FPGA based remote code integrity verification of programs in distributed embedded systems

The explosive growth of networked embedded systems has made ubiquitous and pervasive computing a reality. However, there are still a number of new challenges to its widespread adoption that include scalability, availability, and, especially, security of software. Among the different challenges in software security, the problem of remote-code integrity verification is still waiting for efficient solutions. This paper proposes the use of reconfigurable computing to build a consistent architecture for generation of attestations (proofs) of code integrity for an executing program as well as to deliver them to the designated verification entity. Remote dynamic update of reconfigurable devices is also exploited to increase the complexity of mounting attacks in a real-word environment. The proposed solution perfectly fits embedded devices that are nowadays commonly equipped with reconfigurable hardware components that are exploited to solve different computational problems

Modal Abstractions for Virtualizing Memory Addresses

Operating system kernels employ virtual memory management (VMM) subsystems to virtualize the addresses of memory regions in order to to isolate untrusted processes, ensure process isolation and implement demand-paging and copy-on-write behaviors for performance and resource controls. Bugs in these systems can lead to kernel crashes. VMM code is a critical piece of general-purpose OS kernels, but their verification is challenging due to the hardware interface (mappings are updated via writes to memory locations, using addresses which are themselves virtualized). Prior work on VMM verification has either only handled a single address space, trusted significant pieces of assembly code, or resorted to direct reasoning over machine semantics rather than exposing a clean logical interface. In this paper, we introduce a modal abstraction to describe the truth of assertions relative to a specific virtual address space, allowing different address spaces to refer to each other, and enabling verification of instruction sequences manipulating multiple address spaces. Using them effectively requires working with other assertions, such as points-to assertions in our separation logic, as relative to a given address space. We therefore define virtual points-to assertions, which mimic hardware address translation, relative to a page table root. We demonstrate our approach with challenging fragments of VMM code showing that our approach handles examples beyond what prior work can address, including reasoning about a sequence of instructions as it changes address spaces. All definitions and theorems mentioned in this paper including the operational model of a RISC-like fragment of supervisor-mode x86-64, and a logic as an instantiation of the Iris framework, are mechanized inside Coq

Formal Verification of Privacy in Pervasive Systems

Pervasive systems enhance a user's everyday experience. However, the use of pervasive sensing and context aware devices can result very intrusive from a privacy perspective. A familiar pervasive device is a mobile phone. Mobile telephony equipment is daily carried everywhere. Avoiding linkability of subscribers by third parties, and protecting their privacy is one of the goals of mobile telecommunication protocols. We use experimental and formal methods to model and analyse the security properties of mobile telephony protocols. We expose novel threats to the user privacy, which make it possible to trace and identify mobile telephony subscribers, and for some of the attacks we demonstrate the feasibility of a low cost implementation. We propose fixes to these privacy issues. We prove that our privacy friendly fixes satisfy the desired unlinkability and anonymity properties. Finally, we develop the first extension of the Pro Verif tool for the automatic verification of equivalence based properties of stateful protocols. This work shows how to formally verity privacy properties of pervasive systems. Moreover, we develop an automatic verification tool for the verification of equivalence based properties of stateful protocols. Further work in this direction will eventually widen the class of security protocols and security properties verifiable using automatic verification tools