Resilient Cooperative Control of Cyber-Physical Systems: Enhancing Robustness Against Significant Time Delays and Denial-of-Service Attacks

Babu Venkateswaran, Deepalakshmi

01 January 2024

A cyber-physical control system (CPS) typically consists of a set of physical subsystems, their remote terminal units, a central control center (if applicable), and local communication networks that interconnect all the components to achieve a common goal. Applications include energy systems, autonomous vehicles, and collaborative robots. Ensuring stability, performance, and resilience in CPS requires thorough analysis and control design, utilizing robust algorithms to handle delays, communication failures, and potential cyber-attacks. Time delays are a challenge in CPS, particularly in teleoperation systems, where human operators remotely control robotic systems. These delays cause chattering, oscillations, and instability, making it difficult to achieve smooth and stable remote robot control. Applications like remote surgery, space exploration, and hazardous environment operations are highly susceptible to these disruptions. To address this issue, a novel passivity-shortage framework is proposed, that enables systems to maintain stability and transparency despite time-varying communication delays and environmental disturbances. CPS are prone to attacks, particularly Denial-of-Service (DoS) attacks, which disrupt the normal functioning of a network by overwhelming it with excessive internet traffic, rendering the communication channels unavailable to legitimate users. These attacks threaten the stability and functionality of CPS. To enhance resilience in multi-agent systems, novel distributed algorithms are proposed. These graph theory-based algorithms mitigate network vulnerabilities by incorporating strategically placed additional communication channels, thereby increasing tolerance to attacks in large, dynamic networks. The effectiveness of these proposed approaches is validated through simulations, experiments, and numerical examples. The passivity-shortage teleoperation strategies are tested using Phantom Omni devices and they show reduced chattering and better steady-state error convergence. A case study demonstrates how the proposed distributed algorithms effectively achieve consensus, even when some agents are disconnected from the network due to DoS attacks.

Control Systems Design

Resilient Control

Teleoperation Stability

Time-Delay

Denial of Service Attacks

Multi-Agent Systems

Nouvelles Contre-Mesures pour la Protection de Circuits Intégrés / New Protection Strategies for Integrated Circuits

Cioranesco, Jean-Michel

18 December 2014

Les domaines d'application de la cryptographie embarquée sont très divers et se retrouvent au croisement de toutes les applications personnelles, avec un besoin évident de confidentialité des données et également de sécurité d'accès des moyens de paiement. Les attaques matérielles invasives ont fait de tous temps partie de l'environnement industriel. L'objectif de cette thèse est de proposer de nouvelles solutions pour protéger les circuits intégrés contre ces attaques physiques. La première partie décrit les notions d'attaques par canaux cachés, d'attaques invasives et de retro-conception. Plusieurs exemples de ces types d'attaques ont pu être mis en œuvre pendant le travail de recherche de cette thèse, ils sont présentés en détail dans cette partie. La deuxième partie est consacrée à des propositions de différentes contre-mesures pour contrer des attaques par canaux cachés ayant pour vecteur la consommation de courant. La troisième partie est dédiée à la protection contre les attaques invasives en utilisant divers types de boucliers et capteurs. Nous conclurons ce manuscrit de thèse par la proposition d'un bouclier actif cryptographique inviolable ayant pour but premier de contrer Je sondage, mais aussi celui de détecter l'injection de fautes et d'être immunisé contre les analyses par consommation de courant. / Embedded security applications are diverse and at the center of all personal embedded applications. They introduced an obvious need for data confidentiality and security in general. Invasive attacks on hardware have always been part of the industrial scene. The aim of this thesis is to propose new solutions in order to protect embedded circuits against some physical attacks described above. ln a first part of the manuscript, we detail the techniques used to achieve side-channel, invasive attacks and reverse engineering. I could implement several of these attacks during my thesis research, they will be detailed extensively. ln the second part we propose different hardware countermeasures against side-channel attacks. The third part is dedicated to protection strategies against invasive attacks using active shielding and we conclude this work by proposing an innovative cryptographic shield which is faulty and dpa resistant.

