27 research outputs found
CritiX Space Safety and Security Lab: a path towards trustworthy space systems
Space systems security is an emerging discipline in the cyber-physical systems security domain. Research conducted in the field has to be done using realistic assumptions and pieces of equipment that take into account the multi-disciplinary character of space systems. In CritiX, we've built the Space Systems Safety and Security lab to facilitate research on space systems and to support the education of the future generation of space systems security specialists.
Consensual Resilient Control: Stateless Recovery of Stateful Controllers
Safety-critical systems have to absorb accidental and malicious faults to obtain high mean-times-to-failures (MTTFs). Traditionally, this is achieved through re-execution or replication. However, both techniques come with significant overheads, in particular when cold-start effects are considered. Such effects occur after replicas resume from checkpoints or from their initial state. This work aims at improving on the performance of control-task replication by leveraging the inherent stability of many plants to tolerate occasional control-task deadline misses, and suggests masking faults with just a detection quorum. To make this possible, we have to eliminate cold-start effects so that replicas can rejuvenate during each control cycle. We do so by systematically turning stateful controllers into instants that can be recovered in a stateless manner. We highlight the mechanisms behind this transformation, how it achieves consensual resilient control, and demonstrate on the example of an inverted pendulum how accidental and maliciously-induced faults can be absorbed, even if control tasks run in less predictable environments.
PriLok: Citizen-protecting distributed epidemic tracing
Contact tracing is an important instrument for national health services to fight epidemics. As part of the COVID-19 situation, many proposals have been made for scaling up contact tracing capacities with the help of smartphone applications, an important but highly critical endeavor due to the privacy risks involved in such solutions. Extending our previously expressed concern, we clearly articulate in this article the functional and non-functional requirements that any solution has to meet when striving to serve not mere collections of individuals but the whole of a nation, as required in the face of such potentially dangerous epidemics. We present a critical information infrastructure, PriLock, a fully-open preliminary architecture proposal and design draft for privacy-preserving contact tracing, which we believe can be constructed in a way that fulfills the former requirements. Our architecture leverages the existing regulated mobile communication infrastructure and builds upon the concept of "checks and balances", requiring a majority of independent players to agree to effect any operation on it, thus preventing abuse of the highly sensitive information that must be collected and processed for efficient contact tracing. This is enforced with a largely decentralised layout and highly resilient state-of-the-art technology, which we explain in the paper, finishing by giving a security, dependability and resilience analysis showing how it meets the defined requirements, even while the infrastructure is under attack.
Methods for increasing the dependability of High-performance, Many-core, System-on-Chips
Future space exploration and exploitation missions will require significantly increased autonomy of operation for mission planning, decision-making, and adaptive control techniques. Spacecraft will integrate new processing and compression algorithms that are often augmented with machine learning and artificial intelligence capabilities. This functionality will have to be provided with high levels of robustness, reliability, and dependability for conducting missions successfully. High-reliability requirements for space-grade processors have led to trade-offs in terms of costs, energy efficiency, and performance to obtain robustness. However, while high-performance / low-robustness configurations are acceptable in the Earth's vicinity, where assets remain protected by the planet's magnetosphere, they cease to work in more demanding environments, like cis-lunar or deep space, where high-energy particles will affect modern components heavily, causing temporary or permanent damage and ultimately system failures. The above has led to a situation where state-of-the-art processing elements (processors, co-processors, memories, special-purpose accelerators, and field-programmable gate arrays (FPGAs), all possibly integrated into System-on-a-Chip (SoC) designs) are superior to their high-reliability, space-qualified counterparts in terms of processing power or energy efficiency. For example, from modern, state-of-the-art (SOTA) devices, one can expect a 2-3 order-of-magnitude improvement in performance per watt over space-grade equipment. Likewise, one finds a gap of approximately nine technology nodes between devices, which translates into a factor 25 decrease in operations per watt.
In this paper, we demonstrate how to utilize part of this enormous performance advantage to increase the robustness and resilience of otherwise susceptible semiconductor devices while harnessing the remaining processing power to build affordable space systems capable of hosting the compute-intensive functionality that future space missions require. We are bridging this performance-reliability gap by researching the enabling building blocks for constructing reliable and secure, space-ready Systems-on-a-Chip from SOTA processing elements.
