Work Description
Title: Authenticated Boot Acceleration Algorithm Open Access Deposited
Attribute | Value |
---|---|
Methodology |
|
Description |
|
Creator | |
Depositor |
|
Contact information | |
Discipline | |
Keyword | |
Citations to related material |
|
Resource type | |
Last modified |
|
Published |
|
Language | |
DOI |
|
License |
(2019). Authenticated Boot Acceleration Algorithm [Data set], University of Michigan - Deep Blue Data. https://doi.org/10.7302/yeh1-1x17
Relationships
- This work is not a member of any user collections.
Files (Count: 7; Size: 646 MB)
Thumbnailthumbnail-column | Title | Original Upload | Last Modified | File Size | Access | Actions |
---|---|---|---|---|---|---|
README.md | 2019-04-18 | 2019-05-13 | 7.69 KB | Open Access |
|
|
setup_phase_sampled_boot.py | 2019-04-18 | 2019-04-18 | 6.51 KB | Open Access |
|
|
verification_phase_sampled_boot.py | 2019-04-18 | 2019-04-18 | 6.19 KB | Open Access |
|
|
CMAC.py | 2019-04-18 | 2019-04-18 | 11.7 KB | Open Access |
|
|
drbg.py | 2019-04-18 | 2019-04-18 | 18.9 KB | Open Access |
|
|
get-pip.py | 2019-04-18 | 2019-04-18 | 1.59 MB | Open Access |
|
|
data.zip | 2019-04-17 | 2019-04-17 | 644 MB | Open Access |
|
Package Title: Python Sampled Boot Authentication
This package consists of two scripts which implement 3 different Sampled Boot Authentication
schemes, (Random Block Sampling, One per Block Sampling and Two per Block Sampling).
Date Created: 17 April, 2019
Authors: Wonder-Junior Gumise: Wonder-Junior.Gumise@hsrw.org/Ahmad MK Nasser: ahmadnas@umich.edu
Key Points:
The two scripts in this package implement the setup and verification phases of the Sampled Boot
Authentication procedure proposed in the research paper.
They enable practical evaluation of the performance of Sampled Boot Authentication schemes on
custom hex data images.
The actual C language version of the algorithm is not included. To implement on an embedded device
it is recommended that data is fed into the AES engine in blocks, to allow using a smaller buffer for the fetched data and the
psuedo random numbers.
Research Overview:
------------=-----
The Sampled Boot schemes implemented in this package allow significant reduction of the time
needed to authenticate firmware images during startup, while still retaining a high degree of trust.
Methodology:
An AES CTR DRBG module is used to create randomly sampled addresses belonging to a user provided hex image.
Sampled data corresponding to the sampled addresses is then used to create a CMAC tag of the sampled image.
The generated tag can then be used to verify whether or not modifications have been made to the hex image,
with a certain degree of probability which depends on size of the hex image, the modifications done
to it and the chosen scheme for the procedure.
Software specifications:
Python version: 3.3
pycrypto version: 2.6.1
Installation
-Python 3.3 is required for compatibility with the utilized pycrypto library.
Python 3.3.5 for windows can be found here:
https://www.python.org/downloads/release/python-335/
-Depending on the OS you're using, "python distutils" and "pip" may be installed together with python.
If this isn't the case however, python distutils can be installed on Ubuntu by running:
apt-get install python3-distutils
And pip installation instructions can be found here:
https://www.makeuseof.com/tag/install-pip-for-python/
Note: for windows installation the correct get-pip installer script for python3.3 can be found here:
https://bootstrap.pypa.io/3.3/get-pip.py
Once Python 3.3, distutils and pip have been successfully installed on your machine you are ready to start downloading the
required packages and libraries.
-To install the pycrypto with pip run:
pip install pycrypto
pycrypto 2.6.1 is the latest available version.
Note: pycrypto 2.6.1 is missing the "CMAC" package, the missing package is however already included together with the
provided scripts. If you're interested in it's origins, here is the source:
https://github.com/dlitz/pycrypto/blob/master/lib/Crypto/Hash/CMAC.py
Just like for the CMAC package, the python-drbg library is also already included; it was sourced from here:
https://github.com/blubber/python-drbg
The libary does not have a setup.py file, however, instead of going through the process of adding the packages
to your sys.path list, you can just extract the library to the same folder as the provided scripts.
