SIPP - Secure IoT Processor Platform with Remote Attestation
Lead Research Organisation:
Queen's University Belfast
Department Name: Sch of Electronics, Elec Eng & Comp Sci
Abstract
As the world becomes ever more connected, the vast number of Internet of things (IoT) devices necessitates the use of smart, autonomous machine-to-machine communications; however, this poses serious security and privacy issues as we will no longer have direct control over with what or whom our devices communicate. Counterfeit, hacked, or cloned devices acting on a network can have significant consequences: for individuals through the leakage of confidential and personal information, in terms of monetary costs (for e.g. the loss of access to web services - Mirai attack on Dyn took down Twitter, Spotify, Reddit); or for critical national infrastructure, through the loss of control of safety-critical industrial and cyber-physical IoT systems.
In addition, IoT devices are often low-cost, low power devices that are restricted in both memory and computing power. A major challenge is how to address the need for security in such resource-constrained devices. As companies race to get IoT devices to market, many do not consider security or, all too often, security is an afterthought. As such, a common theme in all realms of IoT is the need for dependability and security.
The SIPP project aims to rethink how security is built into IoT processor platforms. Firstly, the architectural fundamentals of a processor design need to be re-engineered to assure the security of individual on-chip components. This has become increasingly evident with the recent Spectre and Meltdown attacks. On the upper layer of systems-on-chip (SoCs), hardware authentication of chip sub-systems and the entire chip is crucial to detect malicious hardware modification. Then, at the systems layer (i.e., multiple chips on a common printed circuit board), innovative approaches for remote attestation will be investigated to determine the integrity at board level. Finally, the security achieved at all hierarchical layers will be assessed by investigating physical-level vulnerabilities to ensure there is no physical leakage of the secrets on which each layer relies.
The proposed project brings together the core partners of the NCSC/EPSRC-funded Research Institute in Secure Hardware and Embedded Systems (RISE), that is, Queen's University Belfast and the Universities of Cambridge, Bristol and Birmingham, with the leading academics in the field of hardware security and security architecture design from the National University of Singapore and Nanyang Technological University, to develop a novel secure IoT processor platform with remote attestation implemented on the RISC-V architecture.
In addition, IoT devices are often low-cost, low power devices that are restricted in both memory and computing power. A major challenge is how to address the need for security in such resource-constrained devices. As companies race to get IoT devices to market, many do not consider security or, all too often, security is an afterthought. As such, a common theme in all realms of IoT is the need for dependability and security.
The SIPP project aims to rethink how security is built into IoT processor platforms. Firstly, the architectural fundamentals of a processor design need to be re-engineered to assure the security of individual on-chip components. This has become increasingly evident with the recent Spectre and Meltdown attacks. On the upper layer of systems-on-chip (SoCs), hardware authentication of chip sub-systems and the entire chip is crucial to detect malicious hardware modification. Then, at the systems layer (i.e., multiple chips on a common printed circuit board), innovative approaches for remote attestation will be investigated to determine the integrity at board level. Finally, the security achieved at all hierarchical layers will be assessed by investigating physical-level vulnerabilities to ensure there is no physical leakage of the secrets on which each layer relies.
The proposed project brings together the core partners of the NCSC/EPSRC-funded Research Institute in Secure Hardware and Embedded Systems (RISE), that is, Queen's University Belfast and the Universities of Cambridge, Bristol and Birmingham, with the leading academics in the field of hardware security and security architecture design from the National University of Singapore and Nanyang Technological University, to develop a novel secure IoT processor platform with remote attestation implemented on the RISC-V architecture.
Planned Impact
The overall goal of the SiPP project is to develop a novel IoT processor platform that has strong effective security mechanisms built-in at the design stage to ensure that the platform itself is tamper-proof and secure against Meltdown and Spectre-type micro-architectural attacks and other forms of side-channel attacks, with an additional layer of security offered through remote attestation capability. Hence, the provision of security assurances to IoT devices, acts as an enabling layer for IoT applications and analytics, which when in full deployment will result in significant societal impact through, for example, more intelligent food production, energy consumption, traffic congestion/collision avoidance and remote healthcare applications.
In terms of direct economic impact, the project partners, Arm, Ericsson, Soitec and the UK National Cyber Security Centre (NCSC) will be the first users and beneficiaries of the research outputs, but further beneficiaries will naturally ensue. Ericsson is one of the leading providers of ICT solutions to service providers. They currently have a particular focus on IoT and promote the view that IoT security must be built in from the beginning. Their vision is to have end-to-end secure IoT devices and services, and hence are interested in all of the WPs in the proposed project. The project is also of significant interest to NCSC as it fits with their philosophy of 'secure by default' design. Soitec is a world leader in the design of innovative semiconductor materials, and offer solutions for improving the performance and energy-efficiency of integrated circuits (ICs). Hence they are particularly interested in the proposed research on security- and energy-aware design approaches. The collaboration with Arm Research, the world's leading provider of processor IP used in the IoT and mobile space, offers the opportunity to interact with countless real-world consumers of processor technologies in IoT products.
