
    Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack: A Pledge for Formal Methods in the Field of Implementation Security

    In our paper at PROOFS 2013, we formally studied a few known countermeasures to protect CRT-RSA against the BellCoRe fault injection attack. However, we left Vigilant's countermeasure and its allegedly repaired version by Coron et al. as future work, because the arithmetical framework of our tool was not sufficiently powerful. In this paper we bridge this gap and then use the same methodology to formally study both versions of the countermeasure. We obtain surprising results, which we believe demonstrate the importance of formal analysis in the field of implementation security. Indeed, the original version of Vigilant's countermeasure is actually broken, but not as badly as Coron et al. thought it was. As a consequence, the repaired version they proposed can be simplified. It can actually be simplified even further, as two of the nine modular verifications happen to be unnecessary. Fortunately, we could formally prove the simplified repaired version to be resistant to the BellCoRe attack, which was considered a "challenging issue" by the authors of the countermeasure themselves.
    Comment: arXiv admin note: substantial text overlap with arXiv:1401.817

    Modeling Electromagnetic Disturbances in Closed-Loop Computer Controlled Flight Systems

    High intensity electromagnetic radiation has been demonstrated to be a source of computer upsets in commercially available digital flight control systems. In this paper we introduce an electromagnetic disturbance model which can be used for stability analysis and augmentation of any such digitally implemented control law. The model is composed of a Markovian exosystem supplying radiation events to a discrete-time jump linear system which models how the radiation interferes with the nominal operation of the closed-loop system. We discuss how this model can be used to characterize stability and how it can be parametrized and validated in an experimental setting.

    Quantitative Evaluation of the Safety of X-by-Wire Architecture subject to EMI Perturbations

    X-by-Wire systems in cars can only be accepted if they provide at least the same dependability as the traditional ones. In this paper we propose a new approach to evaluate the impact of EMI perturbations on the dependability of an X-by-Wire architecture. The considered X-by-Wire architecture is distributed around a TDMA-like communication protocol, so a perturbation causes the loss of a communication cycle with a certain probability. The vehicle-level failure is then defined as the consecutive loss of a certain number of communication cycles. Its reliability is modeled as that of the well-known consecutive-k-out-of-n:F systems. A case study, together with EMI perturbations collected on the roads in France, is used to illustrate our approach.

    Autonomous fault emulation: a new FPGA-based acceleration system for hardness evaluation

    The appearance of nanometer technologies has produced a significant increase in integrated circuit sensitivity to radiation, making the occurrence of soft errors much more frequent, not only in applications working in harsh environments, like aerospace circuits, but also in applications working at the Earth's surface. Therefore, hardened circuits are currently demanded in many applications where fault tolerance was not a concern in the recent past. To this purpose, efficient hardness evaluation solutions are required to deal with the increasing size and complexity of modern VLSI circuits. In this paper, a very fast and cost-effective solution for SEU sensitivity evaluation is presented. The proposed approach uses FPGA emulation in an autonomous manner to fully exploit the FPGA emulation speed. Three different techniques to implement it are proposed and analyzed. Experimental results show that the proposed Autonomous Emulation approach can reach execution rates higher than one million faults per second, providing a performance improvement of two orders of magnitude with respect to previous approaches. These rates make it possible to consider very large fault injection campaigns that were not feasible in the past.
    This work was supported by the Directorate of Research of Madrid Community Government, Spain (Code 07/0052/2003 2) and by the European Commission and Spanish Government under MEDEA+ Project (PARACHUTE-2A701) and PROFIT Project (CIRCE-FIT-330100-2005-60).

    Industrial and Technological Applications of Power Electronics Systems

    The Special Issue "Industrial and Technological Applications of Power Electronics Systems" focuses on:
    - new strategies of control for electric machines, including sensorless control and fault diagnosis;
    - existing and emerging industrial applications of GaN- and SiC-based converters;
    - modern methods for electromagnetic compatibility.
    The book covers topics such as control systems, fault diagnosis, converters, inverters, and electromagnetic interference in power electronics systems. The Special Issue includes 19 scientific papers by industry experts and professors from around the world in the area of electrical engineering.

    Energy Shaping Control for Stabilization of Interconnected Voltage Source Converters in Weakly-Connected AC Microgrid Systems

    With the ubiquitous installation of renewable energy resources such as solar and wind for decentralized power applications across the United States, microgrids are being viewed as an avenue for achieving this goal. Various independent system operators and regional transmission operators such as Southwest Power Pool (SPP), Midcontinent System Operator (MISO), PJM Interconnection and Electric Reliability Council of Texas (ERCOT) manage the transmission and generation systems that host the distributed energy resources (DERs). Voltage source converters typically interconnect the DERs to the utility system and are used in high-voltage dc (HVDC) systems for transmitting power throughout the United States. A microgrid configuration is built at the 13.8 kV, 4.75 MVA National Center for Reliable Energy Transmission (NCREPT) testing facility for performing grid-connected and islanded operation of interconnected voltage source converters. The interconnected voltage source converters consist of a variable voltage variable frequency (VVVF) drive, which powers a regenerative (REGEN) load bench acting as a distributed energy resource emulator. Due to the weak-grid interface in islanded mode testing, a voltage instability occurs on the VVVF dc link voltage, causing the system to collapse. This dissertation presents a new stability theorem for stabilizing interconnected voltage source converters in microgrid systems with weak-grid interfaces. The new stability theorem is derived using the concepts of Dirac composition in Port-Hamiltonian systems, passivity in physical systems, eigenvalue analysis and robust analysis based on the edge theorem for parametric uncertainty. The novel stability theorem aims to prove that all members of the classes of voltage source converter-based microgrid systems can be stabilized using an energy-shaping control methodology.
    The proposed theorems and stability analysis justify the development of the Modified Interconnection and Damping Assignment Passivity-Based Control (Modified IDA-PBC) method to be utilized in stabilizing the microgrid configuration at NCREPT for mitigating system instabilities. The system is simulated in MATLAB/Simulink using the SimPowerSystems toolbox to observe the performance of the designed controller in comparison to the decoupled proportional-integral controller. The simulation results verify that the Modified IDA-PBC is a viable option for dc bus voltage control of interconnected voltage source converters in microgrid systems.

