Unified System on Chip RESTAPI Service (USOCRS)

Abstract. This thesis investigates the development of a Unified System on Chip RESTAPI Service (USOCRS) to enhance the efficiency and effectiveness of SOC verification reporting. The research aims to overcome the challenges associated with the transfer, utilization, and interpretation of SoC verification reports by creating a unified platform that integrates various tools and technologies. The research methodology used in this study follows a design science approach. A thorough literature review was conducted to explore existing approaches and technologies related to SOC verification reporting, automation, data visualization, and API development. The review revealed gaps in the current state of the field, providing a basis for further investigation. Using the insights gained from the literature review, a system design and implementation plan were developed. This plan makes use of cutting-edge technologies such as FASTAPI, SQL and NoSQL databases, Azure Active Directory for authentication, and Cloud services. The Verification Toolbox was employed to validate SoC reports based on the organization’s standards. The system went through manual testing, and user satisfaction was evaluated to ensure its functionality and usability. The results of this study demonstrate the successful design and implementation of the USOCRS, offering SOC engineers a unified and secure platform for uploading, validating, storing, and retrieving verification reports. The USOCRS facilitates seamless communication between users and the API, granting easy access to vital information including successes, failures, and test coverage derived from submitted SoC verification reports. By automating and standardizing the SOC verification reporting process, the USOCRS eliminates manual and repetitive tasks usually done by developers, thereby enhancing productivity, and establishing a robust and reliable framework for report storage and retrieval. Through the integration of diverse tools and technologies, the USOCRS presents a comprehensive solution that adheres to the required specifications of the SOC schema used within the organization. Furthermore, the USOCRS significantly improves the efficiency and effectiveness of SOC verification reporting. It facilitates the submission process, reduces latency through optimized data storage, and enables meaningful extraction and analysis of report data

A Vulnerability Management Solution for constrained IoT devices with a Trusted Execution Environment using a Hardware Root of Trust

The popularity and prevalence of Internet of Things (IoT) devices has been ever increasing. They have found their way into our everyday lives and increasingly transform our living environments into smart homes. However, most of these constrained devices do not possess sufficient computational power, memory, and battery runtime in order to implement security features that are common for general purpose personal computers. Hence, the increasing numbers of interconnected consumer IoT devices are followed by an increase of their attack surface and vulnerabilities. The following thesis approaches this security issue by providing a novel approach for a Runtime IoT Security Score that provides the inexperienced user of a smart home system with profound insight into the security state of the connected IoT devices during runtime. This is achieved by combining Vulnerability Assessment with Trustworthiness Assessment of the connected devices, which has never been proposed before and represents a very valuable contribution to the state of current research. In addition to the Runtime Security Score, a holistic concept for a Vulnerability Assessment and Management (VAM) solution is proposed as another main contribution of this thesis. The effective and functional interoperability of all relevant components specified in this concept is shown with a Proof of Concept implementation.Die Popularität und Verbreitung von Geräten des Internets der Dinge (engl.~Internet of Things, IoT) nimmt ständig zu. Sie haben Einzug in unser tägliches Leben gehalten und verwandeln unsere Wohnumgebung zunehmend in ein intelligentes Zuhause. Die meisten dieser eingeschränkten Geräte verfügen jedoch nicht über genügend Rechenleistung, Speicher und Akkulaufzeit, um Sicherheitsfunktionen zu implementieren, die für allgemeine Personal Computer üblich sind. Mit der zunehmenden Zahl der vernetzten IoT-Geräte für Verbraucher steigen daher auch deren Angriffsfläche und Schwachstellen. Die vorliegende Arbeit widmet sich diesem Sicherheitsproblem, indem sie einen neuartigen Ansatz für einen Runtime IoT Security Score vorstellt, der dem unerfahrenen Benutzer eines Smart-Home-Systems einen tiefen Einblick in den Sicherheitszustand der angeschlossenen IoT-Geräte zur Laufzeit gibt. Dies wird durch die Kombination von Vulnerability Assessment mit einer Bewertung der Vertrauenswürdigkeit der angeschlossenen Geräte erreicht. Dies stellt einen neuartigen Ansatz darf und leistet damit einen sehr wertvollen Beitrag zum aktuellen Stand der Forschung. Neben dem Runtime Security Score wird als weiterer wichtiger Beitrag dieser Arbeit ein ganzheitliches Konzept für eine Vulnerability Assessment and Management (VAM) Lösung vorgeschlagen. Die effektive und funktionale Interoperabilität aller relevanten Komponenten, die in diesem Konzept spezifiziert sind, wird mit einer Proof of Concept Implementierung gezeigt

