Michael LeMay
University of Illinois at Urbana–Champaign
Publication
Featured research published by Michael LeMay.
Hawaii International Conference on System Sciences | 2008
Michael LeMay; Rajesh Nelli; George Gross; Carl A. Gunter
In the competitive electricity structure, demand response programs enable customers to react dynamically to changes in electricity prices. The implementation of such programs may reduce energy costs and increase reliability. To fully harness such benefits, existing load controllers and appliances need around-the-clock price information. Advances in the development and deployment of advanced meter infrastructures (AMIs), building automation systems (BASs), and various dedicated embedded control systems provide the capability to effectively address this requirement. In this paper we introduce a meter gateway architecture (MGA) to serve as a foundation for integrated control of loads by energy aggregators, facility hubs, and intelligent appliances. We discuss the requirements that motivate the architecture, describe its design, and illustrate its application to a small system with an intelligent appliance and a legacy appliance using a prototype implementation of an intelligent hub for the MGA and ZigBee wireless communications.
Hawaii International Conference on System Sciences | 2007
Michael LeMay; George Gross; Carl A. Gunter; Sanjam Garg
We introduce a secure architecture called an attested meter for advanced metering that supports large-scale deployments, flexible configurations, and enhanced protection for consumer privacy and metering integrity. Our study starts with a threat analysis for advanced metering networks and formulates protection requirements for those threats. The attested meter satisfies these through a unified set of system interfaces based on virtual machines and attestation for the software agents of various parties that use the meter. We argue that this combination provides a well-adapted architecture for advanced metering and we take a step towards demonstrating its feasibility with a prototype implementation based on the trusted platform module (TPM) and Xen virtual machine monitor (VMM). This is the first effort to use virtual machines and attestation in an advanced meter.
IEEE Transactions on Smart Grid | 2012
Michael LeMay; Carl A. Gunter
To mitigate the threat of malware intrusions on networked embedded systems, it is desirable to provide remote attestation assurances for them. Embedded systems have special limitations concerning cost, power efficiency, computation, and memory that influence how this goal can be achieved. Moreover, many types of applications require integrity guarantees for the system over an interval of time rather than just at a given instant. We propose a Cumulative Attestation Kernel (CAK) that addresses these concerns. We demonstrate the value of CAKs for Advanced Metering Infrastructure (AMI) and show how to implement a CAK in less than one quarter of the memory available on low end flash MCUs similar to those used in AMI deployments. Regarding this prototype, we present the first formal proof we are aware of that a system is tolerant to power supply interruptions. We also discuss how to provide cumulative attestation for devices with tighter memory constraints by offloading computation and storage onto a Cumulative Attestation Coprocessor (CAC).
European Symposium on Research in Computer Security | 2009
Michael LeMay; Carl A. Gunter
There are increasing deployments of networked embedded systems and rising threats of malware intrusions on such systems. To mitigate this threat, it is desirable to enable commonly-used embedded processors known as flash MCUs to provide remote attestation assurances like the Trusted Platform Module (TPM) provides for PCs. However, flash MCUs have special limitations concerning cost, power efficiency, computation, and memory that influence how this goal can be achieved. Moreover, many types of applications require integrity guarantees for the system over an interval of time rather than just at a given instant. The aim of this paper is to demonstrate how an architecture we call a Cumulative Attestation Kernel (CAK) can address these concerns by providing cryptographically secure firmware auditing on networked embedded systems. To illustrate the value of CAKs, we demonstrate practical remote attestation for Advanced Metering Infrastructure (AMI), a core technology in emerging smart power grid systems that requires cumulative integrity guarantees. To this end, we show how to implement a CAK in less than one quarter of the memory available on low end AVR32 flash MCUs similar to those used in AMI deployments. We analyze one of the specialized features of such applications by formally proving that remote attestation requirements are met by our implementation even if no battery backup is available to prevent sudden halt conditions.
Hawaii International Conference on System Sciences | 2009
Michael LeMay; Jason J. Haas; Carl A. Gunter
Building Automation Systems (BASs) can save building owners money by reducing energy consumption while simultaneously preserving occupant comfort. There are algorithms that optimize this tradeoff, such as detecting which appliances are turned on without requiring expensive status detectors to be attached to each appliance. However, better ways are needed to determine which algorithms are best-suited to a particular building. This paper explores the idea of allowing building managers to automatically communicate among themselves and exchange ratings of individual monitoring and control algorithms in such a way that each building manager can then obtain predicted ratings for all algorithms that he has not yet tried personally. We allow individual algorithms to be replaced by using a blackboard architecture to loosen the coupling between them. We propose a recommender system that operates on a database of contributed ratings to predict ratings of untried algorithms. To explore this approach, we developed a prototype that seamlessly interacts with both emulated physical buildings and buildings simulated in software and we implemented several of the control algorithms described in previous works. We demonstrate a recommender system that selects between algorithms in various types of buildings.