    Formal Configuration of Fault-Tolerant Systems

    Bit flips are known to be a source of strange system behavior, failures, and crashes. They can cause dramatic financial loss, security breaches, or even harm human life. Caused by energized particles arising from, e.g., cosmic rays or heat, they are hardly avoidable. As transistor sizes become smaller and smaller, modern hardware becomes more and more prone to bit flips. This has generated considerable scientific interest, and many techniques to make systems more resilient against bit flips have been developed. Fault-tolerance techniques are techniques that detect and react to bit flips or their effects. Before using these techniques, they typically need to be configured for the particular system they shall protect, the grade of resilience that shall be achieved, and the environment. State-of-the-art configuration approaches have a high risk of being imprecise, of being affected by undesired side effects, and of yielding questionable resilience measures. In this thesis we encourage the use of formal methods for resiliency configuration, point out advantages and investigate difficulties. As examples, we investigate two systems that are equipped with fault-tolerance techniques, and we apply parametric variants of probabilistic model checking to obtain optimal configurations for pre-defined resilience criteria. Probabilistic model checking is an automated formal method that operates on Markov models, i.e., state-based models with probabilistic transitions, where costs or rewards can be assigned to states and transitions. Probabilistic model checking can be used to compute, e.g., the probability of having a failure, the conditional probability of detecting an error in case of a bit-flip occurrence, or the overhead that arises due to error detection and correction. Parametric variants of probabilistic model checking allow parameters in the transition probabilities and in the costs and rewards.
    Instead of computing values for probabilities and overhead, parametric variants compute rational functions. These functions can then be analyzed for optimality. The considered fault-tolerant systems are inspired by the work of project partners. The first system is an inter-process communication protocol as it is used in the Fiasco.OC microkernel. The communication structures provided by the kernel are protected against bit flips by a fault-tolerance technique. The second system is inspired by the redo-based fault-tolerance technique HAFT. This technique protects an application against bit flips by partitioning the application's instruction flow into transactions, adding redundancy, and redoing single transactions in case of error detection. Driven by these examples, we study challenges when using probabilistic model checking for fault-tolerance configuration and present solutions. We show that small transition probabilities, as they arise in error models, can be a cause of previously known accuracy issues when using numeric solvers in probabilistic model checking. We argue that the use of non-iterative methods is an acceptable alternative. We discuss the usability of the rational functions for finding optimal configurations, and show that for relatively short rational functions the use of mathematical methods is appropriate. The redo-based fault-tolerance model suffers from the well-known state-explosion problem. We present a new technique, counter-based factorization, that tackles this problem for system models that do not scale because of a counter, as is the case for this fault-tolerance model. This technique utilizes the chain-like structure that arises from the counter, splits the model into several parts, and computes local characteristics (in terms of rational functions) for these parts. These local characteristics can then be combined to retrieve global resiliency and overhead measures.
    The rational functions retrieved for the redo-based fault-tolerance model are huge: for small model instances they already exceed one gigabyte in size. We therefore cannot apply exact mathematical methods to these functions. Instead, we use the short, matrix-based representation that arises from factorization to evaluate the functions point-wise. Using this approach, we systematically explore the design space of the redo-based fault-tolerance model and retrieve sweet-spot configurations.

    Cyber-Physical Embedded Systems with Transient Supervisory Command and Control: A Framework for Validating Safety Response in Automated Collision Avoidance Systems

    The ability to design and engineer complex and dynamical Cyber-Physical Systems (CPS) requires a systematic view that includes a definition of the intended level of automation for the system. Since CPS covers a diverse range of systemized implementations of smart and intelligent technologies networked within a system of systems (SoS), the terms "smart" and "intelligent" are frequently used in describing systems that perform complex operations with a reduced need for a human agent. The difference between this research and most papers in publication on CPS is that most other research focuses on the performance of the CPS rather than on the correctness of its design. However, when both human and machine agency are used at different levels of automation, or autonomy, the levels of automation have profound implications for and effects on the reliability and safety of the CPS. The human agent and the machine agent are in a tidal lock of decision-making using both feedforward and feedback information flows in similar processes, where a transient shift within the level of automation while the CPS is operating can have undesired consequences. As CPS systems become more common, and higher levels of autonomy are embedded within them, the relationship between human agent and machine agent also becomes more complex, and the testing methodologies for verification and validation of performance and correctness also become more complex and less clear. A framework is then developed to help the practitioner understand the difficulties and pitfalls of CPS designs and to provide guidance for test engineering design of soft computational systems using combinations of modeling, simulation, and prototyping.

    Expert system based switched mode power supply design
