Publication


Featured researches published by Sylvain Leblanc.


Future Generation Computer Systems | 2011

Compromise through USB-based Hardware Trojan Horse device

John Clark; Sylvain Leblanc; Scott Knight

This paper continues the discussion of the risks posed by Hardware Trojan Horse devices by detailing research efforts to build such a Hardware Trojan Horse based on unintended USB channels. Because of the ubiquitousness of the USB protocol in contemporary computer systems, the research focused on identifying, characterizing and modeling unintended USB channels. The research demonstrated that such unintended USB channels can allow the creation of two-way communications with a targeted network endpoint, thus violating the integrity and confidentiality of the data residing on the network endpoint. The work was validated through the design and implementation of a Proof of Concept Hardware Trojan that uses two such unintended USB channels to successfully interact with a target network endpoint to compromise and exfiltrate data from it.


Network and System Security | 2009

Hardware Trojan Horse Device Based on Unintended USB Channels

John A. Clark; Sylvain Leblanc; Scott Knight

This paper discusses research activities that investigated the risk associated with USB devices. The research focused on identifying, characterizing and modelling unintended USB channels in contemporary computer systems. Such unintended channels can be used by a USB Hardware Trojan Horse device to create two-way communications with a targeted network endpoint, thus violating the integrity and confidentiality of the data residing on the endpoint. The work was validated through the design and implementation of a proof of concept Hardware Trojan Horse device that uses two such unintended USB channels to successfully interact with a target network endpoint to compromise and exfiltrate data from it.


IEEE International Conference on Data Science and Advanced Analytics | 2016

Anomaly Detection in Automobile Control Network Data with Long Short-Term Memory Networks

Adrian Taylor; Sylvain Leblanc; Nathalie Japkowicz

Modern automobiles have been proven vulnerable to hacking by security researchers. By exploiting vulnerabilities in the car's external interfaces, such as Wi-Fi, Bluetooth, and physical connections, they can access a car's controller area network (CAN) bus. On the CAN bus, commands can be sent to control the car, for example cutting the brakes or stopping the engine. While securing the car's interfaces to the outside world is an important part of mitigating this threat, the last line of defence is detecting malicious behaviour on the CAN bus. We propose an anomaly detector based on a Long Short-Term Memory neural network to detect CAN bus attacks. The detector works by learning to predict the next data word originating from each sender on the bus. Highly surprising bits in the actual next word are flagged as anomalies. We evaluate the detector by synthesizing anomalies with modified CAN bus data. The synthesized anomalies are designed to mimic attacks reported in the literature. We show that the detector can detect anomalies we synthesized with low false alarm rates. Additionally, the granularity of the bit predictions can provide forensic investigators clues as to the nature of flagged anomalies.


2015 World Congress on Industrial Control Systems Security (WCICSS) | 2015

Frequency-based anomaly detection for the automotive CAN bus

Adrian Taylor; Nathalie Japkowicz; Sylvain Leblanc

The modern automobile is controlled by networked computers. The security of these networks was historically of little concern, but researchers have in recent years demonstrated their many vulnerabilities to attack. As part of a defence against these attacks, we evaluate an anomaly detector for the automotive controller area network (CAN) bus. The majority of attacks are based on inserting extra packets onto the network. But most normal packets arrive at a strict frequency. This motivates an anomaly detector that compares current and historical packet timing. We present an algorithm that measures inter-packet timing over a sliding window. The average times are compared to historical averages to yield an anomaly signal. We evaluate this approach over a range of insertion frequencies and demonstrate the limits of its effectiveness. We also show how a similar measure of the data contents of packets is not effective for identifying anomalies. Finally we show how a one-class support vector machine can use the same information to detect anomalies with high confidence.


2011 IEEE International Systems Conference | 2011

Risks associated with USB Hardware Trojan devices used by insiders

John Clark; Sylvain Leblanc; Scott Knight

This paper extends the discussion of potential damage that can be done by Hardware Trojan Horse devices by discussing the specific risks associated with an Insider's use of such a device to circumvent established security policies, even when these are implemented with state of the art Endpoint Security Solutions. The paper argues that a specific category of Hardware Trojan Horse devices, those implemented as functional peripheral devices, are particularly dangerous when used by a malicious Insider. The research discusses the implementation of a proof of concept Hardware Trojan Horse device, implemented as a USB Human Interface Device, that exploits unintended USB channels to exfiltrate data from a computer. The work discusses unintended USB channels, paying particular attention to the observability of the channel in operation. Various scenarios are presented to show that Hardware Trojan Horse devices implemented as peripheral devices can be used to prosecute a wide variety of attacks that are not mitigated by modern defensive techniques. The work demonstrates that a Hardware Trojan Horse device and physical access by a malicious Insider are sufficient to compromise a modern computer system. The paper argues that the study of Hardware Trojan devices must become an integral part of research on Insider Threats.


Engineering of Computer Based Systems | 2017

A Constraint-based intrusion detection system

M. D. Siam Hasan; Thomas R. Dean; Fahim T. Imam; Francisco García García; Sylvain Leblanc; Mohammad Zulkernine

The expressiveness of constraints has a potential to define network behavior and defend against complex network intrusions. This potential can be an integral part of an Intrusion Detection System (IDS) for defending networks against various attacks. The existing approaches of constraint logic programming have limitations when it comes to solving the network constraints in the presence of the continuous, constantly changing stream of network data. In this paper, we propose two variations of a tree-based constraint satisfaction technique to evaluate network constraints on continuous network data. A Domain Specific Language (DSL) is developed so that the IDS users can specify different intrusions related to their networks. We also present a prototype implementation of these techniques. We evaluate the performance and effectiveness of our approach against the network traffic data generated from an experimental network.


Annual Simulation Symposium | 2011

An overview of cyber attack and computer network operations simulation

Sylvain Leblanc; Andrew Partington; Ian M. Chapman; Melanie Bernier


USENIX Security Symposium | 2009

Collective views of the NSA/CSS cyber defense exercise on curricula and learning objectives

William J. Adams; Efstratios Gavas; Timothy H. Lacey; Sylvain Leblanc


Annual Simulation Symposium | 2011

Taxonomy of cyber attacks and simulation of their effects

Ian M. Chapman; Sylvain Leblanc; Andrew Partington


Conference of the Centre for Advanced Studies on Collaborative Research | 2013

Using clone detection to find malware in acrobat files

Saruhan Karademir; Thomas R. Dean; Sylvain Leblanc

Collaboration


Dive into Sylvain Leblanc's collaboration.

Top Co-Authors

Scott Knight

Royal Military College of Canada

John Clark

Royal Military College of Canada

Andrew Partington

Royal Military College of Canada

Ian M. Chapman

Defence Research and Development Canada

Antoine Lemay

École Polytechnique de Montréal

Melanie Bernier

Defence Research and Development Canada
