WO2017203078A1 - System for preventing hardware attacks in an i2c bus, slave module and network comprising same - Google Patents


Info

Publication number
WO2017203078A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
signal
bus
slave
scl
Application number
PCT/ES2017/070336
Other languages
Spanish (es)
French (fr)
Inventor
Fernando Gomez Bravo
Juan Antonio Gomez Galan
Raúl JIMENEZ NAHARRO
Manuel Sanchez Raya
Jonatan Medina Garcia
Original Assignee
Universidad De Huelva
Application filed by Universidad De Huelva
Publication of WO2017203078A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 13/38 Information transfer, e.g. on bus
    • G06F 13/42 Bus transfer protocol, e.g. handshake; Synchronisation

Definitions

  • the invention belongs to the field of industrial robotics. In particular, it relates to security against attacks on communication between devices under the I2C protocol.
  • motors or actuators are present in any robotic environment, since they are responsible for moving the different parts of the robot (manipulators) or the robot itself (mobile robots). In manipulators, the motors move the arm, the wrist and the end effector (the part with which the manipulator interacts). In mobile robots, the main function of the motors is to provide locomotion, usually through wheels. Any failure in the communication with the motors causes an error in the trajectory of the robot, hence the importance of ensuring reliable communication with the motors.
  • I2C: Inter-Integrated Circuit
  • the bus connects one element (usually a microcontroller) that performs the master functions, and one or more additional elements (usually peripherals) that perform the slave functions.
  • the protocol uses three lines: SCL, the synchronization or clock line (controlled by the master); SDA, the data line over which the communication takes place (controlled by the master or the slave depending on the operation performed); and the ground line, as a common reference.
  • the logic values on the bus are ground level for logic '0' and high impedance (the line released and pulled up) for logic '1'.
  • high impedance avoids the need for all components to share the same supply (bias) level.
  • the I2C bus lines are accessible to allow the connection of other peripherals.
  • the communication process requires an idle condition, identified by both SCL and SDA being in high impedance.
  • the communication process begins with a start condition, identified by a falling edge on SDA while SCL remains in high impedance. From that moment on, SCL toggles as a clock signal, and SDA may only change while SCL is low; while SCL is high, SDA must remain stable so that it can be sampled.
  • the communication process of a write operation is as follows. First, the master sends the address of the slave it wants to talk to, with the control (R/W) bit at '0' to indicate a write. The slave whose address was transmitted responds in the next clock cycle with an acknowledgment. Next, the master sends the address of the slave register it wants to write, which the slave acknowledges. Finally, the master sends the value to be written, which the slave again acknowledges. As a final act, the master generates a stop condition: SDA goes from low level to high impedance while SCL remains in high impedance. The stop condition therefore leaves both lines in the idle condition.
  • some implementations of the I2C protocol have the feature called "clock stretching", whereby the peripheral can pause the communication for a limited time. While the peripheral holds the communication (usually because it needs more time to complete its operation), the master waits without modifying the values of the SCL and SDA lines. When the peripheral releases the bus again, the master continues from the point where the communication had stopped.
  • this protocol is very vulnerable to hardware attacks for two fundamental reasons.
  • the protocol lines are highly accessible, not only to the peripherals connected to them but to any other element, including one that perpetrates an attack on the communication process.
  • using high impedance as logic '1' allows the value '0' to prevail over the value '1'.
  • as a consequence, when two elements transmit two different values on the bus simultaneously (on SCL as clock line or on SDA as data line), a situation commonly known as a collision, the prevailing value is '0'. The remaining elements connected to the bus therefore see '0' without being aware of the collision.
  • typical fault insertion attacks are attacks that vary the frequency of the clock signal.
  • lowering the operating frequency below the minimum allowed increases the vulnerability to reverse engineering attacks, while raising it above the maximum allowed causes failures, since the system does not have enough time to complete its operation. This type of attack is viable in any electronic system, including robotic environments.
  • the main objective of a fault insertion attack on the clock line is to make the program execute a portion of code (for example, one granting privileged access) that was not contemplated in normal program execution.
  • the fault caused by the variation (here, an increase) of the clock frequency prevents the execution of the instruction responsible for preventing entry into that portion of code.
  • the traditional defense against such attacks consists in introducing a system that cancels the clock signal whenever the frequency varies outside the allowed range. The microprocessor system then waits until a cycle with a valid frequency arrives to execute the instruction, so that no instruction is skipped.
  • a frequency sensor based on bandpass filters has been used for this purpose; its mission is to identify regions where the signal has a frequency other than the allowed one.
  • the common characteristics of these sensors are the following:
  • the detection is performed during the entire system execution time.
  • the response of the system is the cancellation of the clock signal (preventing the fault from taking effect) for the duration of the attack.
  • the effect of such attacks on a robotic application has not been considered, nor therefore their defenses.
  • a robotic platform will be considered where the attack will be carried out on the communication between the master and a slave in particular, connected through the I2C protocol.
  • a fault insertion attack on the I2C protocol is as simple as forcing a logic '0' on the SCL line during a given period of the communication process. Although it could apparently be interpreted as a "clock stretching" situation, the difference is that the attacker only releases the line when the communication has ended, whereas the release in real "clock stretching" does not imply the end of the transmission. Such an action means that the communication process is not completed, and therefore that the command carried in the message is not executed.
  • this makes possible a selective attack, directed at the communication with a specific slave.
  • the attack considered can be seen as a fault insertion attack that varies the frequency of the clock signal, making that frequency zero for the rest of the communication process.
  • detection should therefore not be carried out during the entire execution time but only during a communication process; while no communication is taking place, the sensor must remain inactive. Nor can the response of the sensor be the cancellation of the clock signal, because that is the same action the attack produces.
  • the object of the invention is a system to inhibit hardware attacks on an I2C bus that includes a detector device that detects the start of communication on the SDA data line of the I2C bus and generates, upon detection, an initialization signal.
  • the system also includes an oscillating device that receives the initialization signal from the detector and generates an independent clock signal.
  • the system also includes a measuring device that receives the detector's initialization signal, automatically measures the frequency of the SCL synchronization signal, compares it with the oscillator's clock signal and generates a signal indicating the existence of an attack based on the result of the comparison.
  • the system also includes a response device that receives the signal indicating the existence of an attack and regenerates the SCL line from the oscillator device signal.
  • the response device can stop the SDA line while an attack is detected.
  • the measuring device includes a ring counter.
  • another object of the invention is a slave module for an I2C bus with the above inhibitor system integrated. A further object is a network including an I2C bus to which at least one slave module connected to the inhibitor system, and also a master module, are connected.
  • the response will be according to the specific application (preferably through a programmable module).
  • to defend the communication over an I2C bus on the slave side, the invention has two fundamental missions: first, it must detect the presence of an attack on the communication by monitoring in real time the frequency of the synchronization signal (SCL); second, if an attack has been detected, the detection triggers a response (deemed appropriate) known to the system. The invention thus presents a solution to fault insertion attacks in robotic environments.
  • SCL: synchronization (clock) signal
  • FIG. 1 shows the traditional attack and defense situation in a microprocessor-based system.
  • FIG. 2 shows the waveforms related to a write operation on an I2C bus.
  • FIG. 2A shows normal operation without attack and FIG. 2B operation under attack.
  • FIG. 3 shows the connection scheme of the different modules in a communication process with the possibility of attack.
  • FIG. 4 Shows the scheme in more detail of the communication attack inhibition system.
  • FIG. 1 is an example that shows the traditional attack and defense situation in a microprocessor-based system.
  • the clock frequency is increased so that instruction N is not executed and execution passes to instruction N + 1, although according to the program logic that instruction should not be executed. With a defense against this type of attack, the frequency sensor cancels the clock signal when its frequency is outside the allowed range, keeping instruction N waiting for a new clock cycle in which it can be executed.
  • FIG. 2 shows an example of a write operation without attack and under attack on an I2C bus.
  • FIG. 2A shows the waveforms relative to a normal write operation without communication attack.
  • FIG. 2B illustrates a write that has suffered an attack, whose effect is seen in the marked areas. The attack forces the SCL line low once the slave to be attacked has been identified in the communication process.
  • the attack module also performs this task in such a way that the master module believes the communication is following its proper course.
  • the defense mechanism has been advantageously designed in such a way that it can solve two different scenarios.
  • FIG. 3 illustrates the connection scheme of the main modules that can intervene in a communication process.
  • the modules included are the following:
  • the master module 10 responsible for managing the communication process, and thus, responsible for controlling the SCL synchronization line.
  • a defended slave module 20a, that is, one coupled to the inhibitor system 40.
  • An attack module 30 (which the attacker would add) that would be responsible for managing said attack.
  • said attack module 30 has the same design philosophy as a conventional slave module 20, except that it is designed to alter the values of the synchronization signal SCL.
  • inserting the attack module 30 does not require modifying any other module; it is enough for the I2C bus lines to be accessible, which is the normal situation given the protocol's own philosophy.
  • the master module 10 communicates with two slaves: one without protection 20 and another protected 20a by means of the inhibitor system 40 object of this invention.
  • An attacking module 30 is also represented.
  • the architecture of the defended slave module 20a would be identical to that of the traditional slave module 20 without defense, whereby neither the communication protocol nor the traditionally used hardware have to undergo modifications.
  • the use of the cascade inhibitor system 40 with the slave module 20a will allow it to be immune to the damage caused by an attack.
  • This inhibitor system 40 will be formed by four elements as can be seen in FIG. 4. Each one is explained below:
  • a first detector device 42 that detects the start and stop conditions (to know when the sensor has to operate) and the start of cycles (to know when to start a new measurement). This detector 42 will generate the initialization signals for the rest of the devices of the inhibitor system 40.
  • a second oscillator device 44 will be dedicated to the generation of an internal clock that will control the operation of the monitoring and inhibition process, that is, of the other devices except the detector 42.
  • this clock must be generated on the same substrate to avoid vulnerabilities.
  • This internal generation will involve the use of ring oscillation techniques (to have an oscillatory signal) and frequency division techniques (to avoid excessive use of hardware).
  • a third measuring device 46 designed to measure automatically the frequency of the SCL signal, taking as time base the clock signal generated by the oscillator 44 and the initialization signal generated by the detector 42. The frequency measurement is immediately available at the next pulse to be measured, or as soon as it is verified that the frequency is lower than allowed. The meter 46 generates a signal indicating the existence of an attack according to the value of the measured frequency.
  • a fourth response device 48 will be intended to generate the response of the inhibitor system 40.
  • if there is no attack, the response must be to pass the SCL and SDA signals through without any interference, so that the presence of the inhibitor system 40 is transparent. If there is an attack, the response must be the one that best suits the application and the specific use. Usually, the SCL and SDA lines will not be passed through during an attack, and the response device 48 will autonomously generate a response, coded as a set of messages transmitted over the I2C bus, that makes the slave 20a immune to the detected attack. Until that response has been completed, no additional communication is accepted (whether under attack or not). Therefore, in case of attack, the response device 48 acts as if it were a master module 10.
  • the response considered by default may be the motor or actuator stop.
  • this response device 48 will preferably be a programmable element that will implement the sending, via the I2C bus that connects it to the slave 20a, of the corresponding stop messages.
  • depending on the application (for example a motor controller), this may be done with a single message or with a set of messages that guarantees the execution of a speed profile that safely stops the robot.
  • the message sequence will be programmable according to the nature of the application.
  • the SCL signal of this transmission uses the local oscillator 44, which ensures a communication free of attacks.
  • a first embodiment can be considered in which the inhibitor system 40 and the slave module 20 to be protected are included in the same integrated substrate obtaining a slave module free of attacks 20b that already incorporates the functions of the inhibitor system 40.
  • in a second embodiment the inhibitor system 40 is coupled to a standard slave module 20a, in the sense that the slave does not have to manage the possibility of an attack but is nevertheless protected against attacks.
  • the inhibitor system 40 can be implemented with digital techniques, and therefore as hardware in an application-specific integrated circuit (ASIC) or in a programmable device (such as an FPGA or CPLD). These options facilitate its integration on the same substrate as the slave module 20, forming a single integrated block 20b. It can also be used externally to the slave element, since it does not require any specific signal to function.
  • ASIC: application-specific integrated circuit
  • CPLD: complex programmable logic device
  • a coupled option has been used, that is, the inhibitor system 40 on a different substrate from the slave element 20.
  • the inhibitor has been implemented in an FPGA of the Spartan-3AN family (specifically the XC3S700AN, on an FPGA-based development board), while the slave element is an MD23 motor controller. Because the inhibitor sits on a separate substrate, its response has involved regenerating the I2C bus, and the response agreed for an attack situation has been the immediate shutdown of the motors.
  • the proposed architecture allows another type of response to be programmed, whichever best suits the specific application of the robotic system.
  • to complete the communication environment, a master module 10 of the I2C bus, a slave module without defense and an attack module 30 have been implemented in the same FPGA as the inhibitor system 40.
  • the actions followed in each of the elements will be detailed.
  • for the detector device 42 an asynchronous, delay-insensitive solution has been used, since this element has no clock signal to operate with.
  • the initialization sequence is as follows. First, the oscillator device 44 is stopped so that the clock signal does not disturb the initialization of the other elements. Second, the response device 48 is initialized, since in case of attack it needs the previous data of the measuring device 46 (it has to regenerate the synchronization signal). Third, the measuring device 46 is initialized so that the measurement starts from zero. Finally, the oscillator device 44 is restarted to begin monitoring. In the first prototypes this initialization cycle takes approximately 15 ns. The oscillator device 44 has been implemented in two stages:
  • a fine oscillation frequency is generated with a ring oscillator.
  • the fine signal is fed to a frequency divider that generates the final oscillation frequency.
  • the divider avoids the excessive use of hardware that generating low frequencies with ring oscillators alone would require.
  • a final period of about 320 ns has been obtained from an initial fine period of about 10 ns.
  • the measuring device 46 should measure as quickly as possible, so that the inhibitor system 40 can be used in the greatest possible number of situations, even though that speed is not needed in the prototype.
  • the measurement count has been implemented with a ring counter. This solution has two advantages: it is the fastest way to implement the count, and comparing measurements needs only a simple implementation such as a two-input AND gate. The size of the ring counter must cover the whole range of allowed frequencies. In this prototype a maximum limit of 10 cycles has been used, corresponding to a period of about 3.2 µs.
  • the response device 48 must generate the response of the inhibitor 40. In case of attack, as mentioned above, it must regenerate the SCL and SDA lines so that the programmed response is delivered.
  • the SDA line is generated from scratch with the appropriate values, following the synchronization of the master 10 (in the cases without attack). The SCL line must be regenerated with the same synchronization. For this the measurement obtained by the measuring device 46 is used, and the signal is regenerated following the inverse philosophy: the oscillator 44 drives a ring counter that determines when the regenerated SCL signal must be '0' or '1'. Once that signal has been regenerated, the normal flow of the I2C communication is carried out as if by a master element 10.
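The four elements described above, modelled over a sampled bus capture as an added example (this is not the inventors' FPGA design): the detector arms on a START and disarms on a STOP, the measurer counts 320 ns oscillator ticks per SCL phase and flags an attack when the ring counter completes its 10-tick turn (3.2 µs) without seeing an SCL edge, and the response device then clocks a programmed stop message to the slave from the local oscillator, using the last measured half period. The slave address, the register map of the stop message and the 4-tick half period of the constructed capture are assumptions.

```python
"""Model of the inhibitor's four elements (detector 42, the 320 ns tick of
oscillator 44, the ring-counter measurer 46 and the response device 48) run over
a constructed SCL/SDA capture. Added illustration, not the inventors' FPGA
design: the slave address, the stop message's register map and the capture's
timing (4 ticks per SCL half period) are assumptions for the demonstration."""

TICK_NS = 320          # oscillator 44 period in the prototype (10 ns ring oscillator, divided)
RING_LEN = 10          # 10 ticks = 3.2 us, the longest SCL phase the prototype accepts
SLAVE_ADDR = 0x2A      # constructed 7-bit address of the protected slave
STOP_MESSAGE = [(SLAVE_ADDR << 1) | 0, 0x01, 0x00]  # hypothetical "speed register := 0"

def frame_bits(message):
    """Bits of an I2C frame body: 8 data bits MSB first plus a released ACK slot per byte."""
    bits = []
    for byte in message:
        bits += [(byte >> i) & 1 for i in range(7, -1, -1)] + [1]
    return bits

def regenerate(message, half):
    """(scl, sda) samples clocked by the local oscillator: a repeated START, the
    message (SDA set while SCL is low, stable while high), then a STOP."""
    out = [(0, 1), (1, 1), (1, 0)]
    for bit in frame_bits(message):
        out += [(0, bit)] * half + [(1, bit)] * half
    return out + [(0, 0)] * half + [(1, 0)] * half + [(1, 1)]

class Inhibitor:
    def __init__(self, message=STOP_MESSAGE, ring_len=RING_LEN):
        self.message, self.ring_len = message, ring_len
        self.active = False                # detector 42: measure only inside a transaction
        self.count, self.last = 0, None    # measurer 46: ticks in current / previous SCL phase
        self.response, self.attack_tick = [], None
        self.prev, self.t = (1, 1), -1

    def tick(self, scl, sda):
        """One oscillator tick with the bus levels; returns the (scl, sda) pair handed
        to the slave: the bus itself, or the regenerated lines during a response."""
        self.t += 1
        pscl, psda = self.prev
        self.prev = (scl, sda)
        if self.response:                  # 48 owns the slave's lines until the response is out
            return self.response.pop(0)
        if scl and pscl:                   # SDA edge while SCL is high: START or STOP
            if psda and not sda:
                self.active, self.count, self.last = True, 0, None
            elif not psda and sda:
                self.active = False
        if self.active:
            if scl != pscl:                # SCL edge: the phase just finished is the measurement
                self.last, self.count = self.count, 1
            else:
                self.count += 1
                if self.count == self.ring_len:   # ring counter made a full turn with no edge
                    self.attack_tick, self.active = self.t, False
                    half = self.last or self.ring_len // 2   # fallback if nothing measured yet
                    self.response = regenerate(self.message, half)
                    return self.response.pop(0)
        return scl, sda                    # no attack: the inhibitor is transparent

def decode_frames(samples):
    """What a slave sees on a (scl, sda) stream: lists of bytes between START and
    STOP, SDA sampled on SCL rising edges, incomplete bytes dropped at START/STOP."""
    frames, cur, bits, pscl, psda = [], None, [], 1, 1
    for scl, sda in samples:
        if scl and pscl and psda and not sda:        # START (also repeated START)
            if cur is not None:
                frames.append(cur)
            cur, bits = [], []
        elif scl and pscl and not psda and sda and cur is not None:   # STOP
            frames.append(cur)
            cur = None
        elif scl and not pscl and cur is not None:   # rising edge: sample one bit
            bits.append(sda)
            if len(bits) == 9:                       # 8 data bits + ACK slot
                cur.append(int("".join(map(str, bits[:8])), 2))
                bits = []
        pscl, psda = scl, sda
    return frames

def make_bus_trace(half, byte, attack_hold):
    """Constructed capture: idle, START, one byte (ACK pulled low), then either an
    attacker holding SCL low for attack_hold ticks (no STOP ever comes) or a STOP."""
    trace = [(1, 1), (1, 1), (1, 0)]
    for bit in [(byte >> i) & 1 for i in range(7, -1, -1)] + [0]:
        trace += [(0, bit)] * half + [(1, bit)] * half
    if attack_hold:
        return trace + [(0, 0)] * attack_hold
    return trace + [(0, 0)] * half + [(1, 0)] * half + [(1, 1)]

def run(attack_hold):
    """Feed a capture through the inhibitor; attack_hold = 0 is a normal write."""
    trace = make_bus_trace(4, (SLAVE_ADDR << 1) | 0, attack_hold)
    inh = Inhibitor()
    out = [inh.tick(scl, sda) for scl, sda in trace]
    return {"attack_tick": inh.attack_tick, "phase_ticks": inh.last,
            "transparent": out == trace, "slave_sees": decode_frames(out)}
```

`run(0)` passes a normal write through unchanged. `run(250)` has the attacker grab SCL at sample 75, right after the address byte's ACK; the inhibitor flags the attack at tick 84, ten ticks (3.2 µs) later, and the decoded output shows the slave receiving the address byte from the master and then the whole stop message clocked by the local oscillator while the bus SCL stays stuck low. The `decode_frames` helper is the check one would run on a logic-analyser capture of the inhibitor's output to confirm that the regenerated frame is well formed.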


Abstract

The invention relates to a system for preventing hardware attacks for a slave module (20) in an I2C bus, which system includes: a detector (42) for detecting the initiation of communication in a data line, SDA, and generating an initialisation signal; an oscillator (44) for generating an independent clock signal; a meter (46) for automatically measuring the frequency of a synchronisation signal, SCL, comparing same to the clock signal of the oscillator (44), and generating a signal indicating the existence of an attack; a response device (48) configured to receive the signal indicating the existence of an attack and to regenerate the SCL line from the signal of the oscillator (44).

Description

HARDWARE ATTACK INHIBITOR SYSTEM ON AN I2C BUS, SLAVE MODULE AND NETWORK COMPRISING IT
DESCRIPTION
Technical field of the invention
The invention belongs to the field of industrial robotics. In particular, it relates to security against attacks on the communication between devices under the I2C protocol.
Background of the invention or state of the art
Motors or actuators are present in any robotic environment, since they are responsible for moving the different parts of the robot (manipulators) or the robot itself (mobile robots). In manipulators, the motors move the arm, the wrist and the end effector (the part with which the manipulator interacts). In mobile robots, the main function of the motors is to provide locomotion, usually through wheels. Any failure in the communication with the motors causes an error in the trajectory of the robot, hence the importance of ensuring reliable communication with the motors.
One of the most common mechanisms for communicating with motors is the I2C (Inter-Integrated Circuit) communications protocol. This protocol, designed by Philips, dates back to 1992 in its version 1.0. It was created to connect microcontrollers and their peripherals in a compact way on a single bus. The I2C bus has the following characteristics:
· It is a bidirectional bus, so the communication process allows read and write operations.
· It is a serial bus, so information is transmitted bit by bit.
· The bus connects one element (usually a microcontroller) that performs the master functions, and one or more additional elements (usually peripherals) that perform the slave functions.
· The protocol uses three lines: SCL, the synchronization or clock line (controlled by the master); SDA, the data line over which the communication takes place (controlled by the master or the slave depending on the operation performed); and the ground line, as a common reference.
· The logic values on the bus are ground level for logic '0' and high impedance for logic '1'. High impedance avoids the need for all components to share the same supply (bias) level.
· The I2C bus lines are accessible to allow the connection of other peripherals.
The communication process requires an idle condition (identified by both SCL and SDA being in high impedance). The communication process begins with a start condition, identified by a falling edge on SDA while SCL remains in high impedance. From that moment on, SCL toggles as a clock signal, and SDA may only change while SCL is low, since while SCL is high SDA must remain stable so that it can be sampled.
The communication process of a write operation is as follows. First, the master sends the address of the slave it wants to talk to, with the control (R/W) bit at '0' to indicate a write. The slave whose address was transmitted responds in the next clock cycle with an acknowledgment. Next, the master sends the address of the slave register it wants to write, which the slave acknowledges. Finally, the master sends the value to be written, which the slave again acknowledges. As a final act, the master generates a stop condition: SDA goes from low level to high impedance while SCL remains in high impedance. The stop condition therefore leaves both lines in the idle condition. Additionally, some implementations of the I2C protocol have the feature called "clock stretching", whereby the peripheral can pause the communication for a limited time. While the peripheral holds the communication (usually because it needs more time to complete its operation), the master waits without modifying the values of the SCL and SDA lines. When the peripheral releases the bus again, the master continues from the point where the communication had stopped.
This protocol is very vulnerable to hardware attacks for two fundamental reasons. First, the protocol lines are highly accessible, not only to the peripherals connected to them but also to any other element, among which there may be one that perpetrates an attack on the communication process. Second, the use of high impedance as logic '1' allows the value '0' to prevail over the value '1'. A consequence is that when two elements want to transmit two different values on the bus simultaneously (whether on the SCL line, as the clock bus, or on the SDA line, as the data bus), a situation commonly known as an information collision, the predominant value is '0'. Therefore, the rest of the elements connected to the bus would read its value as '0', without noticing the collision.
There are many forms of hardware attack that do not involve computer viruses. These attacks do not need large resources, nor do they have to result in complicated implementations. One category of these attacks is the so-called fault insertion attacks.
Typical fault insertion attacks are attacks that vary the frequency of the clock signal. Reducing the operating frequency increases the vulnerability to reverse engineering attacks, while increasing the operating frequency above the maximum allowed causes failures, since the system does not have enough time to complete its operation. This type of attack can be viable in any electronic system, including robotic environments.
However, until now the consideration of hardware attacks has centred on computer applications based on microprocessors and/or microcontrollers; to date, this type of attack has not been considered in robotic applications. In the computing field (on which the search for defenses is centred), the main purpose of fault insertion attacks has been to obtain privileged information. Therefore, the targets of these attacks are usually security systems, such as smart cards or encryption and/or decryption mechanisms. The aim of these attacks is usually to make the security system fail, creating a vulnerability that is used to obtain the privileged information.
Focusing on the microprocessor application, the main objective of a fault insertion attack on the clock line is to make the program execute a certain portion of code (for example, relating to privileged access) that was not contemplated in the normal execution of the program. The fault caused by the variation of the clock frequency (in this case an increase) prevents the instruction responsible for avoiding entry into that portion of code from being executed. The traditional defense against this type of attack consists of introducing a system that cancels the clock signal when a disallowed variation in the clock frequency occurs. In this way, the microprocessor system waits until a cycle of valid frequency arrives to execute the instructions, so that no instruction goes unexecuted. Traditionally, a frequency sensor based on bandpass filters has been used for this purpose, whose mission is to identify regions in which the signal has a frequency other than the allowed one. The common characteristics of these sensors are the following:
· Detection is performed during the entire execution time of the system.
· The response of the system is the cancellation of the clock signal (avoiding execution of the fault) during the attack.
On the other hand, the effect that executing these attacks has on a robotic application has not been considered, nor, therefore, have its defenses. For this purpose, a robotic platform will be considered in which the attack is carried out on the communication between the master and a particular slave, connected through the I2C protocol.
A fault insertion attack on an I2C protocol would be as simple as placing a logic '0' on the SCL line during a given period of the communication process. Although this may apparently be interpreted as a "clock stretching" situation, the difference is that the attacker only releases the communication once it has ended, whereas the release of genuine "clock stretching" does not imply the end of the transmission. Such an action would mean that a communication process is not completed, and therefore that the command contained in the message is not executed. In addition, the implementation of a selective attack (attacking the communication to a specific slave) is very simple, since the attacking system can very easily read the address of the slave with which communication is to be established. If communication with that slave is to be prevented, after reading the address the SCL line is forced to '0', and therefore the communication will not be completed and, consequently, the command will not be executed. Moreover, since no slave detects that communication is being established with it, none notices that the system is under attack.
Given the above, the attack considered can be seen as a fault insertion attack that varies the frequency of the clock signal, making the frequency zero for the rest of the communication process.
Since this situation has not been considered in the field of robotics, no solution to the attack is known either. The traditional defense applied in the computing field, that is, the frequency sensor based on bandpass filters, could be proposed. However, it would not be useful for the following reasons:
· Detection must not be performed during the entire execution time but only for the duration of a communication process. When no communication process is taking place, the sensor must remain inactive.
· The response of the sensor cannot be the cancellation of the clock signal, because that is the same action as the one produced by the attack.
Brief description of the invention
In view of the limitations identified in the state of the art, it would be desirable to inhibit hardware attacks so as to avoid communication problems and the loss of commands.
The object of the present invention is a system for inhibiting hardware attacks on an I2C bus that includes a detector device which detects the start of communication on the SDA data line of the I2C bus and which, upon detection, generates an initialization signal. The system also includes an oscillator device that receives the initialization signal from the detector and generates an independent clock signal. The system also includes a measuring device that receives the initialization signal from the detector, automatically measures the frequency of the SCL synchronization signal and compares it with the clock signal of the oscillator in order to generate a signal indicating the existence of an attack according to the result of the comparison. The system further includes a response device that receives the signal indicating the existence of an attack and regenerates the SCL line from the signal of the oscillator device.
Optionally, the response device can halt the SDA line while an attack is detected.
Optionally, the measuring device includes a ring counter.
Another object of the present invention is a slave module for an I2C bus that comprises the above inhibitor system in integrated form. A further object of the present invention is a network that includes an I2C bus to which are connected at least one slave module coupled to the inhibitor device and also a master module.
Upon detecting two different situations, the present proposal is able to act selectively, namely:
· when the communication process has been completed successfully, in which case it does not intervene in the process;
· when it has not been completed successfully because of a hardware attack, in which case the response will be in accordance with the specific application (preferably by means of a programmable module).
To defend the communication process over an I2C bus on the slave device side, the invention will have two fundamental missions: first, it must detect the presence of an attack on the communication process by monitoring the frequency of the synchronization signal (SCL) in real time; second, if an attack has been detected, the detection will entail a response (deemed appropriate) known to the system. The present invention therefore provides a solution to fault insertion attacks in robotic environments.
Throughout the description and the claims, the word "comprises" and its variants are not intended to exclude other technical features, additives, components or steps. The following examples and figures are provided by way of illustration and are not limiting of the present invention.
Brief description of the figures
A series of drawings that help to better understand the invention and that expressly relate to an embodiment of said invention, presented as a non-limiting example thereof, is described very briefly below.
FIG. 1 shows the traditional attack and defense situation in a microprocessor-based system.
FIG. 2 shows the waveforms for a write operation on an I2C bus. FIG. 2A shows normal operation without attack, and FIG. 2B shows the operation when it has suffered an attack.
FIG. 3 shows the connection scheme of the different modules in a communication process with the possibility of attack.
FIG. 4 shows the scheme of the communication attack inhibition system in more detail.
Detailed description of the invention
With reference to the above figures, an embodiment is described in which several slave devices are connected to an I2C bus controlled by a master device.
FIG. 1 is an example showing the traditional attack and defense situation in a microprocessor-based system. In the case of attack, the frequency of the clock signal increases so that instruction N is not executed and execution passes to instruction N+1, although according to the operation of the program that instruction should not be executed. If there is a defense against this type of attack, the frequency sensor cancels the clock signal when its frequency is outside the allowed range, keeping instruction N waiting for the arrival of a new clock cycle in order to be executed.
FIG. 2 shows an example of a write operation on an I2C bus without attack and with attack. FIG. 2A shows the waveforms for a normal write operation without attack on the communication. Analogously, FIG. 2B illustrates a write that has suffered an attack, whose effect can be seen in the marked areas. The attack forces the SCL line low once the slave to be attacked has been identified in the communication process.
Since the attacked slave is not going to answer with the acknowledgments, the attack module will also perform this task so that the master module believes the communication is following its proper course.
The defense mechanism has been advantageously devised so that it can provide a solution to two different scenarios. First: its implementation on the same substrate as the slave device, thereby obtaining a slave device that communicates over the I2C bus free of communication attacks. Second: its use with standard slave devices, so that functionality is added without the need to modify them.
FIG. 3 illustrates the connection scheme of the main modules that can take part in a communication process. The modules included are the following:
· The master module 10, responsible for managing the communication process and thus for controlling the SCL synchronization line.
· A defended slave module 20a, that is, one coupled to the inhibitor system 40.
· A slave module without defense 20, and therefore susceptible to communication attacks.
· An attack module 30 (which the attacker would add) that would be responsible for managing the attack. This attack module 30 will have the same design philosophy as a conventional slave module 20, except that it will be arranged to alter the values of the SCL synchronization signal.
As can be seen from FIG. 3, the insertion of the attack module 30 does not imply the modification of any other module. It is enough to have the I2C bus lines accessible, which is the normal situation given the protocol's own philosophy.
Continuing with FIG. 3, the master module 10 communicates with two slaves: one without protection 20 and another 20a protected by the inhibitor system 40 that is the object of this invention. An attacking module 30 is also represented. The architecture of the defended slave module 20a would be identical to that of the traditional slave module 20 without defense, so neither the communication protocol nor the traditionally used hardware has to be modified. Instead, the use of the inhibitor system 40 in cascade with the slave module 20a will make the latter immune to the damage caused by an attack. In another embodiment it is possible to integrate the inhibitor system 40 into the slave module, obtaining a slave module free of attacks 20b.
This inhibitor system 40 will be formed by four elements, as can be seen in FIG. 4. Each is explained below:
· A first detector device 42 that detects the start and stop conditions (to know when the sensor has to operate) and the start of cycles (to know when it has to start a new measurement). This detector 42 will generate the initialization signals for the rest of the devices of the inhibitor system 40.
· A second oscillator device 44 will be dedicated to generating an internal clock that will control the operation of the monitoring and inhibition process, that is, of the other devices except the detector 42. This clock must be generated on the same substrate to avoid vulnerabilities. This internal generation will involve the use of ring oscillation techniques (to obtain an oscillating signal) and frequency division techniques (to avoid excessive use of hardware).
· A third measuring device 46 will be intended to automatically measure the frequency of the SCL signal, taking as its time base the clock signal generated in the oscillator 44 and the initialization signal generated by the detector 42. This frequency measurement will be available immediately on the next pulse to be measured, or as soon as it is verified that the frequency is lower than allowed. The meter 46 will generate a signal indicating the existence of an attack according to the value of the measured frequency.
· A fourth response device 48 will be intended to generate the response of the inhibitor system 40. If there is no attack, the response must be to pass the SCL and SDA signals through without any interference, so that the presence of the inhibitor system 40 is transparent. If there is an attack, the response implemented must be the one that best suits the application and its particular use. Usually, the SCL and SDA lines will not be passed through in the event of an attack, and this response device 40 will autonomously generate a response, coded as a set of messages transmitted over the I2C bus, that will make the slave 20a immune to the detected attack. Until that response has been completed, no additional communication will be accepted (whether under attack or not). Therefore, in case of attack, the response module 48 will act as if it were a master module 10.
By way of example, the default response may be to stop the motor or actuator. To this end, this response device 48 will preferably be a programmable element that implements the sending, over the I2C bus connecting it to the slave 20a, of the corresponding stop messages. Depending on the application (for example a motor controller), this may be done with a single message or with a set of messages that guarantees the execution of a speed profile that stops the robot safely. In any case, the message sequence will be programmable according to the nature of the application. The SCL signal for this transmission will use the oscillator 44, which is local and will guarantee attack-free communication.
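As an added example, not part of the patent or of any implementation by its authors, the following Python model reproduces the write transaction described at the start of this section and runs a software version of the detector 42 and meter 46 over it, so that a normal write, a write with legitimate clock stretching and a write whose SCL line stays low can be compared. It assumes the bus lines are sampled once per tick of the oscillator 44; SAMPLES_PER_BIT, MAX_PERIOD_TICKS, the sample values and all function names are hypothetical.

```python
# Added example (not from the patent): software model of the I2C write
# transaction and of detector 42 / meter 46 of inhibitor system 40.
# Assumptions (hypothetical): one sample per oscillator tick, a nominal SCL
# period of SAMPLES_PER_BIT ticks, and an SCL period longer than
# MAX_PERIOD_TICKS (frequency below the allowed minimum) reported as an attack.

SAMPLES_PER_BIT = 8      # oscillator ticks per nominal SCL period (assumed)
MAX_PERIOD_TICKS = 40    # longest SCL period tolerated; shorter stretches pass


def write_transaction_trace(slave_addr, reg, value, stretch_ticks=0,
                            stall_after_byte=None):
    """Return (scl, sda) sample lists for a master->slave write: START,
    address byte with R/W = '0', register byte, data byte, one ACK cycle
    after each byte, then STOP.  Constructed waveform, not a capture.

    stretch_ticks    extra ticks the slave holds SCL low before each ACK
                     (legitimate clock stretching)
    stall_after_byte index of the byte (0 = address) after whose ACK the SCL
                     line stays low for the rest of the transaction, i.e. the
                     incomplete-write situation the description discusses
    """
    half = SAMPLES_PER_BIT // 2
    scl, sda = [], []

    def emit(s, d, n):
        scl.extend([s] * n)
        sda.extend([d] * n)

    emit(1, 1, half)                     # idle: both lines released (high)
    emit(1, 0, half)                     # START: SDA falls while SCL is high
    frames = [(slave_addr << 1) | 0, reg, value]
    for idx, byte in enumerate(frames):
        for i in range(7, -1, -1):       # MSB first; SDA changes while SCL low
            bit = (byte >> i) & 1
            emit(0, bit, half)
            emit(1, bit, half)
        emit(0, 0, stretch_ticks)        # slave may stretch the clock here
        emit(0, 0, half)                 # ACK cycle: slave pulls SDA low
        emit(1, 0, half)
        if stall_after_byte == idx:
            remaining = 9 * SAMPLES_PER_BIT * (len(frames) - idx - 1) + 3 * half
            emit(0, 0, remaining)        # SCL never rises again; no STOP arrives
            return scl, sda
    emit(0, 0, half)                     # SDA held low while SCL low
    emit(1, 0, half)                     # SCL released
    emit(1, 1, half)                     # STOP: SDA rises while SCL is high
    return scl, sda


def monitor(scl, sda):
    """Model of detector 42 plus meter 46.  Detector: START/STOP conditions
    on SDA open and close the measurement window.  Meter: counts oscillator
    ticks between SCL rising edges and raises 'attack' as soon as the count
    exceeds MAX_PERIOD_TICKS, without waiting for the next pulse."""
    active = seen_rise = attack = complete = False
    since_rise = 0
    periods = []
    prev_scl, prev_sda = scl[0], sda[0]
    for s, d in zip(scl[1:], sda[1:]):
        if prev_scl and s and prev_sda and not d:      # START condition
            active, complete, seen_rise, since_rise = True, False, False, 0
        elif prev_scl and s and not prev_sda and d:    # STOP condition
            active, complete = False, True
        elif active:
            since_rise += 1
            if s and not prev_scl:                     # SCL rising edge
                if seen_rise:
                    periods.append(since_rise)         # one SCL period measured
                seen_rise, since_rise = True, 0
            elif since_rise > MAX_PERIOD_TICKS:        # SCL frequency too low
                attack = True
        prev_scl, prev_sda = s, d
    return {"attack": attack, "complete": complete, "periods": periods}


if __name__ == "__main__":
    cases = [("normal write", {}),
             ("write with clock stretching", {"stretch_ticks": 12}),
             ("SCL held low after address byte", {"stall_after_byte": 0})]
    for label, kwargs in cases:          # 0x12 / 0x01 / 0x7F are constructed values
        r = monitor(*write_transaction_trace(0x12, 0x01, 0x7F, **kwargs))
        print(f"{label}: attack={r['attack']} complete={r['complete']} "
              f"periods={len(r['periods'])} longest={max(r['periods'])} ticks")
```

The stretched write stays below MAX_PERIOD_TICKS and completes with a STOP, which is why the meter does not confuse it with the stalled write, where no STOP ever arrives and the tick count runs past the limit.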
Según lo anterior, puede plantearse una primera realización en la que el sistema inhibidor 40 y el módulo esclavo 20 a proteger están incluidos en un mismo sustrato integrado obteniendo un módulo esclavo libre de ataques 20b que ya incorpora las funciones del sistema inhibidor 40. According to the above, a first embodiment can be considered in which the inhibitor system 40 and the slave module 20 to be protected are included in the same integrated substrate obtaining a slave module free of attacks 20b that already incorporates the functions of the inhibitor system 40.
Alternativamente, puede concebirse una segunda realización en la que se acoplará la el sistema inhibidor 40 a un módulo esclavo estándar 20a en el sentido de que no tiene que gestionar la posibilidad de un ataque pero que quedará protegido entonces frente a ataques. Alternatively, a second embodiment can be conceived in which the inhibitor system 40 will be coupled to a standard slave module 20a in the sense that it does not have to manage the possibility of an attack but will then be protected against attacks.
Implementation in a prototype
The inhibitor system 40 can be implemented with digital techniques and can therefore be implemented as hardware in an application-specific integrated circuit (ASIC) or in a programmable device (such as an FPGA or CPLD). These options facilitate its integration on the same substrate as the slave module 20, thus obtaining a single integrated block 20b. It can also be used externally to the slave element, since it does not require any specific signal in order to operate.
In the first prototypes an adapted option was used, that is, the inhibitor system 40 on a different substrate from that of the slave element 20. The inhibitor was implemented in an FPGA device of the Spartan-3AN family (more specifically the XC3S700AN model included in an FPGA-based development board), while the slave element used was the MD23 motor controller. Because of this adaptation, the inhibitor's response involved regenerating the I2C bus, so the agreed response to an attack situation was the immediate stopping of the motors. Nevertheless, the proposed architecture allows another type of response to be programmed that better suits the specific application of the robotic system.
In order to complete the communication process environment, a master module 10 of the I2C bus, a slave module 20a without defence and an attack module 30 were implemented in the same FPGA as the inhibitor system 40.
With respect to the internal implementation of the inhibitor, the approach followed for each of the elements is detailed below. For the detector device 42, a delay-insensitive asynchronous solution was used, since this element has no clock signal with which to operate. The initialization sequence is as follows. First, the oscillator device 44 is stopped so that the clock signal does not affect the initialization conditions of the other elements. Second, the response device 48 is initialized, since in case of attack it needs the previous data from the measuring device 46 (because it has to regenerate the synchronization signal). Third, the measuring device 46 is initialized so that the measurement starts at zero. Finally, the oscillator device 44 is restarted to begin monitoring. In the first prototypes this initialization cycle takes approximately 15 ns.
The oscillator device 44 has been implemented in a mixed form. First, a fine oscillation frequency is generated using a ring oscillator. Second, the fine signal is fed to a frequency divider to generate the final oscillation frequency. The divider is used to avoid the excessive use of hardware resources that generating low frequencies with ring oscillators alone would entail. In our particular case, a final clock with a period of about 320 ns has been generated, starting from a fine signal with a period of about 10 ns.
The measuring device 46 should take its measurement as quickly as possible, so that the inhibitor system 40 can be used in the largest possible number of situations, even though this was not necessary in the case of the prototype. The measurement count has been implemented with a ring counter. This solution has two advantages. First, it is the fastest solution for the counting operation. Second, comparing the measurements requires an implementation as simple as a two-input AND gate. The size of this ring counter must be such that it covers the whole range of the allowed frequency. In this prototype a maximum limit of 10 cycles has been used, corresponding to a period of about 3.2 us.
The response device 48 must generate the response of the inhibitor 40. In case of attack, and as already discussed, it must regenerate the SCL and SDA lines so that the response is the programmed one. The SDA line is generated from scratch with the appropriate values, following the synchronization of the master 10 (for the cases in which there was no attack). The SCL line has to be regenerated with the same synchronization. To that end, the measurement obtained by the measuring device 46 is used, and on the basis of that measurement the signal is regenerated following the inverse philosophy, that is, using the oscillator 44 together with a ring counter to determine when the regenerated SCL signal must be '0' or '1'. Once that signal has been regenerated, the normal flow of the I2C communication must be carried out as if it were a master element 10.
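The detection, measurement and regeneration path described above, as an added behavioural model in Python that is not part of the patent or of the FPGA prototype. Waveforms are constructed lists of 0/1 samples taken once per tick of the local oscillator 44 (320 ns); the one-hot ring counter, the two-input AND comparison and the 10-tick limit follow the description, while the START detection on SDA, the reuse of the last attack-free period and the 9-pulse stop message are assumptions of this model.

```python
# Added behavioural model (not the patent's or the prototype's code) of detector 42,
# measuring device 46 and response device 48. Waveforms are lists of 0/1 samples,
# one per tick of the local oscillator 44 (320 ns in the prototype).
OSC_PERIOD_NS = 320   # local oscillator period in the prototype
RING_STAGES = 10      # ring counter length: 10 ticks = 3.2 us maximum SCL period

def scl_samples(high_ticks, low_ticks, periods):
    """Constructed SCL waveform: `periods` cycles of the given high/low length."""
    return ([1] * high_ticks + [0] * low_ticks) * periods

def detect_start(sda, scl):
    """Detector 42 (assumed model): an I2C START is SDA falling while SCL is high.
    Returns the sample index of the START, or None if the bus stays idle."""
    for i in range(1, len(sda)):
        if sda[i - 1] == 1 and sda[i] == 0 and scl[i] == 1:
            return i
    return None

def measure_scl(scl, stages=RING_STAGES):
    """Measuring device 46: count oscillator ticks between two SCL rising edges
    with a one-hot ring counter. The attack test is a two-input AND: the token
    sits in the last stage AND another tick arrives with no SCL edge.
    Returns ("ok", period_ticks) or ("attack", ticks_elapsed)."""
    ring, ticks, counting = 1, 0, False   # one-hot token starts in stage 0
    for prev, cur in zip(scl, scl[1:]):
        rising = prev == 0 and cur == 1
        if not counting:
            counting = rising             # first edge after START: start at zero
            continue
        ticks += 1
        if rising:
            return ("ok", ticks)
        if ring & (1 << (stages - 1)):    # limit reached and still no edge
            return ("attack", ticks)
        ring <<= 1                        # advance the token one stage per tick
    return ("attack", ticks)              # SCL fell silent before a full period

def regenerate_scl(period_ticks, pulses):
    """Response device 48: rebuild SCL from the measured period with the local
    oscillator (the 'inverse' use of the ring counter)."""
    high = period_ticks // 2
    return ([1] * high + [0] * (period_ticks - high)) * pulses

class Inhibitor:
    """Inhibitor 40: transparent when no attack is measured, otherwise it blocks
    the bus and drives the programmed response from the local clock."""
    def __init__(self, default_period=8):
        self.last_good_period = default_period   # assumed: last attack-free period

    def process(self, sda, scl):
        start = detect_start(sda, scl)
        if start is None:
            return ("idle", scl)                 # no communication, nothing to check
        verdict, ticks = measure_scl(scl[start:])
        if verdict == "ok":
            self.last_good_period = ticks        # kept for the response device
            return ("pass", scl)                 # SCL/SDA forwarded untouched
        # attack: lines are not forwarded; assumed response = 9 SCL pulses
        # (one byte plus ACK) of a stop message, clocked by the local oscillator
        return ("block", regenerate_scl(self.last_good_period, 9))
```

With the prototype's 3.2 us limit an SCL period of 8 ticks (about 2.5 us) passes, while a clock slowed to 31 ticks or held stuck trips the attack signal on the tenth tick.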

Claims

1. Hardware attack inhibitor system for an I2C bus, characterized in that it comprises:
- a detector device (42) configured to detect the start of communication on the SDA data line of the I2C bus and to generate an initialization signal if it has been detected;
- an oscillator device (44) configured to receive the initialization signal from the detector (42) and to generate an independent clock signal;
- a measuring device (46) configured to receive the initialization signal from the detector (42), to measure automatically the frequency of the SCL synchronization signal, to compare it with the clock signal of the oscillator (44), and to generate a signal indicating the existence of an attack depending on the result of the comparison;
- a response device (48) configured to receive the signal indicating the existence of an attack and to regenerate the SCL line from the signal of the oscillator device (44).
2. Inhibitor system according to claim 1, characterized in that the response device (48) is configured to stop the SDA line while an attack is detected.
3. Inhibitor system according to claim 1 or 2, characterized in that the measuring device (46) comprises a ring counter.
4. Slave module (20b) for an I2C bus comprising an integrated inhibitor system (40) according to any one of claims 1 to 3.
5. Network comprising an I2C bus to which at least the following are connected:
- a slave module (20a) coupled with an inhibitor device (40) according to any one of claims 1 to 3;
- a master module (10).
PCT/ES2017/070336 2016-05-24 2017-05-22 System for preventing hardware attacks in an i2c bus, slave module and network comprising same WO2017203078A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ES201600465A ES2647941B1 (en) 2016-05-24 2016-05-24 Hardware attack inhibitor system on an l2C bus, slave module and network comprising it
ESP201600465 2016-05-24

Publications (1)

Publication Number Publication Date
WO2017203078A1 true WO2017203078A1 (en) 2017-11-30

Family

ID=60411135

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/ES2017/070336 WO2017203078A1 (en) 2016-05-24 2017-05-22 System for preventing hardware attacks in an i2c bus, slave module and network comprising same

Country Status (2)

Country Link
ES (1) ES2647941B1 (en)
WO (1) WO2017203078A1 (en)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GOMEZ-BRAVO ET AL.: "Sobre la vulnerabilidad de los robots móviles frente a los ataques hardware", XXXVI JORNADAS DE AUTOMÁTICA, COMITÉ ESPAÑOL DE AUTOMÁTICA DE IFAC (CEA-IFAC), 2015, pages 358 - 365, XP055441740, Retrieved from the Internet <URL:http://www.ehu.eus/documents/3444171/4484749/144.pdf> *
JIMENEZ-NAHARRO, R. ET AL.: "Design and Implementation of a New Real-Time Frequency Sensor Used as Hardware Countermeasure", SENSORS, vol. 9, 9 April 2013 (2013-04-09), pages 11709 - 11727, XP055441735 *

Also Published As

Publication number Publication date
ES2647941B1 (en) 2018-09-04
ES2647941A1 (en) 2017-12-27

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17802251

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17802251

Country of ref document: EP

Kind code of ref document: A1