Publications
TAU: Trust via Asynchronous Updates for satellite network resiliency
June 23, 2025
Conference Paper
Topic:
R&D group:
Summary
Satellite networks are key enablers to many applications, including world-wide sensing and communications. Unlike their terrestrial counterparts, satellites are able to provide coverage in remote and hard-to-reach areas, including areas with regional conflicts. However, they are also susceptible to multiple security threats and potential failures. In addition to commonly used security techniques, it is essential to have algorithms that assess the trustworthiness of satellites as they operate, without limiting the satellites' abilities to perform their intended tasks. In this paper we focus on trust assessment methods that analyze the behavior of satellites to detect attacks and identify failed or compromised nodes in constellation networks. In this work, we (1) present a satellite threat model and enumerate possible attacks, (2) compare several existing trust assessment models when applied to low earth orbit satellite constellations, and (3) propose Trust via Asynchronous Updates (TAU), a novel trust algorithm model that is applicable to all modern satellite constellation networks. Model TAU uses finite state machines and asynchronous updates to track node behavior. Our custom simulator evaluates the performance of our algorithm in comparison to several previously proposed trust models. We consider two well-known attacks, the kinetic and black hole attacks, and show that the proposed Model TAU accurately identifies malicious satellites, with low false positive rate, in time comparable to previously proposed trust models while achieving lower computational complexity and communication overhead.
Summary
Satellite networks are key enablers to many applications, including world-wide sensing and communications. Unlike their terrestrial counterparts, satellites are able to provide coverage in remote and hard-to-reach areas, including areas with regional conflicts. However, they are also susceptible to multiple security threats and potential failures. In addition to commonly used...
READ MORE
It is time to standardize principles and practices for software memory safety
February 1, 2025
Journal Article
Topic:
R&D group:
Summary
For many decades, endemic memory-safety vulnerabilities in software trusted computing bases (TCBs) have enabled the spread of malware and devastating targeted attacks on critical infrastructure, national-security targets, companies, and individuals around the world. During the last two years, the information-technology industry has seen increasing calls for the adoption of memory-safety technologies, frames as part of a broader initiative for Secure by Design, from government, academia, and within the industry itself. These calls are grounded in extensive evidence that memory-safety vulnerabilities have persistently made up the majority of critical security vulnerabilities for multiple decades, and have affected all mainstream software ecosystems and products--and also the growing awareness that these problems are almost entirely avoidable by using recent advances in strong and scalable memory-safety technology. In this Inside Risks column, we explore memory-safety standardization, which we argue is an essential step to promoting universal strong memory safety in government and industry, and in turn, to ensure access to more secure software for all. During the last two decades, a set of research technologies for strong memory safety--memory-safe languages, hardware and software inventory protection, formal approaches, and software compartmentalization--have reached sufficient maturity to see early deployment in security-critical use cases. However, there remains no shared, technology-neutral terminology or framework with which to specify memory-safety requirements. This is needed to enable reliable specification, design, implementation, auditing, and procurement of strongly memory-safe systems. Failure to speak in a common language makes it difficult to understand the possibilities or communicate accurately with each other, limiting perceived benefits and hence actual demand. The lack of such a framework also acts as an impediment to potential future policy interventions, and as an impediment to stating requirements to address observed market failures preventing adoption of these technologies. Standardization would also play a critical role in improving industrial best practice, another key aspect of adoption. This Inside Risks column is derived from a longer technical report published by the same authors, which includes further case studies and applications, as well as considering the potential implications of various events and interventions on potential candidate adoption timelines.
Summary
For many decades, endemic memory-safety vulnerabilities in software trusted computing bases (TCBs) have enabled the spread of malware and devastating targeted attacks on critical infrastructure, national-security targets, companies, and individuals around the world. During the last two years, the information-technology industry has seen increasing calls for the adoption of memory-safety...
READ MORE
Software vulnerability detection using LLM: does additional information help?
December 9, 2024
Conference Paper
Topic:
R&D group:
Summary
Unlike conventional machine learning (ML) or deep learning (DL) methods, Large Language Models (LLM) possess the ability to tackle complex tasks through intricate chains of reasoning, a facet often overlooked in existing work on vulnerability detection. Nevertheless, these models have demonstrated variable performance when presented with different prompts (inputs), motivating a surge of research into prompt engineering – the process of optimizing prompts to enhance their performance. This paper studies different prompt settings (zero-shot and few-shot) when using LLMs for software vulnerability detection. Our exploration involves harnessing the power of both natural language (NL) unimodal and NL-PL (programming language) bimodal models within the prompt engineering process. Experimental results indicate that LLM, when provided only with source code or zero-shot prompts, tends to classify most code snippets as vulnerable, resulting in unacceptably high recall. These findings suggest that, despite their advanced capabilities, LLMs may not inherently possess the knowledge for vulnerability detection tasks. However, fewshot learning benefits from additional domain-specific knowledge, offering a promising direction for future research in optimizing LLMs for vulnerability detection.
