Peng Ning,Stephen E. Mclaughlin,Michael C. Grace,Ahmed M. Azab,Rohan Bhutkar,Wenbo Shen,Xun Chen,Yong Choi,Ken Chen

2016-01-01

Abstract:L'invention concerne un appareil et un procede d'un element securise isole du materiel permettant de proteger une pluralite de sous-systemes critiques de mission. Le procede consiste a : executer une operation d'actionnement recue par le biais d'un chemin non securise qui modifie l'etat d'un sous-systeme critique de mission ; executer une operation de diagnostic recue par le biais du chemin non securise qui demande les informations d'etat du sous-systeme critique de mission ; stocker les informations permettant de determiner laquelle de l'operation de diagnostic et de l'operation d'actionnement recue par le biais du chemin non securise est executee ; et flasher une image d'execution d'une unite de commande electronique lorsque l'image d'execution de l'unite de commande electronique est recue par le biais du chemin non securise.

Huafeng CHEN,Haibin SHEN,Xiaolang YAN

2008-01-01

Abstract:The design-for-testability structure based on scan-chain often compromises the security of crypto chips.A method to attack certain hardware implementation of elliptic curve cryptography was presented.And an easy but effective secure scan method against the attack was proposed,which would not compromise the security of the chip,while maintaining high fault coverage.By controlling operational mode of the chip,the disability mechanism of scan enable signal was applied.The scan function was disabled when there existed security information in the chip.It solved the problem of secure information disclosure caused by scan chain design.

Peng Ning,Stephen E. McLaughlin,Michael C. Grace,Ahmed M. Azab,Rohan Bhutkar,Wenbo Shen,Xun Chen,Yong Choi,Ken Chen

2019-01-01

Abstract:An apparatus and method of an attachment device for interfacing with an on-board diagnostic system of a vehicle is provided. The device includes an application processor configured to receive input from a terminal, control processing of the input by the on-board diagnostic system, transmit a result of the processing of the input by the on-board diagnostic system to the terminal, and a secure element interposed in the communication path between the application processor and the on-board diagnostic system, the secure element configured to filter the input of an on-board diagnostic operation that is untrusted.

Xiang Gao,Yiqiang Zhao,Haocheng Ma

DOI: https://doi.org/10.3390/s18093034

IF: 3.9

2018-01-01

Sensors

Abstract:Information system security has been in the spotlight of individuals and governments in recent years. Integrated Circuits (ICs) function as the basic element of communication and information spreading, therefore they have become an important target for attackers. From this perspective, system-level protection to keep chips from being attacked is of vital importance. This paper proposes a novel method based on a fringing electric field (FEF) sensor to detect whether chips are dismantled from a printed circuit board (PCB) as system-level protection. The proposed method overcomes the shortcomings of existing techniques that can be only used in specific fields. After detecting a chip being dismantled from PCB, some protective measures like deleting key data can be implemented to be against attacking. Fringing electric field sensors are analyzed through simulation. By optimizing sensor’s patterns, areas and geometrical parameters, the methods that maximize sensitivity of fringing electric field sensors are put forward and illustrated. The simulation is also reproduced by an experiment to ensure that the method is feasible and reliable. The results of experiments are inspiring in that they prove that the sensor can work well for protection of chips and has the advantage of universal applicability, low cost and high reliability.

Fengyuan Xu,Zhengrui Qin,Chiu Chiang Tan,Baosheng Wang,Qun Li

DOI: https://doi.org/10.1109/infcom.2011.5934987

2011-01-01

Abstract:Recent studies have revealed security vulnerabilities in implantable medical devices (IMDs). Security design for IMDs is complicated by the requirement that IMDs remain operable in an emergency when appropriate security credentials may be unavailable. In this paper, we introduce IMDGuard, a comprehensive security scheme for heart-related IMDs to fulfill this requirement. IMDGuard incorporates two techniques tailored to provide desirable protections for IMDs. One is an ECG based key establishment without prior shared secrets, and the other is an access control mechanism resilient to adversary spoofing attacks. The security and performance of IMDGuard are evaluated on our prototype implementation.

