高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

基于Rowhammer 物理不可克隆函数的物理设备测绘框架

刘镝 徐闻含 王文东 李大伟 关振宇 刘建伟

刘镝, 徐闻含, 王文东, 李大伟, 关振宇, 刘建伟. 基于Rowhammer 物理不可克隆函数的物理设备测绘框架[J]. 电子与信息学报, 2023, 45(9): 3200-3209. doi: 10.11999/JEIT230388
引用本文: 刘镝, 徐闻含, 王文东, 李大伟, 关振宇, 刘建伟. 基于Rowhammer 物理不可克隆函数的物理设备测绘框架[J]. 电子与信息学报, 2023, 45(9): 3200-3209. doi: 10.11999/JEIT230388
LIU Di, XU Wenhan, WANG Wendong, LI Dawei, GUAN Zhenyu, LIU Jianwei. Detecting and Mapping Framework for Physical Devices Based on Rowhammer Physical Unclonable Function[J]. Journal of Electronics & Information Technology, 2023, 45(9): 3200-3209. doi: 10.11999/JEIT230388
Citation: LIU Di, XU Wenhan, WANG Wendong, LI Dawei, GUAN Zhenyu, LIU Jianwei. Detecting and Mapping Framework for Physical Devices Based on Rowhammer Physical Unclonable Function[J]. Journal of Electronics & Information Technology, 2023, 45(9): 3200-3209. doi: 10.11999/JEIT230388

基于Rowhammer 物理不可克隆函数的物理设备测绘框架

doi: 10.11999/JEIT230388
基金项目: 国家重点研发计划(2021YFB2700200),国家自然科学基金(62372022, 62002006, U2241213, U21B2021, 62172025, 61932011, 61932014, 61972018, 61972019, 61772538, 32071775, 91646203)
详细信息
    作者简介:

    刘镝:男,博士生,研究方向为硬件安全、隐私保护技术

    徐闻含:男,硕士生,研究方向为物联网安全、隐私保护技术

    王文东:男,硕士生,研究方向为密码学、网络安全

    李大伟:男,副教授,研究方向为区块链、硬件安全、公钥密码学

    关振宇:男,教授,研究方向为硬件安全、区块链、视频压缩

    刘建伟:男,教授,研究方向为密码学、5G网络安全、移动通信网络安全

    通讯作者:

    李大伟 lidawei@buaa.edu.cn

  • 中图分类号: TP333; TN801

Detecting and Mapping Framework for Physical Devices Based on Rowhammer Physical Unclonable Function

Funds: The National Key R&D Program of China (2021YFB2700200), The National Natural Science Foundation of China (62372022, 62002006, U2241213, U21B2021, 62172025, 61932011, 61932014, 61972018, 61972019, 61772538, 32071775, 91646203)
  • 摘要: 网络空间测绘的核心问题是准确识别和动态跟踪设备。然而,随着匿名化技术的发展,设备可以拥有多个IP地址和MAC地址。这使得通过传统的测绘技术将多个虚拟属性映射到同一个物理设备上变得更加困难。该文提出一种基于物理不可克隆函数(PUF)的测绘框架。该框架可以主动检测网络空间中的物理资源,并根据物理指纹构建资源画像来动态跟踪设备。同时,该文提出一种在配备第四代双倍速率(DDR4)内存的个人电脑(PC)上实现基于Rowhammer的动态随机存取存储器物理不可克隆函数(DRAM PUF)的方法。性能评估表明,该方法在PC上提取的Rowhammer PUF的响应是唯一且可靠的,并可以作为设备的唯一物理指纹。实验结果表明,即使目标设备修改了MAC地址、IP地址或重装了操作系统,该文提出的框架仍然可以通过构建一个用于设备匹配的物理指纹数据库,对目标设备进行准确的标识。
  • 图  1  128 bit的DRAM芯片的高级视图

    图  2  基于PUF的测绘框架

    图  3  资源画像及拓扑

    图  4  Jaccard指标下的唯一性和可靠性评价

    图  5  ${{\rm{Jaccard}}}^{{{'}}}$指标下的唯一性和可靠性评价

    图  6  实验架构

    图  7  网络拓扑

    算法1 Rowhammer PUF查询过程
     输入:PUF地址、内存访问模式、数据模式、测量次数
     输出:PUF响应
     分配所需的内存;
     while m < 测量次数 do:
       while b < bank数量 do:
         初始化内存访问行和PUF行;
       end
       while b < bank数量 do:
         快速、重复访问所有的内存访问行;
         扫描所有的PUF行并输出比特翻转的位置;
       end
     end
    下载: 导出CSV

    表  1  PUF 参数设置

    参数
    PUF地址行基址 = 0,地址偏移 = 0
    内存访问模式22 sided
    数据模式PUF行 = 0x55,内存访问行 = 0xAA
    测量次数5个bank, 10次测量
    下载: 导出CSV

