Community Research and Development Information Service - CORDIS

H2020

SHARCS Report Summary

Project ID: 644571
Funded under: H2020-EU.2.1.1.

Periodic Reporting for period 1 - SHARCS (Secure Hardware-Software Architectures for Robust Computing Systems)

Reporting period: 2015-01-01 to 2016-06-30

Summary of the context and overall objectives of the project

Through tremendous changes such as Medical IoT, Smart Cars, Smarter Cities, Smarter Grids etc., society as a whole and individual citizens rely more and more on critical applications that sense and control systems in the physical environment.
Such “Cyber Physical Systems” (CPS) use a blend of embedded devices and traditional computing systems, and a variety of communication channels.
CPS mandate higher assurances of trust and cyber-security compared to those presently available in State-of-the-Art ICT systems.
The inevitable adoption of CPS offers a unique opportunity for revisiting the security stack to ensure that the new era of devices and services encompass lessons learned as part of the ICT cyber-security battles of the last decades.
New regulations and standards for both hardware and software are needed to address threats against the integrity of society and human life, which are the direct consequence of the blossoming of CPS.

Current security research, as well as security solutions, is largely top-down and demand driven.
Security-critical applications, software components, services or protocols, either known to be vulnerable or not, are protected with piece-meal security tools.
The most exposed layers tend to be the ones that are user and network facing.
These layers are typically protected by a plethora of different, often ad hoc, security tools and architectures, providing the largest attack surface and as such they will be exposed to the majority of malicious attacks.
For such security solutions to be effective, they must be based on solid foundations.
Attackers will often try to bypass strong security protections by redirecting their attack to software layers that lay below a seemingly strong defensive mechanism.
So, as a chain of software components, a system is as secure as the weakest link and thus for a system to really be secure, every layer of the software stack must be secure.
The application, compiler, libraries, operating system, drivers and the hypervisors must all be hardened.
However, even this may not be sufficient.
The hardware itself must be secure and provide the appropriate primitives and capabilities for all the software layers built on top of it to be secure.

To address the above problems one has to start by pushing security mechanisms down the system stack, from software to hardware.
Hardware security mechanisms have the advantage of being hard, if not impossible, to be bypassed by attackers.
The primary reason for this is that hardware is not typically modifiable as is the case with software.
Also, hardware security mechanisms have the advantage of being more efficient in terms of performance, simplicity, and power usage.
Finally, the hardware layer has a complete overview of the state of the entire system.
Building solid and secure foundations is an important first step towards a complete secure system solution.

Starting from this secure hardware foundation, one needs to continue with a series of bottom-up design and implementation choices to explore the entire system stack, and the interactions between the various components.
Some of the challenges include: how to utilize the new functionality, how legacy applications will operate in this new environment, what happens with interactions between different administrative domains
e.g., one that has high security requirements and one with low security expectations, how to dynamically recover from errors, how to least burden software developers and users, and many more.

SHARCS aims at designing, building and demonstrating secure-by-design system architectures that achieve end-to-end security for their users.
SHARCS will achieve this by systematically analyzing and extending, as necessary, every hardware and software layer in a computing system.
The new technologies developed will be directly utilizable by applications and services that require end-to-end security.

At the societal level SHARCS will increase the trust of citizens in ICT products and services.
The promotion of new standards and regulations for building hardware and software systems, coupled with the new technologies invented, will be beneficial to the consumer, who will reap the rewards of more secure consumer goods.
The technologies coming out of SHARCS will be applicable to both large companies as well as SMEs, leveling the playing field in the race to introduce new products.
Overall, the outcomes will have a positive impact on society as a whole.

The specific objectives of the project are to:
1. Extend existing hardware and software platforms towards developing secure-by-design enabling technologies.
2. Leverage hardware technology features present in today’s processors and embedded de- vices to facilitate software-layer security.
3. Build methods and tools for providing maximum possible security-by-design guarantees for legacy systems.
4. Evaluate acceptance, effectiveness and platform independence of SHARCS technologies and processes.
5. Create high impact in the security and trustworthiness of ICT systems.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

"The work performed in SHARCS focused on inventing and building end-to-end security technologies and solutions, to provide security-by-design.
Beyond simply developing these technologies and solution, the are also being applied on actual use cases in three diverse domains: medical, cloud and automotive.