Xiang Wang,Zhun Zhang,Qiang Hao,Dongdong Xu,Jiqing Wang,Haoyu Jia,Zhiyu Zhou

DOI: https://doi.org/10.3390/mi12121450

2021-11-26

Abstract:The hardware security of embedded systems is raising more and more concerns in numerous safety-critical applications, such as in the automotive, aerospace, avionic, and railway systems. Embedded systems are gaining popularity in these safety-sensitive sectors with high performance, low power, and great reliability, which are ideal control platforms for executing instruction operation and data processing. However, modern embedded systems are still exposing many potential hardware vulnerabilities to malicious attacks, including software-level and hardware-level attacks; these can cause program execution failure and confidential data leakage. For this reason, this paper presents a novel embedded system by integrating a hardware-assisted security monitoring unit (SMU), for achieving a reinforced system-on-chip (SoC) on ensuring program execution and data processing security. This architecture design was implemented and evaluated on a Xilinx Virtex-5 FPGA development board. Based on the evaluation of the SMU hardware implementation in terms of performance overhead, security capability, and resource consumption, the experimental results indicate that the SMU does not lead to a significant speed degradation to processor while executing different benchmarks, and its average performance overhead reduces to 2.18% on typical 8-KB I/D-Caches. Security capability evaluation confirms the monitoring effectiveness of SMU against both instruction and data tampering attacks. Meanwhile, the SoC satisfies a good balance between high-security and resource overhead.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yang Xiang,Yuxia Cheng,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s10586-017-0833-4

2017-01-01

Cluster Computing

Abstract:With the rapid development of Internet of Things technology and the promotion of embedded devices’ computation performance, smart devices are probably open to security threats and attacks while connecting with rich and novel Internet. Attracting lots of attention in embedded system security community recently, Trusted Execution Environment (TEE), allows for the execution of arbitrary code within environments completely isolated from the rest of a system. However, existing memory protection methods in a TEE are inadequate. In general, the software-based formal methods are not practical and the hardware-based implementation approaches lack of theoretical proof. To address the memory isolation and protection problems in TEE, in this paper, we propose a practical memory integrity protection method on an ARM-based platform, called MIPE, to defend against security threats including kernel data attacks and direct memory access attacks. MIPE utilizes TrustZone technique to create a isolated execution environment, which can protect the sensitive code and data against attacks. To present the integrity protection strategies, we provide the design of MIPE using B method, which is a practical formal method. We also implement MIPE on the Xilinx Zynq ZC702 evaluation board. The evaluation results show that the automatic proof rate of machines using B method is about 78.32%, and the proposed method is effective and feasible in terms of both load time and overhead.

Chen Dong,Yi Xu,Ximeng Liu,Fan Zhang,Guorong He,Yuzhong Chen

DOI: https://doi.org/10.3390/s20185165

IF: 3.9

2020-01-01

Sensors

Abstract:Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

CUI Qiang,DOND Shu-rong,LIU Jun-jie,HAN Yan

DOI: https://doi.org/10.3969/j.issn.1007-4252.2008.01.036

2008-01-01

Abstract:An on -chip electrostatic discharge (ESD) protection scheme is demonstrated for an emerging technology of microelectromechanieal systems (MEMS) - based embedded sensor (ES) system - on - a - chip (SoC). The ESD protection scheme is implemented using ground - referenced muhifinger thyris- tor- type devices optimized for 1 ) the input/output (I/O) protection, 2) the power supply clamp, and 3) the internal sensors' electrodes during the micromachining process. A multiply finger layout scheme was also developed to the ESD protection level under the constraint of chip size. The ESD protection de- sign methodology was tested and verified at both the device and SoC levels, and its effectiveness and ro- bustness have been illustrated. Experimental results showed that the SoC passed a 4.1 kV Human Body Model ESD stress with no latchup induced and a very low leakage current of 10-10 A.

