Skip to content

Latest commit

 

History

History
329 lines (275 loc) · 15.5 KB

README.md

File metadata and controls

329 lines (275 loc) · 15.5 KB

noise-sdr

Welcome to the Noise-SDR project!

Giovanni Camurati and Aurélien Francillon. "Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission Security" to appear at IEEE S&P 2022.

PDF BIB DOI

Electronic devices emit some unintended radio noise when working, this is usually known as Electro Magnetic (EM) noise (or EM leakage). This effect is well known for EM side channel attacks (or Tempest attacks) that exploit it to spy on the device, but also for building covert channels: a piece of code on the device controls the noise generated by the device to transmit information (Soft-Tempest). Such covert channels are limited in power and bandwidth, and, more importantly, they can transmit only on the frequencies where the leakage is present (e.g. harmonics of the clock). Existing covert channels are usually using simple modulations, for example, On Off Keying (make noise or not), to transmit information, which are simple to implement but also not very robust. With Noise-SDR we demonstrate that by controlling software running on the device, we can generate arbitrary modulations (using a technique known as RF-PWM). This allows to build more diverse and resilient transmitters and even allows to use protocols written for software defined radios, despite some limitations in power, frequency, and bandwidth. We also demonstrate the possibility to transmit at longer distance and more reliably. Interestingly, the ability to transmit using existing protocols with a software defined approach opens the potential for applications other than covert channels, for example, trying to inject data in a victim receiver.

thor22-psk125.mp4
hamdrm.mp4
sstv.mp4

Noise-SDR in a nutshell

Noise-SDR uses a leakage-based fully-digital software-defined approach to shape electromagnetic noise produced by unprivileged software into generic radio signals, arbitrarily modulated in amplitude/frequency/phase. Despite some limitations on power, frequency and bandwidth, it can transmit data with a variety of analog and digital radio protocols. Noise-SDR currently runs on x86_64 (Linux and Windows), ARMV7A/ARMV8A (Android), and MIPS32 (OpenWrt). Please check the academic paper for more details.

Noise-SDR Overview Noise-SDR Example

Note: This is just an initial release. You can already find the code and how to (cross)compile it. Running fldigi-noise-sdr is straightforward (check the help menu). We assume you have some familiarity with running code on various platforms, EM leakage, popular SDR tools and radio protocols (many resources online are available).

Publications

Giovanni Camurati and Aurélien Francillon, "Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission Security", to appear at IEEE S&P 2022.

Authors

This work was developed at EURECOM by Giovanni Camurati (now at ETH Zurich) and Aurélien Francillon. Please contact camurati@eurecom.fr for any question.

Acknowledgements

We would like to thank Andrea Possemato, Giulia Clerici, Matteo Guarrera, Elie Bursztein, Jean-Michel Picod, the anonymous reviewers and the shepherd for their feedback, help or interesting discussions. This work was partially supported by a Google Faculty Research Award.

We are grateful for the many online resources and open-source tools that made our work possible, in particular: Fldigi, GNURadio, gr-lora_sdr, gnss-sdr, qsstv, wsjt-x, sigidwiki, system-bus-radio, and drammer. Please see the academic paper for more and more detailed citations.

