CORDIS - EU research results

Open-source ReSilient Hardware and software for Internet of thiNgs

Periodic Reporting for period 1 - ORSHIN (Open-source ReSilient Hardware and software for Internet of thiNgs)

Reporting period: 2022-10-01 to 2024-03-31

Embedded systems, including Internet of Things (IoT) and industrial IoT devices, are typically built in closed environments using closed-source components. This makes their design, implementation and the rest of their life cycle opaque and reduces the trustworthiness of a device, as the user must trust the device manufacturers and their complex relations. It also nullifies the auditability of a device. At the same time, even essential security and privacy requirements impose additional cost, while devices need to be extremely cost competitive. Therefore constrained embedded devices, for example those with limited computation power or a limited energy budget, routinely lack essential security and privacy guarantees. This may go unnoticed because of the opaque life cycle mentioned above.

More and more of our private information is processed by IoT devices such as smart wearables or smart home applications. An increasing share of our daily life is managed by smart devices, and our life can depend on smart devices such as medical implants, cars, etc. Industrial control processes are already largely automated, and more and more critical infrastructure is made “smart” for efficiency purposes. In all these contexts essential and verifiable privacy and security guarantees are a must in order to protect our society.

In the last two decades we have witnessed how the open-source approach revolutionized the software world. The overall goal of the ORSHIN project is to push toward a similar revolution in the hardware domain. First, the ORSHIN project will develop an open and transparent secure device life cycle explicitly tailored to using open-source hardware components, which we call the Trusted Life Cycle (TLC). Next, the project will enable, support and improve the formal verification of security properties of open-source components. The project's third objective is to devise effective security audits for firmware (the low-level software running on a device) and at the silicon level (that is, how chips are built). Furthermore, the project will develop open, efficient, secure and privacy-preserving ways for devices to communicate. Finally, the project will demonstrate the developed technologies and techniques, promote the results widely and discuss with policy makers and standardization bodies the implications of using an open-source approach. Last but not least, all work in the project will be driven by real-world challenges.
To lay the ORSHIN foundations we developed a novel TLC that we use as the base to develop and manage an ORSHIN device. The life cycle is modeled after a chain that is only as strong as its weakest link and embeds security-by-design and privacy-by-design aspects. Therefore it begins with threat modeling and risk assessment, which are repeated continuously throughout the life cycle.
Based on the TLC we developed new solutions in three key areas: formal verification, security testing, and constrained secure communications. We now give an example of a scientific contribution in each area (for more information, including a list of publications, please visit our website at https://horizon-orshin.eu/):
1. Formal verification: in a paper titled “ProSpeCT: Provably Secure Speculation for the Constant-Time Policy” we propose a generic formal processor model providing provably secure speculation for the constant-time policy. For example, in some scenarios we can guarantee that there are no microarchitectural leaks from speculative or out-of-order execution. The paper was presented at the 2023 USENIX Security Symposium together with an available, functional, and reproducible artifact.
2. Security testing: in a paper titled “Lightweight Countermeasures Against Original Linear Code Extraction (LCE) attacks on a RISC-V Core” we study Linear Code Extraction attacks, a class of invasive hardware attacks capable of extracting protected firmware. We develop three novel and effective hardware-level countermeasures that detect an ongoing LCE attack by monitoring specific execution traces. We tested our lightweight solutions on a RISC-V core running on an FPGA. The paper was presented at the 2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) and won the best demo award.
3. Secure communication: in a paper titled “BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses” we present the first evaluation of the forward and future secrecy guarantees of Bluetooth. Bluetooth is used daily by billions of devices, including constrained ones, but it was unclear whether a secure Bluetooth connection provides forward and future secrecy. These two essential properties protect past and future communication, respectively, from key compromise attacks. In our work we discover protocol-level vulnerabilities and attacks capable of breaking the forward and future secrecy of Bluetooth, and we provide effective countermeasures that can be embedded in the Bluetooth standard, as well as implementation-level mitigations. The paper was presented at the 2023 ACM Conference on Computer and Communications Security (CCS) and at the Chaos Communication Congress (37c3).
ORSHIN's technical work packages provide research output and push the boundaries of the current scientific state of the art. This includes the creation of innovative research papers and prototypes, which are not just academic exercises, but generate significant academic impact and immediately stimulate future research.
Furthermore, the ORSHIN approach has great potential for adoption by industry as device manufacturers can leverage our TLC, tools, methodologies, etc. in order to build secure and trustworthy devices. The ORSHIN project provides formally verified, secure, open-source hardware blocks, reproducible and efficient security testing techniques, and secure and privacy-preserving communication protocols. We value the collaboration and contributions of all stakeholders in this process.
The TLC could become the industrial standard for developing dependable open-source hardware and software devices. Moreover, our framework for threat modeling could become a standard for assessing the risks of these devices. The ORSHIN project follows a holistic approach: besides the TLC itself, it provides concrete advice for specific TLC phases, namely design, implementation, evaluation and maintenance.
ORSHIN is also impacting the crucial and broad discussion around moving from closed-source to open-source hardware. We are pushing this important paradigm shift via constructive and frequent discussions with European policy makers and standardization bodies such as ENISA, BSI and ANSSI. We discuss the shortcomings of existing security certification methods with respect to open-source hardware, as well as obstacles to the standardization of our TLC.
ORSHIN Consortium