Ordered Merkle Tree a Versatile Data-Structure for Security Kernels

Mohanty, Somya Darsan

17 August 2013

Hidden undesired functionality is an unavoidable reality in any complex hardware or software component. Undesired functionality — deliberately introduced Trojan horses or accidentally introduced bugs — in any component of a system can be exploited by attackers to exert control over the system. This poses a serious security risk to systems — especially in the ever growing number of systems based on networks of computers. The approach adopted in this dissertation to secure systems seeks immunity from hidden functionality. Specifcally, if a minimal trusted computing base (TCB) for any system can be identifed, and if we can eliminate hidden functionality in the TCB, all desired assurances regarding the operation of the system can be guaranteed. More specifcally, the desired assurances are guaranteed even if undesired functionality may exist in every component of the system outside the TCB. A broad goal of this dissertation is to characterize the TCB for various systems as a set of functions executed by a trusted security kernel. Some constraints are deliberately imposed on the security kernel functionality to reduce the risk of hidden functionality inside the security kernel. In the security model adopted in this dissertation, any system is seen as an interconnection of subsystems, where each subsystem is associated with a security kernel. The security kernel for a subsystem performs only the bare minimal tasks required to assure the integrity of the tasks performed by the subsystem. Even while the security kernel functionality may be different for each system/subsystem, it is essential to identify reusable components of the functionality that are suitable for a wide range of systems. The contribution of the research is a versatile data-structure — Ordered Merkle Tree (OMT), which can act as the reusable component of various security kernels. The utility of OMT is illustrated by designing security kernels for subsystems participating in, 1) a remote fle storage system, 2) a generic content distribution system, 3) generic look-up servers, 4) mobile ad-hoc networks and 5) the Internet’s routing infrastructure based on the border gateway protocol (BGP).

Authenticated Data-Structures

Trustworthy Computing

Security Kernels

Trustworthy Computing Approach for Securing Ad Hoc Routing Protocols

Thotakura, Vinay

30 April 2011

Nodes taking part in mobile ad hoc networks (MANET) are expected to adhere to the rules dictated by the routing protocol employed in the subnet. Secure routing protocols attempt to reduce the ill-effect of nodes under the control of malicious entities who deliberately violate the protocol. Most secure routing protocols are reactive strategies which include elements like redundancies and cryptographic authentication to detect inconsistencies in routing data advertised by nodes, and perhaps explicit measures to react to detected inconsistencies. The approach presented in this dissertation is a proactive approach motivated by the question “what is a minimal trusted computing base for a MANET node?” Specifically, the goal of the research was to identify a small set of well-defined low-complexity functions, simple enough to be executed inside highly resource limited trusted boundaries, which can ensure that nodes will not be able to violate the protocol. In the proposed approach every node is assumed to possess a low complexity trusted MANET module (TMM). Only the TMM in a node is trusted - all other hardware and software are assumed to be untrusted or even hostile. TMMs offer a set of interfaces to the untrusted node housing the TMM, using which the node can submit data to the TMM for cryptographic verification and authentication. As other nodes will not accept packets that are not authenticated by TMMs, the untrusted node is forced to submit any data that it desires to advertise, to its TMM. TMMs will authenticate data only if the untrusted node can convince the TMM of the validity of the data. The operations performed by TMMs are to accept, verify, validate data submitted by the untrusted node, and authenticate such data to TMMs housed in other nodes. We enumerate various TMM interfaces and provide a concrete description of the functionality behind the interfaces for popular ad hoc routing protocols.

