
    Cyber-security for embedded systems: methodologies, techniques and tools

    The abstract is in the attachment.

    Model-Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

    Spectre and Meltdown attacks in modern microprocessors represent a new class of attacks that have been difficult to deal with. They underline vulnerabilities in hardware design that have gone unnoticed for years. This shows the weakness of the state-of-the-art verification process and design practices. These attacks are OS-independent, and they do not exploit any software vulnerabilities. Moreover, they violate all security assumptions ensured by standard security procedures (e.g., address space isolation) and, as a result, every security mechanism built upon these guarantees. These vulnerabilities allow the attacker to retrieve leaked data without accessing the secret directly. Indeed, they make use of covert channels, which are mechanisms of hidden communication that convey sensitive information without any visible information flow between the malicious party and the victim. The root cause of this type of side-channel attack lies within the speculative and out-of-order execution of modern high-performance microarchitectures. Since modern processors are hard to verify with standard formal verification techniques, we present a methodology that shows how to transform a realistic model of a speculative and out-of-order processor into an abstract one. Following related formal verification approaches, we simplify the model under consideration by abstraction and refinement steps. We also present an approach to formally verify the abstract model using a standard model checker. The theoretical flow, reliant on established formal verification results, is introduced and a sketch of proof is provided for soundness and correctness. Finally, we demonstrate the feasibility of our approach by applying it to a pipelined DLX RISC-inspired processor architecture. We show preliminary experimental results to support our claim, performing Bounded Model-Checking with a state-of-the-art model checker.

    Giosuè Carducci prosatore

    This volume on Giosuè Carducci as a prose writer collects the contributions presented at the XVII International Conference of Italian Literature "Gennaro Barbarisi", held at Palazzo Feltrinelli (Gargnano del Garda) from 29 September to 1 October 2016. It was a fruitful occasion for meeting, study and in-depth examination of a topic that is perhaps little visited, especially in recent times, but rich in stimuli for a more articulated and historically grounded definition of the personality of an author so significant in the panorama of Italian culture between the nineteenth and early twentieth centuries; not only on the side of poetry (a primacy sanctioned by the Nobel Prize in 1906) but also, and perhaps even more, on that of essayistic prose, polemical writings, editorial curatorship, erudite research, up to the examples of high oratory and letter writing.

    Model Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

    Though modern microprocessors embed several hardware security mechanisms aimed at guaranteeing the confidentiality and integrity of sensitive data, recently disclosed attacks such as Spectre and Meltdown reveal weaknesses with potentially great impact on CPU security. Both vulnerabilities exploit speculative execution in modern high-performance micro-architectures, allowing the attacker to observe data leaked via a memory side channel during speculated and mispredicted instructions. In this paper we present a methodology to formally verify, by means of a model checker, speculative vulnerabilities, such as the class of Spectre/Meltdown attacks, in microprocessors based on speculative execution. In detail, we discuss the problem of formally verifying confidentiality violations, since we deem it will help prevent new vulnerabilities of the same typology. We describe our methodology on a pipelined CPU inspired by the DLX RISC processor architecture. Due to scalability issues, and following related approaches in formal verification of correctness, our approach simplifies the model under verification by proper abstraction and reduction steps. The approach is based on flushing the pipeline, abstracting data and most of the speculative execution logic, and keeping a subset of control data, plus speculated data state and tainting logic. Illegal propagation (data leakage) is encoded in terms of taint propagation, from a protected/invalid memory address to the address bus on a subsequent memory read, affecting the cache. We introduce the theoretical flow, relying on known theoretical results combined and exploited to prove soundness and completeness. Finally, using a state-of-the-art model checking tool, we present preliminary data on formal verification based on Bounded Model Checking to support our claims and highlight the feasibility of the approach.

    Scalable FPGA Graph model to detect routing faults

    The SRAM cells that form the configuration memory of an SRAM-based FPGA make such FPGAs particularly vulnerable to soft errors. A soft error occurs when ionizing radiation corrupts the data stored in a circuit. The error persists until new data is written. Soft errors have long been recognized as a potential problem, as radiation can come from a variety of sources. This paper presents an FPGA fault model focusing on routing aspects. We present a graph model of the behavior of SRAM nodes in case of a fault, starting from the netlist description of well-known FPGA models. We also classify the possible logical effects of a soft error in the controlling configuration bit, providing statistics on the possible numbers of faults. Finally, we define fault metrics computed on a set of complex benchmarks, proving the effectiveness of our approach.

    Embedded Systems Secure Path Verification at the HW/SW Interface

    Embedded systems, such as medical or automotive ones, require basic security functions, often referred to as "secure communications". Interest has been growing around defining and formally verifying security-related properties, as they are potentially able to catch hard-to-detect problems. We follow novel research works focused on formalizing security requirements for information flow. We compare State Properties to Path Properties, as two approaches able to capture different aspects of how secure data can be leaked or corrupted via unexpected taints and paths. We also discuss the tools used to verify Path and State properties on two existing Secure Embedded Architectures, and we discuss the advantages and drawbacks of each approach.

    Secure Embedded Architectures: Taint Properties Verification

    Nowadays embedded devices collect various kinds of information and provide it to communication networks for further processing. These devices often provide critical functionalities that could be exploited by malicious parties. Using formal techniques is a natural way to increase confidence in the overall embedded system security. However, the major research focus is on verifying only the correctness of encryption algorithms and their implementation in software and hardware, and not the whole security process. Following novel research studies, many security requirements of an embedded architecture can be specified as Taint Properties, expressing properties related to information flow and access control. In this paper we define Taint Properties as a way to find out whether there is a path from src to dest, where src is an RTL signal seeded with the Taint and dest is a signal that must not be reached by the Taint in order to satisfy the security requirements. In our scenario a Taint is untrusted code following an illegal path from src to dest. We present a systematic approach to formalize generic security requirements, referring to a model abstraction, and their related Taint Properties of an embedded architecture. First, we present our model abstraction of two selected embedded secure architectures; then we define a portfolio of Taint Properties to verify key secrecy, isolation, attestation, confidentiality and availability features. We finally perform verification of the previously defined formal security properties, presenting results on two selected embedded architectures that prove the effectiveness of our approach.

    Secure Path Verification

    Many embedded systems, such as medical, sensing, automotive and military ones, require basic security functions, often referred to as "secure communications". Nowadays, interest has been growing around defining new security-related properties that express relationships with information flow and access control. In particular, novel research works are focused on formalizing generic security requirements as propagation properties. These properties, which we name Path properties, are used to see whether it is possible to leak secure data via unexpected paths. In this paper we compare Path properties, described above, with formal security properties expressed in CTL logic, named Taint properties. We also compare two verification techniques used to verify Path and Taint properties, considering an abstraction of a Secure Embedded Architecture and discussing the advantages and drawbacks of each approach.