Hiding Information in Flash Memory • Yinglei Wang, Wing-kei Yu, Sarah Q. Xu, Edwin Kan, and G. Edward Suh • Cornell University • Tuan Tran
Jan 05, 2016

Introduction
Steganography? Yes
Tyler and Dave are in prison. They are trying to communicate an escape plan, but unfortunately have one major problem: Warden Julie has access to ALL correspondence that passes between the two prisoners. Relying solely on encryption is out of the question since it would arouse Julie's suspicion and result in Dave and Tyler eating only bread and water for six weeks.

Presentation Outline
Overview
Flash Memory Background
Information Hiding Algorithm
Evaluation
Conclusion

Overview
The goal of the hiding technique is to make the detection, retrieval, and removal of hidden information sufficiently time-consuming for an attacker.

Overview
Flash Interface Requirements for the technique
Works with Flash and floating-gate non-volatile memory that can read, program, and erase specific memory locations.
Can be implemented as a software update.

Flash Memory Background
Floating Gate Transistors
The floating gate is an insulated conductor surrounded by oxide.
Information is stored as the presence or absence of trapped charge on the floating gate.

Flash Memory Background
Floating Gate Transistors
Flash cells without charge are read as 1.
Flash cells with charge are read as 0.
Single-Level Cells: one bit is stored per cell.
Multi-Level Cells: multiple bits are stored per cell.
on the floating-gate allow full current flow in the channel
on the floating-gate discourage the presence of current in the channel

Flash Memory Background
Flash Organization and Operation
Read: the transistor is turned on and the amount of current is detected.
Erase: pushes charge off the floating gate by applying a large negative voltage on the control gate.
Write: stores charge on the floating gate.
Page: the smallest unit in which data is read or written.
Block: the smallest unit for an erase operation.
Flash does not provide bit-level write or erase.

Flash Memory Background
Aging
The voltages involved place great stress on the device oxide, wearing out the device.
The bit is rendered non-operational, leaving it in a stuck-at state.
The program time required to flip a cell from 1 to 0 tends to decrease.

Flash Memory Background
Partial Programming
Program time: the time it takes to program a Flash cell.
Flash memory interface requires all bits in a page to be programmed together.
The program time only reveals how long programming the entire page takes.

Flash Memory Background
Partial Programming
Partial program: aborting a program operation before completion.
Partial programs accumulate charge on the floating gate and eventually result in the cell entering a stable programmed state.
The number of partial program operations to flip a bit from 1 to 0 represents the program time for the bit.

Information Hiding Algorithm
Overview
The program time is the time it takes for a bit to change from the erased state (1) to the programmed state (0).
We need to be able to intentionally change and control each bit's program time.
Stress some bits within a page more than others by controlling the values written to them.

Information Hiding Algorithm
Overview
The program times of individual bits vary significantly due to manufacturing variations.
Encode one bit of hidden information using many bits in Flash memory.
Use a key (hiding key) to select which Flash bits will be grouped together.

Information Hiding Algorithm
Hiding Algorithm:
Choose a set of pages/blocks.
Divide the bits into fixed-size groups.
The algorithm determines which value (0 or 1) needs to be written.

Information Hiding Algorithm
Hiding Algorithm:
Decide on an N to exert on Flash.
N is chosen to ensure good BER.
Each page is programmed N times to imprint the payload into Flash.
N: a set number of stresses.

Information Hiding Algorithm
Recovery Algorithm:
Use partial programming to measure the program time.
Choose M such that at the end of M partial programs, more than half of the bits are programmed.
If a bit does not flip, its program time is set to a constant.

Information Hiding Algorithm
Recovery Algorithm:
Compute the median program time.
If a bit's program time is above the median, set it to 1.
If a bit's program time is below the median, set it to 0.
X is chosen empirically.

Information Hiding Algorithm
Recovery Algorithm:
Divide bits into groups.
Compute the average program time for each group.
The payload bit is set to 1 if the average program time of the group is below Th, 0 otherwise.
Th: the average program times of the more-stressed and less-stressed groups
gap between the average program times of the more-stressed and less-stressed groups

Evaluation
Setup
Use a custom Flash test board.
Use multiple types of Flash memory chips.
Used the first 4,096 bits of 16,896-bit pages.

Evaluation
Robustness Bit Error Rate
Bit Error Rate (BER): metric for measuring robustness.
Hide a randomly generated message in Flash memory and compare the retrieved message with the original.
Select 5120 groups and 5000 PE cycles: BER = 0.0029
Select multiple pages and blocks across a Flash chip to form 5,120 groups, which represent 5,120 hidden bits, and stored bits using 5,000 program and erase (PE) cycles in the encoding process

Evaluation
Robustness
BER decreases as the hiding stress increases.
More stress increases the program time difference between bits hiding 1s and 0s.
Figure: the blue line shows the average BER using a single Micron 4Gbit chip; the red triangles show the average BER and the error bars show the maximum and minimum BERs across the 15 chips.

Evaluation
Robustness
BER decreases with an increasing group size.
The capacity decreases as more physical bits are included.
The statistical variations among groups will decrease as the group size increases.
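
The hiding and recovery steps and the group-size result above, as an added simulation that is not from the slides or the authors' code. The Gaussian per-bit program times, the stress shift, Th = 0.5, M = 35 and the keyed shuffle standing in for hiding-key group selection are all assumptions made for illustration.

```python
import random
import statistics

def groups_for(key, n_bits, group_size):
    """Hiding key -> secret partition of physical bit indices into groups."""
    idx = list(range(n_bits))
    random.Random(key).shuffle(idx)  # assumed stand-in for keyed selection; not cryptographic
    return [idx[i:i + group_size] for i in range(0, n_bits, group_size)]

def make_chip(n_bits, seed):
    """Constructed model: per-bit program time in partial-program steps,
    spread by manufacturing variation (mean 30, sd 5 are assumed values)."""
    rng = random.Random(seed)
    return [rng.gauss(30.0, 5.0) for _ in range(n_bits)]

def hide(chip, payload, key, group_size, shift):
    """Stress every physical bit in the groups that encode a payload 1."""
    worn = list(chip)
    for bit, group in zip(payload, groups_for(key, len(chip), group_size)):
        if bit:
            for i in group:
                worn[i] -= shift  # more stress -> shorter program time
    return worn

def recover(chip, key, group_size, m_cap=35, th=0.5):
    """Measure, quantise against the median, then average per keyed group."""
    times = [min(t, m_cap) for t in chip]  # bits not flipped after M steps get the constant M
    med = statistics.median(times)
    q = [1 if t > med else 0 for t in times]
    return [1 if sum(q[i] for i in g) / len(g) < th else 0
            for g in groups_for(key, len(chip), group_size)]

def ber(group_size, key="hiding-key", read_key=None, n_payload=512, shift=3.0):
    """Bit error rate of one hide/recover round on a constructed random payload."""
    rng = random.Random(1234)
    payload = [rng.randrange(2) for _ in range(n_payload)]
    chip = make_chip(n_payload * group_size, seed=99)
    worn = hide(chip, payload, key, group_size, shift)
    got = recover(worn, read_key or key, group_size)
    return sum(a != b for a, b in zip(payload, got)) / n_payload

if __name__ == "__main__":
    for g in (8, 32, 128):
        print(g, ber(g), ber(g, read_key="wrong-key"))
```

In this model the BER falls as the group size grows, while recovery with a different key stays near 0.5, which is the behaviour the slides attribute to grouping and to the hiding key.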

Evaluation
Robustness
Neighboring pages have a strong influence on each other.
Use a subset of pages with a specific interval K.
There is not much benefit to using a group size beyond 128 and a page interval beyond 4.
If K is 4, then only page 0, page 4, page 8, and so on are used to hide information while the rest are not used.

Evaluation
Effectiveness
Aim to simulate the normal usage of the Flash chip.
In each program operation for the initial stress, random data are programmed.
As the initial stress level increases, the BER also increases.
The BER at the initial stress level of 10 PE cycles shows the error rate when bits are hidden after 10 PE cycles of programming random data.

Evaluation
Performance
For hiding: throughput: 16.6 bits/second. Higher with a smaller number of PE cycles or group.
For reading: throughput: 564 bits/second. Higher if the hiding scheme uses a smaller number of Flash bits to encode each hidden bit.

Evaluation
Detectability
Information hiding scheme uses per-bit program time.
The hiding operation does not change normal Flash functions.
An attacker needs to rely on checking the analog properties of the Flash memory.

Evaluation
Detectability
There is no visible pattern in per-page program time.
The program time of a page shows distinct values.
The program time values for each chip stay the same.

Evaluation
Retrieval without the Hiding Key
10% of Correct Group Members
Group size is a security parameter.

Evaluation
Erase Tolerance
Stress the chip after hiding info.
Program every bit of the page to 0.
BER is quite reasonable.

Evaluation
Different Flash Models
Tested several different Flash memory models.
Chips from the same manufacturer perform similarly.
In MLC chips:
Bits split into a fast group and a slow group.
Only the faster-programming bits work for info hiding.

Conclusion
Demonstrate a technique to hide information using the program time of individual bits in Flash memory.
Using groups of bits to store one bit of payload allows the technique to effectively hide information robustly with low bit error rates.
Without the key, measuring analog characteristics of the Flash chip cannot reveal whether the chip contains hidden information.

Q & A