skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: The PIT-Cerberus Framework: Preventing Device Tampering During Transit
When a computing device, such as a server, workstation, laptop, tablet, etc. is shipped from one site to another (for example, from a vendor to a customer or from one branch location of an organization to another) it can potentially be subjected to unauthorized firmware modifications. The industry has sought to partially address this issue by focusing on securing the boot process. Secure boot provides attestation methods by a hardware root-of-trust to confirm the integrity of the device’s BIOS/UEFI firmware. However, once a device boots up, it is relatively easy for a malicious adversary to tamper with the firmware. In this paper, we address this problem by preventing a secure boot unless done by an authorized user. We extend a hardware root of trust (HRoT) processor’s ability to perform secure attestation by implementing a new functionality to securely lock and unlock the BIOS/UEFI or the BMC (Baseboard Management Controller) and implementing an authentication mechanism in the HRoT for determining authorized users. This ensures that the secure boot process won’t commence unless authorized appropriately and provides a robust mechanism for securing the device’s firmware during transit. The proposed PIT-Cerberus framework (PIT = Protection In Transit) leverages strong cryptographic techniques and has been implemented within a trusted microcontroller. We have contributed the PIT-Cerberus framework’s libraries to Project Cerberus, an open-source project that offers a security platform for server hardware.  more » « less
Award ID(s):
1822118
PAR ID:
10581414
Author(s) / Creator(s):
; ; ; ;
Publisher / Repository:
IEEE
Date Published:
ISBN:
979-8-3503-6563-4
Page Range / eLocation ID:
584 to 595
Subject(s) / Keyword(s):
Firmware Security BIOS/BMC Hardware Root of Trust Secure Boot
Format(s):
Medium: X
Location:
Cambridge, United Kingdom
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; (, ACM/SIGDA International Symposium on Field-Programmable Gate Arrays (FPGA))
    Modern CPU designs are beginning to incorporate secure hardware features, but leave developers with little control over both the set of features and when and whether updates are available. Reconfigurable logic (e.g., FPGAs) has been proposed as an alternative as it is both hardware, so can have similar capabilities at a reasonable performance degradation, and programmable, allowing customization of the secure hardware. This programmability, however, opens new attack vectors that allow an adversary to re-program the FPGA. Past attempts to solve this rely on a party maintaining a shared key with the FPGA, but these business processes to keep that key secret have been shown to be quite vulnerable. In this paper, we propose a new mechanism which eliminates the trust dependence on third party processes. This new mechanism consists of a self-provisioning stage, where keys are generated internal to the FPGA and never exposed externally, coupled with a secure update mechanism which allows updates to be governed by a policy defined by the secure hardware application. To demonstrate, we fully implemented these mechanisms on a Xilinx Zynq UltraScale+ FPGA along with an example secure co-processor with remote attestation with a flexible root of trust (in contrast to Intel SGX which fixes the root of trust to be Intel). Our performance evaluation of two applications, a password manager and a contact matching application, illustrates using FPGAs is practical. 
    more » « less
  2. ; (, 28th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS))
    Complex embedded systems are now supporting the co-existence of multiple OSes to manage services once assigned to separate embedded microcontrollers. Automotive systems, for example, now use multiple OSes to consolidate electronic control unit (ECU) functions on a centralized embedded computing platform. Such platforms have the complexity of an industrial embedded PC, with multiple cores and hardware virtualization capabilities. This enables a partitioning hypervisor to spatially and temporally share the physical machine with separate guest OSes, which manage services of different criticality levels. However, PC-class hardware incurs a large latency to bootstrap an OS and associated application-level services. A firmware BIOS performs a power-on-self-test, and then loads OS images into memory from a bootable storage device. This latency is unacceptable in time-critical embedded systems, where important services must be operational within milliseconds of starting the system. In this paper, we present Jumpstart, a PC-class power management approach that minimizes the wakeup delay of a partitioning hypervisor for use in embedded systems. We show how Jumpstart resumes critical OS services and tasks from a low power suspended state in approximately 600 milliseconds, and reduces full system startup delay by a factor of 23. Additionally, Jumpstart consumes minimal power compared to approaches requiring a system boot from a previously powered-off state. By comparison, an alternative firmware-optimized bootloader, called Slim, reduces boot latency by a factor of 1.8. 
    more » « less
  3. ; ; ; ; ; ; (, Multilayer Camouflaged Secure Boot for SoCs)
    Reconfigurable logic enables architectural updates for embedded devices by providing the ability to reprogram partial or entire device. However, this flexibility can be leveraged by the adversary to compromise the device boot process by modifying the bitstream or the boot process with physical or remote access of device placed in a remote field. We propose a novel multilayer secure boot mechanism for SoCs with a two-stage secure boot process. First stage uses device bound unique response as a key to decrypt application logic. The security function is extended at runtime by integrating intermittent architecture and application locking mechanism to reveal correct functionality. 
    more » « less
  4. ; ; ; (, Springer Nature Switzerland)
    Modern vehicles are largely controlled by many embedded computers, known as Electronic Control Units (ECUs). The increased use of ECUs has brought many in-vehicle security concerns. Specifically, injection of malware into ECUs poses a significant risk to vehicle operation. Indeed, many ECU malware injection attacks have been performed, and much work has been introduced towards mitigating these vulnerabilities. A main defense is for ECUs to perform a self-attestation over their firmware state. However, most current self-attestation solutions do not enable runtime checking due to their high computational cost. Additionally, existing solutions mostly do not incorporate any ECU self-repairing in coordination with the attestation mechanisms. In this work, we have designed FSAVER, a highly efficient self-attestation and self-repair framework for in-vehicle ECUs. For the self-attestation, we adapt highly efficient spot-checking techniques, so that the firmware can be checked periodically at runtime. To perform these attestations, we rely on the TEE already equipped within each ECU. For self-repair, we take advantage of the isolated flash memory controller (FMC) in the storage device. Specifically, we coordinate it with the update mechanism and self-attestations to guarantee that the latest benign firmware version can always be restored. To realize this while malware is running, a special mechanism has been carefully developed to notify the FMC of the malicious presence. 
    more » « less
  5. ; ; ; ; (, 2020 IEEE 26th International Conference on Parallel and Distributed Systems (ICPADS))
    null (Ed.)
    In this paper, we explore the use of microcontrollers (MCUs) and crypto coprocessors to secure IoT applications, and show how developers may implement a low-cost platform that provides protects private keys against software attacks. We first demonstrate the plausibility of format string attacks on the ESP32, a popular MCU from Espressif that uses the Harvard architecture. The format string attacks can be used to remotely steal private keys hard-coded in the firmware. We then present a framework termed SIC 2 (Securing IoT with Crypto Coprocessors), for secure key provisioning that protects end users' private keys from both software attacks and untrustworthy manufacturers. As a proof of concept, we pair the ESP32 with the low-cost ATECC608A cryptographic coprocessor by Microchip and connect to Amazon Web Services (AWS) and Amazon Elastic Container Service (EC2) using a hardware-protected private key, which provides the security features of TLS communication including authentication, encryption and integrity. We have developed a prototype and performed extensive experiments to show that the ATECC608A crypto chip may significantly reduce the TLS handshake time by as much as 82% with the remote server, and it may lower the total energy consumption of the system by up to 70%. Our results indicate that securing IoT with crypto coprocessors is a practicable solution for low-cost MCU based IoT devices. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email