-Finally, you have to install the hexfile library. Download it from here:
https://github.com/ryansturmer/hexfile
The library can be installed using the provided setup.py file. The modules are packaged using the Distutils, so you can simply run "python setup.py build" to build the
package, and "python setup.py install" to install it.
Usage
-Once all the installation steps are complete, run "setup_phase_sampled_boot.py" to start the setup phase application.
Here is an example usage of the setup phase application:
```python
Setup phase:
Enter key as 16byte hexstring: 2b7e151628aed2a6abf7158809cf4f3c --> this is the AES Key used for CMAC generation
Enter filename/relative path of original hexfile: Example_DataSets\SBA_DataSet_1MB_original.hex --> this represents the original firmware image
Enter sample boot method: rbs
Enter sample size as a percentage (1 - 100): 10
```
As shown above, required are a 16 byte hex string key, and the filename/relative path for a hex file representing your original image.
If the hex images are in the same folder as the script the filename is sufficient otherwise the relative path is required.
The sample boot scheme is selected in the 3rd step with options, 'rbs' for Random Block Sampling,
'pbs1' for One byte per block Sampling and 'pbs2' for Two bytes per block Sampling.
The sample size option is only for the rbs scheme, in the above example, 10% of the hex image is sampled.
-The verification phase can now be started by running "verification_phase_sampled_boot.py"
This phase only requires the filename of the hex image to be verified, all the other parameters are automatically extracted from
saved files created in the setup phase. Note the file here represents a modified version of the original firmware.
Here is an example usage of the verification phase application:
```python
Verification phase:
Enter filename/relative path of hexfile to be verified: Example_DataSets\SBA_DataSet_1MB_modified_cont_512.hex
Modification detected
```
SBA_DataSet_1MB_modified_cont_512.hex is a modified version of SBA_DataSet_1MB_original with 512 bytes modified contiguously.
Output is either "Modification detected" or "No modification detected" depending on whether the selected Sampled Boot scheme
detected any modification.
DataSets
Example datasets including the ones shown in the examples above are available in the Example_DataSets folder provided with the package.
The naming scheme follows the following format:
"SBA_DataSet_" - Sampled Boot Authentication datasets.
"
"original" - denotes an original non-modified hex image.
"_modified" - a modified hex image.
"cont
"non-cont
".hex" - the file type of the hex images
The full data set folder contains all the modified images that were used for testing.
The naming scheme follows this format:
"SBA_DataSet_" - Sampled Boot Authentication datasets.
"m
"_n" - for each x value we generate a different file where the modification starts
The files that include
Note for these files, we randomly modify 8 bytes contiguously before moving to the next block. These files were used to evaluate performance of the rBS scheme.
To evaluate performance of pBS schemes you have to reduce the number of contiguously modified bytes. You can use a hex manipulation tool to do that.
File List:
1- setup_phase_sampled_boot.py: contains the implementation of the setup phase algorithm
2- verification_phase_sampled_boot.py: contains the implementation of the verification algorithm
3- CMAC.py: contains CMAC algorithm, this is available from github but included here for convenience
4- drbg.py: contains the DRBG algorithm, this is available from github but included here for convenience
5- get-pip.py: this is available from github but included here for convenience
6- data.zip: contains a 1 MByte hex file that corresponds to the original firmware image, along with sets of modified versions of this file. Each set modifies a number of blocks at random locations.
Related publication(s):
Nasser, A., Ma, D., Gumise, W.J. (2019). Accelerated Secure Boot for Realtime Embedded Safety Systems
How to Cite this Work:
Nasser, A., Gumise, W. (2019). Authenticated Boot Acceleration Algorithm [Code and data]. University of Michigan Deep Blue Data Repository. https://doi.org/10.7302/yeh1-1x17
Use and Access:
This data set is made available under a Creative Commons Public Domain license (CC0 1.0).