    表  2  实验1目标设备画像

    A1A2A3A4
    物理指纹数据库1数据库2数据库3数据库4
    MAC地址f4:4d:30:d0:f1:32f4:4d:30:d0:f2:bff4:4d:30:32:2a:fbf4:4d:30:82:73:91
    IP地址192.168.171.100192.168.171.122192.168.171.125192.168.171.147
    端口号22:sshd22:sshd22:sshd; 80:http; 443:https22:sshd; 3306:mysql
    网关192.168.171.1192.168.171.1192.168.171.1192.168.171.1
    内存序列号M378A1K43
    DB2-CVF
    M378A1K43
    DB2-CVF
    M378A1K43
    DB2-CVF
    M378A1K43
    DB2-CVF
    操作系统版本Ubuntu 20.04.3 LTS
    CPU型号Intel(R) Core(TM) i7-10700 CPU @ 2.90 GHz
    下载: 导出CSV

    表  3  实验2目标设备画像

    B1B2B3B4
    物理指纹PUF查询1PUF查询2PUF查询3PUF查询4
    MAC地址c0:c6:f7:cf:08:0e01:e7:19:da:a2:5cf6:d9:68:a1:88:0300:86:af:33:84:66
    IP地址192.168.171.100192.168.171.8192.168.171.215192.168.171.216
    端口号22:sshd22:sshd22:sshd; 80:http; 443:https22:sshd; 3306:mysql
    网关192.168.171.1192.168.171.1192.168.171.1192.168.171.1
    内存序列号M378A1K43
    DB2-CVF
    M378A1K43
    DB2-CVF
    M378A1K43
    DB2-CVF
    M378A1K43
    DB2-CVF
    操作系统版本Ubuntu 18.04.3 LTS
    CPU型号Intel(R) Core(TM) i7-10700 CPU @ 2.90 GHz
    下载: 导出CSV

    表  4  实验2与实验1设备之间的$ {\bf{Jaccard}}'$值

    ${\mathrm{J}\mathrm{a}\mathrm{c}\mathrm{c}\mathrm{a}\mathrm{r}\mathrm{d} }{{' } }$A1A2A3A4
    B10.96000
    B2000.940
    B300.9500
    B40001
    下载: 导出CSV

    表  5  实验3与实验1设备之间的${\bf{Jaccard}}'$值

    ${\mathrm{J}\mathrm{a}\mathrm{c}\mathrm{c}\mathrm{a}\mathrm{r}\mathrm{d} }'$A1A2A3A4
    C10000
    C2000.960
    C30000
    C40001
    下载: 导出CSV
  • [1] 郭莉, 曹亚男, 苏马婧, 等. 网络空间资源测绘: 概念与技术[J]. 信息安全学报, 2018, 3(4): 1–14. doi: 10.19363/J.cnki.cn10-1380/tn.2018.07.01

    GUO Li, CAO Ya’nan, SU Majing, et al. Cyberspace resources surveying and mapping: The concepts and technologies[J]. Journal of Cyber Security, 2018, 3(4): 1–14. doi: 10.19363/J.cnki.cn10-1380/tn.2018.07.01
    [2] 陈庆, 李晗, 杜跃进, 等. 网络空间测绘技术的实践与思考[J]. 信息通信技术与政策, 2021, 47(8): 30–38. doi: 10.12267/j.issn.2096-5931.2021.08.005

