side channel leakage of a Raspberry Pi 2 B+. An evaluation is performed on the EM leakage as the device executes the AES-128 cryptographic algorithm contained in the libcrypto++ library in a threaded environment. Four multi-threaded implementations are evaluated. These implementations are Portable Operating System Interface Threads, C++11 threads, Threading Building Blocks, and OpenMP threads. It is demonstrated that the various thread techniques have distinct variations in frequency and shape as EM emanations are leaked from the Raspberry Pi. It is demonstrated that the AES-128 cryptographic implementation within the libcrypto++ library on a Raspberry Pi is vulnerable to Side Channel Analysis (SCA) attacks. The cryptographic process was visible within the EM spectrum, and the data for this process was extracted after digital filtering techniques were applied to the signal. The resultant data was utilised in the Differential Electromagnetic Analysis (DEMA) attack, and the results revealed the 16 sub-keys that are required to recover the full AES-128 secret key. Based on this discovery, this research introduced a multi-threading approach with the utilisation of the Secure Hash Algorithm (SHA) to serve as a software-based countermeasure to mitigate SCA attacks. The proposed countermeasure, known as the FRIES noise generator, executed as a daemon and generated EM noise that was able to hide the cryptographic implementation and prevent the DEMA attack and other statistical analyses.
- Full Text:
- Date Issued: 2018
Detecting derivative malware samples using deobfuscation-assisted similarity analysis
- Wrench, Peter, Irwin, Barry V W
- Authors: Wrench, Peter , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429494 , vital:72617 , 10.23919/SAIEE.2016.8531543
- Description: The abundance of PHP-based Remote Access Trojans (or web shells) found in the wild has led malware researchers to develop systems capable of tracking and analysing these shells. In the past, such shells were ably classified using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Although a large percentage of newly created web shells incorporate portions of code derived from seminal shells such as c99 and r57, they are able to disguise this by making extensive use of obfuscation techniques intended to frustrate any attempts to dissect or reverse engineer the code. This paper presents an approach to shell classification and analysis (based on similarity to a body of known malware) in an attempt to create a comprehensive taxonomy of PHP-based web shells. Several different measures of similarity were used in conjunction with clustering algorithms and visualisation techniques in order to achieve this. Furthermore, an auxiliary component capable of syntactically deobfuscating PHP code is described. This was employed to reverse idiomatic obfuscation constructs used by software authors. It was found that this deobfuscation dramatically increased the observed levels of similarity by exposing additional code for analysis.
- Full Text:
- Date Issued: 2016
Human perception of the measurement of a network attack taxonomy in near real-time
- Van Heerden, Renier, Malan, Mercia M, Mouton, Francois, Irwin, Barry V W
- Authors: Van Heerden, Renier , Malan, Mercia M , Mouton, Francois , Irwin, Barry V W
- Date: 2014
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429924 , vital:72652 , https://doi.org/10.1007/978-3-662-44208-1_23
- Description: This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks do not have a time limitation, but the earlier an attack is detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluates how elements of network attacks can be measured in near real-time (60 seconds). The taxonomy we use was developed by van Heerden et al (2012) with over 100 classes. These classes present the attacker's and the defender's points of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence, or not at all, in a short (near real-time) period. The IP address of an attack can easily be faked, thus reducing the confidence in the information obtained from it, so the origin of an attack can only be determined with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper are subjective, but due to the very basic grouping (High, Low or Not Quantifiable) a subjective value can be used. The complexity of the taxonomy can be significantly reduced if only classes with a high perceptive accuracy are used.
- Full Text:
- Date Issued: 2014
High level internet scale traffic visualization using hilbert curve mapping
- Irwin, Barry V W, Pilkington, Nick
- Authors: Irwin, Barry V W , Pilkington, Nick
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429911 , vital:72650 , https://doi.org/10.1007/978-3-540-78243-8_10
- Description: A high level analysis tool was developed for aiding in the analysis of large volumes of network telescope traffic, and in particular the comparisons of data collected from multiple telescope sources. Providing a visual means for the evaluation of worm propagation algorithms has also been achieved. By using a Hilbert curve as a means of ordering points within the visualization space, the concept of nearness between numerically sequential network blocks was preserved. The design premise and initial results obtained using the tool developed are discussed, and a number of future extensions proposed.
