Publications

Refine Results

(Filters Applied) Clear All

Security considerations for next-generation operating systems for cyber-physical systems

Published in:
1st Intl. Workshop on Next-Generation Operating Systems for Cyber-Physical Systems, NGOSCPS, 15 April 2019.

Summary

Cyber-physical systems (CPSs) are increasingly targeted in high-profile cyber attacks. Examples of such attacks include Stuxnet, which targeted nuclear centrifuges; Crashoverride, and Triton, which targeted power grids; and the Mirai botnet, which targeted internet-of-things (IoT) devices such as cameras to carry out a large-scale distributed denial-of-service (DDoS) attack. Such attacks demonstrate the importance of securing current and future cyber-physical systems. Therefore, next-generation operating systems (OSes) for CPS need to be designed to provide security features necessary, as well as be secure in and of themselves. CPSs are designed with one of three broad classes of OSes: (a) bare-metal applications with effectively no operating system, (b) embedded systems executing on impoverished platforms running an embedded or real-time operating system (RTOS) such as FreeRTOS, or (c) more performant platforms running general purpose OSes such as Linux, sometimes tuned for real-time performance such as through the PREEMPT_RT patch. In cases (a) and (b), the OS, if any, is very minimal to facilitate improved resource utilization in real-time or latency-sensitive applications, especially running on impoverished hardware platforms. In such OSes, security is often overlooked, and many important security features (e.g. process/kernel memory isolation) are notably absent. In case (c), the general-purpose OS inherits many of the security-related features that are critical in enterprise and general-purpose applications, such as virtual memory and address-space layout randomization (ASLR). However, the highly complex nature of general-purpose OSes can be problematic in the development of CPSs, as they are highly non-deterministic and difficult to formally reason about for cyber-physical applications, which often have real-time constraints. These issues motivate the need for a next generation OS that is highly capable, predictable and deterministic for real-time performance, but also secure in the face of many of the next generation of cyber threats. In order to design such a next-generation OS, it is necessary to first reflect on the types of threats that CPSs face, including the attacker intentions and types of effects that can be achieved, as well as the type of access that attackers have. While threat models are not the same for all CPSs, it is important to understand how the threat models for CPSs compare to general-purpose or enterprise computing environments. We discuss these issues next (Sec. 2), before providing insights and recommendations for approaches to incorporate in next-generation OSes for CPS in Sec. 3.
READ LESS

Summary

Cyber-physical systems (CPSs) are increasingly targeted in high-profile cyber attacks. Examples of such attacks include Stuxnet, which targeted nuclear centrifuges; Crashoverride, and Triton, which targeted power grids; and the Mirai botnet, which targeted internet-of-things (IoT) devices such as cameras to carry out a large-scale distributed denial-of-service (DDoS) attack. Such attacks...

READ MORE

Design and analysis framework for trusted and assured microelectronics

Published in:
GOMACTech 2019, 25-28 March 2019.

Summary

An in-depth understanding of microelectronics assurance in Department of Defense (DoD) missions is increasingly important as the DoD continues to address supply chain challenges. Many studies take a "bottom-up" approach, in which vulnerabilities are assessed in terms of general-purpose usage. This is beneficial in developing a general knowledge foundation. However, it does not offer much insight for program managers, technical leads, etc. to determine, for a specific mission and operating environment, the risks and requirements to using a microelectronic device. It is critical to develop a systematic approach that considers mission objectives, as the same component could be used in a weapon system or a surveillance system with significantly different requirements. We have been developing a Trusted and Assured Microelectronics (T&AM) Framework, which considers the entire system life cycle to produce mission-specific metrics and assessments. A radar system exemplar illustrates the approach and how the metric can be used as a Figure of Merit for quantitative analysis during development.
READ LESS

Summary

An in-depth understanding of microelectronics assurance in Department of Defense (DoD) missions is increasingly important as the DoD continues to address supply chain challenges. Many studies take a "bottom-up" approach, in which vulnerabilities are assessed in terms of general-purpose usage. This is beneficial in developing a general knowledge foundation. However...