Summary
Unlike conventional machine learning (ML) or deep learning (DL) methods, Large Language Models (LLM) possess the ability to tackle complex tasks through intricate chains of reasoning, a facet often overlooked in existing work on vulnerability detection. Nevertheless, these models have demonstrated variable performance when presented with different prompts (inputs), motivating...
READ MORE
Manipulative interference attacks
October 14, 2024
Conference Paper
Topic:
R&D group:
Summary
A μ-kernel is an operating system (OS) paradigm that facilitates a strong cybersecurity posture for embedded systems. Unlike a monolithic OS such as Linux, a μ-kernel reduces overall system privilege by deploying most OS functionality within isolated, userspace protection domains. Moreover, a μ-kernel ensures confidentiality and integrity between protection domains (i.e., spatial isolation), and offers timing predictability for real-time tasks in mixed-criticality systems (i.e., temporal isolation). One popular μ-kernel is seL4 which offers extensive formal guarantees of implementation correctness and flexible temporal budgeting mechanisms. However, we show that an untrusted protection domain on a μ-kernel can abuse service requests to other protection domains in order to corrode system availability. We generalize this denial-of-service (DoS) attack strategy as Manipulative Interference Attacks (MIAs) and introduce techniques to efficiently identify instances of MIAs within a configured system. Specifically, we propose a novel hybrid approach that first leverages static analysis to identify software components with influenceable execution times, and second, uses an automatically generated model-based analysis to determine which compromised protection domains can manipulate the influenceable components and trigger MIAs. We investigate the risk of MIAs in several representative system examples including the seL4 Microkit, as well as a case study of seL4 software artifacts from the DARPA Cyber Assured Systems Engineering (CASE) program. In particular, we demonstrate that our analysis is efficient enough to discover practical instances of MIAs in real-world systems.
Summary
A μ-kernel is an operating system (OS) paradigm that facilitates a strong cybersecurity posture for embedded systems. Unlike a monolithic OS such as Linux, a μ-kernel reduces overall system privilege by deploying most OS functionality within isolated, userspace protection domains. Moreover, a μ-kernel ensures confidentiality and integrity between protection domains...
READ MORE
Exploiting temporal vulnerabilities for unauthorized access in intent-based networking
October 14, 2024
Conference Paper
Published in:
ACM Conf. on Computer and Communications Security, CCS '24, 14-18 October 2024.
Topic:
R&D area:
R&D group:
Summary
Intent-based networking (IBN) enables network administrators to express high-level goals and network policies without needing to specify low-level forwarding configurations, topologies, or protocols. Administrators can define intents that capture the overall behavior they want from the network, and an IBN controller compiles such intents into low-level configurations that get installed in the network and implement the desired behavior. We discovered that current IBN specifications and implementations do not specify that flow rule installation orderings should be enforced, which leads to temporal vulnerabilities where, for a limited time, attackers can exploit indeterminate connectivity behavior to gain unauthorized network access. In this paper, we analyze the causes of such temporal vulnerabilities and their security impacts with a representative case study via the ONOS IBN implementation.We devise the Phantom Link attack and demonstrate a working exploit to highlight the security impacts. To defend against such attacks, we propose Spotlight, a detection method that can alert a system administrator of risky intent updates prone to exploitable temporal vulnerabilities. Spotlight is effective in identifying risky updates using realistic network topologies and policies. We show that Spotlight can detect risky updates in a mean time of 0.65 seconds for topologies of over 1,300 nodes.
Summary
Intent-based networking (IBN) enables network administrators to express high-level goals and network policies without needing to specify low-level forwarding configurations, topologies, or protocols. Administrators can define intents that capture the overall behavior they want from the network, and an IBN controller compiles such intents into low-level configurations that get installed...
READ MORE
Exploiting temporal vulnerabilities for unauthorized access in intent-based networking
October 14, 2024
Conference Paper
R&D group:
Summary
Intent-based networking (IBN) enables network administrators to express high-level goals and network policies without needing to specify low-level forwarding configurations, topologies, or protocols. Administrators can define intents that capture the overall behavior they want from the network, and an IBN controller compiles such intents into low-level configurations that get installed in the network and implement the desired behavior. We discovered that current IBN specifications and implementations do not specify that flow rule installation orderings should be enforced, which leads to temporal vulnerabilities where, for a limited time, attackers can exploit indeterminate connectivity behavior to gain unauthorized network access. In this paper, we analyze the causes of such temporal vulnerabilities and their security impacts with a representative case study via the ONOS IBN implementation. We devise the Phantom Link attack and demonstrate a working exploit to highlight the security impacts. To defend against such attacks, we propose Spotlight, a detection method that can alert a system administrator of risky intent updates prone to exploitable temporal vulnerabilities. Spotlight is effective in identifying risky updates using realistic network topologies and policies. We show that Spotlight can detect risky updates in a mean time of 0.65 seconds for topologies of over 1,300 nodes.
