Design time and runtime collaborative defense to enhance embedded system security
Date
2016
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
University of Delaware
Abstract
While the ever-growing utilization of embedded systems facilitates our daily life, it also makes the threat from cyber-attacks more severe. Embedded systems are widely deployed in critical circumstances, which make them "attractive" cyber-attack targets. Therefore, designing effective countermeasures against these attacks becomes a hot research area. While effectiveness of countermeasures should be considered seriously, the efficiency of security solutions is of equal importance. Compared to general-purpose computer systems, the resource-critical property of embedded systems brings stricter power, energy, and performance constraints. A high-quality security countermeasure should thus maximize the security level while fulfilling those constraints. ☐ This dissertation utilizes a model that integrates “design-for-trust” (DfT) and “runtime monitoring” to develop security countermeasures for embedded systems. Design-for-trust on one hand introduces security constraints, which are followed during the system design and deployment stage. Runtime monitoring, on the other hand, checks system behaviors in real time to identify suspicious behaviors that violate those pre-defined security rules. Collaboration of design-for-trust and runtime monitoring enhances both the effectiveness and the efficiency of security solutions. On one hand, the security rules and constraints provide easy-to-distinguish patterns, enabling accurate identification of malicious behaviors at runtime. On the other hand, monitoring overhead is reduced since only specific behaviors are checked. ☐ In this dissertation, three scenarios will be discussed as examples of integrating design-for-trust and runtime monitoring to defend against software & hardware attacks towards embedded systems. The first topic discusses stack buffer overflow attacks, performed through overwriting the return address of a procedure, which is stored in stack memory, to alter the control flow and hence change the functionality of the program. Goal of this study is to develop a hardware-based scheme to “filter out” potential stack buffer overflow attacks, through monitoring certain micro-architectural events, such as mis-predictions in the return address stack and misses in the instruction cache. To further reduce the false positive and false negative rates of the security filter, three hardware enhancements to the return address stack, instruction prefetch engine and instruction cache are proposed. ☐ The second topic aims to mute and detect hardware Trojan collusion in a multiprocessor system-on-chip (MPSoC), where hardware Trojans–malicious hardware modifications–in untrusted 3PIP processors may collude with each other to produce system-wide catastrophe. The goal is to detect and mute any unauthorized malicious communication without thwarting authorized communications. To achieve this, vendor diversity is utilized; the proposed framework integrates processors from various third-party vendors into the MPSoC. Communication channels between different vendors are considered “safe” and used to hold authorized inter-task communications. This way, any unauthorized communication at runtime will either be muted (if on a safe channel) or be detected. A set of heuristics are presented to ensure that the introduced security constraints can be fulfilled with minimum impact on other design goals, such as performance and hardware cost. ☐ The third scenario aims to detect the collusion of hardware Trojans in cyber-physical systems (CPS). CPS are usually composed of multiple untrusted nodes connected wirelessly to a trusted server in a multi-hop manner. Hardware Trojans in the nodes may seek to collude with each other, spreading messages with trigger information in order to simultaneously activate their payloads over the whole network. The proposed countermeasure is a collaboration between network deployment and runtime detection stages. When deploying the network, vendor diversity is enforced: any pair of neighboring nodes must be from different vendors. This requirement precludes collusion between neighboring nodes, allowing them to monitor each other's behavior. At runtime, a mutual auditing protocol is utilized to check each message, ensuring that it has been correctly encrypted by the source node and that its content has not been tampered with by any other node on the routing path. This framework ensures that any message embedded with a Trojan trigger will be muted or will be detected and abandoned, without interfering with benign messages. ☐ Integration of DfT and runtime monitoring not only effectively detects attacks at runtime, but also achieves high efficiency: all the proposed schemes fulfill the security requirements with minimum system resource costs and performance impacts. In sum, by combining design-for-trust and runtime monitoring, high-quality security countermeasures can be provided to defend against both software and hardware attacks to embedded systems.