Files

.
├── configs # Example configs for Fldigi, Gqrx, and WSJT-X
│   ├── fldigi_def_example.xml
│   ├── gqrx-example-b210.conf
│   └── WSJT-X-example.ini
├── COPYRIGHT
├── docs
│   └── images
│       ├── overview2.jpg
│       ├── overview.jpg
│       └── thor22-rtty45-psk125r-3.jpg
├── fldigi-noise-sdr # Fldigi-Noise-SDR
│   ├── Makefile # See ARCH and OP options
│   └── src
│       ├── fldigi # Flidigi original modems
│       │   ├── contestia
│       │   ├── cw_rtty
│       │   ├── dominoex
│       │   ├── fft
│       │   ├── filters
│       │   ├── include
│       │   ├── libsamplerate
│       │   ├── lora # Additional Lora from gr-lora_sdr (modified)
│       │   ├── mfsk
│       │   ├── misc
│       │   ├── modem.cxx
│       │   ├── mt63
│       │   ├── olivia
│       │   ├── psk
│       │   ├── rsid
│       │   └── thor
│       ├── fldigi-noise-sdr # Noise-SDR specific code
│       │   ├── AndFlmsg_Fldigi_Interface.cxx # Added RF-PWM code
│       │   ├── include
│       │   └── main.cxx # Main interface
│       └── libion # Added libion for ArmV7-A
├── gnss # Code/scripts for GNSS experiments
│   ├── glonass
│   │   ├── glonass-normal
│   │   │   ├── generate-example.sh # Generate IQ and RF-PWM files
│   │   │   ├── gnss-sdr-1.5M.conf Gnss-sdr config for generated file
│   │   │   ├── gnss-sdr.conf # Gnss-sdr config for rx file
│   │   │   ├── receive-1.5M.sh # Analysis of the IQ generated file with gnss-sdr
│   │   │   ├── receive.sh # Analysis of the IQ rx file with gnss-sdr
│   │   │   └── rx.grc # Gnuradio flowgraph for reception with a USRP B210
│   │   ├── glonass-sim.py # GLONASS signal generator (simple, not a complete spoofer)
│   │   └── glonass-slow-10 # Same as glonass-normal but 10 times lower rate
│   │       ├── generate-slow-10-example.sh
│   │       ├── gnss-sdr.conf
│   │       ├── receive.sh
│   │       ├── rx.grc
│   │       └── signal_glonass.bin
│   └── gps # Similar to Glonass, but for GPS, 100 times lower rate
│       ├── generate-slow-100-example.sh
│       ├── gnss-sdr.conf
│       ├── receive.sh
│       └── rx.grc
├── gnuradio # Gnuradio flowgraphs
│   └── misc
│   |   └── generic.grc # AM, (NB)FM, USB
│   └── gr-lora_sdr-noise-sdr # gr-lora_sdr, added support simple mode, clone separately (see vagrant/bootstrap.sh).
├── LICENSE
├── offline-noise-sdr # Offline implementation of Noise-SDR
│   ├── generate # Python script to convert IQ files generated by an SDR tool into RF-PWM timings for noise-sdr.
│   │   └── rf-pwm.py 
│   └── transmit # Offline version of Noise-SDR that reads a timing file and transmits that signal.
│       ├── Makefile
│       └── src
│           ├── libion
│           │   ├── chipset.cxx
│           │   ├── include
│           │   │   └── ion
│           │   │       └── ion.h
│           │   ├── ion.c
│           │   └── kernel-headers
│           │       └── linux
│           │           └── ion.h
│           └── noise-sdr
│               └── main.cxx
├── README.md
├── scripts # Useful scripts
│   ├── data
│   │   ├── buffer.txt
│   │   ├── ft4-turing-2020-08-12-log.csv
│   │   └── rfpwm.txt
│   ├── fig12.py # Replicate Figure 12 in the paper.
│   ├── fig15.py # Replicate Figure 15 in the paper.
│   └── fig3.py # Replicate Figure 3 in the paper.
└── vagrant # Vagrant to create a VirtualBox VM or as reference for native installation
    ├── bin # bootstrap.ch will fill this folder, or you can dodwnload it (see below).
    │   ├── fldigi-noise-sdr-mips-CNT # MIPS32, leak with CNT, for OpenWRT
    │   ├── fldigi-noise-sdr-v7-ION # ARMV7-A, leak with ION, for Android
    │   ├── fldigi-noise-sdr-v8-CIVAC # ARMV8-A, leak with CIVAC, for Android
    │   ├── fldigi-noise-sdr-v8-ION # ARMV8-A, leak with ION, for Android
    │   ├── fldigi-noise-sdr-x86-STREAM # x86_64, leak with STREAM, for Linux
    │   ├── fldigi-noise-sdr-x86-STREAM.exe # x86_64, leak with STREAM, for Windows
    │   ├── offline-noise-sdr-mips-CNT 
    │   ├── offline-noise-sdr-v7-ION 
    │   ├── offline-noise-sdr-v8-CIVAC
    │   ├── offline-noise-sdr-v8-ION
    │   ├── offline-noise-sdr-x86-STREAM
    │   └── offline-noise-sdr-x86-STREAM
    ├── bootstrap.sh # Provision script, use as guide for native installation too
    ├── rfpwm # Some pre-generated rf-pwm files, you can download them (see below).
    ├── traces # Some pre-collected traces, you can download them (see below).
    └── Vagrantfile # VirtualBox configuration for vagrant