Multi-Tenant Cloud FPGA: A Survey on Security

With the exponentially increasing demand for performance and scalability in cloud applications and systems, data center architectures evolved to integrate heterogeneous computing fabrics that leverage CPUs, GPUs, and FPGAs. FPGAs differ from traditional processing platforms such as CPUs and GPUs in that they are reconfigurable at run-time, providing increased and customized performance, flexibility, and acceleration. FPGAs can perform large-scale search optimization, acceleration, and signal processing tasks compared with power, latency, and processing speed. Many public cloud provider giants, including Amazon, Huawei, Microsoft, Alibaba, etc., have already started integrating FPGA-based cloud acceleration services. While FPGAs in cloud applications enable customized acceleration with low power consumption, it also incurs new security challenges that still need to be reviewed. Allowing cloud users to reconfigure the hardware design after deployment could open the backdoors for malicious attackers, potentially putting the cloud platform at risk. Considering security risks, public cloud providers still don't offer multi-tenant FPGA services. This paper analyzes the security concerns of multi-tenant cloud FPGAs, gives a thorough description of the security problems associated with them, and discusses upcoming future challenges in this field of study

Monitoring Of Remote Hydrocarbon Wells Using Azure Internet Of Things

Remote monitoring of hydrocarbon wells is a tedious and meticulously thought out task performed to create a cyber-physical bridge between the asset and the owner. There are many systems and techniques on the market that offer this solution but due to their lack of interoperability and/or decentralized architecture they begin to fall apart when remote assets become farther away from the client. This results in extreme latency and thus poor decision making. Microsoft\u27s Azure IoT Edge was the focus of this writing. Coupled with off-the-shelf hardware, Azure\u27s IoT Edge services were integrated with an existing unit simulating a remote hydrocarbon well. This combination successfully established a semi-autonomous IIoT Edge device that can monitor, process, store, and transfer data locally on the remote device itself. These capabilities were performed utilizing an edge computing architecture that drastically reduced infrastructure and pushed intelligence and responsibility to the source of the data. This application of Azure IoT Edge laid a foundation from which a plethora of solutions can be built, enhancing the intelligence capability of this asset. This study demonstrates edge computing\u27s ability to mitigate latency loops, reduce network stress, and handle intermittent connectivity. Further experimentation and analysis will have to be performed at a larger scale to determine if the resources implemented will suffice for production level operations

Recolha de dados em veículos conectados para aplicações de segurança rodoviária

The increasing growth of the automobile industry and the need of overusing personal vehicles amplifies problems directly related to road safety, such as the degradation of the quality of the roads, the increase in volume of the automobile flow, and through the addition of dangerous weather events caused by climate change. To alleviate these emerging problems, intelligent cooperative communication systems (C-ITS) and Internet of Things (IoT) solutions emerge, allowing the overcome of human and local sensory systems limitations through the collection and distribution of relevant data in connected vehicles, which is fundamental in finding solutions that transform the concept of Smart Cities into reality. This dissertation implements an intra- and inter-vehicle sensory data collection system, starting with the acquisition of relevant data present on the CAN bus, collected through the vehicle’s OBD-II port and external sensors. Use is made of short-range communications such as Bluetooth-Low-Energy (BLE), Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) in conjunction with long-range cellular communications (LTE/5G). Data access endpoints are provided through an API and a MQTT broker. At last, logging methods are developed to allow conscious debugging of these systems, as well as to evaluate timing restrictions. The results of the experimental tests carried out reveal the usefulness of the acquired data, which allows the realization of detailed longitudinal analyzes of dangerous roads, as well as notifying, in near real-time, adverse road conditions to drivers. Therefore, the data collection system developed reveals itself as a potentially valuable tool for providing useful information both to competent authorities and to the common population, as a method to improve road safety.O constante crescimento da indústria automóvel e a necessidade do sobreuso do veículo pessoal amplificam problemas diretamente relacionados com a segurança rodoviária, tais como a degradação da qualidade das estradas, o aumento do volume de fluxo automóvel e o acréscimo de eventos metereológicos perigosos causados pelas alterações climáticas. Como forma de atenuar estes problemas emergentes, surgem os sistemas inteligentes de comunicação cooperativos (C-ITS) e de internet das coisas (IoT), que permitem ultrapassar limitações humanas e de sistemas sensoriais locais através da recolha e distribuição de dados em veículos conectados, algo fundamental para encontrar soluções que transformem o conceito de Smart City em realidade. A presente dissertação implementa um sistema de recolha de dados sensoriais intra- e inter-veículares, começando pela aquisição de dados relavantes presentes no barramento CAN, coletados através da porta OBD-II do veículo e de sensores externos. É feito uso de comunicações de curto alcance tais como Bluetooth-Low-Energy (BLE), Veículo-a-Veículo (V2V), e Veículo-a-Infrastrutura (V2I) em conjunto com comunicações celulares de longo alcance (LTE/5G). São fornecido endpoints de acesso aos dados através duma API e de um broker MQTT. Por fim métodos de logging são desenvolvidos para permitir depuração consciente destes sistemas e avalição de requisitos temporais. Os resultados dos testes experimentais efetuados revelam a utilidade forte que os dados adquiridos contém, por permitirem a realização de análises longitudinais detalhadas a estradas de perigo, assim como para fornecimento, em quase tempo-real, de condições adversas da estrada a condutores. Deste modo, o sistema de recolha de dados desenvolvido revela-se como ferramenta potencialmente valiosa para o fornecimento de informação útil tanto a autoridades competentes como à população comum, como meio de melhoria da segurança rodoviária.Mestrado em Engenharia de Computadores e Telemátic

