38 research outputs found

    Cloud-Enabled, Reactive Liquid Handling Robot


    Internet of Things From Hype to Reality

    The Internet of Things (IoT) has gained significant attention and mindshare in academia and industry, especially over the past few years. The reasons behind this interest are the capabilities that IoT promises to offer. On the personal level, it paints a picture of a future world in which all the things in our ambient environment are connected to the Internet and seamlessly communicate with each other to operate intelligently. The ultimate goal is to enable the objects around us to efficiently sense our surroundings, communicate inexpensively, and ultimately create a better environment for us: one where everyday objects act based on what we need and like without explicit instructions.

    Fault-tolerant satellite computing with modern semiconductors

    Miniaturized satellites enable a variety of space missions which were in the past infeasible, impractical or uneconomical with traditionally designed heavier spacecraft. CubeSats in particular can be manufactured and launched rapidly at low cost from commercial components, even in academic environments. However, due to their low reliability and brief lifetime, they are usually not considered suitable for life- and safety-critical services, complex multi-phase solar-system exploration missions, and missions of longer duration. Commercial electronics are key to satellite miniaturization, but are also responsible for their low reliability: until 2019, there existed no reliable or fault-tolerant computer architecture suitable for very small satellites. To overcome this deficit, a novel on-board-computer architecture is described in this thesis. Robustness is assured not by resorting to radiation hardening, but through software measures implemented within a robust-by-design multiprocessor system-on-chip. This fault-tolerant architecture is component-wise simple and can dynamically adapt to changing performance requirements throughout a mission. It can support graceful aging by exploiting FPGA reconfiguration and mixed criticality. Experimentally, we achieve 1.94 W power consumption at 300 MHz with a Xilinx Kintex UltraScale+ proof of concept, which is well within the power-budget range of current 2U CubeSats. To our knowledge, this is the first COTS-based, reproducible on-board-computer architecture that can offer strong fault coverage even for small CubeSats.

    Hardware-Assisted Dependable Systems

    Unpredictable hardware faults and software bugs lead to application crashes, incorrect computations, unavailability of Internet services, data loss, malfunctioning components, and consequently financial losses or even loss of life. In particular, faults in microprocessors (CPUs) and memory corruption bugs are among the major unresolved issues of today. CPU faults may result in benign crashes and, more problematically, in silent data corruptions that can have catastrophic consequences, silently propagating from component to component and finally shutting down the whole system. Similarly, memory corruption bugs (memory-safety vulnerabilities) may result in a benign application crash but may also be exploited by a malicious attacker to gain control over the system or leak confidential data. Both of these classes of errors are notoriously hard to detect and tolerate. The usual mitigation strategy is to apply ad-hoc local patches: checksums to protect specific computations against hardware faults, and bug fixes to protect programs against known vulnerabilities. This strategy is unsatisfactory since it is error-prone, requires significant manual effort, and protects only against anticipated faults. At the other extreme, Byzantine Fault Tolerance solutions defend against all kinds of hardware and software errors, but are excessively expensive in terms of resources and performance overhead. In this thesis, we examine and propose five techniques to protect against hardware CPU faults and software memory-corruption bugs. All of these techniques are hardware-assisted: they use recent advancements in CPU designs and modern CPU extensions. Three of the techniques target hardware CPU faults and rely on specific CPU features: ∆-encoding efficiently utilizes the instruction-level parallelism of modern CPUs, Elzar re-purposes Intel AVX extensions, and HAFT builds on Intel TSX instructions. The other two target software bugs: SGXBounds detects vulnerabilities inside Intel SGX enclaves, and "MPX Explained" analyzes the recent Intel MPX extension for protecting against buffer overflow bugs. Our techniques achieve three goals: transparency, practicality, and efficiency. All our systems are implemented as compiler passes which transparently harden unmodified applications against hardware faults and software bugs. They are practical since they rely on commodity CPUs and require no specialized hardware or operating system support. Finally, they are efficient because they use hardware assistance in the form of CPU extensions to lower the performance overhead.

    Secure Communication in Disaster Scenarios

    During natural disasters or terrorist attacks, the existing communication infrastructure is often overloaded or fails completely. In these situations, mobile devices can be connected to each other using wireless ad-hoc and disruption-tolerant networking to set up an emergency communication system for civilians and rescue services. If available, a connection to cloud services on the Internet can be a valuable aid in crisis and disaster management. However, such communication systems carry serious security risks, since attackers could try to steal confidential data, inject forged notifications from emergency services, or carry out denial-of-service (DoS) attacks. This dissertation proposes new approaches to communication in emergency networks of mobile devices, ranging from communication between mobile devices to cloud services on servers on the Internet. By using these approaches, the security of device-to-device communication, the security of emergency apps on mobile devices, and the security of server systems for cloud services are improved.

