CORDIS - EU research results
Open-source ReSilient Hardware and software for Internet of thiNgs

Periodic Reporting for period 2 - ORSHIN (Open-source ReSilient Hardware and software for Internet of thiNgs)

Reporting period: 2024-04-01 to 2025-09-30

Embedded systems, including Internet of Things (IoT) and industrial IoT devices, are typically built in closed environments and from closed-source components. This makes their design, implementation and the rest of their life cycle opaque. It also reduces the trustworthiness of a device, since the user must trust the device manufacturer, and it removes any possibility of independent audit. At the same time, even essential security and privacy requirements impose additional cost, while devices need to be extremely cost competitive. Constrained embedded devices therefore routinely lack essential security and privacy guarantees, such as confidentiality of data in transit and at rest. This may go unnoticed because of the opaque life cycle mentioned above.
More and more of our private information is processed by IoT devices such as smart wearables or smart home applications. An increasing share of our daily life is managed by smart devices, and our life can depend on smart devices such as medical implants, cars, etc. Industrial control processes are already largely automated, and more and more critical infrastructure is made “smart” for efficiency purposes. In all these contexts essential and verifiable privacy and security guarantees are a must in order to protect our society.
In the last two decades we have witnessed how the open-source approach revolutionized the software world. The overall goal of the ORSHIN project is to push toward a similar revolution in the hardware domain. First, the ORSHIN project developed an open and transparent secure device lifecycle explicitly tailored to using open-source hardware components, which we call the Trusted Life Cycle. Next, ORSHIN enables the formal verification of security properties of open-source hardware and software components and devises effective security audits for firmware (the low-level software) and at the silicon level (that is, how chips are built). Furthermore, the project focuses on open, efficient, secure and privacy-preserving ways for devices to communicate. Eventually the project will demonstrate the developed technologies and techniques, promote the results widely, and discuss with policy makers and standardization bodies the implications of using an open-source approach.
To lay the ORSHIN foundations we developed a novel Trusted Life Cycle (TLC) that we use as the base to develop and manage an ORSHIN device. The life cycle is modeled after a chain that is only as strong as its weakest link, and it embeds secure-by-design and privacy-preserving-by-design aspects. It therefore begins with threat modeling and risk assessment, which are repeated continuously throughout the life cycle.
Based on the TLC we developed new solutions in three key areas for constrained devices: formal verification, security testing, and privacy-preserving and secure communications. We now provide an example of scientific contribution for each area (for more information, including a list of publications, please visit our website at https://horizon-orshin.eu/):
1. Formal verification: in a paper titled “ProSpeCT: Provably Secure Speculation for the Constant-Time Policy” we propose a generic formal processor model providing provably secure speculation for the constant-time policy. For example, in certain scenarios we can guarantee that there are no microarchitectural leaks from speculative or out-of-order execution. The paper was presented at the 2023 USENIX Security Symposium together with an available, functional, and reproducible artifact.
2. Security testing: in a paper titled “Lightweight Countermeasures Against Original Linear Code Extraction (LCE) attacks on a RISC-V Core” we study Linear Code Extraction attacks, a class of invasive hardware attacks capable of extracting protected firmware. We develop three novel and effective hardware-level countermeasures that detect an ongoing LCE attack by monitoring specific execution traces. We tested our lightweight solutions on a RISC-V core running on an FPGA. The paper was presented at the 2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) and won the best demo award.
3. Secure communication: in a paper titled “BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses” we present the first evaluation of the forward and future secrecy guarantees of Bluetooth. Bluetooth is used daily by billions of devices, including constrained ones, but it was unclear whether a secure Bluetooth connection provides forward and future secrecy. These two essential properties protect past and future communication, respectively, from key compromise attacks. In our work we discover protocol-level vulnerabilities and attacks capable of breaking the forward and future secrecy of Bluetooth, and we provide effective countermeasures that can be embedded in the Bluetooth standard, as well as implementation-level mitigations. The paper was presented at the 2023 ACM Conference on Computer and Communications Security (CCS) and at the Chaos Communication Congress (37c3).
ORSHIN's technical work packages produce research output that pushes the boundaries of the current scientific state of the art. This includes innovative research papers and prototypes which are not just novel academic findings, but also generate significant (industrial) impact and stimulate future research and open science.
Furthermore, the ORSHIN approach has great potential for adoption by industry, as device manufacturers can leverage our Trusted Life Cycle (TLC), tools, methodologies, etc. in order to build secure and trustworthy devices. ORSHIN provides formally verified, secure, open-source hardware blocks; reproducible and efficient security testing techniques; and secure and privacy-preserving communication protocols. We value the collaboration and contributions of all stakeholders in this process.
The TLC could become the industrial standard for developing dependable open-source hardware and software devices. Moreover, our framework for threat modelling could become a standard for assessing the risks of these devices. The ORSHIN project follows a holistic approach and besides the TLC further provides concrete advice for specific TLC phases, namely: design, implementation, evaluation and maintenance.
ORSHIN is also contributing to the crucial and broad discussion around moving from closed-source to open-source hardware. We are pushing this important paradigm shift through constructive and frequent discussions with European policy makers and standardization bodies such as ENISA, BSI, ACN and ANSSI. We discuss the shortcomings of existing security certification methods with respect to open-source hardware, as well as the obstacles to standardizing our TLC.
ORSHIN consortium