Control-flow Integrity for Real-time Embedded Systems

Brown, Nicholas

27 April 2017

As embedded systems become more connected and more ubiquitous in mission- and safety-critical systems, embedded devices have become a high- value target for hackers and security researchers. Attacks on real-time embedded systems software can put lives in danger and put our critical infrastructure at risk. Despite this, security techniques for embedded systems have not been widely studied. Many existing software security techniques for general purpose computers rely on assumptions that do not hold in the embedded case. This thesis focuses on one such technique, control-flow integrity (CFI), that has been vetted as an effective countermeasure against control-flow hijacking attacks on general purpose computing systems. Without the process isolation and fine-grained memory protections provided by a general purpose computer with a rich operating system, CFI cannot provide any security guarantees. This thesis explores a way to use CFI on ARM Cortex-R devices running minimal real-time operating systems. We provide techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection.

real-time

embedded

CFI

ARM

cybersecurity

Implementation of Embedded LINUX with NOR Flash Memory

Chang, Yuan-Hao

02 June 2004

Recently, Handheld devices are more and more popular. Most of them aim at the low price, small size, high computing power, and powerful functionalities. Therefore, the need for embedded operating systems in the market is absolutely vital. There are many embedded systems in the market, but embedded Linux has some advantages to be outstanding and widely accepted. For example, it has no proprietary problem and high portability, and is comparatively easy to be reconstructed and to develop new applications. Best of them all, it is open source software. Embedded systems are usually diskless systems. In order to keep permanent data in embedded Linux, using flash disk as its disk system is a widely adapted strategy. We use MTD (Memory Technology Devices) system to emulate flash memory as flash disk mounted into Linux virtual file system. This allows accessing flash memory with standard I/O operations without any extra effort. MTD system contains, ¡§user¡¨ and driver¡¨, two different modules. In driver modules, we use CFI (Common Flash Interface) to probe the flash chip and then partition it, while we use MTD BLOCK to emulate the flash partitions as block devices in user modules, and then mount them into Linux¡¦s virtual file system with JFFS2 (Journaling Flash File System version 2) type, which is a file system type specifically designed for flash devices according to the features of flash devices. The purpose of this thesis is to use MTD system to emulate Am29LV320DB flash chip as a flash disk in embedded Linux running on an ARM-based developing board, SMDK2410, designed by Samsung. I hope this porting can help the development of other advanced applications and provide an empirical platform for the research of embedded systems.

CFI

Filesystem

JFFS2

Linux

MTD

Flash disk

Defending Real-Time Systems through Timing-Aware Designs

Mishra, Tanmaya

04 May 2022

Real-time computing systems are those that are designed to achieve computing goals by certain deadlines. Real-time computing systems are present in everything from cars to airplanes, pacemakers to industrial-control systems, and other pieces of critical infrastructure. With the increasing interconnectivity of these systems, system security issues and the constant threat of manipulation by malicious external attackers that have plagued general computing systems, now threaten the integrity and safety of real-time systems. This dissertation discusses three different defense techniques that focuses on the role that real-time scheduling theory can play to reduce runtime cost, and guarantee correctness when applying these defense strategies to real-time systems. The first work introduces a novel timing aware defense strategy for the CAN bus that utilizes TrustZone on state-of-the-art ARMv8-M microcontrollers. The second reduces the runtime cost of control-flow integrity (CFI), a popular system security defense technique, by correctly modeling when a real-time system performs I/O, and exploiting the model to schedule CFI procedures efficiently. Finally, the third studies and provides a lightweight mitigation strategy for a recently discovered vulnerability within mixed criticality real-time systems. / Doctor of Philosophy / Real-time computing systems are those that are designed to achieve computing goals within certain timing constraints. Real-time computing systems are present in everything from cars to airplanes, pacemakers to industrial-control systems, and other pieces of critical infrastructure. With the increasing interconnectivity of these systems, system security issues and the constant threat of manipulation by malicious external attackers that have plagued general computing systems, now threaten the integrity and safety of real-time systems. This dissertation discusses three different defense techniques that focuses on the role that real-time scheduling theory can play to reduce runtime cost, and guarantee correctness when applying these defense strategies to real-time systems. The first work introduces a novel timing aware defense strategy for the Controller Area Network (CAN). CAN is a popular communication system that is at the heart of every modern passenger vehicle and is indispensable for the safe operation of various components such as the engine and transmission systems, and due to its simplicity, may be vulnerable to a variety of attacks. We leverage security advancements in modern processor design to provide a lightweight and predictable (in terms of time taken to perform the operation) defense technique for some of these vulnerabilities. The second work applies a technique called Control-Flow Integrity (CFI) to real-time systems. CFI is a general-purpose defense technique to prevent attackers from modifying software execution, and applying such techniques to real-time systems, particularly those with limited hardware capabilities, may be infeasible. By applying real-time scheduling theory, we propose a strategy to apply CFI to such systems, while reducing its overhead, or cost, without compromising the security guarantees CFI inherently provides. Finally, safety-critical systems may consist of a mix of operations, each having a different level of importance (criticality) with respect to the safe operation of the system. However, due to the complexity of modeling such systems, the models themselves may be vulnerable to attacks. Through simulations we study one such vulnerability and propose a modification to mitigate it.

