
Publications

Featured research published by Tobias Rauter.


Dependable Systems and Networks | 2015

A Virtual Fault Injection Framework for Reliability-Aware Software Development

Andrea Höller; Georg Macher; Tobias Rauter; Johannes Iber; Christian Kreiner

Ever more dependable embedded systems are built with commercial off-the-shelf hardware components that are not intended for highly reliable applications. Consequently, software-based fault tolerance techniques have to maintain a safe operation despite underlying hardware faults. In order to efficiently develop fault tolerant software, fault injection is needed in early development stages. However, common fault injection approaches require manufactured products or detailed hardware models. Thus, these techniques are typically not applicable if software and hardware providers are separate vendors. Additionally, the rise of third-party OTS software components limits the means to inject faults. In this paper, we present a virtual fault injection framework that simulates safety-standard aligned fault models and supports OTS software components as well as widely-used embedded processors such as ARM cores. Additionally, we show how to integrate the framework into various software development stages. Finally, we illustrate the practicability of the approach by exemplifying the integration of the framework in the development of an industrial safety-critical system.


Digital Systems Design | 2015

QEMU-Based Fault Injection for a System-Level Analysis of Software Countermeasures Against Fault Attacks

Andrea Höller; Armin Krieg; Tobias Rauter; Johannes Iber; Christian Kreiner

Physical attacks, such as fault attacks, pose a decisive threat for the security of devices in the Internet of Things. An important class of countermeasures for fault attacks is fault tolerant software that is applicable for systems based on COTS hardware. In order to evaluate software countermeasures against fault attacks, fault injection is needed. However, established fault injection approaches require manufactured products or hardware details (e.g. netlists, RTL models), which are not available when using COTS hardware. In this paper, we present a QEMU-based fault injection platform that supports commercial COTS processors that are widely-used in the embedded domain. This framework allows a system-level analysis of software countermeasures by featuring the simulation of high-level hardware faults targeting, for example, memory cells, register cells, or the correct execution of instructions. The framework supports the generation of realistic fault attack scenarios. We illustrate the practicability of the approach by presenting two exemplary use cases.


Microprocessor Test and Verification | 2014

FIES: A Fault Injection Framework for the Evaluation of Self-Tests for COTS-Based Safety-Critical Systems

Andrea Höller; Gerhard Schönfelder; Nermin Kajtazovic; Tobias Rauter; Christian Kreiner

Safety-critical systems have to satisfy ever-growing demands for high computing performance and cost-efficiency. This leads to a move to commercial off-the-shelf hardware components that are not hardened. Unfortunately, these components are becoming increasingly vulnerable to operational faults, and the manufacturers do not guarantee a certain level of dependability. However, in order to maintain high integrity, safety-critical systems have to ensure the correct functionality of hardware components during operation. Besides redundancy techniques, this is typically realized with built-in self-tests implemented at software level. Safety standards, such as the IEC 61508 standard, prescribe certain fault models that should be used to assess the diagnostic coverage of self-tests with fault injection experiments. Typical fault injection frameworks use gate-level netlists or RTL models. However, these hardware models are not publicly available for most COTS processors. In this paper we present a Fault Injection framework for the Evaluation of software-based Self-tests (FIES) according to the safety standard IEC 61508. This virtual platform supports widely-used embedded COTS processors, such as ARM cores, and provides feedback about the diagnostic coverage of self-tests in early design stages. It supports the simulation of faults in the control and execution path of an ARM processor and features an extended fault model to simulate memory coupling faults. The applicability of the approach is shown by using it for the evaluation of a memory test.


High Performance Embedded Architectures and Compilers | 2016

Asset-Centric Security Risk Assessment of Software Components

Tobias Rauter; Christian Kreiner; Nermin Kajtazovic; Andrea Höller

Risk management is a crucial process for the development of secure systems. Valuable objects (assets) must be identified and protected. In order to prioritize the protection mechanisms, the values of assets need to be quantified. More valuable or exposed assets require more powerful protection. There are many risk assessment approaches that aim to provide a metric to generate this quantification for different domains. In software systems, these assets are reflected in resources (e.g., a file with important information) or functional software components (e.g., performing a bank transfer). To protect the assets from different threats like unauthorized access, other software components (e.g., an authenticator) are used. These components are essential for the asset’s security properties and should therefore be considered for further investigation such as threat modeling. Evaluating assets only at system level may hide threats that originate from vulnerabilities in software components, while an extensive threat analysis of all the system’s components without prioritization is not always feasible. In this work, we propose a metric that quantifies software components by the assets they are able to access. Based on a component model of the software architecture, it is possible to identify trust domains and add filter components that split these domains. We show how the integration of the methodology into the development process of a distributed manufacturing system helped us to identify critical sections (i.e., components whose vulnerabilities may enable threats against important assets), to reduce the attack surface, to find isolation domains and to implement security measures at the right places.


Design, Automation, and Test in Europe | 2015

Evaluation of diverse compiling for software-fault detection

Andrea Höller; Nermin Kajtazovic; Tobias Rauter; Kay Uwe Römer; Christian Kreiner

Although software fault prevention techniques improve continually, faults remain in every complex software system. Thus, safety-critical embedded systems need mechanisms to tolerate software faults. Typically, these systems use static redundancy to detect hardware faults during operation. However, the reliability of a redundant system not only depends on the reliability of each version, but also on the dissimilarity between them. Thus, researchers have investigated ways to automatically add cost-efficient diversity to software to increase the efficiency of redundancy strategies. One of these automated software diversification methods is diverse compiling, which exploits the diversity introduced by different compilers and different optimization flags. Today, diverse compiling is used to improve hardware fault tolerance and to avoid common defects from compilers. However, in this paper we show that diverse compiling also enhances software fault tolerance by increasing the chance of finding defects in the source code of the executed software during runtime. More precisely, the memory is organized differently when using different compilers and compiler flags. This enhances the chance of detecting memory-related software bugs, such as missing memory initialization, during runtime. Here we experimentally quantify the efficiency of diverse compiling for software fault tolerance and we show that diverse compiling can help to detect up to about 70% of memory-related software bugs.