The RISE ISAB which includes hardware manufacturers, product designers and user communities also offers potential routes to exploitation. Also, the RISE business development manager's role involves establishing forums to facilitate research and industry engagement and can also help to facilitate new industry partnerships during the lifetime of the SIPP project.
The project will also enrich the skills pool both in the UK and Singapore with uniquely skilled researchers in hardware security, and more specifically in the areas of secure IoT processor design, PUF design, attestation approaches, and physical attack vulnerabilities. In addition, experiences and insights developed in the project will be reflected back into the teaching curriculum of Masters courses in Cyber Security at respective institutions.
In terms of direct economic impact, the project partners, Arm, Ericsson, Soitec and the UK National Cyber Security Centre (NCSC) will be the first users and beneficiaries of the research outputs, but further beneficiaries will naturally ensue. Ericsson is one of the leading providers of ICT solutions to service providers. They currently have a particular focus on IoT and promote the view that IoT security must be built in from the beginning. Their vision is to have end-to-end secure IoT devices and services, and hence are interested in all of the WPs in the proposed project. The project is also of significant interest to NCSC as it fits with their philosophy of 'secure by default' design. Soitec is a world leader in the design of innovative semiconductor materials, and offer solutions for improving the performance and energy-efficiency of integrated circuits (ICs). Hence they are particularly interested in the proposed research on security- and energy-aware design approaches. The collaboration with Arm Research, the world's leading provider of processor IP used in the IoT and mobile space, offers the opportunity to interact with countless real-world consumers of processor technologies in IoT products.
The RISE ISAB which includes hardware manufacturers, product designers and user communities also offers potential routes to exploitation. Also, the RISE business development manager's role involves establishing forums to facilitate research and industry engagement and can also help to facilitate new industry partnerships during the lifetime of the SIPP project.
The project will also enrich the skills pool both in the UK and Singapore with uniquely skilled researchers in hardware security, and more specifically in the areas of secure IoT processor design, PUF design, attestation approaches, and physical attack vulnerabilities. In addition, experiences and insights developed in the project will be reflected back into the teaching curriculum of Masters courses in Cyber Security at respective institutions.
Organisations
- Queen's University Belfast (Lead Research Organisation)
- NANYANG TECHNOLOGICAL UNIVERSITY (Collaboration)
- National University of Singapore (Collaboration, Project Partner)
- National Cyber Security Centre (Project Partner)
- ARM (United Kingdom) (Project Partner)
- Nanyang Technological University (Project Partner)
- Ericsson (Sweden) (Project Partner)
- Soitec SA (Project Partner)
Publications
Cui Y
(2023)
An Efficient Ring Oscillator PUF Using Programmable Delay Units on FPGA
in ACM Transactions on Design Automation of Electronic Systems
Woodruff J
(2019)
CHERI Concentrate: Practical Compressed Capabilities
in IEEE Transactions on Computers
Van Strydonck T
(2023)
CHERI-TrEE: Flexible enclaves on capability machines
Davis B
(2019)
CheriABI
Xia H
(2019)
CHERIvoke
Tsiokanos I
(2021)
DTA-PUF: Dynamic Timing-aware Physical Unclonable Function for Resource-constrained Devices
in ACM Journal on Emerging Technologies in Computing Systems
Miskelly J
(2020)
Fast DRAM PUFs on Commodity Devices
in IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
Description | The SIPP project aimed to rethink how security is built into IoT processor platforms. Firstly, the architectural fundamentals of a processor design need to be re-engineered to assure the security of individual on-chip components. This has become increasingly evident with the recent Spectre and Meltdown attacks. On the upper layer of systems-on-chip (SoCs), hardware authentication of chip sub-systems and the entire chip is crucial to detect malicious hardware modification. Then, at the systems layer (i.e., multiple chips on a common printed circuit board), innovative approaches for remote attestation will be investigated to determine the integrity at board level. Finally, the security achieved at all hierarchical layers will be assessed by investigating physical-level vulnerabilities to ensure there is no physical leakage of the secrets on which each layer relies. Research findings to date include: - CHERI Concentrate, a new fat-pointer compression scheme applied to CHERI, the most developed capability-pointer system at present. Capability fat pointers are a primary candidate to enforce fine-grained and non-bypassable security properties in future computer systems, although increased pointer size can severely affect performance. Thus, several proposals for capability compression have been suggested elsewhere that do not support legacy instruction sets, ignore features critical to the existing software base, and also introduce design inefficiencies to RISC-style processor pipelines. CHERI Concentrate improves on the state-of-the-art region-encoding efficiency, solves important pipeline problems, and eases semantic restrictions of compressed encoding, allowing it to protect a