Real-time systems

Security

Trusted Execution

CAN

CFI

Mixed Criticality

The Impact of a Multifaceted Intervention on student Math and ELA Achievement

Strachan, Olivean

01 January 2015

Closing the achievement gaps in mathematics and English language arts (ELA) is an ongoing challenge for most New York City Public school administrators. One New York school experiencing this problem implemented a broad intervention including (a) the Children First Intensive (CFI) program, which includes using data to inform instructional and organizational decision-making; (b) added baseline and post assessments; and (c) differentiated instruction including student conferences. The effects of the intervention had not been evaluated within the context of implementation. The purpose of this quantitative study was to evaluate the impact of the multifaceted learning gaps' intervention on 6th grade student achievement in math and ELA. The framework used in this study was the Halverson, Grigg, Prichett, and Thomas data-driven instructional systems model. The comparative study design used paired t tests to examine the change in math and ELA achievement scores on a group of 6th grade students (N = 26), before after the intervention. Results indicated significant increases in the test scores of the students, suggesting that students' learning gaps were closed using their assessment results and differentiated instruction within the comprehensive intervention. Results were used to create a professional development handbook on using a multifaceted data-based approach to improve student achievement. Positive social change might occur by providing the local site findings on the outcomes of their approach and additional training on using the approach, which may ultimately improve the academic performance of all students.

Children First Intensive (CFI)

Data Driven Instruction

Differentiated Instruction

Learning Gap

Whole Child

Education

Higher Education Financial Health - A Case Study of the California State University (CSU)

Blakeslee, Amber

01 January 2019

Higher education is in a challenging financial time. Overall, states are investing considerably less in higher education than they did a decade ago and students are paying significantly more in tuition and fees. Simultaneously, the higher education landscape is changing – changing in terms of demographics, modes of delivery, workforce needs, funding and cost structures, and perceptions of value. Almost every day there is a new media story about a college or university experiencing financial difficulties. With decreasing confidence from campus financial officers in the long-term sustainability of their institutions and campus closures expected to escalate in the coming years, there is a significant need to better understand higher education financial health so that colleges and universities can proactively address challenges as they arise. Research pertaining to higher education financial health, particularly with respect to public higher education, was found to be limited. This project, first explored the research and methods in use to measure higher education financial health. Then, utilizing the Composite Financial Index (CFI), the most widely adopted metric for measuring financial health identified during the literature review, addressed a research gap related to financial analysis in public higher education through conducting a quantitative analysis of the California State University (CSU) system. The CSU, the largest four-year public higher education system in the country, serves as an important litmus test for the higher education industry as a whole given its sheer magnitude in educating over 480,000 students each year and producing one out of every ten workers in California. In addition, leading indicators signal that California public higher education should be exceeding industry performance given that California is the 5th largest economy in the world during a lengthy period of economic growth, is one of only four states to invest more in higher education in 2018 than it did in 2008, and has the 7th highest tuition rate increases over the same time period. The quantitative analysis of the CSU consisted of a four-pronged approach: 1) Analyze system financial health over a 20 year period; 2) analyze campus financial health over a five-year period; 3) analyze the CSU’s CFI over a 20 year period in comparison to key variables - Gross Domestic Product (GDP) growth rate trends, CSU state funding changes, and CSU tuition rate changes; and 4) analyze campus CFIs with campus enrollment size. Overall, results indicate significant underlying financial concerns for the CSU and disaggregating the results by campus indicate even greater financial concerns at a campus level, reinforcing the notion that smaller campuses experience disparate financial impacts and are more susceptible to closure if left unaddressed. In addition, this research establishes correlations with key variables analyzed and outlines recommendations for future research to further validate findings and more closely identify causality. These findings reinforce the need for colleges and universities to develop a sense of urgency to proactively address the changes and challenges that are occurring, with greater use of strategic financial analysis needed to achieve transformation.