    Microkernel mechanisms for improving the trustworthiness of commodity hardware

    This thesis presents microkernel-based, software-implemented mechanisms for improving the trustworthiness of computer systems built on commercial off-the-shelf (COTS) hardware that can malfunction when impacted by transient hardware faults. Such hardware anomalies, if undetected, can cause data corruption, system crashes, and security vulnerabilities, significantly undermining system dependability. Specifically, we adopt the single event upset (SEU) fault model and address transient CPU or memory faults. We take advantage of the functional correctness and isolation guarantees provided by the formally verified seL4 microkernel and the hardware redundancy provided by multicore processors, design the redundant co-execution (RCoE) architecture that replicates a whole software system (including the microkernel) onto different CPU cores, and implement two variants, loosely-coupled redundant co-execution (LC-RCoE) and closely-coupled redundant co-execution (CC-RCoE), for the ARM and x86 architectures. RCoE treats each replica of the software system as a state machine and ensures that the replicas start from the same initial state, observe consistent inputs, perform equivalent state transitions, and thus produce consistent outputs during error-free executions. Compared with other software-based error detection approaches, the distinguishing feature of RCoE is that the microkernel and device drivers are also included in redundant co-execution, significantly extending the sphere of replication (SoR). Based on RCoE, we introduce two kernel mechanisms, fingerprint validation and kernel barrier timeout, which detect fault-induced execution divergences between the replicated systems and allow the error detection latency and coverage to be tuned. The kernel error-masking mechanisms built on RCoE enable downgrading from triple modular redundancy (TMR) to dual modular redundancy (DMR) without service interruption. We run synthetic benchmarks and system benchmarks to evaluate the performance overhead of the approach, observe that the overhead varies with the characteristics of the workloads and the variant used (LC-RCoE or CC-RCoE), and conclude that the approach is applicable to real-world applications. The effectiveness of the error detection mechanisms is assessed by conducting fault injection campaigns on real hardware, and the results demonstrate a compelling improvement.

    Internet of Things (IoT): Societal Challenges & Scientific Research Fields for IoT

    Just as the Internet radically reshaped society, the Internet of Things (IoT) will have an impact on all areas of human life: from our homes, vehicles, workplaces and factories, to our cities and towns, agriculture and healthcare systems. It will also affect all levels of society (individuals, companies and states), from urban to rural and the natural world beyond. This makes it essential to have a proper understanding of IoT and the challenges which relate to it. The primary aims of this document are to (i) determine the scope of IoT, its origins, current developments and perspectives, and (ii) identify the main societal, technical and scientific challenges linked to IoT. It seems inevitable that IoT will become increasingly omnipresent. Indeed, it is set to penetrate every aspect of all of our lives, connecting everything (billions of new heterogeneous machines communicating with each other) and measuring everything: from the collective action we take at a global level, right down to our smallest individual physiological signals, in real time. This is a double-edged sword, in that it simultaneously gives people cause for hope (automation, optimisation, innovative new functionalities, etc.) and cause for fear (surveillance, dependency, cyberattacks, etc.). Given the ever-evolving nature of IoT, new challenges linked to privacy, transparency and security appear, while new civil and industrial responsibilities are starting to emerge. IoT is centred around an increasingly complex set of interlinked concepts and embedded technologies. At an industrial level, this growing complexity is making the idea of having full control over all components of IoT increasingly difficult, or even infeasible. However, as a society, we must get to grips with the technological foundations of IoT. One challenge for education will therefore be to gradually increase awareness of IoT, both in order to protect individuals' sovereignty and free will, and to initiate the training of our future scientists and technicians. A public research institute such as Inria can contribute towards understanding and explaining the technological foundations of IoT, in addition to preserving sovereignty in Europe. IoT will inevitably increase dependency on certain types of embedded technology. It is hence necessary to identify the new risks that this entails, and to devise new strategies in order to take full advantage of IoT while minimising these risks. Similarly to the situation in other domains where one must continually seek to preserve ethics without hindering innovation, creating a legal framework for IoT is both necessary and challenging. It nevertheless seems clear already that the best way of facing up to industrial giants or superpowers is to take action at the EU level, as shown by recent examples such as GDPR. Furthermore, given the growing influence of technological standards on society, playing an active role in the process of standardising IoT technology is essential. Open standards and open source – conceived as a common public good – will be pivotal for IoT, just as they have been for the Internet. Last but not least, massive use of IoT can help better capture and understand the environmental challenges we are currently facing; it is also expected that IoT will help to mitigate these challenges. The goals in this context are not only to reduce the quantities of natural resources consumed by IoT (for production, deployment, maintenance and recycling). We must also aim to more accurately evaluate the overall net benefit of IoT on the environment, at a global level. This requires determining and subtracting IoT's environmental costs from its (measured) benefits, which is currently a challenge. The growing impact of IoT underscores the importance of remaining at the cutting edge when it comes to scientific research and technological development. This document therefore aims to (i) highlight the wide range of research fields which are fundamental to IoT, and (ii) take stock of current and future research problems in each of these fields. A number of links are made throughout the document to contributions made by Inria. These contributions are, by their nature, diverse (basic and applied research, open source software, startup incubation) and concern the majority of research fields on which IoT is based.

    Affordable Separation on Embedded Platforms: Soft Reboot Enabled Virtualization on a Dual Mode System

    While security has become important in embedded systems, commodity operating systems often fail to effectively separate processes, mainly due to an overly large trusted computing base. System virtualization can establish isolation with a small code base, but many existing embedded CPU architectures have very limited hardware support for virtualization, so the performance impact is often non-negligible. Targeting both security and performance, we investigate an approach in which a few minor hardware additions, together with virtualization, offer protected execution in embedded systems while still allowing non-virtualized execution when secure services are not needed. Benchmarks of a prototype implementation on an emulated ARM Cortex-A8 platform confirm that switching between these two execution modes can be done efficiently. This is the author version of the corresponding paper published in the proceedings of TRUST 2014 (editors: Thorsten Holz, Sotiris Ioannidis), Springer LNCS 8564. The publisher is Springer International Publishing Switzerland. The final publication is available at http://link.springer.com/10.1007/978-3-319-08593-7_3.