Install

You can either install Noise-SDR manually or use Vagrant and Virtualbox to automatically create a virtual machine. In either case, look at noise-sdr/vagrant/Vagrantfile and noise-sdr/vagrant/boostrap.sh for self-explaining installation instructions. Note that the actual Noise-SDR code is only a small part of this, the rest being popular SDR tools required, for example, for reception. In addition, precompiled binaries for Noise-SDR are available here.

git clone https://github.com/eurecom-s3/noise-sdr.git
cd noise-sdr/vagrant
vagrant up
vagrant ssh

Usage of fldigi/offline-noise-sdr

Transmit side

Once you have compiled Noise-SDR, run in on your machine, or push it to a phone or other device to run it there (use the correct architecture).

fldigi-noise-sdr-XXXX --help

There is also an offline version of Noise-SDR. In offline-noise-sdr you can find both a python script to generate RF-PWM timing from IQ files

./rf-pwm.py generate --help

and a version of noise-sdr that reads these files

./offline-noise-sdr-XXXX --help

For Android you can use adb, e.g.,

adb push file /data/local/tmp # to push files to the device
adb shell
$ cd /data/local/tmp # to get a shell to run the programs

USB debugging has to be activated. If device and laptop are on the same network you can connect without cable.

For the Carambola2, follow the guides: to build OpenWRT and connect to the board, to install packages manually, and to add an unprivileged user. Cross-comilation is already covered here.

Receive side

Use your favorite tool for reception. For example, we use gqrx (and a USRP B210) and Fldigi, using a virtual audio sink to connect them:

pulseaudio --start
pacmd load-module module-null-sink sink_name=MySink

Note that we provide example configuration files for FLDigi, GQRX, and WSJTX in the folder configs.

Replaying traces at the receive side

When using GQRX, you can save raw IQ samples and then replay it later. Please check the GQRX documentations and tutorials for this. FLDigi can also open and replay wav recordings.

You can find wav traces for the videos at the top of this page here in the sub-folder gqrx/videos-wav.

You can find an IQ traces for the same examples as in the videos at the top of this page here in the sub-folder gqrx/videos-iq.

Some more details for GNSS

We provide helper scripts and configurations in the gnss/ folder.

For example, for GLONASS follow these steps.

  1. Glonass with pre-recorded traces
    1. Download a GLONASS trace from here. For example, glonass-innosd6000-2MSaps-800MHz-glonass-example.complex
    2. Run the reception script: ./receive.sh glonass-innosd6000-2MSaps-800MHz-glonass-example.complex
  2. Record new traces
    1. Connect a suitable phone (e.g., Innos D6000, see paper) and make sure adb works.
    2. Enter in the glonass folder cd gnss/glonass/glonass-normal/
    3. Run the script that generates an example of glonass signal, conversts it to rfpwm, and pushes it on the phone ./generate-example.sh
    4. Connect a USRP B210 radio to your laptop and run the rx.grc flowgraph. Adjust the parameters (e.g., harmonic you want to look at) in necessary.
    5. Run offline-noise-sdr on the phone giving the rfpwm file generated at step 3 as input.
    6. After a while, stop the flowgraph, which has generated the /tmp/glonass_rec IQ file.
    7. Run the reception script ./receive.sh /tmp/glonass_rec

Similar steps apply to the examples in glonass-slow-10and gps.

Some more details for LoRa

To receive LoRa packets we provide a modified version of gr-lora_sdr available at git@github.com:giocamurati/gr-lora_sdr-noise-sdr.git (automatically installed in the vagrant VM).

Compared to the original version, we provide:

  1. Two flowgraphs apps/lora_rx.grc and apps/lora_rx_simple.grc to scan the spectrum for packets sent by fldigi-noise-sdr using different modes.
  2. An additional mode to receive LoRa-like packets without error correction, that we used in the paper as baseline.

Like for the original version, remember to run source apps/setpaths.sh before running Gnuradio and opening the flowgraphs.

Traces

You can find some pre-collected IQ traces here, and some pre-computed RF-PWM files for offline-noise-sdr here. Precompiled binaries are here.