Composite Financial Index

CFI

Financial Health

Financial Sustainability

Higher Education

California State University

Higher Education

Πρωτεϊνική περιοχή FIMAC : Δομή, λειτουργία, εξέλιξη

Πατιού, Περιστέρα

02 March 2015

Το συμπλήρωμα είναι βασικός παράγοντας της φυσικής ανοσίας (innate immunity) και αποτελεί γέφυρα για την ενεργοποίηση της ειδικής ανοσίας (adaptive immunity). Αποτελείται από ένα σύστημα πρωτεϊνών, που συναντώνται ως ανενεργά προένζυμα και ενεργοποιούνται μέσω πρωτεόλυσης πυροδοτώντας έναν καταρράκτη αντιδράσεων. Οι οδοί ενεργοποίησης του συμπληρώματος καταλήγουν στον σχηματισμό ενός λυτικού συμπλόκου (Membrane Attack Complex – MAC) που καταστρέφει τους παθογόνους μικροοργανισμούς. Οι πρωτεΐνες, συστατικά του συμπλόκου, ανήκουν στην οικογένεια MACPF (MAC – Perforin). Σημαντικό ρόλο στη λειτουργία τους παίζει η πρωτεϊνική περιοχή (module) FIMAC (Factor I Membrane Attack Complex). Η περιοχή αυτή υπάρχει στα συστατικά C6 (Complement component 6) και C7 (Complement component 7) του συμπλόκου MAC και φαίνεται να είναι η περιοχή πρόσδεσής τους με την περιοχή C345C του C5b. Επιπλέον, η περιοχή FIMAC υπάρχει και στον παράγοντα Ι του Συμπληρώματος (Complement Factor I, CFI), ο οποίος συμμετέχει στην αποσταθεροποίηση της κομβερτάσης C3/C5, μέσω του καρβοξυτελικού άκρου της FIMAC που φαίνεται να συνδέεται αλλοστερικά με την πρωτεϊνική περιοχή SP (Serine Protease), που αποτελεί την ενεργή του περιοχή. Το μοντέλο, για την ανάλυση της περιοχής FIMAC βασίστηκε στην περιοχή της πρωτεΐνης φολιστατίνη (follistatin, FS) FD (follistatin Domain), η οποία αναλύθηκε πρόσφατα κρυσταλλογραφικά και με την οποία εμφανίζει ομοιότητα στην αλληλουχία της. Η δομή FD αποτελεί ένα υβρίδιο μιας αμινοτελικής περιοχής EGF (Epidermal Growth Factor) και μίας καρβοξυτελικής περιοχής του ωοβλεννοειδούς (ovomucoid) που ομοιάζουν με τις πρωτεϊνικές περιοχές KAZAL και συναντώνται σε πολλούς αναστολείς σερινικών πρωτεασών. Η περιοχή FD περιέχεται, επίσης, στην πρωτεΐνη αγκρίνη (agrin, AGRN) που αποτελεί συστατικό της βασικής μεμβράνης και παίζει σημαντικό ρόλο στην νευρομυϊκή σύναψη. Η μελέτη των πρωτεϊνικών περιοχών FIMAC και KAZAL αναφορικά με την λειτουργία, την δομή και την εξέλιξή τους αποτέλεσε το αντικείμενο της παρούσας εργασίας. Για την εκπόνηση αυτής της μελέτης χρησιμοποιήθηκαν δεδομένα από βάσεις βιολογικών δεδομένων και εργαλεία βιοπληροφορικής ανάλυσης. Πρωτογενές υλικό της μελέτης αποτέλεσαν οι νουκλεοτιδικές και αμινοξικές αλληλουχίες των γονιδίων C6, C7, CFI, AGRN και FS σε όλους τους οργανισμούς που βρέθηκαν (σπονδυλωτά και ασπόνδυλα), και πιο συγκεκριμένα οι αλληλουχίες που αντιστοιχούν στις πρωτεϊνικές περιοχές FIMAC και KAZAL. Οι πρωτοταγείς δομές των FIMAC ( ̴ 78αα) και KAZAL ( ̴ 55αα) διαφέρουν ως προς το μήκος τους, με μερικές εξαιρέσεις που αφορούν περιοχές KAZAL των πρωτεϊνών AGRN και FS (>80αα). Οι δευτεροταγείς δομές των