Abstract
Information disclosure leads to serious exploits, disruption or damage of critical operations and privacy breaches, both in Critical Infrastructures (CIs) and Industrial Control Systems (ICS) and in traditional IT systems. Side channel attacks in computer security are attacks on data confidentiality that exploit information gained from the physical implementation of a system, rather than weaknesses in the algorithm or software itself. Depending on the source and type of information leakage, several general classes of side channel attacks have been established: power, electromagnetic, cache, timing, sensor-based, acoustic and memory analysis attacks. Given the sensitive nature of ICS and the vast amount of information stored on IT systems, the consequences of side channel attacks can be significant. In this paper, we present an extensive survey of side channel attacks that can be carried out either on ICS or on traditional systems often used in Critical Infrastructure environments. The presented taxonomies aim to cover all major publications of the last decade and organise them under three different classification systems, providing an objective multi-level taxonomy and a potentially useful basis for statistical analysis. We conclude by discussing open issues and challenges in this context and outline possible future research directions.
General Terms
- Security
- Privacy
- Side channel attacks
- ICS
- Critical infrastructures
- Timing
- Electromagnetic
- Sensor
- IT
- Cryptography
- Cache
© 2019 Springer Nature Switzerland AG
Cite this chapter
Tsalis, N., Vasilellis, E., Mentzelioti, D., Apostolopoulos, T. (2019). A Taxonomy of Side Channel Attacks on Critical Infrastructures and Relevant Systems. In: Gritzalis, D., Theocharidou, M., Stergiopoulos, G. (eds) Critical Infrastructure Security and Resilience. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-00024-0_15
DOI: https://doi.org/10.1007/978-3-030-00024-0_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00023-3
Online ISBN: 978-3-030-00024-0