Zichen Zhou,Bo Yin,Renhao Fan,Tao Liu,Bin Xu,Xiang Wang

2011-01-01

Abstract:Most embedded systems present a number of software vulnerabilities, such as buffer overflow, while the physical attacks are becoming popular as well. This paper presents a series of novel architectural-enhanced security solutions. The automated compiler extracts the intrusion model for intrusion detection and secure tag of each main memory segment at the compile time automatically. At runtime, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior and trigger appropriate response mechanisms. The proposed schemes don't change the compiler or the existing instruction set and imposes no restriction to the software developer. The architectural design is implemented on an actual OR1200-FPGA platform. The experimental analysis shows that the proposed techniques can eliminate a wide range of common software and physical attacks with low performance penalties and minimal overheads.

Ronny Chevalier,Maugan Villatel,David Plaquin,Guillaume Hiet

DOI: https://doi.org/10.1145/3134600.3134622

2018-03-07

Abstract:Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 $\mu$s threshold defined by Intel).

Cryptography and Security

Shen Limin,Li Feng,Peng Siwei,Si Yali

DOI: https://doi.org/10.1109/CSIE.2009.236

2009-01-01

Abstract:A method is proposed for enhancing SCADA systems survivability using exogenous isomorphic real-time monitor and simulation monitor. The formal definition of monitors is given. The fundamental principles of attack resistance, malicious operation detection and fault prediction are introduced, which are accomplished by using cooperation between the real-time monitor and simulation monitor. The real-time monitor is responsible for monitoring the states of SCADA systems, events and control commands, estimating whether there is faults and risk in systems based on states and implementation commands of system, and creating a simulation monitor if it is necessary. The simulation monitor is responsible for simulating implementation of control command, monitoring the process of simulation, forecasting the results of control commands, and estimating whether the commands are harmful based on the results. Finally, a water treatment system is given to illustrate the feasibility and effectiveness of the method.

Abhinandan Panda,Srinivas Pinisetty,Partha Roop

DOI: https://doi.org/10.1145/3638286

2024-01-06

ACM Transactions on Embedded Computing Systems

Abstract:Wearable and implantable medical devices (IMDs) are increasingly deployed to diagnose, monitor, and provide therapy for critical medical conditions. Such medical devices are safety-critical cyber-physical systems (CPSs). These systems support wireless features introducing potential security vulnerabilities. Although these devices undergo rigorous safety certification processes, runtime security attacks are inevitable. Based on published literature, IMDs such as pacemakers and insulin infusion systems can be remotely controlled to inject deadly electric shocks and excess insulin, posing a threat to a patient’s life. While prior works based on formal methods have been proposed to detect potential attack vectors using different forms of static analysis, these have limitations in preventing attacks at runtime. This paper discusses a formal framework for detecting cyber-physical attacks on a pacemaker by monitoring its security policies at runtime. We propose a wearable device that senses the Electrocardiogram (ECG) and Photoplethysmogram (PPG) of the body to detect attacks in a pacemaker. To facilitate the design of this device, we map the security policies of a pacemaker w.r.t ECG and PPG, paving the way for designing formal verification monitors for pacemakers for the first time using multiple physiological signals. The proposed monitoring framework allows the synthesis of parallel monitors from a given set of desired security policies, where all the monitors execute concurrently and generate an alarm to the user in the case of policy violation. Our implementation and the performance evaluation results demonstrate the technical feasibility of designing such a wearable device for attack detection in pacemakers. This device is separate from the pacemaker, ensuring no need for re-certification of pacemakers. Our approach is amenable to the application of security patches when new attack vectors are detected, making the approach ideal for runtime monitoring of medical CPSs.

computer science, software engineering, hardware & architecture

Dongxu CHENG,Chi ZHANG,LIU Jianwei,LI Dawei,GUAN Zhenyu,ZHAO Wei,XU Mai,Jianwei LIU,Dawei LI,Zhenyu GUAN,Wei ZHAO,Mai XU