Attaques par canaux cachés

Attaques invasives

Analyse par consommation de courant

Circuit intégré

Bouclier actif

Émanations électromagnétiques

Chiffrement sécurisé

Sécurité embarquée

Side-channel attacks

Invasive attacks

Differential power analysis

Integrated circuit

Active shield

Embedded security

Cryptography

Fault attack

652.8

Design, Implementation and Cryptanalysis of Modern Symmetric Ciphers

Henricksen, Matthew

January 2005

The main objective of this thesis is to examine the trade-offs between security and efficiency within symmetric ciphers. This includes the influence that block ciphers have on the new generation of word-based stream ciphers. By incorporating block-cipher like components into their designs, word-based stream ciphers have experienced hundreds-fold improvement in speed over bit-based stream ciphers, without any observable security degradation. The thesis also emphasizes the importance of keying issues in block and stream ciphers, showing that by reusing components of the principal cipher algorithm in the keying algorithm, security can be enhanced without loss of key-agility or expanding footprint in software memory. Firstly, modern block ciphers from four recent cipher competitions are surveyed and categorized according to criteria that includes the high-level structure of the block cipher, the method in which non-linearity is instilled into each round, and the strength of the key schedule. In assessing the last criterion, a classification by Carter [45] is adopted and modified to improve its consistency. The classification is used to demonstrate that the key schedule of the Advanced Encryption Standard (AES) [62] is surprisingly flimsy for a national standard. The claim is supported with statistical evidence that shows the key schedule suffers from bit leakage and lacks sufficient diffusion. The thesis contains a replacement key schedule that reuses components from the cipher algorithm, leveraging existing analysis to improve security, and reducing the cipher's implementation footprint while maintaining key agility. The key schedule is analyzed from the perspective of an efficiency-security tradeoff, showing that the new schedule rectifies an imbalance towards e±ciency present in the original. The thesis contains a discussion of the evolution of stream ciphers, focusing on the migration from bit-based to word-based stream ciphers, from which follows a commensurate improvement in design flexibility and software performance. It examines the influence that block ciphers, and in particular the AES, have had upon the development of word-based stream ciphers. The thesis includes a concise literature review of recent styles of cryptanalytic attack upon stream ciphers. Also, claims are refuted that one prominent word-based stream cipher, RC4, suffers from a bias in the first byte of each keystream. The thesis presents a divide and conquer attack against Alpha1, an irregularly clocked bit-based stream cipher with a 128-bit state. The dominating aspect of the divide and conquer attack is a correlation attack on the longest register. The internal state of the remaining registers is determined by utilizing biases in the clocking taps and launching a guess and determine attack. The overall complexity of the attack is 261 operations with text requirements of 35,000 bits and memory requirements of 2 29.8 bits. MUGI is a 64-bit word-based cipher with a large Non-linear Feedback Shift Register (NLFSR) and an additional non-linear state. In standard benchmarks, MUGI appears to su®er from poor key agility because it is implemented on an architecture for which it is not designed, and because its NLFSR is too large relative to the size of its master key. An unusual feature of its key initialization algorithm is described. A variant of MUGI, entitled MUGI-M, is proposed to enhance key agility, ostensibly without any loss of security. The thesis presents a new word-based stream cipher called Dragon. This cipher uses a large internal NLFSR in conjunction with a non-linear filter to produce 64 bits of keystream in one round. The non-linear filter looks very much like the round function of a typical modern block cipher. Dragon has a native word size of 32 bits, and uses very simple operations, including addition, exclusive-or and s-boxes. Together these ensure high performance on modern day processors such as the Intel Pentium family. Finally, a set of guidelines is provided for designing and implementing symmetric ciphers on modern processors, using the Intel Pentium 4 as a case study. Particular attention is given to understanding the architecture of the processor, including features such as its register set and size, the throughput and latencies of its instruction set, and the memory layouts and speeds. General optimization rules are given, including how to choose fast primitives for use within the cipher. The thesis describes design decisions that were made for the Dragon cipher with respect to implementation on the Intel Pentium 4. Block Ciphers, Word-based Stream Ciphers, Cipher Design, Cipher Implementa- tion, -

Block Ciphers

Word-based Stream Ciphers

Cipher Design

Cipher Implementation

Cryptanalysis

Key Schedule Classifcation

Key Agility

Advanced Encryption Standard

RC4

Alpha1

MUGI

Dragon

Correlation Attacks

Divide and Conquer Attacks

Intel Pentium 4

Malware Analysis using Profile Hidden Markov Models and Intrusion Detection in a Stream Learning Setting

Saradha, R

January 2014

In the last decade, a lot of machine learning and data mining based approaches have been used in the areas of intrusion detection, malware detection and classification and also traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult with the code obfuscation methods and code packing employed when writing the malware. The behavior-based analysis techniques are being used in large malware analysis systems because of this reason. In prior art, a number of clustering and classification techniques have been used to classify the malwares into families and to also identify new malware families, from the behavior reports. In this thesis, we have analysed in detail about the use of Profile Hidden Markov models for the problem of malware classification and clustering. The advantage of building accurate models with limited examples is very helpful in early detection and modeling of malware families. The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning for identifying attacks and normal traffic. It substantiates the suitability of incremental learning setting(or stream based learning setting) for the problem of learning attack patterns in IDS, when large volume of data arrive in a stream. Related to the above problem, an elaborate survey of the IDS that use data mining and machine learning was done. Experimental evaluation and comparison show that in terms of speed and accuracy, the stream based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different problems in security is elucidated in conclusion.