READ MORE

HARDEN: A high assurance design environment

Summary

Systems resilient to cyber-attacks for mission assurance are difficult to develop, and the means of effectively evaluating them is even harder. We have developed a new architectural design and engineering environment, referred to as HARDEN (High AssuRance Design ENvironment), which supports an agile design methodology used to create secure and resilient systems. This new toolkit facilitates the quantitative analysis of a system's security posture by setting up a systematic approach of securing and analyzing embedded systems. HARDEN promotes the early co-design of functionality and security that now enables the development of mission assured systems.
READ LESS

Summary

Systems resilient to cyber-attacks for mission assurance are difficult to develop, and the means of effectively evaluating them is even harder. We have developed a new architectural design and engineering environment, referred to as HARDEN (High AssuRance Design ENvironment), which supports an agile design methodology used to create secure and...

READ MORE

Understanding Mission-Driven Resiliency Workshop

Summary

MIT Lincoln Laboratory hosted an invitation-only, one-day interdisciplinary workshop entitled
“Understanding Mission-Driven Resiliency” on behalf of the US Air Force, on March 18, 2019 at MIT
Lincoln Laboratory Beaver Works in Cambridge, MA. Participants began to bridge the gap between
government and industry to improve the resiliency of government systems to cyber attacks. The
workshop focused on understanding and defining resiliency from different perspectives and included
five panels devoted to discussing how different industries view and manage resiliency within their
organizations, the sources of resiliency within organizations and software-intensive systems, measuring
resiliency, and building resiliency within an organization or technology stack.
READ LESS

Summary

MIT Lincoln Laboratory hosted an invitation-only, one-day interdisciplinary workshop entitled
“Understanding Mission-Driven Resiliency” on behalf of the US Air Force, on March 18, 2019 at MIT
Lincoln Laboratory Beaver Works in Cambridge, MA. Participants began to bridge the gap between
government and industry to improve the resiliency of government systems...

READ MORE

Guidelines for secure small satellite design and implementation: FY18 Cyber Security Line-Supported Program

Summary

We are on the cusp of a computational renaissance in space, and we should not bring past terrestrial missteps along. Commercial off-the-shelf (COTS) processors -- much more powerful than traditional rad-hard devices -- are increasingly used in a variety of low-altitude, short-duration CubeSat class missions. With this new-found headroom, the incessant drumbeat of "faster, cheaper, faster, cheaper" leads a familiar march towards Linux and a menagerie of existing software packages, each more bloated and challenging to secure than the last. Lincoln Laboratory has started a pilot effort to design and prototype an exemplar secure satellite processing platform, initially geared toward CubeSats but with a clear path to larger missions and future high performance rad-hard processors. The goal is to provide engineers a secure "grab-and-go" architecture that doesn't unduly hamstring aggressive build timelines yet still provides a foundation of security that can serve adopting systems well, as well as future systems derived from them. This document lays out the problem space for cybersecurity in this domain, derives design guidelines for future secure space systems, proposes an exemplar architecture that implements the guidelines, and provides a solid starting point for near-term and future satellite processing.
READ LESS

Summary

We are on the cusp of a computational renaissance in space, and we should not bring past terrestrial missteps along. Commercial off-the-shelf (COTS) processors -- much more powerful than traditional rad-hard devices -- are increasingly used in a variety of low-altitude, short-duration CubeSat class missions. With this new-found headroom, the...

READ MORE

Secure input validation in Rust with parsing-expression grammars

Published in:
Thesis (M.E.)--Massachusetts Institute of Technology, 2019.

Summary

Accepting input from the outside world is one of the most dangerous things a system can do. Since type information is lost across system boundaries, systems must perform type-specific input handling routines to recover this information. Adversaries can carefully craft input data to exploit any bugs or vulnerabilities in these routines, thereby causing dangerous memory errors. Including input validation routines in kernels is especially risky. Sensitive memory contents and powerful privileges make kernels a preferred target of attackers. Furthermore, the fact that kernels must process user input, network data, as well as input from a wide array of peripheral devices means that including such input validation schemes is unavoidable. In this thesis we present Automatic Validation of Input Data (AVID), which helps solve the issue of input validation within kernels by automatically generating parser implementations for developer-defined structs. AVID leverages not only the unambiguity guarantees of parsing expression grammars but also the type safety guarantees of Rust. We show how AVID can be used to resolve a manufactured vulnerability in Tock, an operating system written in Rust for embedded systems. Using Rust’s procedural macro system, AVID generates parser implementations at compile time based on existing Rust struct definitions. AVID exposes a simple and convenient parser API that is able to validate input and then instantiate structs from the validated input. AVID's simple interface makes it easy for developers to use and to integrate with existing codebases.
READ LESS

Summary

Accepting input from the outside world is one of the most dangerous things a system can do. Since type information is lost across system boundaries, systems must perform type-specific input handling routines to recover this information. Adversaries can carefully craft input data to exploit any bugs or vulnerabilities in these...