Visual Analytics Platform for Centralized COVID-19 Digital Contact Tracing

The COVID-19 pandemic and its dramatic worldwide impact has required global multidisciplinary actions to mitigate its effects. Mobile phone activity-based digital contact tracing (DCT) via Bluetooth low energy technology has been considered a powerful pandemic monitoring tool, yet it sparked a controversial debate about privacy risks for people. In order to explore the potential benefits of a DCT system in the context of occupational risk prevention, this article presents the potential of visual analytics methods to summarize and extract relevant information from complex DCT data collected during a long-term experiment at our research center. Visual tools were combined with quantitative metrics to provide insights into contact patterns among volunteers. Results showed that crucial actors, such as participants acting as bridges between groups could be easily identified—ultimately allowing for making more informed management decisions aimed at containing the potential spread of a disease.This research work has been carried out within the context of the RAPIDm initiative, fostered by the Basque Government as part of the fast reaction program (PRAP Euskadi, led by SPRI—the entity of the Economic Development, Sustainability, and Environment Department of the Basque Government for promoting the Basque industry) with the aim to boost the Basque industrial sector by maintaining the productive activity in the context of the threat of the COVID-19 pandemic. Three research centers of BRTAn (Basque Research and Technology Alliance) have collaborated in this R&D initiative: Tecnalia, Ikerlan, and Vicomtech. Among the different research lines carried out in the RAPID initiative, Vicomtech has been responsible for the centralized BLE-based DCT system and visual analytics of the obtained data which has been selected as one of the representative cases by the OECDo of pandemic reaction report