Malware (Malicious Software)

Malware, Cyber Attacks

Malware Analysis

Profile Hidden Markov Models

Intrusion Detection Systems

Data Mining

Malware Classification and Clustering

Machine Learning

Malware Detection

Cyber Attacks

Stream-based Learning

Polymorphic Malware Detection

Huffman Encoding

Stream Algorithms

Computer Science

Imperfections and self testing in prepare-and-measure quantum key distribution

Woodhead, Erik

10 December 2014

Quantum key distribution (QKD) protocols are intended to allow cryptographic keys to be generated and distributed in way that is provably secure based on inherent limitations, such as the no-cloning principle, imposed by quantum mechanics. This unique advantage compared with classical cryptography comes with an added difficulty: key bits in QKD protocols are encoded in analogue quantum states and their preparation is consequently subject to the usual imprecisions inevitable in any real world experiment. The negative impact of such imprecisions is illustrated for the BB84 QKD protocol. Following this, the main part of this thesis is concerned with the incorporation of such imprecisions in security proofs of the BB84 and two semi-device-independent protocols against the class of collective attacks. On a technical level, by contrast with the vast majority of security proofs developed since the turn of the century, in which recasting the protocol into an equivalent entanglement-based form features heavily in the analysis, the main results obtained here are approached directly from the prepare-and-measure perspective and in particular the connection with the no-cloning theorem and an early security proof by Fuchs et al. against the class of individual attacks is emphasised.<p><p>This thesis also summarises, as an appendix, a separate project which introduces and defines a hierarchy of polytopes intermediate between the local and no-signalling polytopes from the field of Bell nonlocality. / Doctorat en Sciences / info:eu-repo/semantics/nonPublished

Physique

Sciences exactes et naturelles

Quantum theory

Quantum optics

Théorie quantique

Optique quantique

QKD

practical QKD

device-independent

semi-device-independent

individual attacks

collective attacks

BB84

quantum key distribution

Bennett-Brassard

Side-channel and fault analysis in the presence of countermeasures : tools, theory, and practice / Canaux cachés et attaques par injection de fautes en présence de contre-mesures : outils, théorie et pratique

Korkikian, Roman

27 October 2016

Dans cette thèse nous développons et améliorons des attaques de systèmes cryptographiques. Un nouvel algorithme de décomposition de signal appelé transformation de Hilbert-Huang a été adapté pour améliorer l’efficacité des attaques parcanaux auxiliaires. Cette technique permet de contrecarrer certaines contre-mesures telles que la permutation d’opérations ou l’ajout de bruit à la consommation de courant. La seconde contribution de ce travail est l’application de certaines distributions statistiques de poids de Hamming à l’attaque d’algorithmes de chiffrement par bloc tels que AES, DES ou LED. Ces distributions sont distinctes pour chaque valeur de sous-clef permettent donc de les utiliser comme modèles intrinsèques. Les poids de Hamming peuvent être découverts par des analyses de canaux auxiliaires sans que les clairs ni les chiffrés ne soient accessibles. Cette thèse montre que certaines contremesures peuvent parfois faciliter des attaques. Les contre-mesures contagieuses proposées pour RSA protègent contre les attaques par faute mais ce faisant et moyennant des calculs additionnels facilitent la découverte de la clef. Finalement, des contre-mesures à faible complexité calculatoire sont proposées. Elles sont basées sur le masquage antagoniste, c’est-à-dire, l’exécution d’une opération d’équilibrage sur des données sensibles pour masquer la consommation de courant. / The goal of the thesis is to develop and improve methods for defeating protected cryptosystems. A new signal decompositionalgorithm, called Hilbert Huang Transform, was adapted to increase the efficiency of side-channel attacks. This technique attempts to overcome hiding countermeasures, such as operation shuffling or the adding of noise to the power consumption. The second contribution of this work is the application of specific Hamming weight distributions of block cipher algorithms, including AES, DES, and LED. These distributions are distinct for each subkey value, thus they serve as intrinsic templates. Hamming weight data can be revealed by side-channel and fault attacks without plaintext and ciphertext. Therefore these distributions can be applied against implementations where plaintext and ciphertext are inaccessible. This thesis shows that some countermeasures serve for attacks. Certain infective RSA countermeasures should protect against single fault injection. However, additional computations facilitate key discovery. Finally, several lightweight countermeasures are proposed. The proposed countermeasures are based on the antagonist masking, which is an operation occurring when targeting data processing, to intelligently mask the overall power consumption.