    CHEN Qing, LI Han, DU Yuejin, et al. Practice and thinking of cyberspace surveying and mapping technology[J]. Information and Communications Technology and Policy, 2021, 47(8): 30–38. doi: 10.12267/j.issn.2096-5931.2021.08.005
    [3] HOU Yuanwei, CHEN Xiaoxiao, HAO Yongle, et al. Survey of cyberspace resources scanning and analyzing[C]. The 14th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS-2020), Lodz, Poland, 2021: 279–291.
    [4] NMAP. Nmap: The network mapper - free security scanner[EB/OL]. https://nmap.org/, 2023.
    [5] DURUMERIC Z, WUSTROW E, and HALDERMAN J A. ZMap: Fast internet-wide scanning and its security applications[C]. The 22th USENIX Security Symposium, Washington, USA, 2013: 605–620.
    [6] GRAHAM R D. MASSCAN: Mass IP port scanner[EB/OL]. https://github.com/robertdavidgraham/masscan, 2023.
    [7] Shodan. Search engine for the internet of everything[EB/OL]. https://www.shodan.io, 2023.
    [8] KIM Y, DALY R, KIM J, et al. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors[J]. ACM SIGARCH Computer Architecture News, 2014, 42(3): 361–372. doi: 10.1145/2678373.2665726
    [9] COJOCAR L, KIM J, PATEL M, et al. Are we susceptible to rowhammer? An end-to-end methodology for cloud providers[C]. 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2020: 712–728.
    [10] GRUSS D, MAURICE C, and MANGARD S. Rowhammer. js: A remote software-induced fault attack in javascript[C]. 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, San Sebastián, Spain, 2016: 300–321.
    [11] DE RIDDER F, FRIGO P, VANNACCI E, et al. SMASH: Synchronized many-sided rowhammer attacks from JavaScript[C/OL]. 30th USENIX Security Symposium, 2021: 1001–1018.
    [12] QIAO Rui and SEABORN M. A new approach for rowhammer attacks[C]. 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), McLean, USA, 2016: 161–166.
    [13] KWONG A, GENKIN D, GRUSS D, et al. RAMBleed: Reading bits in memory without accessing them[C]. 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2020: 695–711.
    [14] ZHANG Zhi, CHENG Yueqiang, WANG Minghua, et al. SoftTRR: Protect page tables against rowhammer attacks using software-only target row refresh[C]. 2022 USENIX Annual Technical Conference, Carlsbad, USA, 2022: 399–414.
    [15] PESSL P, GRUSS D, MAURICE C, et al. DRAMA: Exploiting DRAM addressing for cross-CPU attacks[C]. The 25th USENIX Conference on Security Symposium, Austin, USA, 2016: 565–581.
    [16] WANG Minghua, ZHANG Zhi, CHENG Yueqiang, et al. DRAMDig: A knowledge-assisted tool to uncover DRAM address mapping[C]. 2020 57th ACM/IEEE Design Automation Conference (DAC), San Francisco, USA, 2020: 1–6.
    [17] GRUSS D, LIPP M, SCHWARZ M, et al. Another flip in the wall of rowhammer defenses[C]. 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2018: 245–261.
    [18] SAROIU S, WOLMAN A, and COJOCAR L. The price of secrecy: How hiding internal DRAM topologies hurts rowhammer defenses[C]. 2022 IEEE International Reliability Physics Symposium (IRPS), Dallas, USA, 2022: 2C. 3–1–2C. 3–6.
    [19] FRIGO P, VANNACC E, HASSAN H, et al. TRRespass: Exploiting the many sides of target row refresh[C]. 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2020: 747–762.
    [20] VAN DER VEEN V, FRATANTONIO Y, LINDORFER M, et al. Drammer: Deterministic rowhammer attacks on mobile platforms[C]. 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 2016: 1675–1689.
    [21] SHARIFFUDDIN S, SIVAMANGAI N M, NAPOLEAN A, et al. Review on arbiter physical unclonable function and its implementation in FPGA for IoT security applications[C]. 2022 6th International Conference on Devices, Circuits and Systems (ICDCS), Coimbatore, India, 2022: 369–374.
    [22] TEHRANIPOOR F, KARIMIAN N, YAN Wei, et al. DRAM-based intrinsic physically unclonable functions for system-level security and authentication[J]. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2017, 25(3): 1085–1097. doi: 10.1109/tvlsi.2016.2606658
    [23] NAJAFI F, KAVEH M, MARTÍN D, et al. Deep PUF: A highly reliable DRAM PUF-based authentication for IoT networks using deep convolutional neural networks[J]. Sensors, 2021, 21(6): 2009. doi: 10.3390/s21062009
    [24] SCHALLER A, XIONG Wenjie, ANAGNOSTOPOULOS N A, et al. Intrinsic rowhammer PUFs: Leveraging the rowhammer effect for improved security[C]. 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Mclean, USA, 2017: 1–7.
    [25] SCHALLER A, XIONG Wemjie, ANAGNOSTOPOULOS N A, et al. Decay-based DRAM PUFs in commodity devices[J]. IEEE Transactions on Dependable and Secure Computing, 2019, 16(3): 462–475. doi: 10.1109/TDSC.2018.2822298
    [26] SUTAR S, RAHA A, and RAGHUNATHAN V. D-PUF: An intrinsically reconfigurable DRAM PUF for device authentication in embedded systems[C]. The International Conference on Compliers, Architectures, and Sythesis of Embedded Systems, Pittsburgh, USA, 2016: 1–10.
    [27] TALUKDER B M S B, RAY B, FORTE D, et al. PreLatPUF: Exploiting DRAM latency variations for generating robust device signatures[J]. IEEE Access, 2019, 7: 81106–81120. doi: 10.1109/ACCESS.2019.2923174
  • 加载中
图(7) / 表(6)
计量
  • 文章访问数:  391
  • HTML全文浏览量:  242
  • PDF下载量:  45
  • 被引次数: 0
出版历程
  • 收稿日期:  2023-05-08
  • 修回日期:  2023-08-28
  • 网络出版日期:  2023-08-31
  • 刊出日期:  2023-09-27

目录

    /

    返回文章
    返回