Symposium on Access Control Models and Technologies | 2007
Michael LeMay; Omid Fatemieh; Carl A. Gunter
Constraint systems provide techniques for automatically analyzing the conformance of low-level access control policies to high-level business rules formalized as logical constraints. However, there are likely to be priorities for solutions that are not easy to encode formally, so administrator input is often important. This paper introduces PolicyMorph, a constraint system that supports interactive development and maintenance of access control policies that respect both formalized and un-formalized business rules and priorities. We provide a mathematical description of the system and an architecture for implementing it. We constructed a prototype that is validated using a case study in which constraints are imposed on a building automation system that controls door locks. PolicyMorph advances the state-of-the-art in constraint systems by suggesting predictable policy model modifications that will resolve specific constraint violations and then allowing policy administrators to select the appropriate modifications using knowledge that is not formally encoded in the constraint system.
arXiv: Cryptography and Security | 2015
Michael LeMay; Carl A. Gunter
Mobile devices are in roles where the integrity and confidentiality of their apps and data are of paramount importance. They usually contain a System-on-Chip (SoC), which integrates microprocessors and peripheral Intellectual Property (IP) connected by a Network-on-Chip (NoC). Malicious IP or software could compromise critical data. Some types of attacks can be blocked by controlling data transfers on the NoC using Memory Management Units (MMUs) and other access control mechanisms. However, commodity processors do not provide strong assurances regarding the correctness of such mechanisms, and it is challenging to verify that all access control mechanisms in the system are correctly configured. We propose a NoC Firewall (NoCF) that provides a single locus of control and is amenable to formal analysis. We demonstrate an initial analysis of its ability to resist malformed NoC commands, which we believe is the first effort to detect vulnerabilities that arise from NoC protocol violations perpetrated by erroneous or malicious IP.
ACM Transactions on Sensor Networks | 2015
Yong Yang; Lu Su; Mohammad Maifi Hasan Khan; Michael LeMay; Tarek F. Abdelzaher; Jiawei Han
Our prior work suggested the use of power traces of unresponsive sensor nodes to diagnose the cause of anomalous node silence, but suffers from its limitations in scalability. To address these issues, we propose a new concept of power watermarking, a diagnostic service that actively produces unique power watermarks for each system state of interest so as to convey system information over power measurements. Failures of applications, hardware, or the watermark generator result in different watermark combinations or absence thereof. Experiments demonstrate high diagnostic accuracy and energy efficiency, even in the presence of multiple applications of similar natural power consumption patterns.
Annual Computer Security Applications Conference | 2011
Omid Fatemieh; Michael LeMay; Carl A. Gunter
We consider reliable telemetry in white spaces in the form of protecting the integrity of distributed spectrum measurements against coordinated misreporting attacks. Our focus is on the case where a subset of the sensors can be remotely attested. We propose a practical framework for using statistical sequential estimation coupled with machine learning classifiers to deter attacks and achieve quantifiably precise outcome. We provide an application-oriented case study in the context of spectrum measurements in the white spaces. The study includes a cost analysis for remote attestation, as well as an evaluation using real transmitter and terrain data from the FCC and NASA for Southwest Pennsylvania. The results show that with as low as 15% penetration of attestation-capable nodes, more than 94% of the attempts from omniscient attackers can be thwarted.
Trust and Trustworthy Computing | 2011
Michael LeMay; Carl A. Gunter
Malware often injects and executes new code to infect hypervisors, OSs and applications. Such malware infections can be prevented by checking all code against a whitelist before permitting it to execute. The eXecuting Implies Verified Enforcer (XIVE) is a distributed system in which a kernel on each target system consults a server called the approver to verify code on-demand. We propose a new hardware mechanism to isolate the XIVE kernel from the target host. The Integrity-Aware Processor (IAP) that embodies this mechanism is based on a SPARC soft-core for an FPGA and provides high performance, high compatibility with target systems and flexible invocation options to ensure visibility into the target system. This facilitates the development of a very small trusted computing base.