In the context of the above, he end-to-end solution oriented on protecting against a number of specific attack scenarios:
1. Unauthorized code execution – modification of a normal application flow in a way that causes an application to execute arbitrary code (usually having a malicious behaviour).
There are two widely known ways to perform this attack, depending on where the malicious code comes from.
(a) Code injection – introduction of a code snippet that will be executed by the application, as if it was the native application code.
The purpose of the introduced code is to change the course of the application’s execution in a way that will lead to a result desired by the intruder.
(b) Code reuse – the malicious code is constructed of "gadgets" – carefully chosen code sequences of machine instructions from the application binary code itself.
Gadgets are chosen in such a way that, when chained together, perform an operation that is desired by the attacker (see, e.g. Return-oriented programming attack .)
2. Data manipulation – malicious read or write actions performed on an application’s data, e.g. overwriting entries in the application memory, or unauthorized access to the sensitive data.
3. Denial of Service (DoS) via software crash – change of the course of the application execution in a way that leads to a crash of the application software.
4. Authentication-protocol violation – bypassing the standard authentication mechanism of the application, resulting in gaining extra privileges without providing the required credentials.

The work performed in SHARCS, towards achieving end-to-end security, focused on the following three variations, depending on the layer our proposed security mechanisms are implemented on:

A full-featured SHARCS stack, which incorporates security changes in all layers.
This model offers security guarantees for critical applications, such as a medical implant and follows a clean-slate approach.
Specifically, progress has been made on a "bulletproof" custom System on Chip (SoC) which incorporates techniques that detect and prevent malicious code execution and reuse in the processing core,
and a communication co-processor that can handle encryption/decryption and secure communication protocols more efficiently.
Furthermore, measures have been taken in order to preserve the operation of a critical application when a security threat is detected.

A hardware-assisted approach, which incorporates changes in both hardware and existing software in order to provide security guarantees for applications such as, control over critical infrastructure, and smart cars.
In this case, existing hardware (e.g. soft-cores) has been modified, but the modifications are less intrusive, so that existing applications would require as little modifications as possible, in order to utilize and benefit from the new security mechanisms.
In particular, code injection and code reuse prevention techniques have been implemented in an open-source processor that require slight modifications and recompilation of an application in order to be deployed.

Since neither a clean-slate approach, nor the modification of hardware, is always feasible, due to the wide use of legacy hardware and software,
in SHARCS, work was also done towards utilizing standard hardware, where the hardware modifications have been replaced with hypervisor modifications.
This relaxed model is suitable for applications such as secure cloud, a critical infrastructure, where enhanced SHARCS hardware cannot be used.
This model has also been applied in cases where existing hardware like General Purpose Graphics Processing Systems (GPGPUs), Trusted Platform Modules (TPMs) and cryptographic accelerators (e.g. AES-NI) were leveraged in security applications.
Specifically:
1. An alternative approach to the problem of protecting a server’s cryptographic keys has been explored,
which takes advantage of the graphics card to exclusively (a) store cryptographic keys and other sensitive information, and (b) carry out all cryptographic operations, without involving the CPU.
2. A mechanism that utilizes a TPM is used to attest the correct configuration hypervisors and virtual machines.
3. A software-based scheme that ensures that the sensitive data of an application will always be encrypted in main memory, utilizes the AES-NI cryptographic instruction set, which is present in nearly every modern processor.

