MODEL OF CHANNEL INFORMATION LEAKAGE VIA SOFTWARE-MANAGED SIDE ELECTROMAGNETIC RADIATION
Ryabinin Andrey Mikhailovich,
graduate student, Bauman Moscow State Technical University, Moscow, Russia, [email protected]
Filatov Vladimir Ivanovich,
Candidate of Technical Sciences,
Bauman Moscow State Technical University, Moscow, Russia, [email protected]
Belkov Igor Vladimirovich,
Bauman Moscow State Technical University, Moscow, Russia
This work presents a model of an information leakage channel based on software-managed side electromagnetic radiation. The limitations on the operation of this channel are stated. Important issues in the implementation of the special malware, such as its operating modes, are described, and the process by which the special malware spreads is also considered. Design/methodology/approach. The information leakage channel via software-managed side electromagnetic radiation is formed by manipulating the current and voltage parameters in the circuit solutions of the software and hardware. These manipulations are achieved by changing the firmware of the microcontrollers included in the computer equipment, or by changing the control registers of the circuit logic of the computing facilities. Because of the changes in the current and voltage parameters, any leakage radiation can be modulated by the information signal. The sources of leakage radiation can be data bus frequency generators or peripheral technological equipment that is not involved in secure information processing but is physically connected to the computer equipment.
Findings. A new approach to forming information leakage via side electromagnetic radiation, namely leakage via software-managed radiation, is described. The basic distinctions of this approach are the targeted modulation of the radiation by the information signal and the forming of that radiation with special malware. A model based on this approach is presented.
Practical implications. This model must be taken into account when building a system for protecting information objects against information leakage via side electromagnetic radiation. Originality/value. The approach described in this article opens new ways of forming an information leakage channel via side electromagnetic radiation. It allows unauthorized access to information on computer equipment and must be taken into account when designing the protection of information objects.
List of abbreviations
ICS - Industrial Control System; AH - Assistive Hardware; RPD - Regulatory and Procedural Documents; UA - Unauthorised Access; BH - Basic Hardware; PC - Personal Computer; Soft Tempest - Hidden Data Transmission Using Electromagnetic Emanations; Tempest - Adverse Electromagnetic Emanations; GD - Guidance Document; CE - Computer Equipment; ISS - Information Security System; SS - Special Software; EMR - Electromagnetic Radiation.
For citation (in Russian):
Ryabinin A.M., Filatov V.I., Belkov I.V. Model of an information transfer channel using software-controlled side electromagnetic radiation and crosstalk (PEMIN) // T-Comm: Telecommunications and Transport. 2016. Vol. 10. No. 1. Pp. 77-80.
For citation:
Ryabinin A.M., Filatov V.I., Belkov I.V. Model of channel information leakage via software-managed side electromagnetic radiation. T-Comm. 2016. Vol. 10. No. 1, pp. 77-80. (in Russian).
Keywords: information security, information leakage via electromagnetic radiation, soft tempest, malware.
In order to define Soft Tempest, we first consider the basic principles of Tempest generation and of the assessment of security against Tempest data leakage.
According to the current RPD, when performing special studies it is essential to measure the informative Tempest, i.e. the radiation and crosstalk produced by the analyzed computer equipment that carry the data processed by that equipment.
Such radiations are only a small part of the whole radiation spectrum of the equipment. All other kinds of radiation, in accordance with the study procedures, should not be considered.
Specific test operating modes must be set on the analyzed equipment in order to identify the informative Tempest.
It is common knowledge that the device's informative radiation in test mode should have the highest possible level. When searching for the informative frequencies of the radiation, the hazardous ones are recorded with measurement systems.
To classify a signal detected at a particular frequency as hazardous, the detected signal must be identified by comparing the received demodulated signal with the original test data signal.
Next, the levels of the detected signals are evaluated and the R2 area is calculated in accordance with the current procedure.
Therefore, the dangerous informative Soft Tempest signal formed during special studies is a signal that is generated while the test program runs and is then emitted by the studied computer equipment.
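The identification step of the special-studies procedure described above (comparing the demodulated signal received at a candidate frequency with the original test data, then evaluating its level) as an added example; this is not code from the paper, and the 64-bit test pattern, the correlation threshold of 0.7 and the simulated samples are constructed stand-ins, not values from any real test procedure.

```python
import math
import random

# Constructed test-data pattern: a stand-in for the data stream the test program
# drives through the equipment. The measurement side knows it as well.
_gen = random.Random(2016)
TEST_PATTERN = [_gen.getrandbits(1) for _ in range(64)]


def to_bipolar(bits):
    """Map bits {0,1} to symbols {-1,+1} so that unrelated radiation correlates to ~0."""
    return [1.0 if b else -1.0 for b in bits]


def peak_correlation(received, reference):
    """Peak normalized cross-correlation (about -1..1) of a demodulated sample with the
    test pattern, searched over all cyclic shifts because symbol timing is unknown."""
    n = len(reference)
    ref = to_bipolar(reference)
    denom = math.sqrt(sum(x * x for x in received) * n)  # |ref|^2 == n for +-1 symbols
    if denom == 0.0:
        return 0.0
    best = -1.0
    for shift in range(n):
        num = sum(received[(i + shift) % n] * ref[i] for i in range(n))
        best = max(best, num / denom)
    return best


def level_db(received):
    """Mean-square level of the sample in dB relative to unit symbol power."""
    power = sum(x * x for x in received) / len(received)
    return 10.0 * math.log10(power) if power > 0 else float("-inf")


def is_informative(received, reference, threshold=0.7):
    """True if the signal at this frequency reproduces the test data (hazardous/informative)."""
    return peak_correlation(received, reference) >= threshold


def constructed_sample(pattern, snr_db, shift, seed=1):
    """Simulated demodulated sample: shifted copy of the pattern plus Gaussian noise (constructed)."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10))
    n, bp = len(pattern), to_bipolar(pattern)
    return [bp[(i - shift) % n] + rng.gauss(0.0, sigma) for i in range(n)]


def constructed_noise(n, seed=2):
    """Simulated sample of radiation unrelated to the test data (constructed)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]
```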
The test program identifies the blocks of computer equipment involved in data processing and generates test data streams whose processing results in side electromagnetic radiation of maximum signal level.
When Soft Tempest data leakage is considered, an information signal receiver is added to the scheme described above. It receives the Soft Tempest and recovers the unit of information being processed; in the case of Soft Tempest this is, for example, a pixel on the screen.
Based on the foregoing, CE contain in their composition blocks that are not involved in data processing but are sources of EMR. CE can also take part in managing AH that is not directly involved in information processing but may generate EMR whose level may in some cases be higher than the Tempest of the BH.
Any CE consists of software and hardware; EMR is generated by the hardware blocks, the data buses, and the whole component base of semiconductor elements. The formation of EMR of maximum level can be achieved by changing the current and voltage parameters in the circuit solutions of the software and hardware. Changing the currents and voltages at the "low" hardware level may be implemented by changing the firmware of the microcontrollers included in the CE, or the control registers of the circuit logic of the computing tools.
With the help of software running on the target system, this approach makes it possible to create side electromagnetic radiation emitted by all of the technical system's hardware components, with the highest Tempest level possible for the given technology.
Moreover, it becomes possible to modulate the electromagnetic radiation of units not involved in processing the payload data, i.e. the information circulating on the computer equipment. This side electromagnetic radiation is called Soft Tempest: software-controlled Tempest.
Naturally, Soft Tempest does not arise from nowhere; it is directly connected with the continued refinement and growing complexity of the functioning logic of computer equipment. Previously, computer systems were intended for operation by trained people, programmers, and CE was operated strictly according to its algorithm of functioning, avoiding execution of extraneous code.
Then came the era of operating systems, and the notions of system and application software, antivirus software, trusted boot, system integrity monitoring software, and certificates for system and application software appeared.
The Tempest tests that exist nowadays are aimed at using the capabilities of application software to generate signal sequences of various intensities in the data buses and in the blocks involved in processing information.
However, the program code that can be launched on CE nowadays is not limited to these conditions. BIOS (basic input/output system) appeared together with the first operating systems. The BIOS is a type of firmware used to perform hardware initialization during the boot process and to provide runtime services for operating systems and for the hardware devices connected to the PC.
The fundamental purposes of the BIOS in modern PCs are to initialize and test the system hardware components and to load a boot loader or an operating system from a mass storage device. The BIOS additionally provides an abstraction layer for the hardware, i.e., a consistent way for application programs and operating systems to interact with the keyboard, display, and other input/output (I/O) devices.
BIOS program code can be rewritten. BIOS code mostly consists of firmware intended to initialize the controllers located on the motherboard and the devices connected to it (which, in turn, can have their own controllers with firmware).
Right after the PC is turned on, the processor reads the BIOS code from EEPROM, loads it into memory and transfers control to it. First, the BIOS code initiates the hardware test of the PC, the POST (power-on self-test).
During POST the BIOS code checks the operability of the controllers located on the motherboard and defines the low-level parameters of their operation (for example, the bus frequency and the parameters of the central microprocessor, the RAM controller, the data bus controllers (FSB, AGP, PCI, USB) and other basic hardware).
Modification of the BIOS code is called reflashing. It is dangerous because of the additional functionality that BIOS test programs can gain, for example loading extra code into RAM and modifying OS files from the BIOS, or reflashing the BIOS or other controllers on the motherboard, such as a data bus controller.
Soft Tempest can be generated by any of the circuitry mentioned above, managed by the code of its controller.
T-Comm Vol. 10. #1-2016
PUBLICATIONS IN ENGLISH
MODEL OF AN INFORMATION TRANSFER CHANNEL USING SOFTWARE-CONTROLLED SIDE ELECTROMAGNETIC RADIATION AND CROSSTALK (PEMIN)
Ryabinin Andrey Mikhailovich, graduate student, Bauman Moscow State Technical University, Department of Information Security, Moscow, Russia, [email protected]
Filatov Vladimir Ivanovich, Candidate of Technical Sciences, Bauman Moscow State Technical University, lecturer at the Department of Information Security, Moscow, Russia, [email protected]
Belkov Igor Vladimirovich, student of group ИУ10-71, Bauman Moscow State Technical University, Department of Information Security, Moscow, Russia
Abstract
A model of forming an information leakage channel through software-controlled side electromagnetic radiation and crosstalk (PEMIN) is considered. The protection of any automated system (AS) is built from a complex of organizational and technical measures. A model of forming a technical leakage channel (TLC) by means of software-controlled PEMIN (SC-PEMIN) is presented; this leakage channel can be formed both through violation of organizational measures and through vulnerabilities in the technical security systems of the information processing object. The limitations of the SC-PEMIN channel are presented. Important issues in implementing the malicious special software (SS), such as its operating modes, are considered, and the process of spreading the malicious SS is described.
Keywords: side electromagnetic radiation, technical information leakage channel, information interception, PEMIN, software-controlled PEMIN, Soft Tempest.