Ad hoc networks

TPMs

Trustworthy Computing

NSEC

Merkle Tree

Trustworthy Embedded Computing for Cyber-Physical Control

Lerner, Lee Wilmoth

20 February 2015

A cyber-physical controller (CPC) uses computing to control a physical process. Example CPCs can be found in self-driving automobiles, unmanned aerial vehicles, and other autonomous systems. They are also used in large-scale industrial control systems (ICSs) manufacturing and utility infrastructure. CPC operations rely on embedded systems having real-time, high-assurance interactions with physical processes. However, recent attacks like Stuxnet have demonstrated that CPC malware is not restricted to networks and general-purpose computers, rather embedded components are targeted as well. General-purpose computing and network approaches to security are failing to protect embedded controllers, which can have the direct effect of process disturbance or destruction. Moreover, as embedded systems increasingly grow in capability and find application in CPCs, embedded leaf node security is gaining priority. This work develops a root-of-trust design architecture, which provides process resilience to cyber attacks on, or from, embedded controllers: the Trustworthy Autonomic Interface Guardian Architecture (TAIGA). We define five trust requirements for building a fine-grained trusted computing component. TAIGA satisfies all requirements and addresses all classes of CPC attacks using an approach distinguished by adding resilience to the embedded controller, rather than seeking to prevent attacks from ever reaching the controller. TAIGA provides an on-chip, digital, security version of classic mechanical interlocks. This last line of defense monitors all of the communications of a controller using configurable or external hardware that is inaccessible to the controller processor. The interface controller is synthesized from C code, formally analyzed, and permits run-time checked, authenticated updates to certain system parameters but not code. TAIGA overrides any controller actions that are inconsistent with system specifications, including prediction and preemption of latent malwares attempts to disrupt system stability and safety. This material is based upon work supported by the National Science Foundation under Grant Number CNS-1222656. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. We are grateful for donations from Xilinx, Inc. and support from the Georgia Tech Research Institute. / Ph. D.

Trustworthy Computing

Secure Computing

Autonomic Computing

Cybersecurity

Embedded Systems

Cyber-Physical Systems

Process Control Systems

Optimizing Programmable Logic Design Security Strategies

Graf, Jonathan Peter

10 June 2019

A wide variety of design security strategies have been developed for programmable logic devices, but less work has been done to determine which are optimal for any given design and any given security goal. To address this, we consider not only metrics related to the performance of the design security practice, but also the likely action of an adversary given their goals. We concern ourselves principally with adversaries attempting to make use of hardware Trojans, although we also show that our work can be generalized to adversaries and defenders using any of a variety of microelectronics exploitation and defense strategies. Trojans are inserted by an adversary in order to accomplish an end. This goal must be considered and quantified in order to predict the adversary's likely action. Our work here builds upon a security economic approach that models the adversary and defender motives and goals in the context of empirically derived countermeasure efficacy metrics. The approach supports formation of a two-player strategic game to determine optimal strategy selection for both adversary and defender. A game may be played in a variety of contexts, including consideration of the entire design lifecycle or only a step in product development. As a demonstration of the practicality of this approach, we present an experiment that derives efficacy metrics from a set of countermeasures (defender strategies) when tested against a taxonomy of Trojans (adversary strategies). We further present a software framework, GameRunner, that automates not only the solution to the game but also enables mathematical and graphical exploration of "what if" scenarios in the context of the game. GameRunner can also issue "prescriptions," sets of commands that allow the defender to automate the application of the optimal defender strategy to their circuit of concern. We also present how this work can be extended to adjacent security domains. Finally, we include a discussion of future work to include additional software, a more advanced experimental framework, and the application of irrationality models to account for players who make subrational decisions. / Doctor of Philosophy / We present a security economic model that informs the optimal selection of programmable logic design security strategies. Our model accurately represents the economics and effectiveness of available design security strategies and accounts for the varieties of available exploits. Paired with game theoretic analysis, this model informs microelectronics designers and associated policy makers of optimal defensive strategies. Treating the adversary and defender as opponents in a two-player game, our security economic model tells us how either player will play if it is known in advance how their opponent plays. The additional use of game theory allows us to determine the optimal play of both players simultaneously without prior knowledge other than models of players beliefs.

Field programmable gate arrays

trust

design security

design integrity

design confidentiality

trustworthy computing

game theory