Conference Paper

A Ghost in your Transmitter: analyzing polyglot signals for physical layer covert channels detection

Abstract

During the last 5 years, the possibility of using physical covert channels to communicate with air-gapped information systems has been widely investigated, the main idea being the instrumentation of software or hardware components in order to code information on a shared physical medium. In complement, logical covert channels in communication protocols have been intensively studied for several decades, mostly relying on unused or reserved fields in frames at logical layers or on the instrumentation of timings and state transitions in the target protocols. Interestingly, the exploitation of physical layer characteristics of legitimate transmissions as covert channels seems to have been underestimated. More recently, an approach was proposed to superimpose two different protocols, one ASK-based and one PSK-based, within the same transmitted PHY frames, thus illustrating the possibility of covert channels using so-called polyglot signals. In this study, we decided to focus on the possibility of using a compromised radiofrequency transceiver in order to create a covert channel on the physical layer while preserving a legitimate communication. To this end, we considered a classical QPSK transmission system on which a covert communication was implemented by modulating the legitimate (modulated) signal. Several modulation schemes were formalized showing that covert channels based on polyglot signals are not restricted to the use of complementary carrier characteristics (e.g. amplitude for channel 1 and phase for channel 2). For each attack model, a specific receiver has been designed. Finally, we will show that the detection of this kind of RF covert channel, which is not possible with a classical receiver, can be achieved by monitoring some simple RF characteristics with state-of-the-art signal processing algorithms.
A Ghost in your Transmitter: analyzing polyglot signals for physical layer covert channels detection
José LOPES ESTEVES, Emmanuel COTTAIS and Chaouki KASMI
E. Cottais, C.Kasmi & J.Lopes Esteves

WHO WE ARE
E. COTTAIS, C. KASMI, J. LOPES ESTEVES
ANSSI-FNISA / Wireless Security Lab
11 members, including 3 PhD
Electromagnetic security
RF communications security
Embedded systems
Signal processing

OUTLINE
Covert channels
Polyglot signals
Target QPSK transmission
Generating covert polyglot signals
Exploiting covert polyglot signals
Detection techniques and counter-measures
Conclusion

Definitions
Covert channels

COVERT CHANNELS
Covert channel:
Information transfer (uni- or bi-directional)
between entities that are not allowed to communicate
over a channel not intended for communication
Prerequisite (out of scope of this talk): a preliminary infection, so that
both ends know the covert channel
and both ends know the covert protocol

COVERT CHANNELS
Host based: communication between processes on a host [1]
Shared file system: file contents, file locks, ...
Shared hardware: DRAMA [2], ...
Two classes:
Storage based
Timing based
A lot of studies on design, characterization and detection

COVERT CHANNELS
Network based: communication between remote processes on connected hosts
Information hidden in [1,3]:
Protocol Data Units (PDUs)
The timing of PDUs or protocol commands
A lot of studies on design, characterization and detection
Mostly channels above layer 3

COVERT CHANNELS
Air gap based: communication between remote processes on disconnected hosts
Exploitation of a shared physical medium: light, pressure, vibration, sound, temperature, EM environment
Also called physical covert channels
Information is modulated directly on the physical medium
Recent security hype

Physical layer network-based covert channels
Polyglot Signals

POLYGLOT SIGNALS
Goodspeed, Bratus, REcon 2015 [4]
RF receivers are parsers
The information received differs from the information passed to the upper layers, because of:
Modulation
Error correction
Receivers try to recover familiar structures from an unknown received signal

POLYGLOT SIGNALS
Can be exploited for covert communications
Exploit complementary modulations
ASK modulation added to a PSK-based protocol
The legitimate receiver will still get the PSK messages; it will not consider the amplitude variations and will likely correct them
The covert receiver is an ASK demodulator which will not consider the phase variations

POLYGLOT SIGNALS
Covert polyglot signal for data exfiltration
ASK modulation added to a PSK-based protocol
[Figure: a sequence of PSK frames, then the same sequence in which one frame is an ASK+PSK polyglot frame that splits into a PSK stream and an ASK stream]

POLYGLOT SIGNALS
Covert polyglot signal for data exfiltration
ASK modulation added to a PSK-based protocol
The attacker needs to:
Minimize the impact on the legitimate channel
Maximize the covert transmission quality
Minimize detectability
Of course: a trade-off!

POLYGLOT SIGNALS
Is this technique limited to complementary modulations?
How can an attacker generate a covert polyglot signal?
Is it possible to efficiently detect such covert channels?

Back to school
Target QPSK transmission

QPSK TRANSMISSION
Architecture of an IQ transmitter
[Figure: binary data is split into an I and a Q stream, each passed through its own filter, mixed with the cosine and sine outputs of the local oscillator and summed]
Transmitted signal:
$s(t) = I(t)\cos(\omega_0 t) + Q(t)\sin(\omega_0 t + \varphi_0)$
where ω₀ is the carrier pulsation and φ₀ the phase offset of the quadrature oscillator (zero for an ideal transmitter).

QPSK TRANSMISSION
Transmitted signal:
Received signal (ideal channel):
After low-pass filtering:

QPSK TRANSMISSION
Received signal constellation (ideal channel):
[Figure: the four QPSK constellation points, one per quadrant]

QPSK TRANSMISSION
Non-ideal channel:
Presence of noise
The receiver implements several correction blocks
Especially:
IQ imbalance: amplitude and phase correction

Finding entry points for attacking
Generating Covert Polyglot Signals

QPSK TRANSMISSION
Target QPSK transmitter
[Figure: the IQ transmitter chain; the binary data and the I/Q filters may be implemented in hardware or software, the mixing stage is hardware]

QPSK TRANSMISSION
Transmitted signal:
$s(t) = I(t)\cos(\omega_0 t) + Q(t)\sin(\omega_0 t + \varphi_0)$
[Figure: the same transmitter chain; the IQ samples and filters are in hardware or software, the local oscillator(s) and mixers are hardware]

GENERATING POLYGLOT SIGNALS
Transmitted signal: each factor of s(t) is a possible entry point
Software attack (on the IQ samples):
Amplitude of I
Amplitude of Q
Hardware attack (on the local oscillator(s)):
Amplitude of cos
Amplitude of sin
Cos frequency
Cos phase
Sin frequency
Sin phase

GENERATING POLYGLOT SIGNALS
Software level
Configuration of the radio front-end
Modification of the IQ samples of the SDR
Modification of the FPGA code of the SDR
How:
Malicious device drivers
Software flowgraph alteration
Specially crafted firmware/bitstream [12]
Modification of I and Q independently is possible

GENERATING POLYGLOT SIGNALS
Hardware level
Alteration of the local oscillator(s) behaviour
Hardware trojan
EMC phenomena
How:
Crosstalk, parasitic coupling, impedance mismatch
On power lines, on oscillator configuration lines (e.g. VCO, capacitors) [5]
Separate operation on I and Q is not straightforward

Playing with the amplitude of I and Q
Exploiting Covert Polyglot Signals

EXPLOITING POLYGLOT SIGNALS
Modulating the amplitude of the IQ channels
Can be done from hardware or software
Two example polyglot signals:
ASK over QPSK
QPSK over QPSK
Both are built from the same perturbed transmitted signal:
$s(t) = I(t)(1+\alpha)\cos(\omega_0 t) + Q(t)(1+\beta)\sin(\omega_0 t + \varphi_0)$
where α and β are small relative amplitude deviations carrying the covert data (ASK over QPSK: α = β; QPSK over QPSK: α and β chosen independently).

EXPLOITING POLYGLOT SIGNALS
Transmitted signal:
Received signal (ideal channel):
After low-pass filtering:
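Worked derivation of the baseband outputs for the perturbed signal, added here and not taken from the slides. It assumes an ideal channel, ideal quadrature (φ₀ = 0, so the received signal equals the transmitted one), a carrier pulsation written ω₀, and mixers that multiply by 2cos(ω₀t) and 2sin(ω₀t) so that the low-pass filter has unit gain.

$$r(t) = I(t)(1+\alpha)\cos(\omega_0 t) + Q(t)(1+\beta)\sin(\omega_0 t)$$

Mixing on the I and Q branches gives

$$2\,r(t)\cos(\omega_0 t) = I(t)(1+\alpha)\bigl(1+\cos(2\omega_0 t)\bigr) + Q(t)(1+\beta)\sin(2\omega_0 t)$$

$$2\,r(t)\sin(\omega_0 t) = I(t)(1+\alpha)\sin(2\omega_0 t) + Q(t)(1+\beta)\bigl(1-\cos(2\omega_0 t)\bigr)$$

Low-pass filtering removes the $2\omega_0$ terms, leaving

$$x(t) = I(t)(1+\alpha), \qquad y(t) = Q(t)(1+\beta)$$

For small α and β the sign of $x$ and $y$ is unchanged, so a QPSK slicer still decides the right quadrant, while a receiver that knows the decided symbol $(\hat I, \hat Q)$ can read the deviations back as

$$\hat\alpha = \frac{x}{\hat I} - 1, \qquad \hat\beta = \frac{y}{\hat Q} - 1.$$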

EXPLOITING POLYGLOT SIGNALS
The IQ imbalance correction block will:
Consider the α and β effects as noise
Compensate α and β
Transparent for the legitimate receiver
[Figure: two constellation plots, axes x1/y1 and x2/y2]

EXPLOITING POLYGLOT SIGNALS
On the covert receiver, how to recover α and β?
We suppose α and β small
They do not change the symbol quadrant (we target QPSK)
Compare the received samples with the expected ones

EXPLOITING POLYGLOT SIGNALS
Covert receiver data recovery:

EXPLOITING POLYGLOT SIGNALS
[Figure: original and recovered α over time; spectrum of the recovered α]

EXPLOITING POLYGLOT SIGNALS
ASK over QPSK
Just choose α = β
Data bit / interference sign:
Data bit 0: α > 0 and β > 0
Data bit 1: α < 0 and β < 0

EXPLOITING POLYGLOT SIGNALS
QPSK over QPSK
Just give α and β two possible values each
Data / interference sign:
Data 00: α > 0 and β > 0
Data 01: α > 0 and β < 0
Data 10: α < 0 and β > 0
Data 11: α < 0 and β < 0

Advanced signal processing
Detection techniques and counter-measures

DETECTION TECHNIQUES
Detection of such data exfiltration
Instrumentation of observables: extract features of the correction blocks at the receiver
IQ imbalance correction [6]
Measures the mismatch between the parallel sections of the receiver
A fixed coefficient update interval is a limitation for detection!
Carrier recovery [7]
Phase/frequency differences
Estimates and compensates the differences between RX and TX signals
Equalization algorithm [8]
Inter-symbol interference suppression, which can reveal cyclic symbol modifications
Coefficients updated at each packet
Monitoring of the variation of the correction coefficients

DETECTION TECHNIQUES
[Figure: correction coefficients over time; an almost random correction for a legitimate transmission versus a repetitive correction with periodic variations]
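The following pure-Python simulation is an added example, not code from the slides or from the authors' lab. It ties together two passages: the covert receiver step above (compare received samples with the expected ones, read α and β from the deviation), and the detection idea of this section (watch the gain-correction coefficients of the receiver and look for periodic structure instead of noise-like variation). Assumptions, all mine: a baseband model with an ideal channel plus AWGN, α and β of ±0.1 held over 5 legitimate symbols (the slides' 500 Hz / 100 Hz ratio), an IQ imbalance correction block modelled as the per-symbol gain deviation between each received sample and the decided constellation point, normalised autocorrelation as the periodicity statistic, and a detection threshold of 0.3 tuned for this simulation only. All bits are constructed from a seeded generator.

```python
import math
import random

ROOT2 = math.sqrt(2.0)
# Gray-mapped QPSK: bit pair -> unit-energy constellation point (I + jQ).
QPSK_MAP = {(0, 0): complex(1, 1) / ROOT2, (0, 1): complex(-1, 1) / ROOT2,
            (1, 1): complex(-1, -1) / ROOT2, (1, 0): complex(1, -1) / ROOT2}
# Inverse map keyed by quadrant, i.e. by (I < 0, Q < 0): a slicer ignores amplitude.
QPSK_DEMAP = {(int(p.real < 0), int(p.imag < 0)): b for b, p in QPSK_MAP.items()}
# QPSK-over-QPSK mapping from the slides: covert bit pair -> signs of (alpha, beta).
# ASK over QPSK is the special case alpha == beta (pairs 00 and 11 only).
COVERT_SIGNS = {(0, 0): (1, 1), (0, 1): (1, -1), (1, 0): (-1, 1), (1, 1): (-1, -1)}
COVERT_DESIGNS = {v: k for k, v in COVERT_SIGNS.items()}

def qpsk_modulate(bits):
    """Legitimate transmitter: two bits per symbol."""
    return [QPSK_MAP[(bits[i], bits[i + 1])] for i in range(0, len(bits) - 1, 2)]

def qpsk_demodulate(samples):
    """Legitimate receiver: quadrant decision only, so small alpha/beta are invisible."""
    return [b for r in samples for b in QPSK_DEMAP[(int(r.real < 0), int(r.imag < 0))]]

def polyglot_modulate(symbols, covert_bits, depth, hold):
    """Scale I by (1 + alpha) and Q by (1 + beta) with alpha, beta = +/-depth; each
    covert bit pair is held over `hold` legitimate symbols (covert rate = legit rate / hold)."""
    out = []
    for k, s in enumerate(symbols):
        sa, sb = COVERT_SIGNS[(covert_bits[2 * (k // hold)], covert_bits[2 * (k // hold) + 1])]
        out.append(complex(s.real * (1 + sa * depth), s.imag * (1 + sb * depth)))
    return out

def add_noise(samples, sigma, rng):
    """Ideal channel plus complex AWGN (constructed, seeded for reproducibility)."""
    return [s + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)) for s in samples]

def gain_deviation(samples):
    """Compare each sample with the decided ideal symbol: per-symbol (alpha_hat, beta_hat).
    An IQ imbalance correction block derives its gain coefficients from the same
    comparison (assumed model), so this sequence is also the observable the monitor watches."""
    devs = []
    for r in samples:
        ideal = complex(math.copysign(1.0, r.real), math.copysign(1.0, r.imag)) / ROOT2
        devs.append((r.real / ideal.real - 1.0, r.imag / ideal.imag - 1.0))
    return devs

def covert_demodulate(samples, hold):
    """Covert receiver: average deviations over each hold period, read bits from the signs."""
    devs, bits = gain_deviation(samples), []
    for start in range(0, len(devs) - hold + 1, hold):
        a = sum(d[0] for d in devs[start:start + hold]) / hold
        b = sum(d[1] for d in devs[start:start + hold]) / hold
        bits.extend(COVERT_DESIGNS[(1 if a > 0 else -1, 1 if b > 0 else -1)])
    return bits

def autocorrelation(x, lag):
    """Normalised (biased) autocorrelation of the mean-removed sequence at `lag`."""
    mean = sum(x) / len(x)
    c = [v - mean for v in x]
    var = sum(v * v for v in c)
    return 0.0 if var == 0.0 else sum(c[i] * c[i + lag] for i in range(len(c) - lag)) / var

def periodicity_score(coeffs, max_lag):
    """Largest autocorrelation over lags 1..max_lag: about 0 for noise-like corrections,
    large when corrections repeat or are held over several symbols."""
    return max(autocorrelation(coeffs, lag) for lag in range(1, max_lag + 1))

def monitor(samples, max_lag=8, threshold=0.3):
    """Detector: flag when the I or Q gain-correction sequence is structured.
    The threshold is an assumption tuned for this simulation, not a general value."""
    devs = gain_deviation(samples)
    score = max(periodicity_score([d[0] for d in devs], max_lag),
                periodicity_score([d[1] for d in devs], max_lag))
    return score > threshold, score

def simulate(depth=0.1, hold=5, n_covert_pairs=400, sigma=0.02, seed=1):
    """Clean vs polyglot transmission of the same constructed data; returns the outcomes."""
    rng = random.Random(seed)
    legit_bits = [rng.randrange(2) for _ in range(2 * hold * n_covert_pairs)]
    covert_bits = [rng.randrange(2) for _ in range(2 * n_covert_pairs)]
    symbols = qpsk_modulate(legit_bits)
    clean = add_noise(symbols, sigma, rng)
    covert = add_noise(polyglot_modulate(symbols, covert_bits, depth, hold), sigma, rng)
    return {
        "legit_bit_errors": sum(a != b for a, b in zip(qpsk_demodulate(covert), legit_bits)),
        "covert_bit_errors": sum(a != b for a, b in zip(covert_demodulate(covert, hold), covert_bits)),
        "clean_flagged": monitor(clean)[0],
        "covert_flagged": monitor(covert)[0],
    }

if __name__ == "__main__":
    print(simulate())
```

Running the file prints one dictionary: the legitimate bits come through the polyglot frame with no errors (the perturbation never leaves the quadrant), the covert bits are recovered from the sign of the averaged deviations, and only the polyglot transmission is flagged. The monitor never needs to know the covert mapping or rate; it only sees that a held or repeated perturbation makes successive correction coefficients correlated, which is exactly the "repetitive correction" pattern of the figure, whereas thermal noise gives coefficients that are uncorrelated from symbol to symbol.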

DETECTION TECHNIQUES
Detection of such data exfiltration
Implementation of a dedicated detection system
Prospective thoughts
Use of signal processing algorithms
Wavelet transform: recursive LF vs HF analysis [9]
Use of blind demodulation techniques [10]
Input: IF signal, baseband
Features: amplitude, phase, phase difference, frequency, cyclic spectral analysis, complex envelope
Statistics: histogram, standard deviation
Classifier: maximum likelihood, maximum correlation, decision tree

COUNTER-MEASURES
At FPGA level
Verify the integrity of the code at startup
Prevent the code from being modified/rewritten
At hardware level
Design a hardened RF front-end
Active self-test of the hardware with control loops
Avoid coupling paths (follow electronic design rules and guidelines)
EMC tests of PCBs with improved EMSEC capabilities
At fabrication level
Check the PCB fabrication process
Mask validation

Conclusion

CONCLUSION
Polyglot signals:
Interesting physical layer network covert channels
Attack vector:
Software based: can be a malware
Hardware based: can be a HW trojan (or interference)
Not limited to complementary modulations
QPSK in QPSK
Any modulation should work on any modulation

CONCLUSION
Channel capacity depends on:
The legitimate transmission
The covert transmission choices
We propose detection methods:
Use the correction blocks already present in receivers
Look for periodicity in the correction factors
Additional ideas:
Blind demodulation techniques

FURTHER THOUGHTS
Explore the hardware based attack
We like RF interference
And HW trojans
Covert channels are a hot topic
Need for new detection systems
Investigate physical layers against hidden communication
Implementation of specific processes to avoid/detect HW trojans

REFERENCES
[1] W. Mazurczyk et al., "Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures", Wiley and Sons, March 2016.
[2] P. Pessl et al., "DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks", 25th USENIX Security Symposium, August 2016.
[3] E. Tumoian and M. Anikeev, "Network Based Detection of Passive Covert Channels in TCP/IP", IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05), Sydney, NSW, 2005.
[4] T. Goodspeed and S. Bratus, "Polyglots and Chimeras in Digital Radio Modes", REcon 2015.
[5] R. Cerda, "Sources of Phase Noise and Jitter in Oscillators", March 2006, online: http://www.crystek.com/documents/appnotes/SourcesOfPhaseNoiseAndJitterInOscillators.pdf
[6] J. Tubbax et al., "Compensation of IQ imbalance and phase noise in OFDM systems", IEEE Transactions on Wireless Communications, vol. 4, no. 3, pp. 872-877, May 2005.
[7] T. Pfau et al., "Hardware-Efficient Coherent Digital Receiver Concept With Feedforward Carrier Recovery for M-QAM Constellations", Journal of Lightwave Technology, April 15, 2009.
[8] L. He and S. A. Kassam, "Convergence analysis of blind equalization algorithms using constellation-matching", IEEE Transactions on Communications, vol. 56, no. 11, pp. 1765-1768, November 2008.
[9] Qi Li-mei et al., "Wavelet Transform Theory and Its Application in Signal Processing", Journal of University of Electronic Science and Technology of China, March 2008.
[10] O. A. Dobre et al., "Blind Modulation Classification: A Concept Whose Time Has Come", course online material: http://ntrg.cs.tcd.ie/en/TCD_VT_Course_Cognitive_Radios_and_Networks/Week%204/Readings%20and%20discussion%20Questions/dobre2005.pdf
[11] S. Ghosh, A. Basak and S. Bhunia, "How Secure Are Printed Circuit Boards Against Trojan Attacks?", IEEE Design & Test, vol. 32, no. 2, pp. 7-16, April 2015.
[12] C. Krieg, C. Wolf and A. Jantsch, "Malicious LUT: A stealthy FPGA trojan injected and triggered by the design flow", Proceedings of the International Conference on Computer Aided Design (ICCAD), Austin, Texas, November 2016.

Thank You
QUESTIONS?
Emmanuel COTTAIS, emmanuel.cottais@ssi.gouv.fr
Chaouki KASMI, chaouki.kasmi@ssi.gouv.fr
Jose LOPES ESTEVES, jose.lopes-esteves@ssi.gouv.fr

AMPLITUDE-BASED EXFILTRATION
Simulation results
α = ±0.1
β = ±0.1
Freq. legit = 500 Hz
Freq. α = 100 Hz
Freq. β = 100 Hz
[Figure: received constellation]
... Covert channels have been studied for a long time and can occur at different layers of the OSI model [4]. Recently, some works have focused on implementing covert channels by compromising radiofrequency communication interfaces [5] through over-modulation, called polyglot signals. In this article, the methods for generating polyglot signals are studied and the possibility of polyglot signals appearing due to a disturbance of local oscillators by RF interference or by crosstalk is demonstrated. ...
... (and the supervision system dedicated to it) will only perceive the legitimate transmission, as illustrated in Figure 1. More generally, it has been shown that polyglot signals are not restricted to complementary modulations, for example an amplitude modulation combined with a phase modulation, and that there exists, for the attacker, a trade-off between preserving the legitimate link, maximizing the capacity of the covert channel and the probability of detection of the covert channel [5]. ...
... An analysis of the different vectors for intentionally generating polyglot signals, that is, the entry points for an attacker wanting to set up a covert channel, identified software and hardware interactions [5]. In this study we restrict ourselves to the hardware approach. ...
Conference Paper
Many studies have focused on threats induced by electromagnetic compatibility for information security. A potential correlation between the information processed by an electronic device and its emanations represents a real threat for the confidentiality of the information. Studies have also shown that the susceptibility of electronic devices represents a non-negligible risk for its integrity and its availability. In particular, several Soft-Tempest attacks have been proposed recently in order to create electromagnetic physical covert channels. These however focus on a direct correlation between the processed data and the electromagnetic emanations. In this paper we propose to investigate indirect attacks involving a local impact of the electromagnetic emanations, such as a crosstalk, modifying the behaviour of a component which in turn will contribute to establish the covert channel. To introduce such second order Soft-Tempest attack, the case of an attacker controlled communication line inducing perturbations on the local oscillator of a radio frequency front-end and creating a polyglot modulation based covert channel is detailed.
Conference Paper
We present a novel type of Trojan trigger targeted at the field-programmable gate array (FPGA) design flow. Traditional triggers are based on rare events, such as rare values or sequences. While in most cases these trigger circuits are able to hide a Trojan attack, exhaustive functional simulation and testing will reveal the Trojan due to violation of the specification. Our trigger behaves functionally and formally equivalent to the hardware description language (HDL) specification throughout the entire FPGA design flow, until the design is written by the place-and-route tool as bitstream configuration file. From then, the Trojan payload is always on. We implement the trigger signal using a 4-input lookup table (LUT), each of the inputs connecting to the same signal. This lets us directly address the least significant bit (LSB) and most significant bit (MSB) of the LUT. With the remaining 14 bits, we realize a "magic" unary operation. This way, we are able to implement 16 different triggers. We demonstrate the attack with a simple example and discuss the effectiveness of the recent detection techniques unused circuit identification (UCI), functional analysis for nearly-unused circuit identification (FANCI) and VeriTrust in order to reveal our trigger.
Article
This paper presents a novel digital feedforward carrier recovery algorithm for arbitrary M-ary quadrature amplitude modulation (M-QAM) constellations in an intradyne coherent optical receiver. The approach does not contain any feedback loop and is therefore highly tolerant against laser phase noise. This is crucial, especially for higher order QAM constellations, which inherently have a smaller phase noise tolerance due to the lower spacing between adjacent constellation points. In addition to the mathematical description of the proposed carrier recovery algorithm also a possible hardware-efficient implementation in a parallelized system is presented and the performance of the algorithm is evaluated by Monte Carlo simulations for square 4-QAM (QPSK), 16-QAM, 64-QAM, and 256-QAM. For the simulations ASE noise and laser phase noise are considered as well as analog-to-digital converter (ADC) and internal resolution effects. For a 1 dB penalty at BER = $10^{-3}$, linewidth times symbol duration products of $4.1 \cdot 10^{-4}$ (4-QAM), $1.4 \cdot 10^{-4}$ (16-QAM), $4.0 \cdot 10^{-5}$ (64-QAM) and $8.0 \cdot 10^{-6}$ (256-QAM) are tolerable.
Article
Two modified blind equalization algorithms are analyzed for performance. These algorithms add a constellation-matched error term to the cost functions of the generalized Sato and multimodulus algorithms. The dynamic convergence behavior and steady-state performance of these algorithms, and of a related version of the constant modulus algorithm, are characterized. The analysis establishes the improved performance of the proposed algorithms.
Book
Describes Information Hiding in communication networks, and highlights their important issues, challenges, trends, and applications. This book provides the fundamental concepts, terminology, and classifications of information hiding in communication networks along with its historical background. Information Hiding In Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures begins with introducing data concealment methods and their evolution. Chapter two discusses the existing terminology and describes the model for hidden communication and related communication scenarios. Chapters three to five present the main classes of information hiding in communication networks accompanied by a discussion of their robustness and undetectability. The book concludes with a discussion of potential countermeasures against information hiding techniques, which includes different types of mechanisms for the detection, limitation and prevention of covert communication channels. This book is intended for academics, graduate students, professionals, and researchers working in the fields of network security, networking, and communications.
Article
The wavelet transform has become a new signal processing technology in the last decade and has been given great importance by more and more theoretical workers and engineers. At the same time, the mathematical theory of the wavelet transform is complicated. In this paper, the basic theory and advantages of the wavelet transform are revealed simply by comparison with the Fourier transform and the short-time Fourier transform, and a deeper understanding of the wavelet transform is given by MATLAB simulation. These results show that the wavelet transform is superior to the Fourier transform and the short-time Fourier transform in both time and frequency orientation in signal processing.
Conference Paper
In cloud computing environments, multiple tenants are often co-located on the same multi-processor system. Thus, preventing information leakage between tenants is crucial. While the hypervisor enforces software isolation, shared hardware, such as the CPU cache or memory bus, can leak sensitive information. For security reasons, shared memory between tenants is typically disabled. Furthermore, tenants often do not share a physical CPU. In this setting, cache attacks do not work and only a slow cross-CPU covert channel over the memory bus is known. In contrast, we demonstrate a high-speed covert channel as well as the first side-channel attack working across processors and without any shared memory. To build these attacks, we use the undocumented DRAM address mappings. We present two methods to reverse engineer the mapping of memory addresses to DRAM channels, ranks, and banks. One uses physical probing of the memory bus, the other runs entirely in software and is fully automated. Using this mapping, we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row buffer that is shared, even in multi-processor systems. Thus, our attacks work in the most restrictive environments. First, we build a covert channel with a capacity of up to 2 Mbps, which is three to four orders of magnitude faster than memory-bus-based channels. Second, we build a side-channel template attack that can automatically locate and monitor memory accesses. Third, we show how using the DRAM mappings improves existing attacks and in particular enables practical Rowhammer attacks on DDR4.
Article
Hardware Trojan attacks at the integrated circuit (IC) level have been studied extensively in recent times. Researchers have analyzed the impact of these attacks and explored possible countermeasures for ICs. However, vulnerability with respect to hardware Trojan attacks at higher levels of system abstraction, e.g., at printed circuit board (PCB) level, have not been reported earlier. Previous studies have covered security of PCBs against piracy and various post-fabrication tampering attacks. JTAG (Joint Test Access Group) and other field programmability features, e.g., probe pins, unused sockets and USB have been extensively exploited by hackers to gain access to internal features of the designs as well as snooping of secret key, collection of test responses, and manipulating JTAG test pins. One instance demonstrated that Xbox can be hacked by disabling the Digital Rights Management (DRM) policy using JTAG. The emerging business model of PCB design and fabrication that favors extensive outsourcing and integration of untrusted components/entities in the PCB life-cycle to lower manufacturing cost, makes hardware Trojan attacks in PCBs highly feasible.
Conference Paper
A new method of covert channel detection in Initial Sequence Number (ISN) of TCP/IP is proposed in the paper. The detection is based on ISN generation model of original OS. Whenever any statistical deviations of ISN network packet from the ISN model are discovered; it is considered that this ISN packet is generated by malicious software, which tries to create a covert channel. The method was tested using experimental data generated by NUSHU covert channel creation tool, which has been developed by Joanna Rutkowska.
Conference Paper
We address the problem of identifying the modulation format of an incoming signal. We review many existing techniques for digital modulation recognition in a systematic way, which helps the reader to see the main features of each technique. The goal is to provide useful guidelines for choosing appropriate classification algorithms for different modulations, from the large pool of available techniques. Furthermore, the performance of a benchmark classifier is presented, as well as its sensitivity to several model mismatches. Open problems and possible directions for further research are briefly discussed.
Article
Nowadays, a lot of effort is spent on developing inexpensive orthogonal frequency-division multiplexing (OFDM) receivers. Especially, zero intermediate frequency (zero-IF) receivers are very appealing, because they avoid costly IF filters. However, zero-IF front-ends also introduce significant additional front-end distortion, such as IQ imbalance. Moreover, zero-IF does not solve the phase noise problem. Unfortunately, OFDM is very sensitive to the receiver nonidealities IQ imbalance and phase noise. Therefore, we developed a new estimation/compensation scheme to jointly combat the IQ imbalance and phase noise at baseband. In this letter, we describe the algorithms and present the performance results. Our compensation scheme eliminates the IQ imbalance based on one OFDM symbol and performs well in the presence of phase noise. The compensation scheme has a fast convergence and a small residual degradation: even for large IQ imbalance, the overall system performance for an OFDM-wireless local area network (WLAN) case study is within 0.6 dB of the optimal case. As such, our approach greatly relaxes the mismatch specifications and thus enables low-cost zero-IF receivers.