Special Session: Electromagnetic Information Security Threats and Countermeasures (Part 2)
Time: Thursday, 04/Sept/2025, 9:00am - 10:30am
Location: Room 106 (90 seats, Tower 44, 1st floor)
Presentations
Modeling of Cryptographic Module with SoC FPGA for Side-Channel Leakage Simulation
Kengo Iokibe, Soma Tanimoto, Hayato Chikamori, Masaki Himuro, Yoshitaka Toyota
Okayama University, Japan
Edge devices installed at the front end of a network are easily accessible to third parties and are at risk of electromagnetic information leakage through side-channel attacks. In this study, we constructed a side-channel leakage simulation model for a printed circuit board equipped with an SoC FPGA, a device class increasingly used in edge devices. We are working to build a framework for designing side-channel attack resistance into actual products and plan to use this SoC FPGA-equipped board and simulation model as a platform for the study. Using the simulation model we created, we predicted power and EM side-channel leakage. As a result, we demonstrated the trend of change in leakage strength as the PDN decoupling configuration and the position of the magnetic field probe are varied. The results also suggest that modeling the switching currents generated in circuits other than the encryption circuit is necessary to improve the prediction accuracy.
Clock-to-Clock Modulation Covert Channel
Mohamed Alla Eddine BAHI (1), Maria MENDEZ REAL (2), Erwan NOGUES (1), Maxime PELCAT (1)
(1) Univ Rennes, INSA Rennes, IETR - UMR 6164, Rennes, France; (2) Univ Bretagne-Sud, Lab-STICC - UMR CNRS 6285, Lorient, France
Various Electromagnetic (EM) attacks have been developed to modulate and utilize EM emanations for covert communication, including exploiting processors, memory modules, and peripheral interfaces. The exploitation of clock systems presents unique challenges for attackers, as clocks are typically designed as output circuits with minimal susceptibility to software manipulation. Furthermore, Spread Spectrum Clock (SSC) modulated clocks pose additional difficulties since they are specifically engineered to reduce Electromagnetic Interference (EMI), exhibiting lower power levels for EM attacks. State-of-the-art SSC covert channels depend on precise control of memory activity, which generates carrier signals imitating the behavior of a Local Oscillator (LO). In this paper, we demonstrate that an air-gap covert channel attack on SSCs can be established by leveraging the existing (unintended) coupling between an SSC and nearby clocks, a phenomenon we name Clock-to-Clock Modulation (CCM). CCM-based SSC attacks are characterized by their low complexity, as they require only basic on/off operations to control the carrier signal, without necessitating fine clock manipulation. Unlike previous approaches that rely on non-clock components, CCM represents a direct attack on the clock system itself. We propose a simulation of the observed wideband clock-to-clock modulation phenomenon and validate our approach through experimental implementation on an air-gapped desktop system, where we successfully manipulate Peripheral Component Interconnect (PCI) and PCI Express (PCIe) clocks to establish an air-gap covert channel. Our results demonstrate that this novel channel is capable, from software running on the victim, of transmitting 3 bits per symbol period, achieving a bit rate of 100 bit/s.
Arbitrary Data Injection into CMOS Integrated Circuits via Dual-Wave Electromagnetic Irradiation
Masahiro Kinugawa (1), Yuichi Hayashi (2)
(1) The University of Fukuchiyama; (2) Nara Institute of Science and Technology (NAIST)
Intentional electromagnetic interference (IEMI) poses a serious security threat, allowing attackers to disrupt or manipulate electronic equipment remotely by injecting false data through electromagnetic (EM) radiation. Existing methods fall short, often requiring physical access to internal circuitry or depending on the nonlinear characteristics of devices, which results in unreliable logic state injections. This paper introduces a groundbreaking EM dual-wave injection technique that effectively addresses these limitations. Our method stabilizes and precisely controls the injection of logic states into CMOS integrated circuits (ICs). Initial experiments with standard CMOS logic ICs clearly demonstrate the feasibility and reliability of injecting arbitrary logic states using two strategically selected EM wave frequencies. Furthermore, we successfully applied this innovative approach to the widely used Raspberry Pi 4 Model B, equipped with a Broadcom System-on-a-Chip (SoC). We accomplished the remote injection of arbitrary ASCII characters into the Universal Asynchronous Receiver/Transmitter (UART) debug console interface through precise tuning of wave frequencies and power levels. This allowed for data injection into a Linux operating system, including shell commands, without any physical intervention. These results expose critical vulnerabilities inherent in serial communication interfaces like UART and signal potential risks to other prevalent serial protocols, including Inter-Integrated Circuit (I2C) buses. The demonstrated capability for accurate and non-invasive remote manipulation of embedded system operations through EM methods underscores the urgent necessity for enhanced EM protection strategies and robust defensive measures in electronic system design.
Robustness Evaluation of Software-Jamming Countermeasure against Multivariate and Nonlinear Analysis
Taiki Kitazawa, Shohei Matsumoto, Yuichi Hayashi
Nara Institute of Science and Technology, Japan
This paper evaluates the effectiveness of software jamming, a countermeasure against electromagnetic (EM) information leakage (so-called TEMPEST), in terms of its resilience to image reconstruction methods employing multivariate and nonlinear analyses. Specifically, we quantitatively assess the robustness of software jamming against reconstruction from EM emissions originating from HDMI cable signals, using Principal Component Analysis (PCA) and One-Class Support Vector Machine (OCSVM) as representative multivariate and nonlinear analysis techniques. The results indicate that when the noise level parameter L (the intensity of the noise superimposed on pixel RGB values) is set to L ≤ 4, the system is vulnerable to nonlinear analytical attacks. In contrast, at L ≥ 5, image reconstruction accuracy deteriorates markedly, demonstrating the efficacy of software jamming as a TEMPEST countermeasure under these conditions.