Summary
Intent-based networking (IBN) enables network administrators to express high-level goals and network policies without needing to specify low-level forwarding configurations, topologies, or protocols. Administrators can define intents that capture the overall behavior they want from the network, and an IBN controller compiles such intents into low-level configurations that get installed...
READ MORE
VulSim: Leveraging similarity of multi-dimensional neighbor embeddings for vulnerability detection
August 14, 2024
Conference Paper
Topic:
R&D group:
Summary
Despite decades of research in vulnerability detection, vulnerabilities in source code remain a growing problem, and more effective techniques are needed in this domain. To enhance software vulnerability detection, in this paper, we first show that various vulnerability classes in the C programming language share common characteristics, encompassing semantic, contextual, and syntactic properties. We then leverage this knowledge to enhance the learning process of Deep Learning (DL) models for vulnerability detection when only sparse data is available. To achieve this, we extract multiple dimensions of information from the available, albeit limited, data. We then consolidate this information into a unified space, allowing for the identification of similarities among vulnerabilities through nearest-neighbor embeddings. The combination of these steps allows us to improve the effectiveness and efficiency of vulnerability detection using DL models. Evaluation results demonstrate that our approach surpasses existing State-of-the-art (SOTA) models and exhibits strong performance on unseen data, thereby enhancing generalizability.
Summary
Despite decades of research in vulnerability detection, vulnerabilities in source code remain a growing problem, and more effective techniques are needed in this domain. To enhance software vulnerability detection, in this paper, we first show that various vulnerability classes in the C programming language share common characteristics, encompassing semantic, contextual...
READ MORE
Security challenges of intent-based networking
July 1, 2024
Journal Article
Published in:
Communications of the ACM, Vol. 67, No. 7, July 2024, pp. 56-65.
Topic:
R&D area:
R&D group:
Summary
Intent-based networking (IBN) offers advantages and opportunities compared with SDN, but IBN also poses new and unique security challenges that must be overcome.
Summary
Intent-based networking (IBN) offers advantages and opportunities compared with SDN, but IBN also poses new and unique security challenges that must be overcome.
READ MORE
Security-as-a-service for embedded systems
October 30, 2023
Conference Paper
Topic:
Summary
In order to promote competition and technology refresh, the Department of Defense (DoD) has required the use of a Modular Open Systems Approach (MOSA) for the acquisition and implementation of embedded systems. Designing security and mission assurance for MOSA systems often relies upon payload specific, potentially inadequate, and difficult to update schemes. Our goal is to develop a physically separated Embedded Security-as-a-Service (ESaaS) function as a payload agnostic, updatable security manager for MOSA systems. In this paper, we describe the ongoing development of an ESaaS module for securing embedded systems that align with DoD standards, OpenVPX and Sensor Open Systems Architecture (SOSA).
Summary
In order to promote competition and technology refresh, the Department of Defense (DoD) has required the use of a Modular Open Systems Approach (MOSA) for the acquisition and implementation of embedded systems. Designing security and mission assurance for MOSA systems often relies upon payload specific, potentially inadequate, and difficult to...
READ MORE
Holding the high ground: Defending satellites from cyber attack
March 31, 2023
Journal Article
Published in:
The Cyber Edge by Signal, 31 March 2023.
Topic:
R&D area:
R&D group:
Summary
MIT Lincoln Laboratory and the Space Cyber-Resiliency group at Air Force Research Laboratory-Space Vehicles Directorate have prototyped a practical, operationally capable and secure-by-design spaceflight software platform called Cyber-Hardened Satellite Software (CHSS) for building space mission applications with security, recoverability and performance as first-class system design priorities. Following a successful evaluation of CHSS against an existing U.S. Space Force (USSF) mission, the CHSS platform is currently being extended to support hybrid space vehicle architectures that incorporate both CHSS-aware and legacy subsystems. CHSS has the potential to revolutionize the cyber-resiliency of space systems and substantially ease the burden of defensive cyber operations (DCO).
Summary
MIT Lincoln Laboratory and the Space Cyber-Resiliency group at Air Force Research Laboratory-Space Vehicles Directorate have prototyped a practical, operationally capable and secure-by-design spaceflight software platform called Cyber-Hardened Satellite Software (CHSS) for building space mission applications with security, recoverability and performance as first-class system design priorities. Following a successful evaluation...
READ MORE