FIMAC και KAZAL παρουσιάζουν μεγάλη ομοιότητα, φέροντας δομές α – έλικας και β – πτυχωτής επιφάνειας στην αλληλουχία τους. Τέλος, τα μοντέλα προσομοίωσης τριτοταγούς δομής και των δύο περιοχών FIMAC και KAZAL οπτικοποιούν τη διαμόρφωση των δομών της α – έλικας και των β – πτυχωτών επιφανειών στον χώρο. Αξιοσημείωτη είναι η παρουσία σημαντικού αριθμού κυστεϊνικών καταλοίπων στις αλληλουχίες των περιοχών FIMAC (8 – 10 Cys), με μεγαλύτερη συγκέντρωση στο αμινοτελικό άκρο, και KAZAL (4 – 6 Cys) με ομοιόμορφη κατανομή. Εξελικτικά, η εμφάνιση γονιδίων που συμμετέχουν και στις τρεις οδούς ενεργοποίησης του συμπληρώματος και καταλήγουν στη διαμόρφωση του συμπλόκου MAC συνοδεύεται με την εμφάνιση των χονδριχθύων. Πιο συγκεκριμένα, όσον αφορά τα γονίδια του συμπληρώματος που περιλαμβάνουν τις περιοχές FIMAC και KAZAL, ο CFI πρωτοεμφανίζεται στα άγναθα, το C6 στους χονδριχθείς και το C7 στους οστεϊχθείς. Η παρουσία των γονιδίων AGRN και FS έχει πιστοποιηθεί νωρίτερα εξελικτικά στο στάδιο των κεφαλοχορδωτών καθώς και στους πλατυέλμινθες των πρωτοστομίων. Έτσι, φαίνεται ότι η περιοχή KAZAL στις πρωτεΐνες AGRN και FS στα ασπόνδυλα αποτελεί προγονική περιοχή όλων των FIMAC και KAZAL που υπάρχουν σήμερα. Ωστόσο, νέες πρωτεϊνικές περιοχές KAZAL εμφανίστηκαν και αργότερα κατά την εξέλιξη των ειδών. Η συντηρητικότητα και των δύο περιοχών FIMAC και KAZAL στο επίπεδο της γονιδιακής τους κληρονόμησης είναι μεγάλη. Όλα τα intron phases των εξονίων που κωδικοποιούν τις περιοχές KAZAL και FIMAC σε όλα τα γονίδια όπου συναντώνται είναι 1, εκτός από τα αντίστοιχα εξόνια για την περιοχή FIMAC της γραμμικής θέσης 1 στις πρωτεΐνες C6 και C7 (intron phase 2), που φαίνεται να είναι εξελικτικά μεταγενέστερες περιοχές, και δημιουργήθηκαν με διπλασιασμό εξονίου, σε μεταγενέστερα εξελικτικά στάδια. / The complement system is a key component of the innate immune system and links the innate and adaptive immunity. It consists of more than 35 soluble and membrane proteins that initially are found as inactivated proenzymes and they can be activated by a proteolytic cascade. All three pathways that activate the complement leads to the formation of a Membrane Attack Complex (MAC) that lyses the pathogenic microorganisms. Proteins that participate in the formation of MAC, belongs to the MACPF (MAC – Perforin) family. The FIMAC (Factor I Membrane Attack Complex) module plays significant role in the function of MACPF proteins. The Complement proteins 6 (C6) and 7 (C7) that are components of the MAC, include the FIMAC module in their sequences and it seems that this module is their binding region with C345C of C5b. Moreover, the FIMAC module exists in Complement Factor I (CFI), which is a serine protease (SP) and degrades C4b and C3b molecules. The carboxyl - terminal of FIMAC module binds allosteric with the SP region in CFI and seems to be important for the function of CFI