CAMURATI Giovanni

Person has left EURECOM

Name : CAMURATI Giovanni

Thesis

Security threats emerging from the interaction between digital activity and radio transceivers

1 Introduction

In a world of ubiquitous connected smart devices and pervasive computing, several security

issues that deeply aect people's lives arise. In particular the tension between safety and secu-

rity, liability and the contrast between trust and veriability are major concerns. A Copernican

revolution putting users at the center and enabling them to trust devices is fundamental. Concil-

iating their interests with the ones of the manufacturers is of great importance too. A systematic,

analytical approach is required to achieve design for user trust. In particular challenging goals

reside at the architectural level, at the hardware-software interface, without forgetting low-level

hardware security issues.

2 Scientic context

We live in a world of interconnected smart devices, i.e., an ecosystem of objects able to sense,

connect and control the environment in which they are embedded. These objects already prop-

agate our daily life, yet their role in the society of the future has still an enormous margin of

growth (e.g., in intelligent transport systems, wearables, health, smart cities, industry). The list

is virtually innite as research is simply trying to bring computing power inside every human

activity to enhance it 1. In such a world, several security issues with these embedded devices

arise [1], many are still open problems and new ones arise with every new system deployed.

One of the main directions to build a secure ecosystem of connected computing objects is "trusted

computing" 2. The main goal is to obtain a guarantee that a certain system is not compromised

or at least to be able to tell if it has been compromised. This is called trust and it is based on

a Root Of Trust, i.e., hardware, rmware, and/or software that is inherently trusted to perform

a vital security function, thanks for instance to signature verication on software performed by

specic hardware modules.

3 Scientic contents

3.1 Motivations

Trusted computing seems the perfect systematic solution to security for such systems. However,

several issues arise and must be solved to let it reach its great potential.

Trust is something that is not blindly granted but that is earned by verifying it. Currently,

trusted computing mechanisms often rely on unconditional trust on the systems manufacturer

since users have too few ways to verify them. There comes the importance of designing systems

where the users can decide whom (for instance a community of experts and independent author-

ities) and what to trust. We call this Design For User Trust. Unfortunately, the rst security

measures that are implemented in embedded systems often prevent such an independent analysis

(e.g., deactivation of a debug port, secure boot, encrypted le system, obfuscation). Moreover,

documentation is condential. Such measures are more hiding the problems (making it dicult

to discover hardware or software vulnerabilities) than solving them. These are violations of the

Kerckhos's principle. Lack of veriable trust leads to a lemons market ([2]). The manufacturer

(may) know if the product is secure or not, but buyers cannot tell. Thus they are not willing to

pay much more than for a lemon (i.e., an insecure one). This essentially remove quality (secure)

goods from the market, because they are not worth selling at a low price [3].

Complexity of trustworthy environments is an obstacle for their use in simple cheap embed-

ded architectures. Several papers try to address this problem through smart usage of existing

resources and minor hardware modications [4, 5, 6, 7]. Also, more and more secure trusted

systems move the security problem at the lower layers, i.e., at the rmware level of the com-

ponents and at the physical hardware level. The importance of side-channel and semi-invasive

attacks is thus increasing and must be considered during higher-layer design too. This research

shows several ways to defeat secure boot and they mostly are at very low level 3.

3.2 Main goals, expected innovation and approach

The main goal is to contribute with a breaking impulse to the development of an healthy

ecosystem of ubiquitous connected devices with an enhanced user control", and where security

is no more an obstacle to safety.

Addressing this issue is a great challenge, that envisages the development of a new hard-

ware/software architecture to support design for user trust. Our approach will be based on

an holistic view of the embedded world and on an analytical, systematic, cross-disciplinary ap-

proach. It will enable the design of cheap, simple, smart architectures including features such as

safety, trustworthiness veriability and control in the hands of the user. A further goal will be

to test this methodology on real-life applications and develop eective solutions. Last but not

least, this research aims at putting the basis for further works in a general view of embedded

systems.

More precisely, our approach will be as follows:

1. Detailed bibliography on trusted platforms and architectures for a wide range of systems

(i.e., information systems, cloud services, embedded systems) considering open platforms

oriented towards user trust. This shall also emphasize the current limitations that have

lead manufacturers not to settle current trusting solutions.

2. Proposal of a mixed hardware/software open architecture, in terms of dedicated hardware

blocks (e.g., hardware accelerators, specic CPU support, debug capabilities) and in terms

of software elements (e.g., boot code, drivers).

3. Verication of the solution in terms of security, trust, and implementability. At a platform

level, the TTool / SysML-Sec environment from Telecom ParisTech shall be used (and

enhanced if necessary).

3https://conference.hitb.org/hitbsecconf2013kul/materials/D2T3%20-%20Job%20de%20Haas%20-%

2020%20Ways%20Past%20Secure%20Boot.pdf

4. Prototyping of the solution in the scope of Internet of Things, using a well-know IoT

platform (e.g., STM Nucleo, Intel solution) or open source soft cores (e.g., OpenMSP430,

pulpino), and demonstration of a user trust mechanism.

5. Publications in well know conferences/journals, and dissemination among industrial part-

ners, rst locally (e.g, Intel has a IoT branch in Sophia-Antipolis), and more broadly (see

section 3.7).