Gestor de Risco aplicado à área de cibersegurança

No cenário moderno de gestão de riscos de segurança cibernética, uma verdade desconfortável é clara: a gestão de riscos cibernéticos numa empresa, de forma a manter arquiteturas e sistemas seguros e em conformidade, está mais difícil do que nunca. Esta gestão passa por um processo contínuo de identificação, análise, avaliação e tratamento das ameaças de segurança cibernética. Quando se trata de gestores de riscos, geralmente segue-se um processo de quatro etapas, começando com a identificação do risco. Em seguida, o risco é avaliado com base na probabilidade de ameaças que exploram essas vulnerabilidades e o potencial impacto. Os riscos são priorizados e categorizados dependendo da estratégia de mitigação existente, na terceira etapa. Por fim, a quarta etapa, monitorização, é estruturada para a resposta ao risco num ambiente em constante mudança. Esta tese tem como objetivo o desenvolvimento de uma aplicação de gestão de risco de vulnerabilidades dos assets encontrados numa topologia de rede. Esta aplicação web tem por base a framework Flask e o uso da ferramenta open-source Nmap, para a realização da deteção dos assets e todos os serviços que estes incluem. Para a deteção das vulnerabilidades a aplicação conta com uma ligação através de duas APIs, uma para o repositório NVD e outra para o repositório VulDB de forma a identificar as vulnerabilidades existentes de cada serviço encontrado. Toda a informação encontrada é guardada numa base de dados com base em SQLite. De notar que o uso do Nmap é proibido por Lei (109/2009) mas se autorizada de forma evidenciava com permissão das partes envolventes, pode ser usado. Os testes efetuados utilizam a ferramenta VirtualBox para simular virtualmente a rede de um hospital virtual criado num outro projeto. Os resultados são por fim detalhados num relatório através da aplicação web. Este projeto conseguiu de forma bem-sucedida o desenvolvimento de um gestor de risco funcional através de uma aplicação web capaz de mapear uma rede e encontrar os assets com vulnerabilidades. Igualmente bem-sucedida foi a implementação da deteção de vulnerabilidades através de repositórios externos. Por fim esta tese implementou com sucesso uma comparação entre scans de forma a descobrir quais vulnerabilidades foram corrigidas ou que novas vulnerabilidades possam existir em determinados assets. Contudo não foi possível uma implementação com sucesso desta aplicação num projeto já existente usando React. Igualmente não foi realizada uma forma automatizada da realização de scans. Por último, devido aos recursos disponíveis, a rede hospitalar virtual foi bastante reduzida.In the modern scenario of cybersecurity, one uncomfortable truth is clear, the risk management of a company and/or institution in order to keep all its systems and information secure, is harder than ever. This management goes through a continuous cycle of identification, analysis, evaluation, and treatment of the daily threats. Usually risk management follows four steps, starting by the identification of the risk, then the evaluation of it with the probability of actors exploiting any existing vulnerability and the consequent impact. Given this analysis, the risks are prioritized and categorized depending on the mitigation strategy in place, and finally the last step is the monitorization, in other words, the structure that answers to the risk in an ever-changing environment. This Thesis has as objectives the development of a Risk Management web application that scans all the assets of a given network. This web application uses the framework Flask for its development and the open-source tool Nmap for the asset scanning and all the services running on each live host. For the detection of vulnerabilities, the application has a connection to the repository NVD through an API, and to the repository VulDB through another API, in order to identify all the existing vulnerabilities associated with the services found during the scan. All this information is stored on a SQLite database. According to the Portuguese law (109/2009), the use of the tool Nmap is strictly forbidden but can be authorized for use given the proper permission from the involved parties. The experiments use the virtualization software VirtualBox to simulate a network of a virtual Hospital that was already created in another project. All the results are in the end available as a report through the web application. This project was able to develop a functional risk management web application, capable of scan a network in order to find the vulnerable assets. Equally successful was the implementation of the vulnerability detection through the use of external vulnerability databases. Finally, this thesis successfully implemented a comparation between scans to discover which vulnerabilities have been corrected and which ones appear as new in specific assets. However, it was not possible to integrate in a successful way this application to an already existing project using React. Equally not accomplished was an automated way to schedule periodic scans. Finally, given the available resources, the hospital virtual network was largely reduced

Towards Modular and Flexible Access Control on Smart Mobile Devices

Smart mobile devices, such as smartphones and tablets, have become an integral part of our daily personal and professional lives. These devices are connected to a wide variety of Internet services and host a vast amount of applications, which access, store and process security- and privacy-sensitive data. A rich set of sensors, ranging from microphones and cameras to location and acceleration sensors, allows these applications and their back end services to reason about user behavior. Further, enterprise administrators integrate smart mobile devices into their IT infrastructures to enable comfortable work on the go. Unsurprisingly, this abundance of available high-quality information has made smart mobile devices an interesting target for attackers, and the number of malicious and privacy-intrusive applications has steadily been rising. Detection and mitigation of such malicious behavior are in focus of mobile security research today. In particular, the Android operating system has received special attention by both academia and industry due to its popularity and open-source character. Related work has scrutinized its security architecture, analyzed attack vectors and vulnerabilities and proposed a wide variety of security extensions. While these extensions have diverse goals, many of them constitute modifications of the Android operating system and extend its default permission-based access control model. However, they are not generic and only address specific security and privacy concerns. The goal of this dissertation is to provide generic and extensible system-centric access control architectures, which can serve as a solid foundation for the instantiation of use-case specific security extensions. In doing so, we enable security researchers, enterprise administrators and end users to design, deploy and distribute security extensions without further modification of the underlying operating system. To achieve this goal, we first analyze the mobile device ecosystem and discuss how Android's security architecture aims to address its inherent threats. We proceed to survey related work on Android security, focusing on system-centric security extensions, and derive a set of generic requirements for extensible access control architectures targeting smart mobile devices. We then present two extensible access control architectures, which address these requirements by providing policy-based and programmable interfaces for the instantiation of use-case specific security solutions. By implementing a set of practical use-cases, ranging from context-aware access control, dynamic application behavior analysis to isolation of security domains we demonstrate the advantages of system-centric access control architectures over application-layer approaches. Finally, we conclude this dissertation by discussing an alternative approach, which is based on application-layer deputies and can be deployed whenever practical limitations prohibit the deployment of system-centric solutions