-
arXiv:2303.12340
Insecure by Design in the Backbone of Critical Infrastructure
Abstract: We inspected 45 actively deployed Operational Technology (OT) product families from ten major vendors and found that every system suffers from at least one trivial vulnerability. We reported a total of 53 weaknesses, stemming from insecure by design practices or basic security design failures. They enable attackers to take a device offline, manipulate its operational parameters, and execute arbitr…
Submitted 22 March, 2023; originally announced March 2023.
Comments: IEEE/ACM Workshop on the Internet of Safe Things 2023
-
Where's Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code
Abstract: The continuing use of proprietary cryptography in embedded systems across many industry verticals, from physical access control systems and telecommunications to machine-to-machine authentication, presents a significant obstacle to black-box security-evaluation efforts. In-depth security analysis requires locating and classifying the algorithm in often very large binary images, thus rendering manu…
Submitted 15 October, 2020; v1 submitted 9 September, 2020; originally announced September 2020.
Comments: A proof-of-concept implementation can be found at https://github.com/wheres-crypto/wheres-crypto
MSC Class: 68M25; ACM Class: E.3
-
arXiv:2007.02307
Challenges in Designing Exploit Mitigations for Deeply Embedded Systems
Abstract: Memory corruption vulnerabilities have been around for decades and rank among the most prevalent vulnerabilities in embedded systems. Yet this constrained environment poses unique design and implementation challenges that significantly complicate the adoption of common hardening techniques. Combined with the irregular and involved nature of embedded patch management, this results in prolonged vuln…
Submitted 5 July, 2020; originally announced July 2020.
Comments: Published in 4th IEEE European Symposium on Security and Privacy (EuroS&P'19)
-
Open Sesame: The Password Hashing Competition and Argon2
Abstract: In this document we present an overview of the background to and goals of the Password Hashing Competition (PHC) as well as the design of its winner, Argon2, and its security requirements and properties.
Submitted 11 February, 2016; v1 submitted 8 February, 2016; originally announced February 2016.
Comments: 17 pages
ACM Class: E.3
-
Sponges and Engines: An introduction to Keccak and Keyak
Abstract: In this document we present an introductory overview of the algorithms and design components underlying the Keccak cryptographic primitive and the Keyak encryption scheme for authenticated (session-supporting) encryption. This document aims to familiarize readers with the basic principles of authenticated encryption, the Sponge and Duplex constructions (full-state, keyed as well as regular version…
Submitted 12 October, 2015; v1 submitted 9 October, 2015; originally announced October 2015.
Comments: 30 pages. Revision: corrected minor terminology error
ACM Class: E.3
-
Simple SIMON: FPGA implementations of the SIMON 64/128 Block Cipher
Abstract: In this paper we will present various hardware architecture designs for implementing the SIMON 64/128 block cipher as a cryptographic component offering encryption, decryption and self-contained key-scheduling capabilities and discuss the issues and design options we encountered and the tradeoffs we made in implementing them. Finally, we will present the results of our hardware architectures' impl…
Submitted 22 July, 2015; originally announced July 2015.
Comments: 20 pages
-
Hidden in snow, revealed in thaw: Cold boot attacks revisited
Abstract: In this paper, we will provide an overview of the current state-of-the-art with regards to so-called cold boot attacks, their practical applicability and feasibility, potential counter-measures and their effectiveness.
Submitted 4 August, 2014; originally announced August 2014.
Comments: 26 pages
ACM Class: K.6.5
-
Broken keys to the kingdom: Security and privacy aspects of RFID-based car keys
Abstract: This paper presents an overview of the current state-of-the-art of security and privacy concerns regarding RFID-based car key applications. We will first present a general overview of the technology and its evolution before moving on to an overview and discussion of the various known security weaknesses and attacks against such systems and the associated privacy risks they introduce.
Submitted 28 May, 2014; originally announced May 2014.
Comments: 20 pages
ACM Class: K.6.5