![Page 1: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/1.jpg)
EECS 388: Embedded Systems
11. Safety and Security
Heechul Yun
1
Agenda
• Safety and security challenges
• Safety and fault tolerance
• Security basics
Safety
• Many CPS are safety-critical systems
– Can harm people or things
Remote Attack on Jeep (2015)
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• Able to remotely (via cellular network) control steering, brake, and other critical functions via the car’s infotainment system
[Figure: remote automotive attack surfaces, from C. Miller and C. Valasek, “A Survey of Remote Automotive Attack Surfaces”]
Remote Attack Surfaces
“…As cars move into the future, they are being more connected with features normally found in desktop computers like apps and even web browsers. The 2014 Jeep Cherokee even has a Wi-Fi hotspot with open ports (when not using encryption)…”
C. Miller and C. Valasek, “A Survey of Remote Automotive Attack Surfaces”
Ukraine Power Grid Attack (2016)
• Attack on the SCADA control network of a power grid in Ukraine, causing a blackout for 80K users.
https://www.antiy.net/p/comprehensive-analysis-report-on-ukraine-power-system-attacks/
Pacemaker Hack (2017, 2018)
https://www.wired.com/story/pacemaker-hack-malware-black-hat/
https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
Internet of Things (IoT)
• IoT ~= Internet connected embedded systems
• “Internet is evil and wants to kill you”
Mirai Bot DDoS Attack (2016)
https://www.nytimes.com/2016/10/22/business/internet-problems-attack.html
The Mirai IoT Botnet
https://www.corero.com/resources/ddos-attack-types/mirai-botnet-ddos-attack
IoT WiFi Attacks (2019)
https://hackaday.com/2019/09/05/esp8266-and-esp32-wifi-hacked/
“… These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash-DOS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks, but we’d really like to see Espressif patch up this hole anyway.”
https://techcrunch.com/2019/11/07/amazon-ring-doorbells-wifi-hackers/
Challenges
• Predictability
• Complexity
• Reliability
• Security
Real-Time Predictability
Michael G. Bechtel and Heechul Yun. “Denial-of-Service Attacks on Shared Cache in Multicore: Analysis and Prevention.” In RTAS, 2019 (Outstanding Paper Award)
[Figure: four cores (Core1–Core4) sharing the LLC; one victim core and three attacker cores]
• Observed worst-case: >300X (times) slowdown
– On simple in-order multicores (Raspberry Pi3, Odroid C2)
Difficult to guarantee predictable timing
Complexity
• Software complexity increases
More bugs, unintended side-effects
Reliability
• Transient hardware faults (soft errors)
– Due to environmental factors (e.g., alpha particles, cosmic radiation)
– Manifest as software failures
– A bigger problem in advanced CPUs
• Increased density → higher soft error rate (SER) per chip
[Figure: Ibe et al., “Scaling Effects on Neutron-Induced Soft Error in SRAMs Down to 22nm Process” (Hitachi)]
http://www.cotsjournalonline.com/articles/view/102279
Hardware can fail
Security
• Insecure software in CPS → safety hazards
• Stuxnet: first reported cyber warfare, targeted at Iranian nuclear plants (destroying centrifuges)
• Vermont power grid hack by Russia
• Remote hack into cars (Jeep)
• Police drone hacking
CPS software can be attacked
How to Improve Safety of CPS?
• Correct by design
– Model based design, verification and validation
• Deal with failures
– Run-time monitoring
– Redundancy
Redundancy
• Triple Modular Redundancy (TMR)
[Figure: Module #1, Module #2 and Module #3 feed a Voting block, whose output is the majority outcome]
Automotive Industry Approaches
• Hardware redundancy is needed
– A well-known solution: 2oo3 (2 out of 3 with voting, a.k.a. TMR)
• But the automotive industry is cost sensitive
– 2oo3 is too expensive (3 redundant ECUs)
• Alternative approach
– 1oo2D: dual redundancy with diagnostics
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D Approach
• Runtime diagnostics system detects node failures
• Continue to operate while disabling the failed node
• What to do after one node failed?
[Figure: input data goes to ECU #1 and ECU #2; each ECU has its own Diagnostics block whose enable signal gates that ECU's contribution to the output data]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
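A voter for the 2oo3 (TMR) scheme and a selector for the 1oo2D scheme described above, as an added C example that is not from the lecture or from Leibinger's paper. The function names, the bitmask that reports which module misbehaved, and the fail-safe decision for two healthy-looking but disagreeing ECUs are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one voting/selection round. */
typedef struct {
    int32_t value;   /* value forwarded to the actuator (if valid)              */
    bool    valid;   /* false: nothing trustworthy, caller applies a fail-safe  */
    int     faulty;  /* bitmask: bit i set = module/ECU #(i+1) disagreed or
                        failed its own diagnostics                              */
} vote_result;

/* 2oo3 / TMR: three identical modules, majority wins.  A single faulty
 * module is masked (the output stays correct) and reported so it can be
 * repaired.  If all three disagree there is no majority to forward. */
vote_result tmr_vote(int32_t m1, int32_t m2, int32_t m3)
{
    vote_result r = { 0, false, 0 };
    if (m1 == m2 || m1 == m3) {
        r.value = m1;
        r.valid = true;
        if (m1 != m2) r.faulty = 1 << 1;   /* module #2 is the odd one out */
        if (m1 != m3) r.faulty = 1 << 2;   /* module #3 is the odd one out */
    } else if (m2 == m3) {
        r.value = m2;
        r.valid = true;
        r.faulty = 1 << 0;                 /* module #1 is the odd one out */
    } else {
        r.faulty = 0x7;                    /* all three disagree: no majority */
    }
    return r;
}

/* One ECU of a 1oo2D pair: its output plus the "enable" verdict of its own
 * diagnostics (watchdog, self-test, plausibility checks). */
typedef struct {
    int32_t output;
    bool    diag_ok;
} ecu_t;

/* 1oo2D: two ECUs, each with diagnostics.  A node whose diagnostics fail is
 * disabled and the other continues alone ("continue to operate while
 * disabling the failed node").  Unlike TMR there is no third vote, so a
 * fault the diagnostics did not catch cannot be masked; this illustration
 * treats two healthy-looking but disagreeing ECUs as an undetected fault
 * and refuses to pick a winner (assumed design choice). */
vote_result oo2d_select(ecu_t a, ecu_t b)
{
    vote_result r = { 0, false, 0 };
    if (!a.diag_ok) r.faulty |= 1 << 0;
    if (!b.diag_ok) r.faulty |= 1 << 1;

    if (a.diag_ok && b.diag_ok) {
        r.value = a.output;                  /* primary drives while both are healthy */
        r.valid = (a.output == b.output);
        if (!r.valid) r.faulty = 0x3;        /* disagreement: one of them is wrong */
    } else if (a.diag_ok) {
        r.value = a.output; r.valid = true;  /* ECU #2 disabled, #1 continues */
    } else if (b.diag_ok) {
        r.value = b.output; r.valid = true;  /* ECU #1 disabled, #2 continues */
    }
    return r;                                /* both failed: caller goes fail-safe */
}

int main(void)
{
    vote_result t = tmr_vote(100, 100, 73);          /* module #3 corrupted */
    printf("TMR:   value=%d valid=%d faulty=0x%x\n", t.value, t.valid, t.faulty);

    ecu_t e1 = { 100, false }, e2 = { 100, true };   /* ECU #1 failed its self-test */
    vote_result s = oo2d_select(e1, e2);
    printf("1oo2D: value=%d valid=%d faulty=0x%x\n", s.value, s.valid, s.faulty);
    return 0;
}
```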
1oo2D with Reconfiguration
[Figure: normal operation. ECU #1 and ECU #2 each run Diagnostics plus Func1, Func2 and Func3; ECU #3 runs Func4, Func5, Func6 and Func7]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D with Reconfiguration
[Figure: 1 node failed. Same layout as above (ECU #1 and ECU #2 with Diagnostics and Func1–Func3, ECU #3 with Func4–Func7), with one of the two redundant ECUs marked as failed]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D with Reconfiguration
• ECU #3 is not necessarily identical to ECU #1 and #2
• Some (non-critical) functions in ECU #3 may be disabled
[Figure: critical functions are migrated to a different node. After the failure, Func1 and Func2 are migrated to ECU #3 alongside Func4 and Func5, where non-critical functions (Func6, Func7) may be disabled to make room; the surviving ECU keeps Diagnostics and Func1–Func3]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
Tesla FSD Chip
• Dual redundant architecture (1oo2D)
https://www.youtube.com/watch?time_continue=4988&v=Ucp0TTmvqOE
Simplex Architecture
• Protect an untrusted complex controller with a trusted backup controller
– General architectural principle (*)
– Called Run-Time Assurance (RTA) in the Air Force (**)
[Figure: Safety Controller and Performance Controller both feed the Decision Logic, which drives the Plant (UAV)]
(*) L. Sha, Using Simplicity to Control Complexity, IEEE Software, 2001
(**) M. Clark et al., A study on run time assurance for complex cyber physical systems, Air Force Research Lab, 2013
UAV Simplex Architecture
• Idea: use two hardware/software platforms with distinct performance and reliability characteristics to realize Simplex
[Figure: the High Performance (HP) platform (Tegra TK1; rich OS (Linux), middleware (ROS)) hosts the performance controller fed by radar and camera; the High Assurance (HA) platform (Arduino) hosts the safety controller and the decision logic, fed by GPS/IMU, and drives the UAV plant]
Prasanth Vivekanandan, Gonzalo Garcia, Heechul Yun, Shawn Keshmiri. A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles. IEEE RTCSA, IEEE, 2016. (Best Student Paper Nominee)
Two Platforms
• High Assurance (HA) Platform
– Simple hardware and software for verification and reliability
– Hardware: low frequency and density to reduce SEUs
– Software: certifiable, simple, low SLOC
• High Performance (HP) Platform
– Complex hardware and software for performance
– Hardware: performance-oriented multicore, multi-GHz, GPU
– Software: productivity-oriented software framework, millions of SLOC
Performance Controller
• HW: Nvidia Tegra TK1, 4 x Cortex-A15 @ 2.3GHz, 192-core GPU
• SW: Linux (Ubuntu), Robot Operating System (ROS)
[Figure: ROS node/topic architecture]
Safety Controller
• HW: Arduino Due, a single ARM Cortex-M3 @ 80MHz
• SW: Matlab Simulink coder + Arduino sketch, no OS
[Figure: Safety controller (Simulink model)]
Decision Logic
• Assumption
– HA (safety controller, decision logic) is trusted
– HP is not trusted
• Fault detection and recovery
– Detect crash, connection failure, timing violation, invalid outputs (e.g., NaN)
– Recovery: reboot the HP platform
– Limitation: currently don’t know “unsafe” states
[Figure: detectable faults]
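The fault detection and recovery logic described above, as an added C example that is not the code from the lecture or from the RTCSA paper: the decision logic on the HA side watches the HP controller's command stream, classifies connection failure, crash (heartbeat stopped), timing violation and invalid output (NaN/inf, out of range), switches the actuators to the safety controller and requests an HP reboot. The message layout, the timing limits, the plausible command range, the `decision_tick` interface and the hand-back rule after a reboot are assumptions made for this illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits assumed for this illustration (not the paper's values). */
#define HP_DEADLINE_MS        50   /* command older than this: timing violation   */
#define CRASH_TIMEOUT_MS     200   /* this much silence after contact: HP crashed */
#define CONNECT_TIMEOUT_MS  1000   /* never heard from HP by now: connect failure */
#define MAX_ROLL_DEG       30.0f   /* plausible range of the roll command         */
#define GOOD_BEFORE_RETURN    10   /* valid commands required before handing back */

typedef enum { SRC_PERFORMANCE, SRC_SAFETY } cmd_source;
typedef enum { FAULT_NONE, FAULT_CONNECT, FAULT_CRASH,
               FAULT_TIMING, FAULT_INVALID } fault_kind;

/* Command message from the HP platform (assumed layout). */
typedef struct { uint32_t seq; uint32_t ts_ms; float roll_cmd; } hp_msg;

typedef struct {
    bool       hp_ever_seen;
    bool       hp_in_command;   /* true while the performance controller drives */
    uint32_t   last_rx_ms;      /* arrival time of the last HP command          */
    uint32_t   good_streak;     /* consecutive valid HP commands since a fault  */
    uint32_t   reboot_requests; /* recovery action: reboots of the HP platform  */
    fault_kind last_fault;
} decision_state;

decision_state decision_init(void)
{
    /* The safety controller drives until HP has proven itself. */
    decision_state s = { false, false, 0, 0, 0, FAULT_NONE };
    return s;
}

/* Plausibility check of one HP command: NaN/inf or out-of-range values are
 * "invalid outputs"; a stale (or future) timestamp is a timing violation. */
static fault_kind check_msg(const hp_msg *m, uint32_t now_ms)
{
    if (isnan(m->roll_cmd) || isinf(m->roll_cmd) ||
        m->roll_cmd > MAX_ROLL_DEG || m->roll_cmd < -MAX_ROLL_DEG)
        return FAULT_INVALID;
    if (now_ms - m->ts_ms > HP_DEADLINE_MS)   /* unsigned: a future ts is rejected too */
        return FAULT_TIMING;
    return FAULT_NONE;
}

/* One HA control period.  m is the HP command received in this period, or
 * NULL if none arrived.  Returns whose output the actuators should use. */
cmd_source decision_tick(decision_state *s, uint32_t now_ms, const hp_msg *m)
{
    fault_kind f = FAULT_NONE;

    if (m != NULL) {
        f = check_msg(m, now_ms);
        s->hp_ever_seen = true;
        s->last_rx_ms = now_ms;
    } else if (!s->hp_ever_seen) {
        if (now_ms >= CONNECT_TIMEOUT_MS) f = FAULT_CONNECT;
    } else if (now_ms - s->last_rx_ms > CRASH_TIMEOUT_MS) {
        f = FAULT_CRASH;     /* heartbeat stopped: HP process or OS is gone */
    } else if (now_ms - s->last_rx_ms > HP_DEADLINE_MS) {
        f = FAULT_TIMING;    /* late, but not yet declared dead */
    }

    if (f != FAULT_NONE) {
        if (s->last_fault == FAULT_NONE) s->reboot_requests++;  /* new fault episode */
        s->last_fault = f;
        s->good_streak = 0;
        s->hp_in_command = false;          /* safety controller takes over */
    } else if (m != NULL && !s->hp_in_command) {
        /* HP (rebooted) is sending sane commands again: hand back only after
         * a run of valid commands, not on the first good one. */
        if (++s->good_streak >= GOOD_BEFORE_RETURN) {
            s->hp_in_command = true;
            s->last_fault = FAULT_NONE;
        }
    }
    return s->hp_in_command ? SRC_PERFORMANCE : SRC_SAFETY;
}

int main(void)
{
    decision_state s = decision_init();
    hp_msg good = { 1, 995, 2.5f }, nan_cmd = { 2, 1015, NAN };   /* constructed */
    printf("t=1000 good -> source %d\n", decision_tick(&s, 1000, &good));
    printf("t=1020 NaN  -> source %d (fault %d, reboot requests %u)\n",
           decision_tick(&s, 1020, &nan_cmd), s.last_fault, s.reboot_requests);
    return 0;
}
```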
Execution Flow
[Figure: execution flow between the HA platform (Arduino) and the HP platform (Tegra TK1)]
Prototype Avionics #1
• HA: Arduino based custom DAQ
– Basic sensors: IMU, GPS
• HP: Nvidia Tegra TK1
– 4 x ARM cores + 192 GPU cores
Prototype Avionics #2
Avionics: Pixhawk (HA) + Odroid XU4 (HP)
Airplane: Skyhunter
[Figure: flight test in 12-15 knots wind and 18 knots gust]
Your Project
[Figure: Self-Driving Car. A Raspberry Pi 4 (Linux) with a camera runs the intelligent controller (vision-based steering using a DNN); a HiFive1 rev B microcontroller with a lidar runs the safety controller (basic control + emergency braking)]
Limitations of Simplex
• Assumes HA is trusted
– Both software and hardware of HA must be trusted
– HA is a single point of failure
• Doesn’t deal with physical system faults
– Faults on sensors, actuators
– Damaged fuselage, wings, ...
• Doesn’t deal with security issues
– What if an attacker re-programs the HA controller?
Agenda
• Security attributes
• Threat model
• Encryption
• Digital signature and hashing
• SSL/TLS
Security
• What are the attributes of security?
Security Attributes
• Confidentiality
– Can secret data be leaked?
• Integrity
– Can the system be modified?
• Availability
– Can the system function when needed?
• Authenticity
– Am I interacting with the right person/thing?
System Security
• A system is secure if it is used and accessed as intended under all circumstances
– Unachievable
• A system's security can be determined only in the context of a clear threat model
Threat Model
• Attacker’s capabilities
– What we assume the attacker can do
• Examples
– Has physical access to the system
– Has remote (network) access to the system
– Can reprogram the software
– Can eavesdrop on the communication
– …
Example: Pacemaker Security Analysis
Halperin et al. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” IEEE S&P, 2008. https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf
Example: Pacemaker Security Analysis
• Threat model: 3 classes of attackers
– Attacker possessing an ICD programmer.
– Attacker who simply eavesdrops on communications between an ICD and the programmer, using commodity software-defined radio.
– Attacker who eavesdrops as well as generates arbitrary RF traffic to the ICD, possibly spoofing an ICD programmer.
• Demonstrated successful attacks on all cases
Basic Cryptography
• Symmetric (shared key) crypto
– XOR encryption (one-time pad)
– DES (56-bit key)
– AES (up to 256-bit key)
• Asymmetric (public-key) crypto
– RSA
• Digital signature and secure hashing
– SHA-256
XOR
| A (input) | B (input) | A XOR B (output) |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
XOR Encryption
Slide source: Edward A. Lee and Prabal Dutta (UCB)
Example
• Encryption

```text
    01010111 01101001 01101011 01101001   M: message (“Wiki”)
XOR 11110011 11110011 11110011 11110011   K: repeated key (11110011)
    -----------------------------------
=   10100100 10011010 10011000 10011010   C: encrypted message
```

• Decryption

```text
    10100100 10011010 10011000 10011010   C: encrypted message
XOR 11110011 11110011 11110011 11110011   K: repeated key
    -----------------------------------
=   01010111 01101001 01101011 01101001   M: message (“Wiki”)
```
https://en.wikipedia.org/wiki/XOR_cipher
XOR Encryption
How?
Slide source: Edward A. Lee and Prabal Dutta (UCB)
Example
• Recovering the key from M and C

```text
    01010111 01101001 01101011 01101001   M: message (“Wiki”)
XOR 10100100 10011010 10011000 10011010   C: encrypted message
    -----------------------------------
=   11110011 11110011 11110011 11110011   K: repeated key (11110011)
```

• Pros and Cons of XOR Encryption
– Inexpensive
– Insecure when the key is used repeatedly and/or part of the message is known
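The encryption, decryption and key-recovery steps worked above, as an added C example that is not from the lecture: it reproduces the “Wiki” / 11110011 case byte for byte, recovers the key from a known plaintext as the slide does, and goes one step further to show why a reused key is insecure even without known plaintext (the XOR of two ciphertexts under the same key equals the XOR of the two messages, so the key drops out). The function names and the second pair of sample messages are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XOR each byte of in[] with the key, repeating the key as needed.  Because
 * (M ^ K) ^ K == M, the same function encrypts and decrypts. */
void xor_crypt(const uint8_t *in, uint8_t *out, size_t len,
               const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key[i % keylen];
}

/* Known-plaintext recovery from the slide: K[i] = M[i] ^ C[i].  Returns how
 * many key bytes were determined, min(len, keylen). */
size_t xor_recover_key(const uint8_t *m, const uint8_t *c, size_t len,
                       uint8_t *key, size_t keylen)
{
    size_t n = len < keylen ? len : keylen;
    for (size_t i = 0; i < n; i++)
        key[i] = m[i] ^ c[i];
    return n;
}

/* The slide's case: "Wiki" under the one-byte key 11110011 (0xF3).
 * Returns ciphertext byte i; the slide's values are A4 9A 98 9A. */
uint8_t wiki_cipher_byte(size_t i)
{
    static const uint8_t key = 0xF3;
    uint8_t c[4];
    xor_crypt((const uint8_t *)"Wiki", c, 4, &key, 1);
    return c[i % 4];
}

/* Round trip: encrypt "Wiki", decrypt with the same key, compare. */
int wiki_round_trip_ok(void)
{
    static const uint8_t key = 0xF3;
    uint8_t c[4], m[4];
    xor_crypt((const uint8_t *)"Wiki", c, 4, &key, 1);
    xor_crypt(c, m, 4, &key, 1);
    return memcmp(m, "Wiki", 4) == 0;
}

/* Recover the key byte from M and C exactly as on the slide. */
uint8_t wiki_recovered_key(void)
{
    static const uint8_t key = 0xF3;
    uint8_t c[4], k = 0;
    xor_crypt((const uint8_t *)"Wiki", c, 4, &key, 1);
    xor_recover_key((const uint8_t *)"Wiki", c, 4, &k, 1);
    return k;
}

/* Key reuse without any known plaintext: for two messages under the same
 * repeated key, C1 ^ C2 == M1 ^ M2 at every position.  The key cancels out
 * and an observer is left with message-against-message structure, which
 * is why the slide calls repeated use of the key insecure.  Returns 1 if
 * the identity holds for the constructed sample messages (it always does;
 * the function exists to make the algebra observable). */
int key_reuse_cancels_key(void)
{
    static const uint8_t key[3] = { 0x13, 0x37, 0xF3 };      /* constructed key */
    const uint8_t *m1 = (const uint8_t *)"Safety";          /* constructed */
    const uint8_t *m2 = (const uint8_t *)"Secure";          /* constructed */
    uint8_t c1[6], c2[6];
    xor_crypt(m1, c1, 6, key, 3);
    xor_crypt(m2, c2, 6, key, 3);
    for (size_t i = 0; i < 6; i++)
        if ((c1[i] ^ c2[i]) != (m1[i] ^ m2[i]))
            return 0;
    return 1;
}

/* Print bytes as 8-bit binary groups, in the slide's layout. */
static void print_bits(const char *label, const uint8_t *b, size_t len)
{
    printf("%-3s ", label);
    for (size_t i = 0; i < len; i++) {
        for (int bit = 7; bit >= 0; bit--) putchar(((b[i] >> bit) & 1) ? '1' : '0');
        putchar(' ');
    }
    putchar('\n');
}

int main(void)
{
    static const uint8_t key = 0xF3;
    uint8_t c[4], k[4];
    xor_crypt((const uint8_t *)"Wiki", c, 4, &key, 1);
    xor_recover_key((const uint8_t *)"Wiki", c, 4, k, 4);   /* one key byte per position */
    print_bits("M", (const uint8_t *)"Wiki", 4);
    print_bits("C", c, 4);
    print_bits("K", k, 4);                                  /* 11110011 four times */
    return 0;
}
```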
Symmetric (Shared Key) Cryptography
• Block ciphers use more elaborate algorithms so that key size and message size don’t need to be the same.
• Data Encryption Standard (DES) – mid 1970s.
• Advanced Encryption Standard (AES) – 2001
– Based on a cryptographic scheme called Rijndael, proposed by Joan Daemen and Vincent Rijmen, two researchers from Belgium. AES uses a message block length of 128 bits and three different key lengths of 128, 192, and 256 bits.
Asymmetric (Public Key) Cryptography
• Each participant has two keys, a public and a private one.
• A message is encrypted with the public key.
• The message can only be decrypted with the private key.
• Public and private keys match via clever algorithms.
• Relies on a one-way function, easy to compute, hard to reverse without knowing a (private) key.
Widely Used Asymmetric Cryptography: SSL/TLS
• Secure Sockets Layer / Transport Layer Security
– Widely used for web servers on the Internet
– Provides:
• Authentication
• Confidentiality and integrity of communication
HTTPS = HTTP over SSL/TLS
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
[Figure: the browser (client) sends ID/password, account balance and wire-transfer requests to your bank (server) across the Internet while an eavesdropper listens. Message encryption protects the exchange, using a shared secret: a cryptographic key for encryption]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
• Public key cryptography (e.g., RSA)
[Figure: the browser (client) encrypts the secret to be shared with the bank's public key; your bank (server) decrypts it with the bank's private key]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
• However, even with public key cryptography…
[Figure: Malory, the "man in the middle", spoofs the network address to redirect the client to a fake website (e.g., DNS cache poisoning: www.bankofamerica.com => Malory's IP address). The browser encrypts with Malory's public key, believing it to be the bank's; Malory decrypts with Malory's private key, re-encrypts with the bank's public key and forwards to your bank (server), which decrypts with the bank's private key]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Signing a Message
• Each participant has two keys, a public and a private one.
• A message is encrypted with the private key and both the message and its encryption are sent.
• The encrypted part can be decrypted with the public key. If it matches the plaintext message, the signature is valid.
Intro to SSL/TLS Based on Certificates
A (digital) certificate (proof of a public key's authenticity) contains:
• www.bankofamerica.com
• Bank's public key
• Additional information: validity period, etc.
• Name of certificate authority (CA)
• Digital signature: signed (encrypted)* with the issuer (CA)'s private key; can only be decrypted (verified) with the issuer (CA)'s matching public key!
* Actually the hash of the data is encrypted (signed), and the result of decryption is also a hash
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
Browser (client) <-> Your bank (server)
1. CA issues a certificate for the bank.
2. The browser ships with the CA certificates embedded in it.
3. The browser connects to www.bankofamerica.com.
4. The bank presents its certificate issued by the CA.
5. The browser verifies the bank's certificate with the CA's certificate (public key).
6. Malory's (invalid) certificate insisting on ownership of the domain can't be verified: no trusted CA signed it.
Slide source: Hokeun Kim and E. A. Lee (UCB)
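The signing and certificate checks of slides 59 to 61, as an added example that is not part of the original slides: a toy RSA with small primes (assumed parameters, far too small to be secure; FNV-1a stands in for SHA-256), a CA issuing a certificate for the bank, and a client that verifies the certificate against the CA's public key and then the message against the certified key. It covers Malory's self-issued certificate for the bank's domain and a tampered message. The key sizes, the hash, the certificate format and the sample message are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy RSA with 13- to 17-bit primes so every product fits in uint64_t.
 * Insecure by construction; it only exists to show the sign/verify and CA steps. */
typedef struct { uint64_t n; uint64_t exp; } rsa_key;   /* exp = e (public) or d (private) */

/* Extended Euclid: returns a^-1 mod m, or -1 if a is not invertible. */
int64_t modinv(int64_t a, int64_t m) {
    int64_t t = 0, newt = 1, r = m, newr = a % m;
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return r == 1 ? (t < 0 ? t + m : t) : -1;
}

/* Derives a key pair from primes p, q and public exponent e. */
int rsa_keygen(uint64_t p, uint64_t q, uint64_t e, rsa_key *pub, rsa_key *priv) {
    int64_t d = modinv((int64_t)e, (int64_t)((p - 1) * (q - 1)));
    if (d < 0) return 0;
    pub->n = priv->n = p * q;
    pub->exp = e;
    priv->exp = (uint64_t)d;
    return 1;
}

uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t r = 1;
    for (base %= mod; exp; exp >>= 1) {
        if (exp & 1) r = (r * base) % mod;
        base = (base * base) % mod;
    }
    return r;
}

/* FNV-1a reduced into the RSA group; stands in for SHA-256. As slide 60 notes,
 * it is this hash of the data, not the data itself, that gets signed. */
uint64_t toy_hash(const uint8_t *data, size_t len, uint64_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    return h % n;
}

/* Sign = "encrypt" the hash with the private key. */
uint64_t rsa_sign(const rsa_key *priv, const uint8_t *d, size_t len) {
    return modpow(toy_hash(d, len, priv->n), priv->exp, priv->n);
}

/* Verify = "decrypt" the signature with the public key and compare hashes. */
int rsa_verify(const rsa_key *pub, const uint8_t *d, size_t len, uint64_t sig) {
    return modpow(sig, pub->exp, pub->n) == toy_hash(d, len, pub->n);
}

/* Minimal certificate: subject name + subject's public key, signed by the issuer. */
typedef struct { char subject[32]; rsa_key subject_pub; uint64_t issuer_sig; } cert;

size_t cert_tbs(const cert *c, uint8_t *buf) {        /* the bytes the signature covers */
    size_t len = strlen(c->subject);
    memcpy(buf, c->subject, len);
    memcpy(buf + len, &c->subject_pub, sizeof c->subject_pub);
    return len + sizeof c->subject_pub;
}

cert issue_cert(const rsa_key *issuer_priv, const char *subject, rsa_key subject_pub) {
    cert c; uint8_t buf[64]; size_t len;
    memset(&c, 0, sizeof c);
    strncpy(c.subject, subject, sizeof c.subject - 1);
    c.subject_pub = subject_pub;
    len = cert_tbs(&c, buf);
    c.issuer_sig = rsa_sign(issuer_priv, buf, len);
    return c;
}

/* The browser's job on slide 61: check the name, check the CA's signature on the
 * certificate, then check the server's signature with the key the certificate vouches for. */
int client_accepts(const rsa_key *trusted_ca, const cert *c, const char *host,
                   const uint8_t *msg, size_t len, uint64_t msg_sig) {
    uint8_t buf[64];
    size_t tbs_len = cert_tbs(c, buf);
    if (strcmp(c->subject, host) != 0) return 0;                        /* wrong name */
    if (!rsa_verify(trusted_ca, buf, tbs_len, c->issuer_sig)) return 0; /* not from a trusted CA */
    return rsa_verify(&c->subject_pub, msg, len, msg_sig);
}

/* Runs the three cases from the slides. Bit 0: genuine cert + genuine message,
 * bit 1: Malory's self-issued cert for the bank's name, bit 2: genuine cert but
 * tampered message. Expected result is 1: only the first case is accepted. */
int run_scenarios(void) {
    rsa_key ca_pub, ca_priv, bank_pub, bank_priv, mal_pub, mal_priv;
    const char *host = "www.bankofamerica.com";
    const uint8_t msg[] = "transfer=100";           /* constructed sample message */
    size_t mlen = sizeof msg - 1;
    uint8_t tampered[sizeof msg];
    cert bank_cert, mal_cert;
    uint64_t bank_sig, mal_sig;
    int r = 0;
    /* Assumed toy parameters (all primes; nothing like real key sizes). */
    if (!rsa_keygen(65521, 65537, 17, &ca_pub, &ca_priv)) return -1;
    if (!rsa_keygen(8191, 131071, 11, &bank_pub, &bank_priv)) return -1;
    if (!rsa_keygen(10007, 104729, 3, &mal_pub, &mal_priv)) return -1;
    bank_cert = issue_cert(&ca_priv, host, bank_pub);  /* CA vouches for the bank's key */
    mal_cert = issue_cert(&mal_priv, host, mal_pub);   /* Malory vouches for herself */
    bank_sig = rsa_sign(&bank_priv, msg, mlen);
    mal_sig = rsa_sign(&mal_priv, msg, mlen);
    memcpy(tampered, msg, sizeof msg);
    tampered[mlen - 1] = '9';                           /* "transfer=109" */
    r |= client_accepts(&ca_pub, &bank_cert, host, msg, mlen, bank_sig) << 0;
    r |= client_accepts(&ca_pub, &mal_cert, host, msg, mlen, mal_sig) << 1;
    r |= client_accepts(&ca_pub, &bank_cert, host, tampered, mlen, bank_sig) << 2;
    return r;
}

int main(void) {
    int r = run_scenarios();
    printf("genuine=%d malory=%d tampered=%d\n", r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return 0;
}
```

Malory's certificate fails at the second check: the name matches, but her signature does not verify under the CA's public key, which is exactly why DNS spoofing alone no longer gets her the session. Real TLS adds a validity period, chains of intermediate CAs, revocation and a key exchange; the three checks in client_accepts are the part the diagram shows.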
![Page 62: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/62.jpg)
Issues with Using SSL/TLS for IoT
• Overhead for resource-constrained devices
– Energy/computation overhead for public key crypto, communication bandwidth, memory, etc.
• Limited support for one-to-many communication
– Connections are 1-to-1 (server/client model)
Figure: a home with many networked devices (thermostat, sensors, HVAC, garage door, vehicle, fridge, microwave, washing machine, Roomba) plus a mobile phone with remote door control; each device would need its own certificate and its own 1-to-1 connection.
Slide source: Hokeun Kim and E. A. Lee (UCB)
![Page 63: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/63.jpg)
Issues with Using SSL/TLS for IoT
• Management overhead of certificates
– If you use commercial certificate authorities (CAs):
"Company Validation… First, we will verify that the company requesting a certificate is in good standing …"
"Domain Validation… can include emails or phone calls to the contact listed in a domain's whois record …"
– Alternative: free & automated CA (e.g., Let's Encrypt)
• Overhead for managing domains to get certificates
Quotes from www.digicert.com
Slide source: Hokeun Kim and E. A. Lee (UCB)
![Page 64: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/64.jpg)
Is Your Project Secure?
64
Figure: Self-Driving Car (the course project). Raspberry Pi 4 (Linux) runs the intelligent controller (vision-based steering using a DNN); the HiFive1 rev B microcontroller runs the safety controller (basic control + emergency braking); sensors are a Lidar and a camera.
Can’t be answered until you define the threat model.
![Page 65: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/65.jpg)
Threat Model(What Attacker Can Do)
• Have remote access to the same WiFi network?
• Have remote login capability to the Pi 4?
• Have physical access to the hardware?
65
![Page 66: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/66.jpg)
Design Your Defenses
• Have remote access to the same WiFi network?
• Have remote login capability to the Pi 4?
• Have physical access to the hardware?
66
![Page 67: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/67.jpg)
Example Defenses
• Have remote access to the same WiFi network? – Encrypt and authenticate all communications over WiFi (e.g., ssh)
• Have remote login capability to the Pi 4? – Don't give the login account sudo permission, keep the OS patched, …
• Have physical access to the hardware? – Secure boot, remote attestation, encrypt serial communication, …
67
![Page 68: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/68.jpg)
Agenda
• Software security
• Information flow
68
![Page 69: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/69.jpg)
Memory Safety Vulnerabilities
• Stack overflow
• Heap overflow
• Use after free
• Double free
• Null pointer dereference
• Use of uninitialized memory
• …
69
![Page 70: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/70.jpg)
Memory Safety Vulnerabilities
• Account for ~70% of the vulnerabilities (CVEs) Microsoft has patched each year over the past 12 years
70
Image source: Matt Miller, Microsoft
https://www.youtube.com/watch?v=PjbGojjnBZQ
![Page 71: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/71.jpg)
Stack/Buffer Overflow
• Overflow of a buffer on the stack or elsewhere in memory
• Root cause: failure to check bounds on inputs and arguments
71
![Page 72: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/72.jpg)
Stack Overflow
72
Not this
![Page 73: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/73.jpg)
Stack Overflow
73
![Page 74: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/74.jpg)
Stack Frame Layout
74
Figure: stack frame layout; the stack pointer marks the top of the stack (the lowest address on a downward-growing stack).
![Page 75: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/75.jpg)
Stack Overflow
75
Frame of a function with a 16-byte local buffer sensor_data, higher addresses at the top:

    return address
    saved frame pointer
    sensor_data[15]
    …
    sensor_data[1]
    sensor_data[0]

What would happen when more than 16 bytes are received?
![Page 76: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/76.jpg)
Buffer Overflow
76
What would happen when more than 16 bytes are received?
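The answer to the question on slides 75 and 76, as an added example that is not part of the original slides: the frame from the diagram is modelled as a struct (with assumed placeholder values for the saved frame pointer and return address), one receive routine copies whatever length the packet claims, and the other enforces the buffer bound. The attacker input is a constructed run of 'A' bytes; the model copies through a byte view of the whole frame so that the overflow is observable without undefined behaviour in the demo itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SENSOR_BUF 16

/* Model of the frame on slide 75, lowest address first: the 16-byte buffer,
 * then the saved frame pointer, then the return address. A real frame may
 * also hold padding, a stack canary and callee-saved registers; this is the
 * textbook picture laid out as a struct so the effect can be read back. */
typedef struct {
    uint8_t  sensor_data[SENSOR_BUF];
    uint64_t saved_fp;
    uint64_t return_addr;
} frame_model;

#define LEGIT_RETURN 0x0000000000401234ULL   /* assumed address of the caller, for the demo */
#define LEGIT_FP     0x00007ffd00000000ULL   /* assumed saved frame pointer, for the demo */

/* Vulnerable receive routine: trusts the length that came with the packet.
 * A real `memcpy(sensor_data, pkt, len)` does the same thing to the real stack. */
void recv_sensor_unchecked(frame_model *f, const uint8_t *pkt, size_t len) {
    memcpy((uint8_t *)f, pkt, len);          /* len > 16 spills into saved_fp, then return_addr */
}

/* Fixed routine: reject anything larger than the buffer (truncating is the other option). */
int recv_sensor_checked(frame_model *f, const uint8_t *pkt, size_t len) {
    if (len > SENSOR_BUF) return -1;
    memcpy(f->sensor_data, pkt, len);
    return 0;
}

/* Delivers pkt_len bytes of 'A' (constructed attacker input) to the chosen
 * routine and returns the return address left in the frame afterwards. */
uint64_t return_addr_after(int checked, size_t pkt_len) {
    frame_model f;
    uint8_t pkt[sizeof f];
    if (pkt_len > sizeof pkt) pkt_len = sizeof pkt;  /* the model is only 32 bytes deep */
    memset(pkt, 'A', sizeof pkt);
    memset(&f, 0, sizeof f);
    f.saved_fp = LEGIT_FP;
    f.return_addr = LEGIT_RETURN;
    if (checked) recv_sensor_checked(&f, pkt, pkt_len);
    else         recv_sensor_unchecked(&f, pkt, pkt_len);
    return f.return_addr;
}

int main(void) {
    printf("unchecked, 16 bytes: ret = 0x%016llx\n", (unsigned long long)return_addr_after(0, 16));
    printf("unchecked, 32 bytes: ret = 0x%016llx\n", (unsigned long long)return_addr_after(0, 32));
    printf("checked,   32 bytes: ret = 0x%016llx\n", (unsigned long long)return_addr_after(1, 32));
    return 0;
}
```

With 24 bytes only the saved frame pointer is clobbered; with 32 the return address becomes 0x4141414141414141, which is where the CPU would jump when the function returns. On real targets stack canaries, non-executable stacks and ASLR make exploitation harder, but the unchecked length is still the bug to fix, and on a bare-metal microcontroller like the HiFive1 none of those mitigations may be present.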
![Page 77: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/77.jpg)
Use after Free
• Freed but not cleared (dangling) pointers can be exploited
77

```c
#include <stdlib.h>
#include <stdio.h>

struct auth {
    char name[32];
    int priv;
};

int main() {
    struct auth *auth_ptr;
    char *service;

    auth_ptr = malloc(sizeof(struct auth));
    free(auth_ptr);               /* auth_ptr is now dangling: it still holds the old address */
    service = malloc(36);         /* same size as struct auth: the allocator hands back the same chunk */
    printf("[auth = %p, service = %p]\n", auth_ptr, service);
    free(service);
    return 0;
}
```

```
$ ./use_after_free
[auth = 0x716010, service = 0x716010]
```
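What the reuse on slide 77 lets an attacker do, as an added example that is not part of the original slides. A fixed-slot pool allocator (the kind of allocator firmware uses instead of malloc; the pool, its handle API and the payload are assumptions for this example) makes the reuse deterministic, so the stale auth pointer observably reads attacker-controlled service bytes as its priv field. The second routine shows one mitigation, generation-checked handles, which rejects the stale reference instead of dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 36          /* sizeof(struct auth) on slide 77 */
#define NUM_SLOTS 4

struct auth { char name[32]; int priv; };   /* same layout as the slide */

/* Fixed-slot pool. Allocation is first-free, so a freed slot is handed out
 * again on the very next request, just like the malloc/free pair on the slide. */
typedef union { uint64_t align; uint8_t bytes[SLOT_SIZE]; } slot_t;

typedef struct {
    slot_t   slots[NUM_SLOTS];
    uint16_t gen[NUM_SLOTS];     /* bumped on every free; a stale handle carries the old value */
    uint8_t  in_use[NUM_SLOTS];
} pool_t;

typedef struct { uint16_t slot; uint16_t gen; } handle_t;

void pool_init(pool_t *p) { memset(p, 0, sizeof *p); }

void *pool_alloc(pool_t *p) {
    for (int i = 0; i < NUM_SLOTS; i++)
        if (!p->in_use[i]) { p->in_use[i] = 1; return p->slots[i].bytes; }
    return NULL;
}

void pool_free(pool_t *p, void *ptr) {
    for (int i = 0; i < NUM_SLOTS; i++)
        if (ptr == (void *)p->slots[i].bytes) { p->in_use[i] = 0; p->gen[i]++; return; }
}

/* Handle API: callers keep (slot, generation) instead of a raw pointer and resolve
 * it on every use, so a dangling reference is rejected instead of dereferenced. */
handle_t pool_alloc_h(pool_t *p) {
    handle_t h = { 0xFFFF, 0 };
    uint8_t *ptr = pool_alloc(p);
    if (ptr) {
        h.slot = (uint16_t)((ptr - (uint8_t *)p->slots) / sizeof(slot_t));
        h.gen = p->gen[h.slot];
    }
    return h;
}

void *pool_deref(pool_t *p, handle_t h) {
    if (h.slot >= NUM_SLOTS || !p->in_use[h.slot] || p->gen[h.slot] != h.gen) return NULL;
    return p->slots[h.slot].bytes;
}

void pool_free_h(pool_t *p, handle_t h) {
    void *ptr = pool_deref(p, h);
    if (ptr) pool_free(p, ptr);
}

/* Constructed "service" payload: 32 filler bytes, then 4 bytes that land exactly
 * on auth->priv when both objects occupy the same slot. */
static void attacker_payload(uint8_t out[SLOT_SIZE]) {
    int32_t one = 1;
    memset(out, 'A', 32);
    memcpy(out + 32, &one, sizeof one);
}

/* Slide 77 with raw pointers: returns the priv value seen through the stale
 * auth pointer after its slot was reused for attacker-controlled service data. */
int stale_priv_raw(void) {
    pool_t p; uint8_t payload[SLOT_SIZE];
    pool_init(&p);
    struct auth *auth = pool_alloc(&p);
    memset(auth, 0, sizeof *auth);
    strcpy(auth->name, "guest");            /* priv == 0: unprivileged */
    pool_free(&p, auth);                    /* auth now dangles, but is still used below */
    uint8_t *service = pool_alloc(&p);      /* same slot handed out again */
    attacker_payload(payload);
    memcpy(service, payload, SLOT_SIZE);    /* e.g. bytes read from the network */
    return auth->priv;                      /* 1: the attacker is now "privileged" */
}

/* Same sequence with handles: -1 means the stale use was caught. */
int stale_priv_handle(void) {
    pool_t p; uint8_t payload[SLOT_SIZE];
    pool_init(&p);
    handle_t auth_h = pool_alloc_h(&p);
    struct auth *auth = pool_deref(&p, auth_h);
    memset(auth, 0, sizeof *auth);
    strcpy(auth->name, "guest");
    pool_free_h(&p, auth_h);
    handle_t service_h = pool_alloc_h(&p);  /* same slot, new generation */
    attacker_payload(payload);
    memcpy(pool_deref(&p, service_h), payload, SLOT_SIZE);
    auth = pool_deref(&p, auth_h);          /* generation mismatch: NULL */
    return auth ? auth->priv : -1;
}

int main(void) {
    printf("raw pointers: auth->priv = %d\n", stale_priv_raw());
    printf("handles:      result = %d (-1 = stale use rejected)\n", stale_priv_handle());
    return 0;
}
```

The cheapest mitigation is to clear the pointer at the free site (free(p); p = NULL;), which turns a later use into a null dereference instead of a silent privilege change; the handle scheme also catches the case where other copies of the pointer survive. With glibc's malloc the slide's program shows the same reuse, but there the allocator's metadata overwrites the first bytes of the freed chunk, so which fields an attacker controls depends on the allocator.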
![Page 78: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/78.jpg)
Linux Kernel: Buffer Overflow
78http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
![Page 79: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/79.jpg)
Linux Kernel: Use-after-free
79http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
![Page 80: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/80.jpg)
Linux Kernel: Use-after-free
80http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
![Page 81: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/81.jpg)
Linus Torvalds: "Nothing better than C"
81
https://www.youtube.com/watch?v=CYvJPra7Ebk
![Page 82: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/82.jpg)
Recall: C is popular but …
• Why popular?
– Fast, efficient, and portable
– Close to the machine (assembly-like control)
– Pointers, minimal type checking
• Problems
– Pointers, minimal type checking (the same features, seen from the other side)
– Requires manual management of dynamic memory
– Unsafe (memory leaks, undefined behavior, …)
– Difficult to write correct, safe, secure code
82
![Page 83: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/83.jpg)
“C is assembly, Rust is future”
83
Intel and Rust: the Future of Systems Programming: Josh Triplett
![Page 84: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/84.jpg)
Information Flow
• Many security properties concern the FLOW of information between different principals in a system.
– Confidentiality: preventing secret information from flowing to the attacker
– Integrity: preventing attacker-controlled information from flowing into (trusted parts of) the system
• Information flow security is the study of how such flows affect the security and privacy properties of a system.
84
![Page 85: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/85.jpg)
Example 1: Illegal Information Flow?
85
![Page 86: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/86.jpg)
Example 2: Illegal Information Flow?
86
![Page 87: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/87.jpg)
Example 3: Illegal Information Flow?
87
The fact that you failed to log in leaks some information about your password (one guess has been ruled out).
![Page 88: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/88.jpg)
Limiting Password Attempts
• To limit this information leakage, most of today's devices lock out (disable) the login after a few failed attempts.
88
![Page 89: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/89.jpg)
Invasive Attack
89
What if the attacker is capable of directly reading from the memory?
![Page 90: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/90.jpg)
Secure Storage and Hashing
90
Store only a hash of the password in secure storage and compare hashes at login, so the plaintext password is never kept in memory:

    patient_pwd_hash = read_from_secure_storage(…)
    (hash(input_pwd) == patient_pwd_hash)   // the login check compares hashes, never plaintext
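The lockout from slide 88 and the hashed credential check from slide 90, as one added example that is not part of the original slides: an enrolment record holding only a salt, a stretched hash and the attempt counter; a check that limits guesses and compares in constant time; and a scan of the record's bytes standing in for the invasive attacker of slide 89. The hash function, the password, the salt and the attempt limit are assumed placeholders for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTEMPTS   3
#define STRETCH_ROUNDS 10000   /* iteration count: slows offline guessing against a dumped hash */

/* What goes into secure storage: salt, hash and lockout state. No plaintext password. */
typedef struct {
    uint64_t salt;
    uint64_t hash;
    uint8_t  failed_attempts;
    uint8_t  locked;
} pwd_record;

/* Salted, iterated 64-bit FNV-1a. A placeholder for a real password hash
 * (Argon2, scrypt, PBKDF2): same shape, nowhere near the same strength. */
uint64_t pwd_hash(const char *pwd, uint64_t salt) {
    uint64_t h = 14695981039346656037ULL ^ salt;
    for (int round = 0; round < STRETCH_ROUNDS; round++)
        for (const char *c = pwd; *c; c++) { h ^= (uint8_t)*c; h *= 1099511628211ULL; }
    return h;
}

/* Equality without an early exit, so timing does not reveal how much matched
 * (a timing difference is itself an information flow to the attacker). */
int ct_equal_u64(uint64_t a, uint64_t b) {
    uint64_t diff = a ^ b;
    diff |= diff >> 32; diff |= diff >> 16; diff |= diff >> 8;
    diff |= diff >> 4;  diff |= diff >> 2;  diff |= diff >> 1;
    return (int)(1 - (diff & 1));
}

void pwd_enroll(pwd_record *r, const char *pwd, uint64_t salt) {
    memset(r, 0, sizeof *r);             /* also clears padding, so the record is fully defined */
    r->salt = salt;
    r->hash = pwd_hash(pwd, salt);
}

/* 1 = accepted, 0 = wrong password, -1 = locked out. The counter is what bounds
 * the "you failed to log in" flow from slide 87: at most MAX_ATTEMPTS guesses. */
int pwd_check(pwd_record *r, const char *input) {
    if (r->locked) return -1;
    if (ct_equal_u64(pwd_hash(input, r->salt), r->hash)) { r->failed_attempts = 0; return 1; }
    if (++r->failed_attempts >= MAX_ATTEMPTS) r->locked = 1;
    return 0;
}

/* Slide 89's invasive attacker: does a memory dump of the record contain the password? */
int record_contains(const pwd_record *r, const char *needle) {
    const uint8_t *bytes = (const uint8_t *)r;
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= sizeof *r; i++)
        if (memcmp(bytes + i, needle, n) == 0) return 1;
    return 0;
}

/* Slide 88 sequence: good login, MAX_ATTEMPTS bad ones, then the right password
 * again. Returns that final result: -1 because the device is now locked. */
int lockout_demo(void) {
    pwd_record r; int last = 0;
    pwd_enroll(&r, "insulin-42", 0x5a5a5a5aULL);       /* constructed secret and salt */
    if (pwd_check(&r, "insulin-42") != 1) return 99;   /* enrolment sanity check */
    for (int i = 0; i < MAX_ATTEMPTS; i++) last = pwd_check(&r, "guess");
    if (last != 0) return 98;
    return pwd_check(&r, "insulin-42");
}

/* 1 if the plaintext password is recoverable from the stored record, else 0. */
int plaintext_in_storage(void) {
    pwd_record r;
    pwd_enroll(&r, "insulin-42", 0x5a5a5a5aULL);
    return record_contains(&r, "insulin-42");
}

int main(void) {
    printf("final attempt after lockout: %d\n", lockout_demo());
    printf("password visible in storage: %d\n", plaintext_in_storage());
    return 0;
}
```

The attempt counter and lock flag only help if they live in the same tamper-resistant storage as the hash; an attacker who can rewrite RAM simply resets them. A dumped hash still allows offline guessing, which is why the hash is salted and stretched, and why a real device should use a memory-hard password hash rather than iterated FNV.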
![Page 91: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/91.jpg)
Invasive Attack
91
What if the attacker is capable of directly reading from the memory?
![Page 92: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/92.jpg)
Summary
• Security used to be an afterthought (if considered at all)
• In networked embedded systems (a.k.a. IoT), security is a first-class concern
• Embedded systems security is even harder than desktop/server security because of:
– Diversity (no standard OS, hardware, runtime, …)
– Resource constraints (performance, energy, memory space, …)
– The prevalent use of C (an unsafe language)
• Read chapter 17, take security courses…
92
![Page 93: EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11.security.pdf · Simplex Architecture ... A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles](https://reader031.vdocument.in/reader031/viewer/2022041014/5ec467a9bc24016ad7623440/html5/thumbnails/93.jpg)
Acknowledgements
• Security slides draw heavily on materials developed by
– Edward A. Lee and Prabal Dutta (UCB) for EECS149/249A
93