full legacy software stack. - A novel group-based ML-assisted PUF authentication scheme - the first to perform classification over multiple devices per model to enable a group-based PUF authentication scheme, achieving up to 98% classification accuracy using a modified deep convolutional neural network (CNN) for feature extraction in conjunction with several well-established classifiers. - Design, implementation, and evaluation of RISC-V Instruction Set Extensions (ISEs) for nine of the ten NIST Light Weight Cryptography (LWC) final round submissions, namely Ascon, Elephant, GIFT-COFB, Grain-128AEADv2, PHOTON-Beetle, Romulus, Sparkle, TinyJAMBU, and Xoodyak. The evaluation demonstrated that the more hardware-oriented candidates can achieve a higher speed-up through ISE than the more software-oriented ones, but nonetheless the latter still outperform the former in terms of throughput. - A novel attack methodology against embedded bootloaders - a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching. The methodology is evaluated with three real-world microcontrollers, namely NXP LPC microcontrollers, STM8 microcontrollers and Renesas 78K0 automotive microcontrollers. It is shown that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, several vulnerable design patterns are identified that should be avoided when implementing embedded bootloaders. |
Exploitation Route | There are possibilities to disseminate the outcomes via open-sourcing of the results, or to SIPP project industry partners and industry partners on the RISE Industry Advisory Board. |
Sectors | Aerospace Defence and Marine Digital/Communication/Information Technologies (including Software) Electronics |
Title | Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis (Dataset) |
Description | This repository contains source code and data to reproduce results from our paper "Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis" at CHES2021 Abstract The bootloader of an embedded microcontroller is responsible for guarding the device's internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities.This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders. |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4726616 |
Title | Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis (Dataset) |
Description | This repository contains source code and data to reproduce results from our paper "Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis" at CHES2021 Abstract The bootloader of an embedded microcontroller is responsible for guarding the device's internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities.This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders. |
Type Of Material | Database/Collection of data |
Year Produced | 2021 |
Provided To Others? | Yes |
URL | https://zenodo.org/record/4726617 |
Description | Centre-to-centre collaboration |
Organisation | Nanyang Technological University |
Country | Singapore |
Sector | Academic/University |
PI Contribution | Research activity in areas of cyber security related to the project. |
Collaborator Contribution | Research activity in areas of cyber security related to the project. |
Impact | This project led to publication outputs as listed. |
Start Year | 2020 |
Description | Centre-to-centre collaboration |
Organisation | National University of Singapore |
Country | Singapore |
Sector | Academic/University |
PI Contribution | Research activity in areas of cyber security related to the project. |
Collaborator Contribution | Research activity in areas of cyber security related to the project. |
Impact | This project led to publication outputs as listed. |
Start Year | 2020 |
Title | Pandora: Tool for Principled Symbolic Validation of Intel SGX Enclave Runtimes |
Description | Pandora is a symbolic execution tool designed for truthful validation of Intel SGX enclave shielding runtimes. Pandora is based on the fabulous angr and extends it with enclave semantics such as Intel SGX instruction support, a realistic enclave memory view, attacker taint tracking, and report generation for a set of powerful vulnerability plugins. |
Type Of Technology | Software |
Year Produced | 2023 |
Open Source License? | Yes |
Impact | Pandora is the result of our research publicationat the 45th IEEE Symposium on Security and Privacy (IEEE S&P 2024) |
URL | https://github.com/pandora-tee |
Description | CARDIS conference including CHERI/capability architecture tutorial |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | A CHERI/capability architecture half-day tutorial was successfully held at the CARDIS conference in Nov 2022 (approx. 60 participants) hosted by Oswald in Birmingham. This allowed the project team to introduce capabilities and CHERI/Morello to a broad academic and industrial audience, serving as the project's mid-term evaluation event. Industry attendees included large employees from large semiconductor vendors and security companies |
Year(s) Of Engagement Activity | 2022 |
URL | https://events.cs.bham.ac.uk/cardis2022/ |
Description | CODASIP discussions/visit |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Industry/Business |
Results and Impact | The team invited engineers from CODASIP in Nov for a half-day meeting at the University of Birmingham. This included discussions on possible use of the research outputs in industrial applications, in particular CODASIP's CHERI RISCV cores. Possible follow-up activity will be around forming a KTP or similar. Additional, separate discussions with CODASIP revolved around forming and joining a potential CHERI alliance. |
Year(s) Of Engagement Activity | 2023 |