DOI: https://doi.org/10.1016/j.cja.2021.03.004

IF: 5.7

2021-11-01

Chinese Journal of Aeronautics

Abstract:With the wide application of electronic hardware in aircraft such as air-to-ground communication, satellite communication, positioning system and so on, aircraft hardware is facing great secure pressure. Focusing on the secure problem of aircraft hardware, this paper proposes a supervisory control architecture based on secure System-on-a-Chip (SoC) system. The proposed architecture is attack-immune and trustworthy, which can support trusted escrow application and Dynamic Integrity Measurement (DIM) without interference. This architecture is characterized by a Trusted Monitoring System (TMS) hardware isolated from the Main Processor System (MPS), a secure access channel from TMS to the running memory of the MPS, and the channel is unidirectional. Based on this architecture, the DIM program running on TMS is used to measure and call the Lightweight Measurement Agent <strong>(</strong>LMA<strong>)</strong> program running on MPS. By this method, the Operating System (OS) kernel, key software and data of the MPS can be dynamically measured without disturbance, which makes it difficult for adversaries to attack through software. Besides, this architecture has been fully verified on FPGA prototype system. Compared with the existing systems, our architecture achieves higher security and is more efficient on DIM, which can fully supervise the running of application and aircraft hardware OS.

engineering, aerospace

Monowar Hasan,Sibin Mohan

2023-04-27

Abstract:Cyber-physical systems (CPS) are vulnerable to attacks targeting outgoing actuation commands that modify their physical behaviors. The limited resources in such systems, coupled with their stringent timing constraints, often prevents the checking of every outgoing command. We present a "selective checking" mechanism that uses game-theoretic modeling to identify the right subset of commands to be checked in order to deter an adversary. This mechanism is coupled with a "delay-aware" trusted execution environment (TEE) to ensure that only verified actuation commands are ever sent to the physical system, thus maintaining their safety and integrity. The selective checking and trusted execution (SCATE) framework is implemented on an off-the-shelf ARM platform running standard embedded Linux. We demonstrate the effectiveness of SCATE using four realistic cyber-physical systems (a ground rover, a flight controller, a robotic arm and an automated syringe pump) and study design trade-offs. Not only does SCATE provide a high level of security and high performance, it also suffers from significantly lower overheads (30.48%-47.32% less) in the process. In fact, SCATE can work with more systems without negatively affecting the safety of the system. Considering that most CPS do not have any such checking mechanisms, and SCATE is guaranteed to meet all the timing requirements (i.e., ensure the safety/integrity of the system), our methods can significantly improve the security (and, hence, safety) of the system.

Cryptography and Security

genxian liu,xi zhang,dongsheng wang,zhenyu liu,haixia wang

DOI: https://doi.org/10.1007/978-3-662-43908-1_1

2014-01-01

Abstract:Security is a crucial element of information systems. Extensive research for cryptographic algorithms that provide the sound theoretical basis of security. Among them security and integrity of memory has been a longstanding issue in trusted system design. Main memory is a critical component of all computing systems. Most of those systems are vulnerable to memory attacks, in which an attacker gains physical accesses to the unattended hardware, obtains the decryption keys from memory. We propose a method for protecting memory systems against attacks with hardware authentication and full memory encryption. The method is secure against all known type of memory attack. We have tested the method with software simulator and Field Programmable Gate Array (FPGA) platform. The results show that the method can authenticate and encrypt the contents of DRAM with 2.5 % performance penalties.