as a serine protease. The model for the analysis of FIMAC module was based in Follistatin Domain (FD) of follistatin (FS) protein, which has been analyzed by crystallography. FIMAC and FD modules seem to have homologous sequences. The FD structure is a hybrid of an amino – terminal EGF (Epidermal Growth Factor) subdomain and of a carboxyl – terminal similar to ovomucoid subdomain, which is called KAZAL and is present in many serine protease inhibitors. The FD module is also present in the Agrin (AGRN) protein. AGRN is an extracellular matrix molecule released by the nerve and is critical for the formation of the neuromuscular junction. The subject of this work was the study of FIMAC and KAZAL modules concerning their function, structure and evolution. There were used data from biological databases and bioinformatic tools for analysis. The nucleotide and amino acid sequences of C6, C7, CFI, AGRN and FS genes from the organisms that were found (vertebrates and invertebrates), and more specific, FIMAC and KAZAL sequences, were the primary material of this study. There are differences in the length of the primary structures of FIMAC ( ̴ 78aa) and KAZAL ( ̴ 55aa) modules, except for some KAZAL modules of AGRN and FS proteins (>80aa). The secondary structures of FIMAC and KAZAL modules seem to be similar as both of them contain α-helix and β-sheet conformations. Simulation models of tertiary structure of both FIMAC and KAZAL modules revealed a common conformation of α-helix and β-sheet in space. The presence of cysteine residues are very conserved and seem to be important in FIMAC (8 – 10 Cys) and KAZAL (4 – 6 Cys) modules, although the concentration of cysteine residues in FIMAC modules are denser in amino – terminal region compared with their corresponding concentration in KAZALs, where they follow an equable distribution. Evolutionary, the genes that participate in all three pathways of complement activation and result in MAC formation, first appeared on chondrichthyes. Moreover, FIMAC and KAZAL modules included in CFI sequence found firstly on agnatha, on chondrichthyes in C6 sequences and on osteichthyes in C7 sequences. The presence of AGRN and FS genes were certified earlier in evolution on cephalochordates and platyelminthes of protostomes. As a result, it seems that the KAZAL modules of AGRN and FS proteins in invertebrates are the ancestors of all FIMAC and KAZAL modules. Nevertheless, new KAZAL modules appeared later during evolution of species. At the genomic level, exons corresponding to the FIMAC and KAZAL modules are highly conserved in different taxa. Intron phases of all exons corresponding to the FIMAC and KAZAL modules in all genes are 1, except for exons of FIMAC modules in first position of C6 and C7 genes (phase 2) that seem to be evolutionary posterior and were emerged by exon duplication, later in evolution.

