Inhibitor system for hardware attacks on an I2C bus, slave module and network that includes it (Machine-translation by Google Translate, not legally binding)
Patent abstract:
A hardware attack inhibiting system for a slave module (20) on an I2C bus, including: a detector (42) for detecting the start of communication on the SDA data line and for generating an initialization signal; an oscillator (44) for generating an independent clock signal; a meter (46) for automatically measuring the frequency of the SCL synchronization signal, comparing it with the clock signal of the oscillator (44) and generating a signal indicating the existence of an attack; and a response device (48) configured to receive the signal indicating the existence of an attack and to regenerate the SCL line from the signal of the oscillator device (44). (Machine-translation by Google Translate, not legally binding)
Publication number: ES2647941A1
Application number: ES201600465
Filing date: 2016-05-24
Publication date: 2017-12-27
Inventors: Raúl JIMENEZ NAHARRO; Fernando GOMEZ BRAVO; Juan Antonio Gomez Galan; Manuel SÁNCHEZ RAYA; Jonathan Medina Garcia
Applicant: Universidad de Huelva
Patent description:
DESCRIPTION

Hardware attack inhibitor system on an I2C bus, slave module and network that includes it.

Technical Field of the Invention

The invention belongs to the field of industrial robotics. In particular, it relates to security against attacks on the communication between devices under the I2C protocol.

Background of the Invention or State of the Art

Motors or actuators are present in any robotic environment, since they are responsible for the movement of the different parts of the robot (in the case of manipulators) or of the robot itself (in the case of mobile robots). In the case of manipulators, the motors perform the movement of the arm, as well as of the wrist and the end effector (the part with which the manipulator interacts). In the case of mobile robots, the main function of the motors is to provide movement, usually through wheels. Any failure in the process of communication with the motors will cause an error in the trajectory of the robot, hence the importance of ensuring reliable communication with the motors.

One of the most common mechanisms for communication with motors is the I2C (Inter-Integrated Circuit) communications protocol. This protocol, designed by Philips, dates back to 1992 in its version 1.0. It was born with the intention of connecting microcontrollers and their peripherals compactly on the same bus. The I2C bus has the following characteristics:

• It is a bidirectional bus; therefore the communication process allows read and write operations.
• It is a serial bus; therefore the information is transmitted bit by bit.
• The bus connects an element (usually a microcontroller) that performs the master functions, and one or more additional elements (usually peripherals) that perform the slave functions.
• The protocol uses three different lines: the SCL line, which is the synchronization or clock line (controlled by the master); the SDA data line, along which the communication process is carried out (controlled by the master or the slave according to the operation performed); and the ground line, which provides a common reference.
• The logical values in the transmission are the ground level for logical '0' and high impedance for logical '1'. The high impedance avoids the need for all components to share the same bias level.
• The I2C bus lines are accessible to allow the connection of other peripherals.

The communication process requires a waiting condition (identified because the SCL and SDA lines are both in high impedance). The communication process begins with a start condition, identified by a fall in the SDA line while the SCL line remains in high impedance. From that moment on, the SCL line behaves like a clock signal, and the SDA line can only change while the SCL line is low, since while SCL is high the SDA line must remain stable so that it can be sampled.

The communication process of a write operation is as follows. First, the master sends the address of the slave with which it wants to communicate, with the control bit kept at '0' to identify a write. The slave whose address has been transmitted responds in the next cycle with an acknowledgment. Next, the master sends the address of the slave's register where it wants to write, which is answered by the slave with an acknowledgment. Finally, the master sends the value that it wants to write, which is answered by the slave with an acknowledgment. As a final act, the master generates a stop condition: the SDA line goes from low level to high impedance while the SCL line remains in high impedance. Therefore, the stop condition leaves the lines in the waiting condition.
Additionally, some implementations of the I2C protocol have the feature called "clock stretching", by which the peripheral can stop the communication process for a limited time. While the peripheral holds the communication (usually because it needs more time to carry out its operation), the master enters a waiting state without modifying the values of the two I2C bus lines, SCL and SDA. When the peripheral re-enables the communication process, the master continues from the point where the communication had stopped.

This protocol is very vulnerable to hardware attacks for two fundamental reasons. First, the protocol lines are highly accessible, not only to the peripherals connected to them, but also to any other element, among which there may be one that perpetrates an attack on the communication process. Second, using high impedance as logical '1' allows the value '0' to prevail over the value '1'. As a consequence, when two elements simultaneously drive two different values on the bus (either on the SCL line, as a clock bus, or on the SDA line, as a data bus), a situation commonly known as a collision, the predominant value is '0'. The rest of the elements connected to the bus therefore read its value as '0', without noticing the collision.

There are many forms of hardware attack that do not involve computer viruses. These attacks do not need large resources, nor do they require complicated implementations. One category of these attacks is the so-called fault insertion attacks. Typical fault insertion attacks vary the frequency of the clock signal. Reducing the operating frequency increases the vulnerability to reverse engineering attacks, while increasing the operating frequency above the maximum allowed causes failures, since the system does not have enough time to complete its operations. These types of attacks are viable in any electronic system, including robotic environments. However, until now, computer applications based on microprocessors and/or microcontrollers have been the focus of hardware attacks, while to date such attacks have not been considered in robotic applications.

In the computer field (where the search for defenses is centered), the main purpose of fault insertion attacks has been to obtain privileged information. Therefore, the targets of these attacks are usually security systems, such as smart cards or encryption and/or decryption mechanisms. The aim of these attacks is usually to make the security system fail, creating a vulnerability that is used to obtain the privileged information. Focusing on applications with a microprocessor, the main objective of a fault insertion attack on the clock line is that the program executes a certain portion of code (for example, relating to privileged access) that was not contemplated in the normal execution of the program. The fault caused by the variation (in this case an increase) in the frequency of the clock signal prevents the execution of the instruction responsible for blocking entry into that portion of code.

The traditional defense against such attacks consists in introducing a system that cancels the clock signal when a variation in its frequency is not allowed. In this way, the microprocessor system waits until a cycle of valid frequency arrives to execute the instructions, so that no instruction goes unexecuted. Traditionally, a frequency sensor based on band-pass filters has been used for this purpose, whose mission is to identify intervals in which the signal has a frequency other than the allowed one. The common characteristics of these sensors are as follows:

• Detection is performed during the entire execution time of the system.
• The response of the system is the cancellation of the clock signal (avoiding the execution of the fault) during the attack.

On the contrary, the effect of these attacks on a robotic application has not been considered, nor therefore their defenses. To this end, a robotic platform will be considered in which the attack is carried out on the communication between the master and a particular slave, connected by means of the I2C protocol.

A fault insertion attack on the I2C protocol would be as simple as placing a logical '0' on the SCL line during a given period of the communication process. Although it could apparently be interpreted as a "clock stretching" situation, the difference is that the attacker only releases the line when the communication is over, whereas the release of real "clock stretching" does not imply the end of the transmission. Such an action means that a communication process is not completed, and therefore that the order carried in the message is not executed. In addition, the implementation of a selective attack (attacking the communication to a specific slave) is very simple, since the attacking system can very easily read the address of the slave with which communication is to be established. If communication with that slave is to be prevented, after reading the address the SCL line is forced to '0', the communication is not completed and, consequently, the order is not executed. Furthermore, since no slave detects that communication with it is being established, none warns that the system is under attack.

According to the above, the attack considered can be seen as a fault insertion attack that varies the frequency of the clock signal, making the frequency zero during the rest of the communication process. Since in the field of robotics this situation has not been considered, no solution to this attack is known. The traditional defense applied in the computer field, that is, the frequency sensor based on band-pass filters, could be proposed. However, it would not be useful, for the following reasons:

• Detection should not be carried out during the entire execution time but only during a communication process. When no communication process is taking place, the sensor must remain inactive.
• The response of the sensor cannot be the cancellation of the clock signal, because that is the same action as that produced by the attack.

Brief Description of the Invention

In view of the limitations identified in the state of the art, it would be desirable to inhibit hardware attacks and so avoid communication problems and loss of orders. The object of the invention is a system to inhibit hardware attacks on an I2C bus that includes a detector device that detects the start of communication on the SDA data line of the I2C bus and that generates, upon detection, an initialization signal. The system also includes an oscillator device that receives the initialization signal from the detector and generates an independent clock signal. The system also includes a measuring device that receives the initialization signal from the detector, automatically measures the frequency of the SCL synchronization signal and compares it with the oscillator clock signal to generate a signal indicating the existence of an attack, based on the result of the comparison. The system also includes a response device that receives the signal indicating the existence of an attack and regenerates the SCL line from the oscillator device signal.
Optionally, the response device can stop the SDA line while an attack is detected.

Optionally, the measuring device includes a ring counter.

Another object of the present invention is a slave module for an I2C bus comprising the above inhibitor system in integrated form.

Another additional object of the present invention is a network that includes an I2C bus to which at least one slave module connected to the inhibitor device and also a master module are connected.

Faced with two different situations, the present proposal is able to act selectively, namely:

• when the communication process has been successfully completed, in which case it does not intervene in the process;
• when it has not been successfully completed, due to a hardware attack, in which case the response will be according to the specific application (preferably through a programmable module).

To defend the communication process through an I2C bus on the slave side, the invention has two fundamental missions: first, it must detect the presence of an attack on the communication process by monitoring the frequency of the synchronization signal (SCL) in real time; second, if an attack has been detected, the detection entails a response (deemed appropriate) known by the system. Therefore, the present invention presents a solution to fault insertion attacks in robotic environments.

Throughout the description and the claims, the word "comprises" and its variants are not intended to exclude other technical characteristics, additives, components or steps. The following examples and figures are provided by way of illustration and are not limiting of the present invention.

Brief Description of the Figures

A series of drawings that help to better understand the invention, and that expressly relate to an embodiment of said invention presented as a non-limiting example, is very briefly described below.

FIG. 1 shows the traditional attack and defense situation in a microprocessor-based system.

FIG. 2 shows the waveforms related to a write operation on an I2C bus. FIG. 2A shows normal operation without attack, and FIG. 2B the operation when it has suffered an attack.

FIG. 3 shows the connection scheme of the different modules in a communication process with the possibility of attack.

FIG. 4 shows the scheme of the communication attack inhibition system in more detail.

Detailed Description of the Invention

With reference to the previous figures, an embodiment is described in which several slave devices are connected to an I2C bus controlled by a master device.

FIG. 1 is an example that shows the traditional attack and defense situation in a microprocessor-based system. In the case of an attack, the frequency of the clock signal increases so that instruction N is not executed and execution passes to instruction N + 1, even though that instruction should not be executed. If there is a defense against this type of attack, the frequency sensor cancels the clock signal when its frequency is outside the allowed range, keeping instruction N waiting for the arrival of a new cycle of the clock signal in order to be executed.

In FIG. 2 an example of a write operation on an I2C bus can be seen without attack and with attack. FIG. 2A shows the waveforms of a normal write operation without attack on the communication. Similarly, FIG. 2B illustrates a write that has suffered an attack, whose effect is seen in the designated areas. The attack forces the SCL line to a low level once the slave to be attacked in the communication process has been identified. Because the attacked slave is not going to answer with the acknowledgments, the attack module also performs this task, so that the master module believes that the communication is taking its proper course.
The defense mechanism has been advantageously designed so that it can address two different scenarios. First: its implementation on the same substrate as the slave device, thus obtaining a slave device that communicates via the I2C bus free of communication attacks. Second: its use with standard slave devices, so that the functionality is added without the need for modification.

FIG. 3 illustrates the connection scheme of the main modules that can intervene in a communication process. The modules included are the following:

• The master module 10, responsible for managing the communication process and, in this way, for controlling the SCL synchronization line.
• A defended slave module 20a, that is, one coupled to the inhibitor system 40.
• A slave module without defense 20, and therefore susceptible to communication attacks.
• An attack module 30 (which the attacker would add) that carries out the attack. Said attack module 30 has the same design philosophy as a conventional slave module 20, except that it is prepared to alter the values of the synchronization signal SCL.

As can be seen from FIG. 3, the insertion of the attack module 30 does not imply the modification of any other module. It is enough for the I2C bus lines to be accessible, a normal situation due to the protocol's own philosophy.

Continuing with FIG. 3, the master module 10 communicates with two slaves: one without protection 20 and another 20a protected by means of the inhibitor system 40 object of this invention. An attacking module 30 is also represented. The architecture of the defended slave module 20a would be identical to that of the traditional slave module 20 without defense, whereby neither the communication protocol nor the traditionally used hardware have to undergo modifications. On the other hand, the use of the inhibitor system 40 in cascade with the slave module 20a allows it to be immune to the damage caused by an attack.

In another embodiment it is possible to integrate the inhibitor system 40 into the slave module, obtaining a slave module free from attacks 20b.

This inhibitor system 40 is formed by four elements, as can be seen in FIG. 4. Each one is explained below:

• A first detector device 42 that detects the start and stop conditions (to know when the sensor has to operate) and the start of cycles (to know when to start a new measurement). This detector 42 generates the initialization signals for the rest of the devices of the inhibitor system 40.
• A second oscillator device 44 dedicated to the generation of an internal clock that controls the operation of the monitoring and inhibition process, that is, of the other devices except the detector 42. This clock must be generated on the same substrate to avoid vulnerabilities. This internal generation involves the use of ring oscillation techniques (to obtain an oscillatory signal) and frequency division techniques (to avoid excessive use of hardware).
• A third measuring device 46 designed to automatically measure the frequency of the SCL signal based on the clock signal generated in the oscillator 44 and the initialization signal generated by the detector 42. This frequency measurement is available immediately on the next pulse to be measured, or as soon as the frequency is found to be lower than allowed. The meter 46 generates a signal indicating the existence of an attack according to the value of the measured frequency.
• A fourth response device 48 designed to generate the response of the inhibitor system 40. If there is no attack, the response must be the passage of the SCL and SDA signals without any interference, so that the presence of the inhibitor system 40 is transparent. If there is an attack, the response implemented must be the one that best suits the application and the specific use.

Usually, the SCL and SDA lines will not be allowed to pass in the event of an attack, and the response device will autonomously generate a response, coded as a set of messages transmitted through the I2C bus, that makes the slave 20a immune to the detected attack. Until that response has been completed, no additional communication will be accepted (whether it is under attack or not). Therefore, in case of attack, the response module 48 acts as if it were a master module 10.

As an example, the response considered by default may be the stopping of the motor or actuator. To this end, the response device 48 will preferably be a programmable element that implements the sending, via the I2C bus that connects it to the slave 20a, of the corresponding stop messages. Depending on the application (for example a motor controller), this may be done with a single message or with a set of messages that guarantees the execution of a speed profile that safely stops the robot. In any case, the message sequence will be programmable according to the nature of the application. The SCL signal of this transmission uses the oscillator 44, which is local and ensures a communication free of attacks.

According to the above, a first embodiment can be considered in which the inhibitor system 40 and the slave module 20 to be protected are included on the same integrated substrate, obtaining a slave module free of attacks 20b that already incorporates the functions of the inhibitor system 40. Alternatively, a second embodiment can be conceived in which the inhibitor system 40 is coupled to a standard slave module 20a, in the sense that the module does not have to manage the possibility of an attack but is nevertheless protected against attacks.
Implementation in a Prototype

The inhibitor system 40 can be implemented with digital techniques, and therefore can be implemented as hardware in an application-specific integrated circuit (ASIC) or in a programmable device (such as an FPGA or CPLD). These options facilitate its integration on the same substrate as the slave module 20, thus having a single integrated block 20b. It can also be used externally to the slave element, since it does not require any specific signal to function.

In the first prototypes, the adapted option has been used, that is, the inhibitor system 40 on a different substrate from that of the slave element 20. The inhibitor has been implemented in an FPGA device of the Spartan-3AN family (more specifically the XC3S700AN model included in an FPGA-based development board), while the slave element used has been the MD23 motor controller. Due to the adaptation, the response of the inhibitor has involved the regeneration of the I2C bus, so that the response agreed for an attack situation has been the immediate stop of the motors. However, the proposed architecture allows another type of response to be programmed that best suits the specific application of the robotic system. In order to complete the communication environment, a master module 10 of the I2C bus, a slave module 20a without defense and an attack module 30 have been implemented in the same FPGA as the inhibitor system 40.

With respect to the internal implementation of the inhibitor, the actions followed in each of the elements are detailed below.

In the case of the detector device 42, an asynchronous, delay-insensitive solution has been used, since this element has no clock signal to operate with. The initialization sequence is as follows. First, the oscillator device 44 is stopped so that the clock signal does not affect the initialization conditions of the other elements. Second, the response device 48 is initialized, since it needs the previous data of the measuring device 46 in the case of attack (as it has to regenerate the synchronization signal). Third, the measuring device 46 is initialized to start the measurement at zero. Finally, the oscillator device 44 is restarted to begin monitoring. In the first prototypes, this initialization cycle takes approximately 15 ns.

The oscillator device 44 has a mixed implementation. First, a fine oscillation frequency is generated using a ring oscillator. Second, the fine signal is used as the input to a frequency divider to generate the final oscillation frequency. The divider is used to reduce the excessive use of hardware elements that generating low frequencies only with ring oscillators would entail. In our particular case, a final oscillation period of about 320 ns has been generated, starting from an initial fine period of about 10 ns.

The measuring device 46 should measure as quickly as possible, so that the inhibitor system 40 can be used in the greatest possible number of situations, even if this is not necessary in the case of the prototype. The measurement count has been implemented with a ring counter. This solution has two advantages. First, it is the fastest solution for the counting operation. Second, the comparison of the measurements requires an implementation as simple as a two-input AND gate. The size of this ring counter should be such that it covers the entire range of allowed frequencies. In this prototype a maximum limit of 10 cycles has been used, corresponding to a period of about 3.2 us.

The response device 48 must generate the response of the inhibitor 40. In the case of an attack, and as previously mentioned, it must regenerate the SCL and SDA lines, so that the response is programmed. The SDA line is generated from scratch with the appropriate values, following the synchronization of the master 10 (for cases where there was no attack). In the case of the SCL line, it must be regenerated with the same synchronization. For this, the measurement obtained in the measuring device 46 is used, and based on this measurement the signal is regenerated following the inverse philosophy, that is, based on the oscillator 44 with a ring counter that determines when the regenerated SCL signal should be '0' or '1'. Once this signal has been regenerated, the normal flow of the I2C communication must be carried out as if the inhibitor were a master element 10.
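The detector (42) and meter (46) of the prototype, together with the write sequence from the background section, as an added behavioural model in Python (not the patent's own FPGA implementation): it builds a constructed sample trace of a write, once clean and once with SCL forced to '0' after the slave address, and shows the 10-cycle ring-counter limit flagging the attack while the normal write passes untouched. The slave address, register and value are constructed placeholders, not MD23 register data.

```python
# Added example, not the patent's own HDL: a behavioural model of the inhibitor's
# detector (42) and meter (46), driven by a constructed SCL/SDA trace sampled once
# per tick of the internal oscillator (44). The write sequence, the attack (SCL
# forced to '0' after the slave address) and the 10-cycle limit follow the text;
# the bus address, register and value used below are constructed sample data.
from typing import List, Optional, Tuple

OSC_PERIOD_NS = 320   # final period of the internal oscillator in the prototype
MAX_COUNT = 10        # ring-counter limit: 10 oscillator cycles, about 3.2 us

Sample = Tuple[int, int]   # (scl, sda); 1 = released (high impedance), 0 = driven low
IDLE: Sample = (1, 1)


def i2c_write_trace(addr7: int, reg: int, value: int, ticks_per_phase: int = 2,
                    hold_scl_low_after_address: Optional[int] = None) -> List[Sample]:
    """Build the sample trace of a master write: address+W, register, value, STOP.

    Each SCL half-period lasts ticks_per_phase oscillator ticks. When
    hold_scl_low_after_address is given, SCL is forced low for that many ticks
    right after the address byte is acknowledged (the attack of FIG. 2B); the
    remaining bytes are lost and the master's STOP follows the release.
    """
    trace: List[Sample] = [IDLE, IDLE]
    trace.append((1, 0))                                      # START: SDA falls, SCL high
    for i, byte in enumerate([(addr7 << 1) | 0, reg, value]):  # R/W bit 0 = write
        bits = [(byte >> (7 - k)) & 1 for k in range(8)] + [0]  # 8 data bits + ACK ('0')
        for bit in bits:
            trace += [(0, bit)] * ticks_per_phase             # SDA changes while SCL low
            trace += [(1, bit)] * ticks_per_phase             # SDA stable while SCL high
        if i == 0 and hold_scl_low_after_address is not None:
            trace += [(0, 0)] * hold_scl_low_after_address    # attacker holds SCL at '0'
            break
    trace += [(0, 0)] * ticks_per_phase + [(1, 0), (1, 1)]    # STOP: SDA rises, SCL high
    return trace


def monitor(trace: List[Sample]) -> Tuple[bool, Optional[int], List[int]]:
    """Run the detector and meter over the trace.

    Returns (attack_detected, tick_of_detection, measured_periods). The meter
    is armed by START, disarmed by STOP, restarted on every SCL rising edge and
    counts oscillator ticks; reaching MAX_COUNT before the next rising edge means
    SCL is slower than allowed (frequency zero in the attack case).
    """
    in_comm = measuring = False
    count = 0
    attack_tick: Optional[int] = None
    periods: List[int] = []
    prev = IDLE
    for tick, (scl, sda) in enumerate(trace):
        p_scl, p_sda = prev
        if scl == 1 and p_scl == 1 and p_sda == 1 and sda == 0:
            in_comm, measuring, count = True, False, 0      # START condition
        elif scl == 1 and p_scl == 1 and p_sda == 0 and sda == 1:
            in_comm = False                                 # STOP: sensor goes inactive
        elif in_comm:
            if scl == 1 and p_scl == 0:                     # rising edge: period done
                if measuring:
                    periods.append(count)
                measuring, count = True, 0
            count += 1                                      # one oscillator tick elapsed
            if count >= MAX_COUNT and attack_tick is None:
                attack_tick = tick                          # SCL period too long: attack
        prev = (scl, sda)
    return attack_tick is not None, attack_tick, periods


if __name__ == "__main__":
    ADDR, REG, VAL = 0x58, 0x00, 0x80   # constructed sample write, not MD23 register data
    for name, hold in (("normal write", None), ("attacked write", 40)):
        ok, tick, periods = monitor(i2c_write_trace(ADDR, REG, VAL, hold_scl_low_after_address=hold))
        print(f"{name}: attack={ok} at tick {tick} ({(tick or 0) * OSC_PERIOD_NS} ns), periods={periods}")
    # Response (48): the stop message is regenerated on the local oscillator, so its
    # SCL timing is independent of the attacker; the stop command here is constructed.
    print(len(i2c_write_trace(ADDR, REG, 0x00)), "samples in the regenerated stop frame")
```

In the attacked run the flag is raised during the SCL hold, before the attacker releases the line, which is what lets the response device take over the bus instead of waiting for a STOP that the master will still generate.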
Claims:
Claims (5)

1. Hardware attack inhibitor system on an I2C bus, characterized by:
- a detector device (42) configured to detect the start of communication on the SDA data line of the I2C bus and to generate, upon detection, an initialization signal;
- an oscillator device (44) configured to receive the initialization signal of the detector (42) and to generate an independent clock signal;
- a measuring device (46) configured to receive the initialization signal of the detector (42), to automatically measure the frequency of the SCL synchronization signal, to compare it with the clock signal of the oscillator (44) and to generate a signal indicating the existence of an attack based on the result of the comparison;
- a response device (48) configured to receive the signal indicating the existence of an attack and to regenerate the SCL line from the signal of the oscillator device (44).

2. Inhibitor system according to claim 1, characterized in that the response device (48) is configured to stop the SDA line while an attack is detected.

3. Inhibitor system according to claim 1 or 2, characterized in that the measuring device (46) comprises a ring counter.

4. Slave module (20b) for an I2C bus comprising an integrated inhibitor system (40) according to any one of claims 1 to 3.

5. Network comprising an I2C bus to which at least the following are connected:
- a slave module (20a) coupled with an inhibitor device (40) according to any one of claims 1 to 3,
- a master module (10).
Patent family:
Publication number | Publication date
ES2647941B1 | 2018-09-04
WO2017203078A1 | 2017-11-30
Legal status:
2018-09-04 | FG2A | Definitive protection | Ref document number: 2647941; Country of ref document: ES; Kind code of ref document: B1; Effective date: 20180904
Priority:
Application number | Publication number | Priority date | Filing date | Patent title
ES201600465A | ES2647941B1 | 2016-05-24 | 2016-05-24 | Hardware attack inhibitor system on an I2C bus, slave module and network comprising it
PCT/ES2017/070336 | WO2017203078A1 | 2016-05-24 | 2017-05-22 | System for preventing hardware attacks in an i2c bus, slave module and network comprising same