Johannes Iber

A Virtual Fault Injection Framework for Reliability-Aware Software Development

Ever more dependable embedded systems are built with commercial off-the-shelf hardware components that are not intended for highly reliable applications. Consequently, software-based fault tolerance techniques have to maintain a safe operation despite underlying hardware faults. In order to efficiently develop fault tolerant software, fault injection is needed in early development stages. However, common fault injection approaches require manufactured products or detailed hardware models. Thus, these techniques are typically not applicable if software and hardware providers are separate vendors. Additionally, the rise of third-party OTS software components limits the means to inject faults. In this paper, we present a virtual fault injection framework that simulates safety-standard aligned fault models and supports OTS software components as well as widely-used embedded processors such as ARM cores. Additionally, we show how to integrate the framework into various software development stages. Finally, we illustrate the practicability of the approach by exemplifying the integration of the framework in the development of an industrial safety-critical system.

QEMU-Based Fault Injection for a System-Level Analysis of Software Countermeasures Against Fault Attacks

Physical attacks, such as fault attacks, pose a decisive threat for the security of devices in the Internet of Things. An important class of countermeasures for fault attacks is fault tolerant software that is applicable for systems based on COTS hardware. In order to evaluate software countermeasures against fault attacks, fault injection is needed. However, established fault injection approaches require manufactured products or hardware details (e.g. netlists, RTL models), which are not available when using COTS hardware. In this paper, we present a QEMU-based fault injection platform that supports commercial COTS processors that are widely-used in the embedded domain. This framework allows a system-level analysis of software countermeasures by featuring the simulation of high-level hardware faults targeting, for example, memory cells, register cells, or the correct execution of instructions. The framework supports the generation of realistic fault attack scenarios. We illustrate the practicability of the approach by presenting two exemplary use cases.

Integration of Integrity Enforcing Technologies into Embedded Control Devices: Experiences and Evaluation

Security is a vital property of SCADA systems, especially in critical infrastructure. An important aspect is maintaining (sub-)system integrity in networks of embedded control devices. One technology that is used to achieve this is remote attestation. It is used to prove the integrity of one system (prover) to another (challenger). However, due to the complexity of the maintenance of reference measurement, it is seen as impractical in such constrained distributed systems. In this work, we show how recent advances such as privilege-based attestation enable an architecture that is more feasible to use. Based on real control systems used for hydro-electric power plants, we evaluate the impact of the proposed infrastructure on the device performance and discuss our experiences with the consequences of using such technologies for the production and development processes of such systems.

The Potential of Self-Adaptive Software Systems in Industrial Control Systems

New generations of industrial control systems offer higher performance, are networked and can be controlled remotely. Following this progress, the complexity of such systems increases through heterogeneous systems, hardware and more capable software. This may lead to an increase of unreliability and insecurity. Self-adaptive software systems offer a mean of dealing with complexity by monitoring a control system, detecting anomalies and adapting the control system to problems. Regarding such methods, industrial control systems have the advantage of being less dynamic. The network topology is fixed, devices rarely change, and the functionality of all the resources is known in principle. In this work, we examine this advantage and present the potential of self-adaptive software systems. The context of the presented work is control systems for hydropower units.

Development and Production Processes for Secure Embedded Control Devices

Security is a vital property of SCADA systems, especially in the context of critical infrastructure. In this work, we focus on distributed control devices for hydro-electric power plants. Much work has been done for specific lifecylce phases of distributed control devices such as development or operational phase. Our aim here is to consider the entire product lifecycle and the consequences of security feature implementations for a single lifecycle stage on other stages. In particular, we discuss the security concept used to secure our control devices in the operational stage and show how these concepts result in additional requirements for the development and production stages. We show how we meet these requirements and focus on a production process that enables the commissioning of secrets such as private keys during the manufacturing phase. We show that this can be done both, securely and with acceptable overhead even when the manufacturing process is handled by a contract manufacturer that is not under full control of the OEM.