Attaques par canaux auxiliaires

Attaques par fautes

Cryptographie

Systèmes embarqués

Contremesures

Transformation de Hilbert-Huang

Statistiques

Side-Channel attacks

Fault attacks

Cryptography

Embedded systems

Countermeasures

Hilbert-Huang transform

Hamming weight probability distribution

Statistics

004

Security analysis for pseudo-random number generators / Analyse de sécurité pour les générateurs de nombre pseudo-aléatoires

Ruhault, Sylvain

30 June 2015

La génération d’aléa joue un rôle fondamental en cryptographie et en sécurité. Des nombres aléatoires sont nécessaires pour la production de clés cryptographiques ou de vecteurs d’initialisation et permettent également d’assurer que des protocoles d’échange de clé atteignent un niveau de sécurité satisfaisant. Dans la pratique, les bits aléatoires sont générés par un processus de génération de nombre dit pseudo-aléatoire, et dans ce cas, la sécurité finale du système dépend de manière cruciale de la qualité des bits produits par le générateur. Malgré cela, les générateurs utilisés en pratique ne disposent pas ou peu d’analyse de sécurité permettant aux utilisateurs de connaître exactement leur niveau de fiabilité. Nous fournissons dans cette thèse des modèles de sécurité pour cette analyse et nous proposons des constructions prouvées sûres et efficaces qui répondront à des besoins de sécurité forts. Nous proposons notamment une nouvelle notion de robustesse et nous étendons cette propriété afin d’adresser les attaques sur la mémoire et les attaques par canaux cachés. Sur le plan pratique, nous effectuons une analyse de sécurité des générateurs utilisés dans la pratique, fournis de manière native dans les systèmes d’exploitation (/dev/random sur Linux) et dans les librairies cryptographiques (OpenSSL ou Java SecureRandom) et nous montrons que ces générateurs contiennent des vulnérabilités potentielles. / In cryptography, randomness plays an important role in multiple applications. It is required in fundamental tasks such as key generation and initialization vectors generation or in key exchange. The security of these cryptographic algorithms and protocols relies on a source of unbiased and uniform distributed random bits. Cryptography practitioners usually assume that parties have access to perfect randomness. However, quite often this assumption is not realizable in practice and random bits are generated by a Pseudo-Random Number Generator. When this is done, the security of the scheme depends of course in a crucial way on the quality of the (pseudo-)randomness generated. However, only few generators used in practice have been analyzed and therefore practitioners and end users cannot easily assess their real security level. We provide in this thesis security models for the assessment of pseudo-random number generators and we propose secure constructions. In particular, we propose a new definition of robustness and we extend it to capture memory attacks and side-channel attacks. On a practical side, we provide a security assessment of generators used in practice, embedded in system kernel (Linux /dev/random) and cryptographic libraries (OpenSSL and Java SecureRandom), and we prove that these generators contain potential vulnerabilities.

Modèles de sécurité

Robustesse

Attaques contre la mémoire

Attaques par canaux cachés

Linux /dev/random

OpenSSL

Java SecureRandom

Pseudo-random number generators

Security models

Robustness

Memory attacks

Side-channel attacks

Linux /dev/random

OpenSSL

Java SecureRandom

005.8

A framework for higher academic institutions in the republic of South Africa to mitigate network security threats and attacks.

