Security Techniques for attack resilient Software Defined Radio

Kunal Rele, Tim Newman, Jeffrey Reed
The Bradley Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, VA 24061
{krele, trnewman, reedjh}@vt.edu

Abstract: Software Defined Radio (SDR) based Cognitive Radios (CR) have brought in flexibility and high adaptability. The main advantages of such radios can be classified as rewritable software waveforms instead of fixed radio hardware, flexible radio front ends, and learning mechanisms that allow the radio to choose optimal transmit parameters based upon the observed dynamic environment. These advantages can also lead to high security risks. The physical layer software can be manipulated to deny the radio environment to others, the tunable element can be used to interfere with communication outside its frequency bands, and the learning mechanism can be manipulated by sending false radio information. The paper presents an architecture with built-in security mechanisms that address these specific security issues. The radio has a Trusted Platform Module (TPM) in order to create a root of trust within the SDR architecture itself, and the TPM can be used to control and manage functions. The paper discusses a PHY layer software waveform update mechanism with built-in confidentiality, integrity check, certification and mapping to a radio configuration range. The tuning decisions that the radio makes will be controlled by the TPM, which does not share any resources with the insecure, dynamic part of the radio. The TPM controls different aspects of the radio communication that would otherwise be susceptible to malicious exploitation. To prevent learning manipulation in infrastructure based systems, such as the cellular system, the learning task can be done in a cooperative manner with many mobile units. In a more distributed system, watermarking schemes are discussed to help the sensors distinguish between noise and intentional interference.

Index Terms: Security, Software defined radio, Cognitive radio, Infrastructure, Software waveform updates, insecure shared resource and cognition manipulation

I. Introduction

Key to this architecture is the tamper proof TPM where all the control to the security mechanism resides. A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer or laptop or SDR, and communicates with the rest of the system using a hardware bus. SDRs that incorporate a TPM will have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a root "wrapping" key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person. This property is used to secure the PHY layer software waveform download detailed in section II.

SDRs that incorporate a TPM can also create a key that has not only been wrapped, but also tied to certain platform measurements. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting it is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With this sealed key we can lock data until specific hardware or software conditions are met. This property is used to control the radio tuning configuration for a particular SDR waveform/technology and is detailed in section III.

With a TPM, private portions of key pairs are kept separated from the memory controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system—that define its "trustworthiness"—can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities.

Block diagram of Trusted Platform Module (BRA01)

Trusted Platform Support Services (BRA01)

At the end of TPM chip fabrication (after final testing), the manufacturer generates a 2048 bit private/public key pair in the TPM, the so-called Endorsement Key. This is stored in such a way that the private key (SRK) can no longer be read out, but can only be used internally in the TPM.

Fig. Security Module in FPGA block diagram

There are other proposals as well as FPGA products that have TPM-like features in the FPGA slices themselves. Simpson et al. have shown that an AES implementation on Spartan-3 takes 2046 slices with a speed of 124 MHz and a Simulated Physically Unclonable Function (PUF) needs 2025 slices with a speed of 124 MHz.

II. Secure updates of PHY layer waveform

A. Parties involved

The models that are considered belong to cellular-like infrastructure based systems and Wi-Fi like distributed systems. In cellular systems nowadays dongles are being used for pure broadband services like WiMax and LTE. In this case the parties involved are,

{HW_M, SP, HW}

That is, it involves the hardware manufacturer, the Service Provider and the hardware itself. In a Wi-Fi like system the parties involved are

{HW_M, HW}

In the former case the new waveforms are stored in the SP core network and in the latter they are stored with the HW_M. To identify this initial storage we will denote it by the name ST. When the HW detects the availability of a new version, or is notified by the SP or HW_M via automatic update protocols, the update mechanism is called.

B. Enrolment

The waveforms are identified by their type and version as well as hardware device compatibility.

{W#}

Similarly the hardware is identified by manufacturer and type.

{HW#}

The waveforms will be attested and stored at the ST along with their identity, W#. Similarly, the HW# will be attested and stored at the ST.

C. Secure Update of the waveform

Updates of the PHY layer waveform are a property of SDR systems that allows rapid development and implementation of standards along with their continuous improvement. They also help in fixing bugs in the waveform code and making it more efficient with respect to time and power consumption. An analogy to current systems can be the operating system firmware updates that we receive continuously via the internet. But like the issues with these updates, the SDR updates can be manipulated to tweak the performance of the system. A manipulated update can either harm the system by introducing malicious code or create a monopoly in the network system that would harm other systems. A case of such a manipulation can be increasing the bandwidth of the modulation, in the case of OFDM by increasing the number of subcarriers. Filtering can be eliminated from the signal processing path to decrease the power consumption for the processing, but this creates inter-channel interference to other radios. In similar ways different software based signal processing blocks can be tweaked to create adverse effects. Such manipulated software can be downloaded from online databases very easily. Hence, there is a need to check the integrity of the waveform as well as a need to verify the update provider.

Fig. Waveform Updates

The above figure shows the waveform update. It has four features. The first is the waveform code itself. The second is the hash of the waveform code. A hash is a mathematical function that converts variable-sized data, in our case the waveform code, into a fixed-size identifier. It is a one-way function and can be assumed unique for our application because collisions are rare. This builds integrity into the system. The complete update can be signed by a private key of the update provider. This provides authentication of the update provider, as the provider's private key is unique and the signature can be checked only with the matching public key, which the radios can get from certificate lookup authorities. The complete update is encrypted by the public version of the TPM's unique key (SRK) or its derivatives.

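The update layout and the radio-side checks described above, as an added example (not code from the paper): a Lamport one-time signature built from SHA-256 stands in for the provider's signature scheme, which the paper does not name, and the encryption to the TPM key is left out. The field names w_id and hw_id (for W# and HW#) and all function names are assumptions.

```python
import hashlib
import os

def sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def bits(digest: bytes):
    return [(byte >> k) & 1 for byte in digest for k in range(8)]

# Lamport one-time signature (stand-in scheme): one key pair signs ONE update
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(sha(a), sha(b)) for a, b in sk]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(bits(sha(msg)))]

def verify(pk, msg: bytes, sig) -> bool:
    want = bits(sha(msg))
    return len(sig) == 256 and all(sha(s) == pk[i][want[i]] for i, s in enumerate(sig))

def signed_bytes(u: dict) -> bytes:
    # Length-prefix every field so two different updates never encode the same
    return b"".join(len(u[k]).to_bytes(4, "big") + u[k]
                    for k in ("w_id", "hw_id", "code", "hash"))

def build_update(sk, w_id: bytes, hw_id: bytes, code: bytes) -> dict:
    # Provider side: waveform code, its hash, and a signature over the whole update
    u = {"w_id": w_id, "hw_id": hw_id, "code": code, "hash": sha(code)}
    u["sig"] = sign(sk, signed_bytes(u))
    return u

def check_update(pk, my_hw_id: bytes, u: dict) -> str:
    # 1. Authenticate the provider before trusting any field of the update
    if not verify(pk, signed_bytes(u), u["sig"]):
        return "reject: signature"
    # 2. The update must be enrolled for this hardware type (HW#)
    if u["hw_id"] != my_hw_id:
        return "reject: hardware"
    # 3. Integrity of the waveform code; the same hash is reused at load time
    if sha(u["code"]) != u["hash"]:
        return "reject: hash"
    return "accept"
```
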
Fig. Waveform Attestation

The general architecture for the loading of the waveforms is shown in the above figure. The waveforms are written from a waveform cache, which stores all the recently used waveforms so that loading a waveform on the fly is fast. The waveforms from the updates are stored in a waveform library. These waveforms can comprise different types of modulation, encoding, filtering etc. When the waveform is written on the FPGA, or a section of the code is executed on a processor, or during the boot-up phase of the radio, the code is tapped. The TPM module has a command by which external data can be sent to the module. The tapped code undergoes a hash algorithm, and the result is compared against the hash from the secure update. A match confirms that the code has not been manipulated (IBM01). If the waveform code is manipulated or corrupted, the current update is deleted and a new update is triggered. If this continues twice then the TPM module gives an error, after which the radio needs to be recertified by the manufacturer or the appropriate authorities. As explained earlier, the certificate and the keys used in this operation are wrapped and unwrapped only by the TPM. This ensures that the code was developed and thoroughly tested by someone the manufacturers of the radio trust and wasn't changed after the testing was completed.

III. Securing the common resource shared by the secure and insecure section of the radio

There are vulnerabilities regarding the shared resources that can be manipulated, like the temporary registers that store the value of the tuned frequency. Kernel level commands like get value and set value can change the values of the tuned parameters. The TPM contains a number of Platform Configuration Registers (PCRs) (PAR01). In our SDR the tuning registers are bound to these PCRs.

Fig. Tuning Register and Platform Configuration Register pair (Tuning register 1, which tunes frequency, paired with PCR 1)

The tuning registers are used for tuning the frequency, power level, number of antennas and their lengths. These are the radio configurations we want to avoid being manipulated, intentionally or otherwise.

A. Changing the tuning register values

The only way for software to change the value of a PCR is by invoking the TPM operation,

PCRExtend(index, data)

The parameters to this operation are the PCR index and the data value that we need to set the associated tuning register with. So when we set a tuning register representing the frequency to 425MHz, we set the associated PCR, e.g. the PCR with index value 2, with the same frequency value using the following operation.

PCRExtend(2, 425MHz)

The result of this operation is as follows,

PCR2 ← H(data, PCR2-)

The hash of the data, in this case the bits representing 450 MHz, together with the previous value of the register (PCR2-), is stored in the PCR with index value 2.

B. Binding a particular SDR signal processing block to a legal configuration

The TPM presents a simple interface for binding data to the current platform configuration using the 'Seal' command,

Seal(indices, PCR_index, data) → (C, MAC_SRK((index_0, PCR_index0), (index_1, PCR_index1), ...))

We input the PCR index, the value at that PCR and the data that we want to associate with the PCR to the 'Seal' command. It should be noted that this PCR configuration is provided in the update shown in Fig. …. The output of the operation is the integrity-protected list of PCR indices and their values along with the encryption of the data: C. The data is actually a waveform code and the PCR values represent the legal tuning configurations. C is stored in the waveform database and not the actual waveform code itself.

C. Unbinding the SDR signal processing block to a legal configuration

When the waveform needs to be loaded, it first needs to be decoded, and for decoding the SDR needs to have a proper tuning configuration. The Unseal command takes in a cipher-text and PCR list created by the Seal command. The TPM verifies the integrity of the list of PCR values, and then compares them against the current values of those PCRs. If they match, the TPM decrypts C and outputs the resulting data. If any of the checks fail, the TPM simply returns an error.

Unseal(C, MAC_Kroot((1, PCR1), (3, PCR3), (17, PCR17)))

In the case of our radio the waveform code is decrypted only if the current tuning register configuration is legal. Without decrypting the waveform code, we cannot transmit. To decrease the time for decryption during writing of the waveform, a single critical waveform of the waveform chain can be used for the above process.

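A software model of PCRExtend, Seal and Unseal as described in this section, added here as an illustration and not taken from the paper or any TPM library. SimTPM, load_waveform, the SHA-256 register size and the toy keystream cipher are assumptions; PCR index 2 and 425MHz follow the text.

```python
import hashlib, hmac, os

ZERO = bytes(32)  # PCR value after reset (assumption: SHA-256 sized PCRs)

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class SimTPM:
    """Software model of the three operations in section III; not a real TPM API."""
    def __init__(self, n_pcrs: int = 24):
        self._srk = os.urandom(32)          # stays inside the object, like the SRK
        self.pcr = [ZERO] * n_pcrs

    def pcr_extend(self, index: int, data: bytes) -> None:
        # PCR <- H(data, PCR-), argument order as written in the paper
        self.pcr[index] = H(data, self.pcr[index])

    def _mac(self, policy, c: bytes) -> bytes:
        # Covers the PCR list and, as an added assumption, the ciphertext too
        msg = b"".join(bytes([i]) + v for i, v in policy) + c
        return hmac.new(self._srk, msg, hashlib.sha256).digest()

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # Toy SHA-256 counter-mode keystream standing in for the TPM's cipher
        out = bytearray()
        for off in range(0, len(data), 32):
            pad = H(self._srk, nonce, off.to_bytes(8, "big"))
            out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
        return bytes(out)

    def seal(self, policy, data: bytes):
        """policy: list of (PCR index, required value). Returns (C, policy, MAC)."""
        nonce = os.urandom(16)
        c = nonce + self._xor_stream(nonce, data)
        return c, list(policy), self._mac(policy, c)

    def unseal(self, blob) -> bytes:
        c, policy, tag = blob
        if not hmac.compare_digest(tag, self._mac(policy, c)):
            raise PermissionError("PCR list or ciphertext modified")
        if any(self.pcr[i] != v for i, v in policy):
            raise PermissionError("current tuning is not the sealed configuration")
        return self._xor_stream(c[:16], c[16:])

def load_waveform(tpm: SimTPM, blob, freq: bytes):
    """Reboot, tune (which extends PCR 2), then try to unseal; None means refused."""
    tpm.pcr = [ZERO] * len(tpm.pcr)         # models a reboot: PCRs return to zero
    tpm.pcr_extend(2, freq)
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None
```

Because PCRExtend chains each new value onto the previous one, extending PCR 2 with 425MHz after an earlier tuning does not reproduce the sealed value, so in this model the legal value is only reached from a reset register.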

D. Using the above mechanism in open source test-beds

Wireless@VT has been building a unique heterogeneous wireless communication network test-bed based on cognitive radios. The network will consist of 48 radio nodes spread over four floors in a building. The test-bed will enable researchers from VT and outside to implement and test their algorithms, protocols, applications, and hardware technologies within a realistic environment. Other universities are embarking on a similar endeavour. If we take the example of USRP2 based radios in the test-bed, the signal sample processing code is written on the FPGA present on the motherboard from a flash card every time the radio boots up. If a TPM chip is built on the motherboard of such a highly flexible radio, different levels of security can be built for this system using the mechanism from the previous sections (III A, B and C), based on the expertise of the students working on these radios. The faculty can be the administrators of these TPM modules, allowing them to put limits on the radio for a particular group of students and allow complete flexibility for more advanced students. The flash card of the USRP2 can have the signal sample processing code for the FPGA in encrypted form. This code will only be decrypted and written on the FPGA if the values in the tuning registers are within limits.

IV. Securing the learning mechanism of CR

The learning mechanisms in Cognitive radio networks are constantly updating their classifiers as new data arrives. By carefully monitoring and sequencing transmitted signals, an adversary can manipulate the output of the classifier long-term (NEW01). For example, if the system uses a high level of security or high throughput, a malicious user can monitor the signal and jam it until the learning algorithm starts thinking that it needs to use low security and throughput. The solution to this problem is differentiating between noise and a malicious user. One reason why these algorithms are able to be manipulated is that they are designed to classify signals in environments with specific noise, not environments where malicious users are present. The first approach in developing signal classifiers that are robust to malicious users is to use signal feature combinations that are difficult to emulate. The drawback is that higher-order signal features require more complex signal analysis and are much more computationally complex to implement.

The solution can be the use of PHY layer watermarking schemes as described in (GOE01). The watermarking method presented may be applied to every SDR signal at IF, enabling its use without modification to the transmitter, as a preconditioning component in the IF chain of the transmitter, before signal upconversion and power amplification. Goergen et al. define the alphabet for the authentication signal C, where each vector c_l ∈ C is a finite length synthetic FIR channel response to be applied by the transmitter, and l is the length in primary-signal symbols of the maximum length impulse response.

The actual authentication signal C contains,

{TS, F, L, T, C, Sign_SRK(Hash(TS, F, L, T))}

where TS, F, L and T represent time stamp, frequency, location, and time of the signal. The TPM can build in the integrity by doing a hash on these values and signing the complete message with the TPM private key. This is used by other radios while sensing to check if what they are seeing is noise or a radio itself. If this radio is acting maliciously, then these other radios can send the information from the watermark to a particular authority. The authority can easily find this malicious transmitter and shut it down.

Conclusion

References

[BRA01] Hans Brandl, Thomas Rosteck, "Trusted Computing: The TCG Trusted Platform Module Specification", Infineon Technologies AG Trusted Computing
[SIM01] E. Simpson, P. Schaumont, "Offline Hardware/Software Authentication for Reconfigurable Platforms," Workshop on Cryptographic Hardware and Embedded Systems 2006 (CHES 06), Yokohama, Japan, October 2006
[Wind01] Windows Trusted Platform Module Management Step-by-Step Guide, http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
[IBM01] IBM-Linux Application Enforcer (Checking of programs during the loading), http://enforcer.sourceforge.net/
[PAR01] B. Parno, "The Trusted Platform Module (TPM) and Sealed Storage," RSA, June 21, 2007. [Online]. Available: http://www.rsa.com/rsalabs/technotes/tpm/sealedstorage.pdf
[NEW01] T. Newman, T. Clancy, "Security Threats to Cognitive Radio Signal Classifiers," Wireless @ Virginia Tech Symposium, June 2009
[GOE01] N. Goergen, T. Clancy, T. Newman, "Physical Layer Authentication Watermarks Through Synthetic Channel Emulation", IEEE Dynamic Spectrum Access Networks Conference (DySPAN), April 2010