Lastly, SHARCS incorporated software only changes, in order to harden cases where neither the hardware nor hypervisor software may be enhanced.
These software-only techniques consist of tools that:
1. Harden an applications source code (e.g. as compiler extensions).
These are suitable for applications developed under the SHARCS framework, SHARCS use case applications, and widely used open-source applications.
2. Operate on binaries, by enhancing them with additional security checks. These are suitable when software recompilation is not possible.
3. Perform offline source code screening, with a tool capable of finding security vulnerabilities in code, as well as proving to some extent that some of the code’s components are clean of specific types of vulnerabilities (e.g. memory safety issues)."

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

SHARCS proposes new paradigms for the adoption and enforcement of end-to-end security.
Its focus is distributed throughout the Information and Communication Technology (ICT) ecosystem, creating solutions in both software and hardware,
from Systems-on-a-Chip, running without an operating system present, to major cloud infrastructures with multiple levels of abstraction.
The impact foreseen, and that the SHARCS project has set out to achieve, is well on its way, with new technologies making headway on the SHARCS project’s use-cases (Implant, Automotive, Cloud).
In more detail, the progress beyond the State-of-the-Art is as follows:

* New paradigms for the design and implementation of ICT technology:
Through modifying or completely redesigning existing technologies, the SHARCS project guarantees end-to-end security for secure execution and communications.
For example, the Cloud platform is making changes to expose hardware security functions to the entire platform.
The Implantable Medical Device (IMD) is being redesigned to enforce safe execution and safe communication with the outside world.
The Automotive use-case is modifying its software and hardware stack, to enforce safe execution and communications.

* ICT designed in Europe offering a higher level of security and/or privacy compared to non-European ICT products and services:
The Cloud platform is adopting security techniques, eclipsing the security offered by other Cloud providers.
The IMD use-case is the first of its kind to readily adopt security-by-design, guaranteeing the safety and privacy of the user.
The Automotive platform will be the first to offer end-to-end security.

* ICT products and services compliant with Europe’s security and privacy regulation:
The Cloud platform has already adopted new features, like two-factor authentication, to mitigate the effect of security breaches.
The IMD is adopting secure execution technologies as well as secure communication protocols, hindering attacks on the device.
The Automotive use-case is also adopting secure execution technologies, protecting the system against attacks.
* ICT with a measurably higher level of security and/or privacy, at marginal additional cost compared to ICT technology following the traditional designs (i.e. implementing security as add-on functionality):
By exposing already present hardware security features to the end user, the Cloud platform is enforcing security with no significant cost overhead.
The IMD is being redesigned with security in mind.
While the Automotive platform is focusing on automated software protections.

* Increase user trust in ICT and online services:
By exposing security features directly to the clients, Cloud becomes more trustworthy, since the clients can be assured that the data centre’s machines, and by extension their data, are not compromised.
With the protections added to the IMD and Automotive cases, users will be able to trust their privacy and well-being is in good hands.

* Improve users’ ability to detect breaches of security and privacy:
Through secure boot mechanisms and remote attestation, users will be able to check and isolate security breaches.
In the IMD and Automotive cases, the technologies applied are transparent to the user.

* Improved protection of the user’s privacy, in compliance with applicable legislation:
By verifying that the virtualisation platform is working as intended, users can be assured that their machines are isolated from other, possibly malicious, users.
The secure communication protocols being implemented in the IMD platform, guarantee the end-user’s privacy.

* More resilient critical infrastructures and services:
Through improvements in the security of the Cloud platform, users can be certain that their workloads are running safely and without interruptions.
The IMD and Automotive platforms are hardened against tampering that could result in malicious behaviour, or denial of service.

* Provides security and privacy as a built-in feature, simpler to understand and manage for the user compared to traditional ICT.
The UI design of the Cloud platform is being improved, to provide an easier and simpler rundown of the security features provided, and how to utilize them.
In the IMD and Automotive cases, the technologies applied are transparent to the user.

* ICT technology that is proven to be more secure than ICT designed the traditional way:
This will be determined through the automated testing and the evaluation work.

Related information

Record Number: 192930 / Last updated on: 2016-12-15
Follow us on: RSS Facebook Twitter YouTube Managed by the EU Publications Office Top