Pacific Rim International Symposium on Dependable Computing | 2017

Integration of Integrity Enforcing Technologies into Embedded Control Devices: Experiences and Evaluation

Tobias Rauter; Andrea Höller; Johannes Iber; Michael Krisper; Christian Kreiner

Security is a vital property of SCADA systems, especially in critical infrastructure. An important aspect is maintaining (sub-)system integrity in networks of embedded control devices. One technology that is used to achieve this is remote attestation. It is used to prove the integrity of one system (prover) to another (challenger). However, due to the complexity of maintaining reference measurements, it is seen as impractical in such constrained distributed systems. In this work, we show how recent advances such as privilege-based attestation enable an architecture that is more feasible to use. Based on real control systems used for hydro-electric power plants, we evaluate the impact of the proposed infrastructure on the device performance and discuss our experiences with the consequences of using such technologies for the production and development processes of such systems.


European Conference on Software Process Improvement | 2017

The Potential of Self-Adaptive Software Systems in Industrial Control Systems

Johannes Iber; Tobias Rauter; Michael Krisper; Christian Kreiner

New generations of industrial control systems offer higher performance, are networked and can be controlled remotely. Following this progress, the complexity of such systems increases through heterogeneous systems, hardware and more capable software. This may lead to an increase in unreliability and insecurity. Self-adaptive software systems offer a means of dealing with complexity by monitoring a control system, detecting anomalies and adapting the control system to problems. Regarding such methods, industrial control systems have the advantage of being less dynamic. The network topology is fixed, devices rarely change, and the functionality of all the resources is known in principle. In this work, we examine this advantage and present the potential of self-adaptive software systems. The context of the presented work is control systems for hydropower units.


European Conference on Software Process Improvement | 2016

Development and Production Processes for Secure Embedded Control Devices

Tobias Rauter; Andrea Höller; Johannes Iber; Christian Kreiner

Security is a vital property of SCADA systems, especially in the context of critical infrastructure. In this work, we focus on distributed control devices for hydro-electric power plants. Much work has been done for specific lifecycle phases of distributed control devices, such as the development or operational phase. Our aim here is to consider the entire product lifecycle and the consequences that security feature implementations for a single lifecycle stage have on other stages. In particular, we discuss the security concept used to secure our control devices in the operational stage and show how these concepts result in additional requirements for the development and production stages. We show how we meet these requirements and focus on a production process that enables the commissioning of secrets such as private keys during the manufacturing phase. We show that this can be done both securely and with acceptable overhead, even when the manufacturing process is handled by a contract manufacturer that is not under full control of the OEM.


Digital Systems Design | 2016

Using Model-Based Testing for Manufacturing and Integration-Testing of Embedded Control Systems

Tobias Rauter; Andrea Höller; Johannes Iber; Christian Kreiner

Implementing integration tests in the manufacturing process of embedded devices is a crucial development for dealing with component deviations and production flaws. Especially control devices that interact with the physical world demand functional verification, since malfunctions have a potentially enormous impact. In this domain, devices are often configured based on customer needs during the production process. Different sub-components of the same product family are thus assembled into one single device. The high number of possible product configurations requires complex manufacturing processes. In this work, we use Model-Based Testing (MBT) concepts to implement a manufacturing and test system that generates executable assembly and test procedures from an abstract test procedure model and a model of the actual manufactured device. We demonstrate how our approach helps in handling the complexity of the manufacturing process with an actual implementation in a productive manufacturing system for embedded control devices.


Dependable Systems and Networks | 2016

Diverse Compiling for Software-Based Recovery of Permanent Faults in COTS Processors

Andrea Hoeller; Bernhard Spitzer; Tobias Rauter; Johannes Iber; Christian Kreiner

Digital systems used in critical infrastructures have to fulfill ever higher demands on performance and cost efficiency. Thus, there is a trend towards commercial off-the-shelf processors. To ensure the correct functioning of such devices, even after a long time of operation, mechanisms to recover from permanent hardware faults (e.g. due to wear-out effects) are needed. However, there is a lack of flexible low-cost software-based fault mitigation approaches that are not based on costly exhaustive redundancy. To address this challenge, we show how to adapt the software execution such that the faulty hardware resource is no longer used. We propose to update the embedded device with an adapted binary that is generated on a remote server with diverse compiling. Our experiments demonstrate that this approach allows recovering from 99% of internal memory and 52% of register faults.

Collaboration

Top Co-Authors

Christian Kreiner (Graz University of Technology)
Johannes Iber (Graz University of Technology)
Andrea Höller (Graz University of Technology)
Nermin Kajtazovic (Graz University of Technology)
Michael Krisper (Graz University of Technology)
Andrea Hoeller (Graz University of Technology)
Georg Macher (Graz University of Technology)
Kay Uwe Römer (Graz University of Technology)
Armin Krieg (Graz University of Technology)
Bernhard Spitzer (Graz University of Technology)