Συμπλήρωμα

Αγκρίνη

Φολιστατίνη

616.079 97

Factor I Membrane Attack Complex (FIMAC)

KAZAL

CFI

C6

C7

Seismic Shift

Vice President Research, Office of the

12 1900

Saving lives, securing critical infrastructure and avoiding business interruptions during earthquakes: Terje Haukaas looks to shift the future towards performance-based engineering.

Terje Haukaas

civil engineering

computer simulation

earthquake

Ken Elwood

Canada Foundation for Innovation

CFI

Rozšíření generického ladicího nástroje v projektu Lissom / Extension of Generic Debugger of the Lissom Project

Hons, Petr

January 2014

This thesis deals with an introduction to debugging and debuggers. The thesis describes principles of the debugging information, especially the DWARF format and its Call Frame Information (CFI), that enables a debugger to visualize the call stack. Furthermore, extensions of the debugger used in the Lissom project were designed and implemented. These extensions added support for call stack visualization, history value storage and step return and step over commands.

Usage of Dynamic Analysis to Strengthen Control-Flow Analysis

Priyam Biswas (9761951)

14 December 2020

<div>System programming languages such as C and C++ are ubiquitously used for systems software such as browsers and servers due to their flexibility and high performance. However, this flexibility comes with a price of lack of memory and type safety.</div><div><br></div><div>Control-Flow Hijacking (CFH), by taking advantage of the inherent lack of memory and type safety, has become one of the most common attack vectors against C/C++ programs. In such attacks, an attacker attempts to divert the normal control flow of the program to an attacker-controlled location. The most prominent defense against these kind of attacks is Control-Flow Integrity (CFI), which restricts the attack surface by limiting the set of possible targets for each indirect control-flow transfer. However, current analyses for the CFI target sets are highly conservative. Due to the ambiguity and imprecision in the analyses, CFI restricts adversaries to an over-approximation of the possible targets of individual indirect call sites. State-of-the-art CFI approaches fail to protect against special attack classes such as over-writing variadic function arguments. Furthermore, mitigation of control-flow attacks is not explored to its full potential in the context of language boundaries in current literature. Hence, we need effective solution to improve the precision of the CFI approaches as well as strong protection mechanisms against commonly abused corner cases.</div><div><br></div><div>We leverage the effectiveness of dynamic analysis in deriving a new approach to efficiently mitigate control-flow hijacking attacks. We present Ancile, a novel mechanism to improve the precision of the CFI mechanism by debloating any extraneous targets from the indirect control-flow transfers. We replaced the traditional static analysis approach for target discovery with seed demonstrated fuzzing. We have evaluated the effectiveness of our proposed mechanism with standard SPEC CPU benchmarks and other popular C and C++ applications.</div><div><br></div><div>To ensure complete security of C and C++ programs, we need to shield commonly exploited corners of C/C++ such as variadic functions. We performed extensive case studies to show the prevalence of such functions and their exploits. We also developed a sanitizer, HexVASAN, to effectively type-check and prevent any attack via variadic functions. CFH attacks, by abusing the difference of managed languages and their underlying system languages, are very frequent in client and server side programs. In order to safe-guard the control-flows in language boundaries, we propose a new mechanism, FitJit, to enforce type integrity. Finally, to understand the effectiveness of the dynamic analysis, we present Artemis, a comprehensive study of binary analysis on real world applications.</div>

Computer System Security

Dynamic Analysis

CFI

control-flow integrity

control-flow hijacking

Static Analysis

Variadic function

Evaluation of Crossover Displaced Left-turn (XDL) Intersections and Real-time Signal Control Strategies with Artificial Intelligence Techniques

Jagannathan, Ramanujan

12 October 2004

Although concepts of the XDL intersection or CFI (Continuous Flow Intersection) have been around for approximately four decades, users do not yet have a simplified procedure to evaluate its traffic performance and compare it with a conventional intersection. Several studies have shown qualitative and quantitative benefits of the XDL intersection without providing accessible tools for traffic engineers and planners to estimate average control delays, and queues. Modeling was conducted on typical geometries over a wide distribution of traffic flow conditions for three different design configurations or cases using VISSIM simulations with pre-timed signal settings. Some comparisons with similar conventional designs show considerable savings in average control delay, and average queue length and increase in intersection capacity. The statistical models provide an accessible tool for a practitioner to assess average delay and average queue length for three types of XDL intersections. Pre-timed signal controller settings are provided for each of the five intersections of the XDL network. In this research, a "real-time" traffic signal control strategy is developed using genetic algorithms and neural networks to provide near-optimal traffic performance for XDL intersections. Knowing the traffic arrival pattern at an intersection in advance, it is possible to come up with the best signal control strategy for the respective scenario. Hypothetical cases of traffic arrival patterns are generated and genetic algorithms are used to come up with near-optimal signal control strategy for the respective cases. The neural network controller is then trained and tested using pairs of hypothetical traffic scenarios and corresponding signal control strategies. The developed neural network controller produces near-optimal traffic signal control strategy in "real-time" for all varieties of traffic arrival patterns. / Master of Science

Genetic Algorithms

CFI

XDL

Neural Networks

Continuous Flow Intersections

Real-time Signal Control