
SAFety and secURity by design for interconnected mixed-critical cyber-physical systems

Periodic Reporting for period 2 - SAFURE (SAFety and secURity by design for interconnected mixed-critical cyber-physical systems)

Reporting period: 2016-08-01 to 2018-05-31

SAFURE targets the design of cyber-physical systems by implementing a methodology that ensures safety and security "by construction". This methodology is enabled by a framework developed to extend system capabilities to control the concurrent effects of security threats on the system behaviour.
SAFURE addressed the security of safety-critical cyber-physical systems by implementing a holistic approach to safety and security by construction, limiting the impact of security on safety when using common shared resources such as networks and processors, preserving the system from attacks that could affect the overall system safety.
At the base of the SAFURE solution is the development of a set of extensions of tools and system capabilities (referred to as the reference SAFURE Framework) able to prevent, detect and protect against possible vulnerabilities and attacks through efficient system configurations and reconfigurations, keeping critical subsystems within their safety and security boundaries, without inflicting performance impairments on best-effort applications.
This framework extends system capabilities to preserve the system integrity from time starvation, massive energy dissipation and data corruption, seamlessly integrating security requirements into safety systems in a way that has never been done before. These extensions are applicable from design and development stages to application deployment and execution on multi-core chips and high performance distributed systems. The extended analysis methods, development tools and execution capabilities provided by the framework are supported by a set of guidelines (referred to as the SAFURE Methodology) to assist the designer and the developer to
• address security in a safety context,
• integrate heterogeneous security and safety requirements in the overall system architecture,
• open subsystems to resource sharing and communication,
• detect potential attacks on system integrity (timing, energy/temperature and data),
• prevent potential attacks through efficient system configuration (off-line),
• enhance mixed-criticality and reconfiguration capabilities (on-line and off-line), keeping security in mind, and
• enhance performance and resource usage on complex systems with safety and security constraints.
For the three industrial use cases, the respective use case definitions and safety and security requirements were specified and the general structure of the SAFURE Framework was defined.
Architectural patterns for security and safety were modelled based on the AUTOSAR standard.
Timing integrity algorithms include system-wide event-model propagation for worst-case timing analysis and worst-case Ethernet analysis. Lightweight cryptographic algorithms for data integrity were implemented. Covert channels using temperature and processor frequency were researched. Task interference using temperature sensor readings was examined.
The microkernel PikeOS was ported to a multicore ARM platform (Juno board). Security components were ported to PikeOS, to be run in a separate compartment (outside Linux/Android). The processor's Performance Monitoring Counters (PMCs) were tested to evaluate energy consumption and timing. Integration on the AURIX TC27x board was contributed. METrICS, a measurement environment on top of PikeOS allowing online profiling, and the Budget-Based Runtime Engine (BB-RTE), a regulation solution controlling the impact of timing interference in a mixed-critical context, were developed.
Algorithms for worst-case timing analysis for Ethernet were implemented as a prototype. Algorithms for encryption and integrity protection were implemented to ensure secure, predictable communication and secure firmware updates. ABV worst-case latency analysis was finalised. A new combined analysis of safety and security for TSN networks was finalised. The network demonstrator (FPGA implementation) and the security analysis of deterministic Ethernet were finalised.
The three industrial demonstrators were integrated and evaluated. For the telecommunication use case, secure Bluetooth-based communication between several devices on different physical architectures was developed. For the automotive multicore use case, the most critical test (checking the PMC infrastructure on the board) was successful. For the combined automotive use case, secure communication between a powertrain ECU (connected using CAN) and a PC (connected using Ethernet) was realised using a HW gateway. WCRT analysis reports were obtained by the simulation of the automotive multi-core architecture using the SymTA/S tool.
The first iterations of the demonstrators were presented at the Embedded World, HiPEAC, DATE, and DAC conferences. Algorithms and scheduling schemes were integrated into the commercial tool SymTA/S. BSC contention models and contention prediction technology have reached a commercial degree of maturity.
The IT infrastructure, including social media accounts, was set up and maintained. Partners participated in conferences and many research studies were published (available on the SAFURE ZENODO community). A regular project newsletter was sent to interested parties. Partners attended additional workshops and SAFURE organised a workshop at the HiPEAC conference, in January 2018.
In the security domain, state-of-the-art lightweight cryptographic algorithms, a secure update process, and secure communication for embedded systems were implemented. SAFURE analysed the security implications of temperature readings, specifically the threat potential of thermal covert and side channels, but also of power and frequency covert channels. Our studies indicate that these channels present a significant security threat and that readings such as on-chip temperature must be subject to access restrictions, which is not current industrial practice. This study enables a better understanding of the threat potential of sensor readings, enabling the design of more secure hardware/software components.
In the timing domain, a CAN-over-Ethernet timing analysis was implemented. New timing analysis algorithms (including frame pre-emption) for Ethernet TSN and Software-Defined Networking were also invented. Several improvements to the existing CPA method for analysing switched Ethernet were made by exploiting FIFO scheduling. Multicore contention models for COTS hardware were developed and validated, leading to commercial software that enables the use of COTS multicores in critical real-time systems by mitigating timing uncertainty and delivering the evidence needed for certification. This ultimately enables the consolidation of additional critical real-time features per platform unit, paving the way towards autonomous systems within affordable development time and cost budgets. SAFURE proposed a scheme to provide thermal protection to a multicore mixed-critical system, eliminating timing interference caused by high-temperature conditions. Providing thermal protection and isolation between criticalities is essential for the design of mixed-critical systems, and the developed technology enables this design. The METrICS environment tool suite is in the process of being transferred to SYSGO for a stronger integration into the PikeOS product. The Budget-Based Runtime Engine is evaluated in an avionic context and in a space context.