David Whelihan

Secure architecture for embedded systems

Devices connected to the internet are increasingly the targets of deliberate and sophisticated attacks [1]. Embedded system engineers tend to focus on well-defined functional capabilities rather than “obscure” security and resilience. However, “after-the-fact” system hardening could be prohibitively expensive or even impossible. The co-design of security and resilience with functionality has to overcome a major challenge; rarely can the security and resilience requirements be accurately identified when the design begins. This paper describes an embedded system architecture that decouples secure and functional design aspects.

Systems design of cybersecurity in embedded systems

Mission critical embedded systems should be capable of performing intended functions with resiliency against cyberattacks. The methodology of design-for-cybersecurity is now widely recognized, in which the effects of cybersecurity, or lack thereof, on system objectives must be determined. However, developers are often challenged by the difficulty of analyzing a system-under-design without complete specifics. In this paper, we describe a systems design approach, which incrementally models the cybersecurity architecture, components, and interfaces of an embedded system for analysis and demonstration. We have applied this approach to analyze the mission resiliency of an avionic computer being developed and demonstrate its operations in a scenario when the system is under attack.

A key-centric processor architecture for secure computing

We describe a novel key-centric processor architecture in which each piece of data or code can be protected by encryption while at rest, in transit, and in use. Using embedded key management for cryptographic key handling, our processor permits mutually distrusting software written by different entities to work closely together without divulging algorithmic parameters or secret program data. Since the architecture performs encryption, decryption, and key management deeply within the processor hardware, the attack surface is minimized without significant impact on performance or ease of use. The current prototype implementation is based on the Sparc architecture and is highly applicable to small to medium-sized processing loads.

Instruction set extensions for photonic synchronous coalesced accesses

Microprocessors have evolved over the last forty-plus years from purely sequential single operation machines, to pipelined super-scalar, to threaded and SIMD, and finally to multi-core and massive multi-core/thread machines. Despite these advances, the conceptual model programmers use to program them is still that of a single threaded register file bound math unit that can only be loosely synchronized with other such processors. This lack of explicit synchrony, caused by limitations of metal interconnect, limits parallel efficiency. Recent advances in silicon photonic-enabled architectures [1, 5, 7] promise to greatly enable high synchrony over long distances (centimeters or more). In this paper, it is shown that global synchrony changes the way computers can be programmed by introducing a new class of ISA level instruction: the globally-synchronous load-store. In the context of multiple load-store machines, the globally synchronous load-store architecture allows the programmer to think about a collection of independent load-store machines as a single load-store machine. This operation is described, and its ISA implications explored in the context of the distributed matrix transpose, which exhibits a high degree of data non-locality, and is difficult to efficiently parallelize on modern architectures.

POSTER: SHAMROCK: self contained cryptography and key management processor

In this poster, we describe a one-size-fits-many Intellectual Property (IP) core which integrates advanced key management technology and streaming encryption into a single component to protect data in-transit.

Designing agility and resilience into embedded systems

Cyber-Physical Systems (CPS) such as Unmanned Aerial Systems (UAS) sense and actuate their environment in pursuit of a mission. The attack surface of these remotely located, sensing and communicating devices is both large, and exposed to adversarial actors, making mission assurance a challenging problem. While best-practice security policies should be followed, they are rarely enough to guarantee mission success as not all components in the system may be trusted and the properties of the environment (e.g., the RF environment) may be under the control of the attacker. CPS must thus be built with a high degree of resilience to mitigate threats that security cannot alleviate. In this paper, we describe the Agile and Resilient Embedded Systems (ARES) methodology and metric set. The ARES methodology pursues cyber security and resilience (CSR) as high level system properties to be developed in the context of the mission. An analytic process guides system developers in defining mission objectives, examining principal issues, applying CSR technologies, and understanding their interactions.

SHAMROCK: A Synthesizable High Assurance Cryptography and Key management coprocessor

For performance, maintainability and usability, military communications systems must properly integrate and coordinate cryptographic primitives and use adequate key management schemes. In this paper, we present a SHAMROCK (Synthesizable High Assurance Management/Reservation/Operation of Cryptography and Keys) coprocessor. Being self-contained and synthesizable, SHAMROCK empowers designers to readily and correctly incorporate cryptography and key management into embedded systems. SHAMROCK has been incorporated in multiple mission critical systems to enable secure computing and communications.