READ MORE

Security and performance analysis of custom memory allocators

Author:
Published in:
Thesis (M.E.)--Massachusetts Institute of Technology, 2019.

Summary

Computer programmers use custom memory allocators as an alternative to built-in or general-purpose memory allocators with the intent to improve performance and minimize human error. However, it is difficult to achieve both memory safety and performance gains on custom memory allocators. In this thesis, we study the relationship between memory safety and custom allocators. We analyze three popular servers, Apache, Nginx, and Appweb, and show that while the performance benefits might exist in the unprotected version of the server, as soon as partial or full memory safety is enforced, the picture becomes much more complex. Based on the target, using a custom memory allocator might be faster, about the same, or slower than the system memory allocator. Another caveat is that custom memory allocation can only be protected partially (at the allocation granularity) without manual modification. In addition, custom memory allocators may also introduce additional vulnerabilities to an application (e.g., OpenSSL Heartbleed). We thus conclude that using custom memory allocators is very nuanced, and that the challenges they pose may outweigh the small performance gains in the unprotected mode in many cases. Our findings suggest that developers must carefully consider the trade-offs and caveats of using a custom memory allocator before deploying it in their project.
READ LESS

Summary

Computer programmers use custom memory allocators as an alternative to built-in or general-purpose memory allocators with the intent to improve performance and minimize human error. However, it is difficult to achieve both memory safety and performance gains on custom memory allocators. In this thesis, we study the relationship between memory...

READ MORE

Leveraging Intel SGX technology to protect security-sensitive applications

Published in:
17th IEEE Int. Symp. on Network Computing and Applications, NCA, 1-3 November 2018.

Summary

This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the operational data lifecycle: at rest, in use, and in transit. SGX shrinks the trusted computing base (and therefore the attack surface) of the application to only the hardware on the CPU chip and the portion of the application's software that is executed within the protected enclave. The SDK enables SGX integration into existing C/C++ codebases while still ensuring program support for legacy and non-Intel platforms. This paper is the first published work to walk through the step-by-step process of Intel SGX integration with examples and performance results from an actual cryptographic application produced in a standard Linux development environment.
READ LESS

Summary

This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the...

READ MORE

OS independent and hardware-assisted insider threat detection and prevention framework

Summary

Governmental and military institutions harbor critical infrastructure and highly confidential information. Although institutions are investing a lot for protecting their data and assets from possible outsider attacks, insiders are still a distrustful source of information leakage. As malicious software injection is one among many attacks, turning innocent employees into malicious attackers through social attacks is the most impactful one. Malicious insiders or uneducated employees are dangerous for organizations that they are already behind the perimeter protections that guard the digital assets; actually, they are trojans on their own. For an insider, the easiest possible way for creating a hole in security is using the popular and ubiquitous Universal Serial Bus (USB) devices due to its versatile and easy to use plug-and-play nature. USB type storage devices are the biggest threats for contaminating mission critical infrastructure with viruses, malware, and trojans. USB human interface devices are also dangerous as they may connect to a host with destructive hidden functionalities. In this paper, we propose a novel hardware-assisted insider threat detection and prevention framework for the USB case. Our novel framework is also OS independent. We implemented a proof-of-concept design on an FPGA board which is widely used in military settings supporting critical missions, and demonstrated the results considering different experiments. Based on the results of these experiments, we show that our framework can identify rapid-keyboard key-stroke attacks and can easily detect the functionality of the USB device plugged in. We present the resource consumption of our framework on the FPGA for its utilization on a host controller device. We show that our hard-to-tamper framework introduces no overhead in USB communication in terms of user experience.
READ LESS

Summary

Governmental and military institutions harbor critical infrastructure and highly confidential information. Although institutions are investing a lot for protecting their data and assets from possible outsider attacks, insiders are still a distrustful source of information leakage. As malicious software injection is one among many attacks, turning innocent employees into malicious...

READ MORE

Cross-app poisoning in software-defined networking

Published in:
Proc. ACM Conf. on Computer and Communications Security, CCS, 15-18 October 2018, pp. 648-63.

Summary

Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane's integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.
READ LESS

Summary

Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of...

READ MORE