Mohapi, Matrinta Josephine

06 1900

M. Tech. (Department of Information and Communication Technology, Faculty of Applied and Computer Sciences), Vaal University of Technology. / The computer networks of higher academic institutions play a significant role in the academic lives of students and staff in terms of offering them an environment for teaching and learning. These institutions have introduced several educational benefits such as the use of digital libraries, cluster computing, and support for distance learning. As a result, the use of networking technologies has improved the ability of students to acquire knowledge, thereby providing a supportive environment for teaching and learning. However, academic networks are constantly being attacked by viruses, worms, and the intent of malicious users to compromise perceived secured systems. Network security threats and cyber-attacks are significant challenges faced by higher academic institutions that may cause a negative impact on systems and Information and Communications Technology (ICT) resources. For example, the infiltration of viruses and worms into academic networks can destroy or corrupt data and by causing excessive network traffic, massive delays may be experienced. This weakens the ability of the institution to function properly, and results in prolonged downtime and the unavailability of Information Technology (IT) services. This research determines challenges faced by higher academic institutions, identifies the type of security measures used at higher academic institutions, and how network security could be addressed and improved to protect against network security threats and attacks. Two research approaches were adopted, namely a survey and an experiment. Survey questionnaires were distributed to IT technical staff at higher academic institutions in Gauteng province to determine the challenges they face in terms of securing their networks. It is crucial that network security takes on a prominent role when managing higher academic institutions‘ networks. The results of the study reveal several challenges such as budget constraints, inadequate security measures, lack of enforcing network security policies, and lack of penetration testing on systems and the network. The results also reveal that the implementation of security measures can and does address network security threats and attacks. It is therefore extremely important for higher academic institutions to implement proper security measures to help mitigate network security threats and attacks. The framework proposed is based on the results from the research study to help mitigate network security threats and attacks at higher academic institutions.

Academic networks

Cyber-attacks

Higher academic institutions

Network

Network security attacks

Network security threats

Vulnerabilities

Dissertations, Academic -- South Africa

Computer networks -- Security measures

Computer security

Cyberspace -- Security measures

Computer crimes -- Prevention

Web-based prototype for protecting controllers from existing cyber-attacks in an industrial control system / Webbaserad prototyp för att skydda styrsystem från förekommande cyberattacker i ett industriellt kontrollsystem

Sanyang, Pa

January 2020

Industrial control system or ICS is a critical part of the infrastructure in society. An example of ICS is the rail networks or energy plants like the nuclear plant. SCADA is an ICS system following a hierarchical structure. Due to the fact that a control system can be very large, monitoring remote through networks is an effective way to do so. But because of digitalization ICS or SCADA systems are vulnerable to cyber attacks that can hijack or intercept network traffic or deny legitimate user services. SCADA protocols (e.g. Modbus, DNP3) that are prone to get attacks due to not being a secure protocol make a SCADA system even more vulnerable to attacks. The paper focuses on how to best protect the network traffic between an HMI as the client and a different controller as the server from attacks. The proposed solution, the prototype, is based on the reverse proxy server setup to protect controllers from the external network traffic. Only the reverse proxy server, or gateway server, can forward a client request to the intended controller. The gateway server, a web-based solution, will be the additional security layer that encrypts the payload in the application layer using TLS version 1.2 by using HTTPS protocol, thereby protect from usual security threats. The prototype went through a penetration testing of MITM (Based on ARP-poisoning), SYN flooding, slow HTTP POST attacks. And the result indicated that the prototype was vulnerable to SYN flooding and the network traffic was intercepted by the MITM. But from the Confidentiality-Integrity-Availability (C.I.A) criteria, the prototype did uphold the integrity and confidentiality due to the TLS security and successful mitigation of certain attacks. The results and suggestions on how to improve the gateway server security were discussed, including that the testing was not comprehensive but that the result is still valuable. In conclusion, more testing in the future would most likely showcase different results, but that will only mean to better the security of the gateway server, the network that the client and gateway server runs in and the physical security of the location where the client and gateway server is located. / Industrial Control System (ICS, sve. Industriella Kontrollsystem) är en kritisk del av infrastrukturen i samhället. Ett exempel på ICS är järnvägsnät eller energianläggningar som kärnkraftverket. SCADA är ett ICS-system som följer en hierarkisk struktur. Eftersom ett kontrollsystem kan täcka stora ytor är fjärrövervakning och fjärrstyrning via nätverk ett effektivt sätt att göra det på. Men på grund av digitalisering är ICS- eller SCADA-system sårbara för cyberattacker som kan kapa nätverkstrafik eller förneka legitima användare från att nå vissa tjänster. SCADA-protokoll (t.ex. Modbus, DNP3) som är benägna att få attacker på grund av att de inte är ett säkert protokoll gör SCADA-system ännu mer sårbart för attacker. Uppsatsen fokuserar huvudsakligen på hur man bäst skyddar nätverkstrafiken mellan en HMI som klient och en annan controller som servern från attacker. Den föreslagna lösningen, prototypen, är baserad på hur en reverse proxy server är uppsatt för att skydda styrenheter från den externa nätverkstrafiken. Endast reverse proxy servern eller gateway-servern kan vidarebefordra en begäran från en klient till den avsedda styrenheten. Gateway-servern, en webbaserad lösning, kommer att vara det extra säkerhetslagret som krypterar nyttolasten (eng. payload) i applikationslagret med TLS version 1.2 med hjä lp av protokollet HTTPS, och därmed skyddar mot de mest förekommande säkerhetshot som vill se och påverka skyddad information. Prototypen genomgick en penetrationstestning av MITM (Baserat på ARP-poisoning), SYN-flooding, slow HTTP POST-attacker. Och resultatet indikerade att prototypen var sårbar för SYN-flooding och nätverkstrafiken avlyssnades genom MITM. Men baserad på kriterierna för C.I.A (sve. Konfidentialitet, Integritet och Tillgänglighet) upprätthöllprototypen integriteten och konfidentialiteten på grund av säkerhetsprotokollen TLSv1.2 och framgångsrika minskningar av vissa attacker. Resultaten och förslag på hur man kan förbättra prototypen diskuterades, inklusive att testningen inte var omfattande men att resultatet fortfarande är värdefullt. Sammanfattningsvis skulle fler tester i framtiden sannolikt visa ett helt annat resultat, men det kommer bara att innebära att förbättra säkerheten för gateway-servern, nätverket som klienten och gateway-servern kör i och den fysiska säkerheten för platsen där klienten och gateway-servern befinner sig inom.

