Publications
Guest editorial: special issue on hardware solutions for cyber security
August 22, 2019
Journal Article
Published in:
J. Hardw. Syst. Secur., Vol. 3, No. 199, 2019.
Topic:
R&D area:
R&D group:
Summary
A cyber system could be viewed as an architecture consisting of application software, system software, and system hardware. The hardware layer, being at the foundation of the overall architecture, must be secure itself and also provide effective security features to the software layers. In order to seamlessly integrate security hardware into a system with minimal performance compromises, designers must develop and understand tangible security specifications and metrics to trade between security, performance, and cost for an optimal solution. Hardware security components, libraries, and reference architecture are increasingly important in system design and security. This special issue includes four exciting manuscripts on several aspects of developing hardware-oriented security for systems.
Summary
A cyber system could be viewed as an architecture consisting of application software, system software, and system hardware. The hardware layer, being at the foundation of the overall architecture, must be secure itself and also provide effective security features to the software layers. In order to seamlessly integrate security hardware...
READ MORE
A compact end cryptographic unit for tactical unmanned systems
July 11, 2019
Conference Paper
Published in:
Proc. SPIE 11021, Unmanned Systems Technology XXI, 11 July 2019, 1102101.
Topic:
R&D area:
R&D group:
Summary
Under the Navy's Flexible Cyber-Secure Radio (FlexCSR) program, the Naval Information Warfare Center Pacific and the Massachusetts Institute of Technology's Lincoln Laboratory are jointly developing a unique cybersecurity solution for tactical unmanned systems (UxS): the FlexCSR Security/Cyber Module (SCM) End Cryptographic Unit (ECU). To deal with possible loss of unmanned systems that contain the device, the SCM ECU uses only publicly available Commercial National Security Algorithms and a Tactical Key Management system to generate and distribute onboard mission keys that are destroyed at mission completion or upon compromise. This also significantly reduces the logistic complexity traditionally involved with protection and loading of classified cryptographic keys. The SCM ECU is on track to be certified by the National Security Agency for protecting tactical data-in-transit up to Secret level. The FlexCSR SCM ECU is the first stand-alone cryptographic module that conforms to the United States Department of Defense (DoD) Joint Communications Architecture for Unmanned Systems, an initiative by the Office of the Secretary of Defense supporting the interoperability pillar of the DoD Unmanned Systems Integrated Roadmap. It is a credit card-sized enclosed unit that provides USB interfaces for plaintext and ciphertext, support for radio controls and management, and a software Application Programming Interface that together allow easy integration into tactical UxS communication systems. This paper gives an overview of the architecture, interfaces, usage, and development and approval schedule of the device.
Summary
Under the Navy's Flexible Cyber-Secure Radio (FlexCSR) program, the Naval Information Warfare Center Pacific and the Massachusetts Institute of Technology's Lincoln Laboratory are jointly developing a unique cybersecurity solution for tactical unmanned systems (UxS): the FlexCSR Security/Cyber Module (SCM) End Cryptographic Unit (ECU). To deal with possible loss of unmanned...
READ MORE
Security considerations for next-generation operating systems for cyber-physical systems
April 15, 2019
Conference Paper
Published in:
1st Intl. Workshop on Next-Generation Operating Systems for Cyber-Physical Systems, NGOSCPS, 15 April 2019.
Topic:
R&D area:
R&D group:
Summary
Cyber-physical systems (CPSs) are increasingly targeted in high-profile cyber attacks. Examples of such attacks include Stuxnet, which targeted nuclear centrifuges; Crashoverride, and Triton, which targeted power grids; and the Mirai botnet, which targeted internet-of-things (IoT) devices such as cameras to carry out a large-scale distributed denial-of-service (DDoS) attack. Such attacks demonstrate the importance of securing current and future cyber-physical systems. Therefore, next-generation operating systems (OSes) for CPS need to be designed to provide security features necessary, as well as be secure in and of themselves. CPSs are designed with one of three broad classes of OSes: (a) bare-metal applications with effectively no operating system, (b) embedded systems executing on impoverished platforms running an embedded or real-time operating system (RTOS) such as FreeRTOS, or (c) more performant platforms running general purpose OSes such as Linux, sometimes tuned for real-time performance such as through the PREEMPT_RT patch. In cases (a) and (b), the OS, if any, is very minimal to facilitate improved resource utilization in real-time or latency-sensitive applications, especially running on impoverished hardware platforms. In such OSes, security is often overlooked, and many important security features (e.g. process/kernel memory isolation) are notably absent. In case (c), the general-purpose OS inherits many of the security-related features that are critical in enterprise and general-purpose applications, such as virtual memory and address-space layout randomization (ASLR). However, the highly complex nature of general-purpose OSes can be problematic in the development of CPSs, as they are highly non-deterministic and difficult to formally reason about for cyber-physical applications, which often have real-time constraints. These issues motivate the need for a next generation OS that is highly capable, predictable and deterministic for real-time performance, but also secure in the face of many of the next generation of cyber threats. In order to design such a next-generation OS, it is necessary to first reflect on the types of threats that CPSs face, including the attacker intentions and types of effects that can be achieved, as well as the type of access that attackers have. While threat models are not the same for all CPSs, it is important to understand how the threat models for CPSs compare to general-purpose or enterprise computing environments. We discuss these issues next (Sec. 2), before providing insights and recommendations for approaches to incorporate in next-generation OSes for CPS in Sec. 3.