3.3 State of the art and past research

The hardware/software is the layer at which software comes to life by interacting with hardware

architecture. However, the complex interplay between several concurrent modules and the mis-

understandings among dierent disciplines make it a fertile ground for bugs and vulnerabilities.

Hardware/software interface is also a great place to eciently implement security measures (e.g.,

eXecutable disable by Intel, eXecute Never by ARM to prevent data execution).

In the last years Trusted Execution Environments provide strong guarantees for critical opera-

tions have seen important developments. Intel Soft Guard Extensions should guarantee integrity

and condentiality for sensitive operation, even when all privileged code is malicious, but this

still need further research and more openness [8]. Lightweight HW/SW trustworthiness for sim-

ple embedded systems was proposed in the SMART architecture [4]. It consists in a very eective

system-level solution, based on hardware features that can be easily added to existing devices

with minor changes at a low price. This approach was extended and improved in many follow

up works [5, 6, 7]. While those are important starting point for design for user trust as well as

for design for testability, they do not yet solve the security/safety issues, nor they consider who

should be in charge of the system (user v.s. manufacturer): this is the open problem we aim to

address in this work.

Many research work exist regarding verication of complex concurrent architectures. This as-

pect is very important for a secure design because corner cases were the device is not reliable can

be used for exploits. Interaction between hardware and software in complex concurrent struc-

tures is important for security. Embedded systems are smaller and simpler, yet SoCs commonly

include powerful and multi-core processors, several peripherals, memories and so on. Hard-

ware/rmware design can explicitly try to address security of such systems from the beginning

of their design. For instance Intel Integrated Sensor Solution [9] tries to identify a secure plat-

form for sensing IoT multi-core boards. Providing secured and veried hardware primitives for

concurrent programming and handling peripherals is useful for security.

Finally, there are some examples of designs that represent a rst, partial attempt to design for

Trust. For example, Google Nexus phones can be turned into developers phones by unlocking

the bootloader (which voids the warranty). On such developer phones it is possible to install

custom images. Nokia Maemo phones were also providing a similar developer mode, once started

with a non signed image the phone was still booting, but some (DRM) features are not available

anymore [10]. However, those approaches are giving control to the user at the cost of a very

reduced security level.

3.4 Competences and expertise

The Ph.D. is clearly ambitious, and deals with both hardware/software design and security/trust

issues. However it will be co-advised by 2 advisers with previous experience in these topics.

Aurelien Francillon will advise the Ph.D. He is an assistant professor in the digital security

department at EURECOM. Together with Davide Balzarotti he is heading the Software and

System Security (S3) group. He obtained a PhD from INRIA Grenoble and was a postdoctoral

researcher in the System Security Group at ETH Zurich. His main scientic interests are in

security of embedded systems as well as software security and network security. He has been

working on trusted computing for embedded systems security for the past 10 years and was one

of the authors of the SMART paper [4].

Ludovic Apvrille will co-advise the Ph.D. student. He leads the LabSoC group. His main re-

search interest lies in the design and analysis of safe and secure complex embedded systems. In

particular, he's part of research projects involving the security of mobile devices - he partici-

pated to the recent discovery of 15 totally unknown Android malware -, and leads a research

grant on the security - and it's impact on safety - for autonomous and connected vehicles. His

scientic contribution in the security and safety domains are around the models and verication

techniques. Last but not least, he's the leader of the SysML-Sec environment.

Thus, both advisers have expertise in hardware architectures, embedded systems verication

and software/system security, as demonstrated by several of their recent publications 4.

3.5 Ph.D. Candidate

M. Giovanni Camurati is a student in the double-diploma polito-Telecom ParisTech curriculum.

He's ranked among the top 5% of students (currently 1st of 156 Eurecom students). He obtained

excellent grades in all courses related to the Ph.D. (Operating Systems, System Security). He

demonstrated a very strong motivation for doing a PhD. He already started to read papers in

the eld of the proposition. Last but not least, he will make his internship in ARM, thus further

enhancing his current expertise in hardware and low-level software concerns.

3.6 Perspectives

This proposal is based on a vision of trustworthy embedded devices, identifying the layer which

is still largely unexplored and that has room for big developments. This project is about imple-

menting a vision of a design philosophy, namely design for user trust. It is indeed very ambitious

as it aims at proposing a set of new solutions in a broad area with a systematic analytic approach,

exploring a large research and design space and not only a single issue. One PhD position will

certainly not exhaust possible activities, rather it serves as a starting point to set up shared

knowledge and expertise and to disseminate it in the academic and the industrial environment.

3.7 International visibility

Both teams has well-established cooperative research actions with many academic partners in

the scope of security and trust. For example, Ludovic Apvrille recently participated to the

EVITA European project addressing the denition of a secure and trustable hardware/software

architecture for automotive systems. The results of this project have been embraced by several

automotive suppliers that now have products following the architecture proposition, e.g., the

AURIX solution from Inneon, or the SPC58NE84E7 from STMicroelectronics.

Aurelien has past collaborations on SMART with Gene Tsudik (University of California, Irvine)

and Kasper Rasmussen (Oxford University). Other collaborations are possible through existing

links, for example, with KU Leuven, TU Darmstadt and TU Graz which are interested in

such topics. The CRYPTACUS COST Action (for which Aurelien Francillon is a Management

Committee member for France) can also be used for fostering collaborations and for funding

short term scientic missions, as this thesis falls into the topics of interest of the COST Action

(in particular Work groups 1, 3 and 4).