>
curriculum/Control Systems
section 10 of 123 min read

10. Hardware-Security Implications

Control theory is foundational to several attack and defense scenarios.

  • Glitch injection as deliberate disturbance. Attackers force a regulator or clock generator out of its stable region using fast transient injection (voltage spike, EM pulse, optical pulse). The system enters an undefined regime, instructions misexecute, secret bits leak. A control engineer would describe this as a designed disturbance pushing a marginally stable system across the stability boundary.

  • Anti-windup as fault-injection defense. A controller with bad anti-windup can be tricked into runaway. An attacker injects a brief disturbance that saturates the actuator, then waits while the integrator winds up, then releases the disturbance: the actuator stays saturated for an unintendedly long time, allowing extraction of side-channel information or causing actuator damage. Robust anti-windup limits the attack's reach.

  • Side-channel attacks as observer construction. A power-analysis attacker is building a Luenberger-style observer for the secret bits in the chip. They observe outputs (power traces); they have a model of the plant (the chip's instruction-level power consumption); they want to estimate hidden states (the key). Defenses (constant-time crypto, masking, EM shielding) are all attempts to make the secret state unobservable to the attacker's external sensor.

  • GPS spoofing and tracking-loop attacks. The GPS receiver's tracking loop is a PLL-style control system locked to satellite signals. A spoofer transmits fake signals that gradually pull the lock; if the loop's bandwidth and dynamics are not carefully limited, the receiver follows the spoofer's signal off into a fake position. Defenses include multi-frequency receivers, antenna arrays, cross-checks with INS.

  • PLL attacks. An attacker who can modulate a chip's VDD or temperature can push its on-chip PLL out of lock, causing clock glitches that break the chip's normal operation. Robust PLLs have lock detectors and gracefully gear down or halt the chip on loss of lock.

  • Resonance and Rowhammer. Rowhammer is fundamentally an attack on coupling between memory cells. From a control perspective, you are exciting a resonance at exactly the frequency where the system has insufficient damping to suppress it. The attack works because the relevant "transfer function" from row activations to bit flips has unintended gain.

  • Hardware-implemented PID. Industrial controllers in IoT actuators (smart valves, motor controllers, building automation) often have PID loops in firmware. Exploiting the firmware (buffer overflow, weak authentication) lets an attacker set arbitrary PID gains, which can drive a real-world actuator unstable, with safety implications.

Every hardware-security student should be able to look at a closed-loop control system and ask: what input could an attacker inject that would push this loop unstable, or extract the controller's hidden state, or fool the sensors? That mindset comes from the math of this chapter.