Summary
Cyber-physical systems (CPSs) are increasingly targeted in high-profile cyber attacks. Examples of such attacks include Stuxnet, which targeted nuclear centrifuges; Crashoverride, and Triton, which targeted power grids; and the Mirai botnet, which targeted internet-of-things (IoT) devices such as cameras to carry out a large-scale distributed denial-of-service (DDoS) attack. Such attacks...
READ MORE
HARDEN: A high assurance design environment
March 25, 2019
Conference Paper
Published in:
GOMACTech 2019, 25-28 March 2019.
Topic:
R&D area:
R&D group:
Summary
Systems resilient to cyber-attacks for mission assurance are difficult to develop, and the means of effectively evaluating them is even harder. We have developed a new architectural design and engineering environment, referred to as HARDEN (High AssuRance Design ENvironment), which supports an agile design methodology used to create secure and resilient systems. This new toolkit facilitates the quantitative analysis of a system's security posture by setting up a systematic approach of securing and analyzing embedded systems. HARDEN promotes the early co-design of functionality and security that now enables the development of mission assured systems.
Summary
Systems resilient to cyber-attacks for mission assurance are difficult to develop, and the means of effectively evaluating them is even harder. We have developed a new architectural design and engineering environment, referred to as HARDEN (High AssuRance Design ENvironment), which supports an agile design methodology used to create secure and...
READ MORE
Leveraging Intel SGX technology to protect security-sensitive applications
November 1, 2018
Conference Paper
Published in:
17th IEEE Int. Symp. on Network Computing and Applications, NCA, 1-3 November 2018.
Topic:
R&D area:
R&D group:
Summary
This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the operational data lifecycle: at rest, in use, and in transit. SGX shrinks the trusted computing base (and therefore the attack surface) of the application to only the hardware on the CPU chip and the portion of the application's software that is executed within the protected enclave. The SDK enables SGX integration into existing C/C++ codebases while still ensuring program support for legacy and non-Intel platforms. This paper is the first published work to walk through the step-by-step process of Intel SGX integration with examples and performance results from an actual cryptographic application produced in a standard Linux development environment.
Summary
This paper explains the process by which Intel Software Guard Extensions (SGX) can be leveraged into an existing codebase to protect a security-sensitive application. Intel SGX provides user-level applications with hardware-enforced confidentiality and integrity protections and incurs manageable impact on performance. These protections apply to all three phases of the...
READ MORE
Functionality and security co-design environment for embedded systems
September 25, 2018
Conference Paper
Published in:
IEEE High Performance Extreme Computing Conf., HPEC, 25-27 September 2018.
Topic:
R&D area:
R&D group:
Summary
For decades, embedded systems, ranging from intelligence, surveillance, and reconnaissance (ISR) sensors to electronic warfare and electronic signal intelligence systems, have been an integral part of U.S. Department of Defense (DoD) mission systems. These embedded systems are increasingly the targets of deliberate and sophisticated attacks. Developers thus need to focus equally on functionality and security in both hardware and software development. For critical missions, these systems must be entrusted to perform their intended functions, prevent attacks, and even operate with resilience under attacks. The processor in a critical system must thus provide not only a root of trust, but also a foundation to monitor mission functions, detect anomalies, and perform recovery. We have developed a Lincoln Asymmetric Multicore Processing (LAMP) architecture, which mitigates adversarial cyber effects with separation and cryptography and provides a foundation to build a resilient embedded system. We will describe a design environment that we have created to enable the co-design of functionality and security for mission assurance.
Summary
For decades, embedded systems, ranging from intelligence, surveillance, and reconnaissance (ISR) sensors to electronic warfare and electronic signal intelligence systems, have been an integral part of U.S. Department of Defense (DoD) mission systems. These embedded systems are increasingly the targets of deliberate and sophisticated attacks. Developers thus need to focus...
READ MORE
Mission assurance: beyond secure processing
July 16, 2018
Conference Paper
Published in:
18th IEEE Int. Conf. on Software Quality, Reliability, and Security, QRS 2018, 16-20 July 2018, pp. 593-8.
