logo EDITE Sujets de doctorat

Design for User Trust in an Ecosystem of Ubiquitous Internet of Things. A vision for awareness, safety and security. A systematic approach at the hardware-software interface

Sujet proposé par
Directeur de thèse:
Encadré par
Doctorant: Giovanni CAMURATI
Unité de recherche UMR 7102 Laboratoire de recherche d'EURECOM

Domaine: Sciences et technologies de l'information et de la communication


1 Introduction In a world of ubiquitous connected smart devices and pervasive computing, several security issues that deeply a ect people's lives arise. In particular the tension between safety and secu- rity, liability and the contrast between trust and veri ability are major concerns. A Copernican revolution putting users at the center and enabling them to trust devices is fundamental. Concil- iating their interests with the ones of the manufacturers is of great importance too. A systematic, analytical approach is required to achieve design for user trust. In particular challenging goals reside at the architectural level, at the hardware-software interface, without forgetting low-level hardware security issues. 2 Scienti c context We live in a world of interconnected smart devices, i.e., an ecosystem of objects able to sense, connect and control the environment in which they are embedded. These objects already prop- agate our daily life, yet their role in the society of the future has still an enormous margin of growth (e.g., in intelligent transport systems, wearables, health, smart cities, industry). The list is virtually in nite as research is simply trying to bring computing power inside every human activity to enhance it 1. In such a world, several security issues with these embedded devices arise [1], many are still open problems and new ones arise with every new system deployed. One of the main directions to build a secure ecosystem of connected computing objects is "trusted computing" 2. The main goal is to obtain a guarantee that a certain system is not compromised or at least to be able to tell if it has been compromised. This is called trust and it is based on a Root Of Trust, i.e., hardware, rmware, and/or software that is inherently trusted to perform a vital security function, thanks for instance to signature veri cation on software performed by speci c hardware modules. 3 Scienti c contents 3.1 Motivations Trusted computing seems the perfect systematic solution to security for such systems. However, several issues arise and must be solved to let it reach its great potential. Trust is something that is not blindly granted but that is earned by verifying it. Currently, trusted computing mechanisms often rely on unconditional trust on the systems manufacturer since users have too few ways to verify them. There comes the importance of designing systems where the users can decide whom (for instance a community of experts and independent author- ities) and what to trust. We call this Design For User Trust. Unfortunately, the rst security measures that are implemented in embedded systems often prevent such an independent analysis (e.g., deactivation of a debug port, secure boot, encrypted le system, obfuscation). Moreover, documentation is con dential. Such measures are more hiding the problems (making it dicult to discover hardware or software vulnerabilities) than solving them. These are violations of the Kerckho s's principle. Lack of veri able trust leads to a lemons market ([2]). The manufacturer (may) know if the product is secure or not, but buyers cannot tell. Thus they are not willing to pay much more than for a lemon (i.e., an insecure one). This essentially remove quality (secure) goods from the market, because they are not worth selling at a low price [3]. Complexity of trustworthy environments is an obstacle for their use in simple cheap embed- ded architectures. Several papers try to address this problem through smart usage of existing resources and minor hardware modi cations [4, 5, 6, 7]. Also, more and more secure trusted systems move the security problem at the lower layers, i.e., at the rmware level of the com- ponents and at the physical hardware level. The importance of side-channel and semi-invasive attacks is thus increasing and must be considered during higher-layer design too. This research shows several ways to defeat secure boot and they mostly are at very low level 3. 3.2 Main goals, expected innovation and approach The main goal is to contribute with a breaking impulse to the development of an healthy ecosystem of ubiquitous connected devices with an enhanced \user control", and where security is no more an obstacle to safety. Addressing this issue is a great challenge, that envisages the development of a new hard- ware/software architecture to support design for user trust. Our approach will be based on an holistic view of the embedded world and on an analytical, systematic, cross-disciplinary ap- proach. It will enable the design of cheap, simple, smart architectures including features such as safety, trustworthiness veri ability and control in the hands of the user. A further goal will be to test this methodology on real-life applications and develop e ective solutions. Last but not least, this research aims at putting the basis for further works in a general view of embedded systems. More precisely, our approach will be as follows: 1. Detailed bibliography on trusted platforms and architectures for a wide range of systems (i.e., information systems, cloud services, embedded systems) considering open platforms oriented towards user trust. This shall also emphasize the current limitations that have lead manufacturers not to settle current trusting solutions. 2. Proposal of a mixed hardware/software open architecture, in terms of dedicated hardware blocks (e.g., hardware accelerators, speci c CPU support, debug capabilities) and in terms of software elements (e.g., boot code, drivers). 3. Veri cation of the solution in terms of security, trust, and implementability. At a platform level, the TTool / SysML-Sec environment from Telecom ParisTech shall be used (and enhanced if necessary). . Prototyping of the solution in the scope of Internet of Things, using a well-know IoT platform (e.g., STM Nucleo, Intel solution) or open source soft cores (e.g., OpenMSP430, pulpino), and demonstration of a user trust mechanism. 5. Publications in well know conferences/journals, and dissemination among industrial part- ners, rst locally (e.g, Intel has a IoT branch in Sophia-Antipolis), and more broadly (see section 3.7). 3.3 State of the art and past research The hardware/software is the layer at which software comes to life by interacting with hardware architecture. However, the complex interplay between several concurrent modules and the mis- understandings among di erent disciplines make it a fertile ground for bugs and vulnerabilities. Hardware/software interface is also a great place to eciently implement security measures (e.g., eXecutable disable by Intel, eXecute Never by ARM to prevent data execution). In the last years Trusted Execution Environments provide strong guarantees for critical opera- tions have seen important developments. Intel Soft Guard Extensions should guarantee integrity and con dentiality for sensitive operation, even when all privileged code is malicious, but this still need further research and more openness [8]. Lightweight HW/SW trustworthiness for sim- ple embedded systems was proposed in the SMART architecture [4]. It consists in a very e ective system-level solution, based on hardware features that can be easily added to existing devices with minor changes at a low price. This approach was extended and improved in many follow up works [5, 6, 7]. While those are important starting point for design for user trust as well as for design for testability, they do not yet solve the security/safety issues, nor they consider who should be in charge of the system (user v.s. manufacturer): this is the open problem we aim to address in this work. Many research work exist regarding veri cation of complex concurrent architectures. This as- pect is very important for a secure design because corner cases were the device is not reliable can be used for exploits. Interaction between hardware and software in complex concurrent struc- tures is important for security. Embedded systems are smaller and simpler, yet SoCs commonly include powerful and multi-core processors, several peripherals, memories and so on. Hard- ware/ rmware design can explicitly try to address security of such systems from the beginning of their design. For instance Intel Integrated Sensor Solution [9] tries to identify a secure plat- form for sensing IoT multi-core boards. Providing secured and veri ed hardware primitives for concurrent programming and handling peripherals is useful for security. Finally, there are some examples of designs that represent a rst, partial attempt to design for Trust. For example, Google Nexus phones can be turned into developers phones by unlocking the bootloader (which voids the warranty). On such developer phones it is possible to install custom images. Nokia Maemo phones were also providing a similar developer mode, once started with a non signed image the phone was still booting, but some (DRM) features are not available anymore [10]. However, those approaches are giving control to the user at the cost of a very reduced security level.