Using Model-Based Testing for Manufacturing and Integration-Testing of Embedded Control Systems

Implementing integration tests into to the manufacturing process of embedded devices is a crucial development for dealing with component deviations and production flaws. Especially control devices that interact with the physical world demand on a functional verification since malfunctions have a potentially enormous impact. In this domain, devices are often configured based on the customer needs during the production process. Different sub-components of the same product family are thus assembled into one single device. The high number of possible product configurations requires complex manufacturing processes. In this work, we use Model-Based Test (MBT) concepts to implement a manufacturing and test system that generates executable assembly-and test-procedures from an abstract test procedure model and a model of the actual manufactured device. We demonstrate how our approach helps in handling the complexity of the manufacturing process with an actual implementation in a productive manufacturing system for embedded control devices.

Diverse Compiling for Software-Based Recovery of Permanent Faults in COTS Processors

Digital systems used in critical infrastructures have to fulfill ever higher demands on performance and cost efficiency. Thus, there is the trend to commercial off-the-shelf processors. To ensure a correct functioning of such devices, even after a long time of operation, mechanisms to recover from permanent hardware faults (e.g. due to wear-out effects) are needed. However, there is a lack of flexible low-cost software-based fault mitigation approaches that do not base on a costly exhaustive redundancy. To address this challenge, we show how to adapt the software execution such that the faulty hardware resource is no longer used. We propose to update the embedded device with an adapted binary that is generated on a remote server with diverse compiling. Our experiments demonstrate that this approach allows recovering from 99% of internal memory and 52% of register faults.

Towards Dynamic Software Diversity for Resilient Redundant Embedded Systems

Faults in embedded systems are on the rise due to shrinking hardware feature sizes, increasing software complexity, and security vulnerabilities. Since such faults cannot be completely prevented, systems have to cope with their effects. Frequently, redundancy is used to achieve fault tolerance. However, with homogeneous redundancy common-cause faults such as software bugs or hardware faults in shared resources are not tolerated - diversity is needed. In this paper, we highlight the potential of automatically introducing diversity via dynamic software diversity techniques. Recently, these techniques have attracted attention in the security domain. Furthermore, we present the idea of using such dynamic software diversity methods to create feedback-based systems that are able to adapt the execution of the program in such a way that the consequences of faults are leveraged. Finally, we demonstrate the approach with two use cases. We show that by using address space layout randomization - a widespread technique to prevent malicious attacks - it is possible to detect memory-related software bugs during runtime. Additionally, we illustrate the idea of adaptive dynamic software diversity by showing a simple example of how to recover from common-cause faults in the address decoder via software by inserting memory gaps with adjustable size.

Ubtl UML testing profile based testing language

The continuous increase of software complexity is one of the major problems associated with the development of todays complex technical systems. In particular, for safety-critical systems, which usually require to be thoroughly verified and validated, managing such a complexity is of high importance. To this end, industry is utilizing Model-Driven Development (MDD) in many aspects of systems engineering, including verification and validation activities. Until now many specifications and standards have been released by the MDD community to support those activities by putting models in focus. The general problem is, however, that applying those specifications is often difficult, since they comprise a broader scope than usually required to solve specific problems. In this paper we propose a domain-specific language (DSL) that allows to specify tests from the UML Testing Profile (UTP). The main contribution is that only particular aspects of UTP are captured, thereby allowing the MDD process to be narrowed to specific needs, such as supporting code generation facilities for certain types of tests or even specific statements in tests. In the end we show the application of the DSL using a simple example within a MDD process, and we report on performance of that process.

Patterns for software integrity protection

Protecting the integrity of software modules is a critical task on all secure systems. Although many different technologies exist to examine and ensure software integrity, to the best of our knowledge, no security patterns that describe the underlying concepts exist yet. This work provides two new patterns that aim to provide solutions for examining, enforcement and attestation of software integrity. The application of the patterns is shown in a practical example that also illustrates the importance of these concepts.