ICS

SCADA

Modbus

Honeypot

Conpot

Cyber attacks

MITM

DoS

Flooding

Reverse proxy server

AWS

ICS

SCADA

Modbus

Honeypot

Conpot

Cyber attacks

MITM

DoS

Flooding

Reverse proxy server

AWS

Computer and Information Sciences

Data- och informationsvetenskap

Towards attack-tolerant trusted execution environments : Secure remote attestation in the presence of side channels

Crone, Max

January 2021

In recent years, trusted execution environments (TEEs) have seen increasing deployment in computing devices to protect security-critical software from run-time attacks and provide isolation from an untrustworthy operating system (OS). A trusted party verifies the software that runs in a TEE using remote attestation procedures. However, the publication of transient execution attacks such as Spectre and Meltdown revealed fundamental weaknesses in many TEE architectures, including Intel Software Guard Exentsions (SGX) and Arm TrustZone. These attacks can extract cryptographic secrets, thereby compromising the integrity of the remote attestation procedure. In this work, we design and develop a TEE architecture that provides remote attestation integrity protection even when confidentiality of the TEE is compromised. We use the formally verified seL4 microkernel to build the TEE, which ensures strong isolation and integrity. We offload cryptographic operations to a secure co-processor that does not share any vulnerable microarchitectural hardware units with the main processor, to protect against transient execution attacks. Our design guarantees integrity of the remote attestation procedure. It can be extended to leverage co-processors from Google and Apple, for wide-scale deployment on mobile devices. / Under de senaste åren används betrodda exekveringsmiljöer (TEE) allt mera i datorutrustning för att skydda säkerhetskritisk programvara från attacker och för att isolera dem från ett opålitligt operativsystem. En betrodd part verifierar programvaran som körs i en TEE med hjälp av fjärrattestering. Nyliga mikroarkitekturella anfall, t.ex. Spectre och Meltdown, har dock visat grundläggande svagheter i många TEE-arkitekturer, inklusive Intel SGX och Arm TrustZone. Dessa attacker kan avslöja kryptografiska hemligheter och därmed äventyra integriteten av fjärrattestning. I det här arbetet utvecklar vi en arkitektur för en betrodd exekveringsmiljö (TEE) som ger integritetsskydd genom fjärrattestering även när TEE:s konfidentialitet äventyras. Vi använder den formellt verifierade seL4-mikrokärnan för att bygga TEE:n som garanterar stark isolering och integritet. För att skydda kryptografiska operationer, overför vi dem till en säker samprocessor som inte delar någon sårbar mikroarkitektur med huvudprocessorn. Vår arktektur garanterar fjärrattesteringens integritet och kan utnyttja medprocessorer från Google och Apple för att användas i stor skala på mobila enheter.

trusted execution environment

remote attestation

sel4

microkernel

arm trustzone

intel sgx

side-channels

transient execution attacks

trusted execution environment

remote attestation

sel4

microkernel

arm trustzone

intel sgx

side-channels

transient execution attacks

Computer and Information Sciences

Data- och informationsvetenskap