Topic:
R&D area:
Summary
The processor of a drone runs essential functions of sensing, communications, coordination, and control. This is the conventional view. But in today's cyber environment, the processor must also provide security to assure mission completion. We have been developing a secure processing architecture for mission assurance. A study on state-of-the-art secure processing technologies has revealed that no one-size-fits-all solution can fully meet our requirements. In fact, we have concluded that the provision of a secure processor as a mission assurance foundation must be holistic and should be approached from a systems perspective. We have thus applied a systems analysis approach to create a secure base for the system. This paper describes our journey of adapting and synergizing various secure processing technologies into a baseline asymmetric multicore processing architecture. We will also describe a functional and security co-design environment, created to customize and optimize the architecture in a design space consisting of hardware, software, performance, and assurance.
Summary
The processor of a drone runs essential functions of sensing, communications, coordination, and control. This is the conventional view. But in today's cyber environment, the processor must also provide security to assure mission completion. We have been developing a secure processing architecture for mission assurance. A study on state-of-the-art secure...
READ MORE
Next-generation embedded processors: an update
March 12, 2018
Conference Paper
Published in:
GOMACTech Conf., 12-15 March 2018.
Topic:
R&D area:
R&D group:
Summary
For mission assurance, Department of Defense (DoD) embedded systems should be designed to mitigate various aspects of cyber risks, while maintaining performance (size, weight, power, cost, and schedule). This paper reports our latest research effort in the development of a next-generation System-on-Chip (SoC) for DoD applications, which we first presented in GOMACTech 2014. This paper focuses on our ongoing work to enhance the mission assurance of its programmable processor. We will explain our updated processor architecture, justify the use of resources, and assess the processor's suitability for mission assurance.
Summary
For mission assurance, Department of Defense (DoD) embedded systems should be designed to mitigate various aspects of cyber risks, while maintaining performance (size, weight, power, cost, and schedule). This paper reports our latest research effort in the development of a next-generation System-on-Chip (SoC) for DoD applications, which we first presented...
READ MORE
Towards a universal CDAR device: a high performance adapter-based inline media encryptor
October 23, 2017
Conference Paper
Published in:
MILCOM 2017, 23-25 October 2017.
Topic:
R&D area:
R&D group:
Summary
As the rate at which digital data is generated continues to grow, so does the need to ensure that data can be stored securely. The use of an NSA-certified Inline Media Encryptor (IME) is often required to protect classified data, as its security properties can be fully analyzed and certified with minimal coupling to the environment in which it is embedded. However, these devices are historically purpose-built and must often be redesigned and recertified for each target system. This tedious and costly (but necessary) process limits the ability for an information system architect to leverage advances made in storage technology. Our universal Classified Data At Rest (CDAR) architecture represents a modular approach to reduce this burden and maximize interface flexibility. The core module is designed around NVMe, a high-performance storage interface built directly on PCIe. Interfacing with non-NVMe interfaces such as SATA is achieved with adapters which are outside the certification boundary and therefore can be less costly and leverage rapidly evolving commercial technology. This work includes an analysis for both the functionality and security of this architecture. A prototype was developed with peak throughput of 23.9 Gb/s at a power consumption of 8.5W, making it suitable for a wide range of storage applications.
Summary
As the rate at which digital data is generated continues to grow, so does the need to ensure that data can be stored securely. The use of an NSA-certified Inline Media Encryptor (IME) is often required to protect classified data, as its security properties can be fully analyzed and certified...
READ MORE
Building low-power trustworthy systems: cyber-security considerations for real-time physiological status monitoring
November 1, 2016
Conference Paper
Published in:
IEEE MILCOM, 1-3 November 2016.
Summary
Real-time monitoring of physiological data can reduce the likelihood of injury in noncombat military personnel and first-responders. MIT Lincoln Laboratory is developing a tactical Real-Time Physiological Status Monitoring (RT-PSM) system architecture and reference implementation named OBAN (Open Body Area Network), the purpose of which is to provide an open, government-owned framework for integrating multiple wearable sensors and applications. The OBAN implementation accepts data from various sensors enabling calculation of physiological strain information which may be used by squad leaders or medics to assess the team's health and enhance safety and effectiveness of mission execution. Security in terms of measurement integrity, confidentiality, and authenticity is an area of interest because OBAN system components exchange sensitive data in contested environments. In this paper, we analyze potential cyber-security threats and their associated risks to a generalized version of the OBAN architecture and identify directions for future research. The threat analysis is intended to inform the development of secure RT-PSM architectures and implementations.
Summary
Real-time monitoring of physiological data can reduce the likelihood of injury in noncombat military personnel and first-responders. MIT Lincoln Laboratory is developing a tactical Real-Time Physiological Status Monitoring (RT-PSM) system architecture and reference implementation named OBAN (Open Body Area Network), the purpose of which is to provide an open, government-owned...
READ MORE