Michael Vai
Massachusetts Institute of Technology
Publication
Featured research published by Michael Vai.
IEEE High Performance Extreme Computing Conference | 2015
Michael Vai; Ben Nahill; Joshua Kramer; M. W. Geis; Daniil M. Utin; David Whelihan; Roger I. Khazan
Devices connected to the internet are increasingly the targets of deliberate and sophisticated attacks [1]. Embedded system engineers tend to focus on well-defined functional capabilities rather than “obscure” security and resilience. However, “after-the-fact” system hardening could be prohibitively expensive or even impossible. The co-design of security and resilience with functionality has to overcome a major challenge; rarely can the security and resilience requirements be accurately identified when the design begins. This paper describes an embedded system architecture that decouples secure and functional design aspects.
IEEE High Performance Extreme Computing Conference | 2016
Michael Vai; David Whelihan; N. Evancich; K. J. Kwak; J. Li; M. Britton; J. Foley; M. Lynch; D. Schafer; J. DeMatteis
Mission critical embedded systems should be capable of performing intended functions with resiliency against cyberattacks. The methodology of design-for-cybersecurity is now widely recognized, in which the effects of cybersecurity, or lack thereof, on system objectives must be determined. However, developers are often challenged by the difficulty of analyzing a system-under-design without complete specifics. In this paper, we describe a systems design approach, which incrementally models the cybersecurity architecture, components, and interfaces of an embedded system for analysis and demonstration. We have applied this approach to analyze the mission resiliency of an avionic computer being developed and demonstrate its operations in a scenario when the system is under attack.
Hardware Oriented Security and Trust | 2016
David Whelihan; Kate Thurmer; Michael Vai
We describe a novel key-centric processor architecture in which each piece of data or code can be protected by encryption while at rest, in transit, and in use. Using embedded key management for cryptographic key handling, our processor permits mutually distrusting software written by different entities to work closely together without divulging algorithmic parameters or secret program data. Since the architecture performs encryption, decryption, and key management deeply within the processor hardware, the attack surface is minimized without significant impact on performance or ease of use. The current prototype implementation is based on the Sparc architecture and is highly applicable to small to medium-sized processing loads.
Computer and Communications Security | 2013
Daniil M. Utin; Roger Khazan; Joshua Kramer; Michael Vai; David Whelihan
In this poster, we describe a one-size-fits-many Intellectual Property (IP) core which integrates advanced key management technology and streaming encryption into a single component to protect data in-transit.
Military Communications Conference | 2017
David Whelihan; Michael Vai; N. Evancich; K. J. Kwak; J. Li; M. Britton; B. Frantz; D. Hadcock; M. Lynch; D. Schafer; J. DeMatteis; D. Russo
Cyber-Physical Systems (CPS) such as Unmanned Aerial Systems (UAS) sense and actuate their environment in pursuit of a mission. The attack surface of these remotely located, sensing and communicating devices is both large and exposed to adversarial actors, making mission assurance a challenging problem. While best-practice security policies should be followed, they are rarely enough to guarantee mission success as not all components in the system may be trusted and the properties of the environment (e.g., the RF environment) may be under the control of the attacker. CPS must thus be built with a high degree of resilience to mitigate threats that security cannot alleviate. In this paper, we describe the Agile and Resilient Embedded Systems (ARES) methodology and metric set. The ARES methodology pursues cyber security and resilience (CSR) as high level system properties to be developed in the context of the mission. An analytic process guides system developers in defining mission objectives, examining principal issues, applying CSR technologies, and understanding their interactions.
Military Communications Conference | 2017
Benjamin Nahill; Aaron Mills; Martin Kiernicki; David A. Wilson; Michael Vai; Roger I. Khazan; John Sherer
As the rate at which digital data is generated continues to grow, so does the need to ensure that data can be stored securely. The use of an NSA-certified Inline Media Encryptor (IME) is often required to protect classified data, as its security properties can be fully analyzed and certified with minimal coupling to the environment in which it is embedded. However, these devices are historically purpose-built and must often be redesigned and recertified for each target system. This tedious and costly (but necessary) process limits the ability for an information system architect to leverage advances made in storage technology. Our universal Classified Data At Rest (CDAR) architecture represents a modular approach to reduce this burden and maximize interface flexibility. The core module is designed around NVMe, a high-performance storage interface built directly on PCIe. Interfacing with non-NVMe interfaces such as SATA is achieved with adapters which are outside the certification boundary and therefore can be less costly and leverage rapidly evolving commercial technology. This work includes an analysis for both the functionality and security of this architecture. A prototype was developed with peak throughput of 23.9 Gb/s at a power consumption of 8.5W, making it suitable for a wide range of storage applications.
International Midwest Symposium on Circuits and Systems | 2017
M. W. Geis; Karen Gettings; Michael Vai
Many military and commercial systems require a unique digital identification for authentication, key derivation, and other purposes. Our approach uses an optical physical unclonable function (PUF) that can be implemented on printed circuit boards (PCB). Various environmental factors, such as physical stress, temperature, heat dissipation, and aging, affect the effectiveness of such a PUF. This paper will discuss our recent research in addressing these and other concerns by advancing in the areas of waveguide construction, system longevity, and PCB cooling. We will also discuss the enhanced capability of differentiating between intact and disturbed systems.
Hardware Oriented Security and Trust | 2017
Michael Vai; Karen Gettings; Theodore M. Lyszczarz
Application specific integrated circuits (ASICs) are commonly used to implement high-performance signal-processing systems for high-volume applications, but their high development costs and inflexible nature make ASICs inappropriate for algorithm development and low-volume DoD applications. In addition, the intellectual property (IP) embedded in the ASIC is at risk when fabricated in an untrusted foundry. Lincoln Laboratory has developed a flexible signal-processing architecture to implement a wide range of algorithms within one application domain, for example radar signal processing. In this design methodology, common signal processing kernels such as digital filters, fast Fourier transforms (FFTs), and matrix transformations are implemented as optimized modules, which are interconnected by a programmable wiring fabric that is similar to the interconnect in a field programmable gate array (FPGA). One or more programmable microcontrollers are also embedded in the fabric to sequence the operations. This design methodology, which has been termed a coarse-grained FPGA, has been shown to achieve a near ASIC level of performance. In addition, since the signal processing algorithms are expressed in firmware that is loaded at runtime, the important application details are protected from an unscrupulous foundry.
Military Communications Conference | 2016
David Whelihan; Michael Vai; Daniil M. Utin; Roger I. Khazan; Karen Gettings; Thomas A. Anderson; Antonio Godfrey; Raymond Govotski; Mark Yeager; Brendon Chetwynd; Ben Nahill; Eric Koziel
For performance, maintainability and usability, military communications systems must properly integrate and coordinate cryptographic primitives and use adequate key management schemes. In this paper, we present a SHAMROCK (Synthesizable High Assurance Management/Reservation/Operation of Cryptography and Keys) coprocessor. Being self-contained and synthesizable, SHAMROCK empowers designers to readily and correctly incorporate cryptography and key management into embedded systems. SHAMROCK has been incorporated in multiple mission critical systems to enable secure computing and communications.
Archive | 2015
Michael Vai; David Whelihan; Benjamin Nahill; Dan Utin; Sean O'Melia; Roger I. Khazan