- Full Text:
- Date Issued: 2008
A Digital Forensic investigative model for business organisations
- Forrester, Jock, Irwin, Barry V W
- Authors: Forrester, Jock , Irwin, Barry V W
- Date: 2007
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430078 , vital:72664 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228783555_A_Digital_Forensic_investigative_model_for_business_organisations/links/53e9c5e80cf28f342f414987/A-Digital-Forensic-investigative-model-for-business-organisations.pdf
- Description: When a digital incident occurs there are generally three courses of action that are taken, generally dependent on the type of organisation within which the incident occurs, or which is responding to the event. In the case of law enforcement the priority is to secure the crime scene, followed by the identification of evidentiary sources which should be dispatched to a specialist laboratory for analysis. In the case of an incident within military (or similar critical) infrastructure, the primary goal becomes one of risk identification and elimination, followed by recovery and possible offensive measures. Where financial impact is caused by an incident, and revenue earning potential is adversely affected (as in the case of most commercial organisations), root cause analysis and system remediation are of primary concern, with in-depth analysis of the how and why left until systems have been restored.
- Full Text:
- Date Issued: 2007
Wireless Network Visualization Using Radio Propagation Modelling
- Janse van Rensburg, Johanna, Irwin, Barry V W
- Authors: Janse van Rensburg, Johanna , Irwin, Barry V W
- Date: 2005
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428859 , vital:72541 , https://d1wqtxts1xzle7.cloudfront.net/81589186/Papers_5CJanse_van_Rensburg_Wireless_Radio_Prop-libre.pdf?1646243170=esponse-content-disposi-tion=inline%3B+filename%3DWireless_Network_Visualization_Using_Rad.pdfExpires=1714748958Signature=OF69CzUsXIaE9WuVUQ~p01LV8Fdm4EOpX1eudE3qomWEWQ9jngy36AuZ38dZEAfIhWWFgO7byMtmx8hOUE3uYjjqLLGziqWV05r~K2n~DdSHAO1x2omrK53ew3lSW2AJ677zsqOIcRb-yVr7kE2PbAw1QolptUWQVI2YpAHEKdg5EQXm2iAW~FrQ7ljJxuwZTKaVLoubxj4HRLwJxTPIS9iN9nHn3sNKyIojfG6duWnCQ0dpkIKiKWTY6HVioBQCiN1vSdLUagXnTeRthoOFGyfo2kd3XG1Pi3tttIwFviPCh5H1297BCpMruY-h6XjSnPBGgAG33dOnkClBFnyAKg__Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: Wireless technologies have had an enormous impact on networking in recent years. They can create new business opportunities and allow users to communicate and share data in a new fashion. Wireless networks decrease installation costs, reduce the deployment time of a network and overcome physical barrier problems inherent in wiring. Unfortunately this flexibility comes at a price. The deployment, installation and setup of a WLAN is not a simple task and a number of factors need to be considered. Wireless networks are notorious for being insecure due to signal spill, ad-hoc unauthorized access points and varying encryption strengths and standards. RF (Radio Frequency) interference and physical barriers suppress a signal. In addition, the channel frequencies each access point will be using in order to provide maximum roaming but minimum inter-access-point interference need to be considered. It is a complex balancing act to take these factors into account while still maintaining coverage, performance and security requirements. In this paper the benefits and feasibility of a model will be discussed that will enable the network administrator to visualize the coverage footprint of their wireless network when the above factors are taken into consideration. The program will be able to predict the strength, propagation and unwanted spill of signals which could compromise the security of an organisation prior to the deployment of a WLAN. In addition, the model will provide functionality to visualize a signal from audit data once the WLAN is operational. The end result will be a program that can aid in the configuration, installation and management of a secure WLAN.
- Full Text:
- Date Issued: 2005