Makoto Nagata,Takuji Miki,Noriyuki Miura

DOI: https://doi.org/10.1109/tvlsi.2021.3073946

2022-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Secure hardware systems are threatened by adversarial attempts on integrated circuit (IC) chips in a practical utilization environment. This article provides overviews of physical attacks on cryptographic circuits, associated vulnerabilities in an IC chip, and protection schemes in the vertical unification of systems, circuits, and packaging technologies. The design principles of on-chip monitoring circuits to sense the attackers' attempts are discussed and tested with Si demonstrators. Physical structures are explored for secure IC chips to establish protections against multimodal side-channel attacks. The backside buried metal (BBM) wirings in a Si substrate are unified with its frontside complementary metal–oxide semiconductor (CMOS) circuits to achieve avoidance, detection, and resiliency against electromagnetic and laser attacks.

engineering, electrical & electronic,computer science, hardware & architecture

Zhenliang An,Weike Wang,Wenxin Li,Senyang Li,Dexue Zhang

DOI: https://doi.org/10.3390/mi14081525

IF: 3.4

2023-07-30

Micromachines

Abstract:The growing prevalence of embedded systems in various applications has raised concerns about their vulnerability to malicious code reuse attacks. Current software-based and hardware-assisted security techniques struggle to detect or block these attacks with minor performance and implementation overhead. To address this issue, this paper presents a lightweight hardware-assisted scheme to enhance the security of embedded systems against code reuse attacks. We develop an on-chip lightweight hardware shadow stack to validate target addresses at runtime for backward-edge control flow integrity, which backs up valid return addresses during function calls and automatically verifies actual return addresses during the return phase. Additionally, we propose a lightweight stream cipher circuit that encrypts and decrypts critical stack data related to control flow manipulation, preventing attackers from analyzing or tampering with them. When designing and implementing the security mechanism for embedded systems, we fully consider the constraints of limited system resources and performance, optimizing both the architecture design and implementation of the proposed hardware. Finally, we integrate both the proposed lightweight hardware shadow stack and the runtime data encryption hardware into the OR1200 processor. We have verified the system security function on the Terasic DE1-SoC FPGA platform and evaluated the system performance as well as implementation overhead. The results show that the proposed lightweight hardware-assisted scheme can provide a dedicated defense capability against code reuse attacks for embedded systems, with an average system performance overhead of 0.39% and an area footprint of 0.316 mm2.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Mengmeng Ling,Liji Wu,Xiangyu Li,Xiangmin Zhang,Jinsong Hou,Yong Wang

DOI: https://doi.org/10.1109/CIS.2012.125

2012-01-01

Abstract:As information security chips are more widely used in the field of information security, the security of chips becomes increasingly important, which has also been a hot research field of information security. With the advances in technology, a chip-invasive method of attack which uses laser or focused ion beam (FIB) to change the chip's internal signal line, and then probe the chip's secret information with the electron microprobe, becomes a serious threat to information security chip. Such an attack makes the shielding metal wire an effective mean to improve chip security. The protection circuit module monitoring the shielding metal line is to ensure the layer of the metal wire is undamaged, in order to ensure that the chip has not been attacked by laser or FIB. This paper studies the design and implementation of Monitor and Protect Circuits (MPC) based on RC delay, which monitor if the shielding metal wires are damaged. The circuit is designed in SMIC0.18um CMOS process and an entire layout is completed. The gate count of MPC is about 642, which is 2.9% of that of AES. And its power consumption is about 81uw.

Fardin Abdi,Chien-Ying Chen,Monowar Hasan,Songran Liu,Sibin Mohan,Marco Caccamo

DOI: https://doi.org/10.48550/arXiv.1705.01520

2017-05-04

Abstract:Many physical plants that are controlled by embedded systems have safety requirements that need to be respected at all times - any deviations from expected behavior can result in damage to the system (often to the physical plant), the environment or even endanger human life. In recent times, malicious attacks against such systems have increased - many with the intent to cause physical damage. In this paper, we aim to decouple the safety of the plant from security of the embedded system by taking advantage of the inherent inertia in such systems. In this paper we present a system-wide restart-based framework that combines hardware and software components to (a) maintain the system within the safety region and (b) thwart potential attackers from destabilizing the system. We demonstrate the feasibility of our approach using two realistic systems - an actual 3 degree of freedom (3-DoF) helicopter and a simulated warehouse temperature control unit. Our proof-of-concept implementation is tested against multiple emulated attacks on the control units of these systems.

Cryptography and Security