To verify or tolerate, that’s the question
Formal verification carries the promise of absolute correctness, guaranteed at the highest level of assurance known today. However, inherent to many verification attempts is the assumption that the underlying hardware, the code-generation toolchain and the verification tools are correct, all of the time. While this assumption creates interesting recursive verification challenges, which have already been executed successfully for all three of these elements, the coverage of this assumption remains incomplete, in particular for hardware. Accidental faults, such as single-event upsets, transistor aging and latchups, keep causing hardware to behave arbitrarily in situations where such events occur and require other means (e.g., tolerance) to safely operate through them. Targeted attacks, especially physical ones, have a similar potential to cause havoc. Moreover, faults of the above kind may well manifest in such a way that their effects extend to all software layers, causing incorrect behavior even in proven-correct ones. In this position paper, we take a holistic system-architectural point of view on the role of trusted-execution environments (TEEs), their implementation complexity, and the guarantees they can convey and that we want to be preserved in the presence of faults. We find that if absolute correctness should remain our visionary goal, TEEs can and should be constructed differently, with tolerance embedded at the lowest levels and with verification playing an essential role. Verification should both assure the correctness of the TEE construction protocols and mechanisms and help protect the applications executing inside the TEEs.
Consent To Shoot – Rethinking The Anti-satellite Weapon Versus Space Debris Dilemma
Space debris, whether caused by anti-satellite weapons or by collisions with defunct vehicles, has become a serious threat to the safe and sustainable use of space. Technologies have been proposed to mitigate this problem by actively removing debris (ADR), either by capturing and de-orbiting the targets (e.g., rendezvous operations, tethers, or harpoons) or by indirectly affecting the target’s orbit (e.g., using lasers). However, sooner rather than later, deploying ADR technologies against healthy satellites turns the tools for making space safer into anti-satellite weapons, capable of crippling other nations’ infrastructure. In an attempt to resolve the tool-versus-weapon dilemma, we discuss in this paper technical solutions that involve a paradigm shift in the Concept of Operations, but that also have the potential to avoid political implications and many concerns that currently prevent us from solving the space-debris problem. The solutions we advocate require consensus between involved stakeholders for all critical operations of an ADR system. We show that it is technologically possible and, in fact, already well understood how to enforce that such operations can only be performed consensually. We sketch a distributed infrastructure capable of supporting such operations among all stakeholders, enforcing agreement in international cooperation about where and for how long an ADR system gets activated, what targets it follows, and where safety zones and objects are. In this way, stakeholders have to validate every piece of information, removing single points of failure but, more importantly, putting the required mutual trust on solid and technologically enforced foundations.
EphemeriShield - Defence Against Cyber-Antisatellite Weapons
Mitigating the risks associated with space system operations, especially in Low Earth Orbit, requires a holistic approach which addresses, in particular, cybersecurity challenges in addition to meeting the data acquisition requirements the mission needs. Space traffic management systems form no exception to this rule, but are further constrained by backward compatibility requirements that are sometimes based on decades-old foundations. As a result, some space situational awareness systems continue to operate with object catalogues and data dissemination architectures that are prone to failures, not to mention adversarial actions. Proof-of-concept papers demonstrating this vulnerability with example attacks on space object ephemerides distribution channels have already been published and show the urgency of rethinking the way we build such highly critical infrastructure. Leveraging recent developments in distributed systems theory and concepts from multi-party consensus in limited-trust environments and in the presence of malicious actors, we designed a more secure system for orbital object ephemerides distribution, ultimately aiming at increasing the safety of satellite operations. This paper presents EphemeriShield, a distributed ephemerides storage and distribution system that aims at maintaining safety and security guarantees in the presence of an active attacker or an unfortunate fault. Using our EphemeriShield prototype setup, we were able to prove its ability to mask attacks and local faults that would otherwise lead to unnecessary maneuvers. Wide adoption of EphemeriShield may help satellite system operations become safer and less vulnerable to intentionally adversarial activities, which improves the overall sustainability of space.