3.4 Competences and expertise The Ph.D. is clearly ambitious, and deals with both hardware/software design and security/trust issues. However it will be co-advised by 2 advisers with previous experience in these topics. Aurelien Francillon will advise the Ph.D. He is an assistant professor in the digital security department at EURECOM. Together with Davide Balzarotti he is heading the Software and System Security (S3) group. He obtained a PhD from INRIA Grenoble and was a postdoctoral researcher in the System Security Group at ETH Zurich. His main scienti c interests are in security of embedded systems as well as software security and network security. He has been working on trusted computing for embedded systems security for the past 10 years and was one of the authors of the SMART paper [4]. Ludovic Apvrille will co-advise the Ph.D. student. He leads the LabSoC group. His main re- search interest lies in the design and analysis of safe and secure complex embedded systems. In particular, he's part of research projects involving the security of mobile devices - he partici- pated to the recent discovery of 15 totally unknown Android malware -, and leads a research grant on the security - and it's impact on safety - for autonomous and connected vehicles. His scienti c contribution in the security and safety domains are around the models and veri cation techniques. Last but not least, he's the leader of the SysML-Sec environment. Thus, both advisers have expertise in hardware architectures, embedded systems veri cation and software/system security, as demonstrated by several of their recent publications 4. 3.5 Ph.D. Candidate M. Giovanni Camurati is a student in the double-diploma polito-Telecom ParisTech curriculum. He's ranked among the top 5% of students (currently 1st of 156 Eurecom students). He obtained excellent grades in all courses related to the Ph.D. (Operating Systems, System Security). He demonstrated a very strong motivation for doing a PhD. He already started to read papers in the eld of the proposition. Last but not least, he will make his internship in ARM, thus further enhancing his current expertise in hardware and low-level software concerns. 3.6 Perspectives This proposal is based on a vision of trustworthy embedded devices, identifying the layer which is still largely unexplored and that has room for big developments. This project is about imple- menting a vision of a design philosophy, namely design for user trust. It is indeed very ambitious as it aims at proposing a set of new solutions in a broad area with a systematic analytic approach, exploring a large research and design space and not only a single issue. One PhD position will certainly not exhaust possible activities, rather it serves as a starting point to set up shared knowledge and expertise and to disseminate it in the academic and the industrial environment. 3.7 International visibility Both teams has well-established cooperative research actions with many academic partners in the scope of security and trust. For example, Ludovic Apvrille recently participated to the EVITA European project addressing the de nition of a secure and trustable hardware/software architecture for automotive systems. The results of this project have been embraced by several automotive suppliers that now have products following the architecture proposition, e.g., the AURIX solution from In neon, or the SPC58NE84E7 from STMicroelectronics. Aurelien has past collaborations on SMART with Gene Tsudik (University of California, Irvine) and Kasper Rasmussen (Oxford University). Other collaborations are possible through existing links, for example, with KU Leuven, TU Darmstadt and TU Graz which are interested in such topics. The CRYPTACUS COST Action (for which Aurelien Francillon is a Management Committee member for France) can also be used for fostering collaborations and for funding short term scienti c missions, as this thesis falls into the topics of interest of the COST Action (in particular Work groups 1, 3 and 4).