CORTEGGIANI Nassim


Thesis

Towards System-Wide Dynamic Analysis of Embedded Systems

Software security and system resiliency against vulnerability exploitation have seen a huge evolution in the past 10 to 15 years. While desktop and server systems have seen their level of resistance to attacks (e.g., buffer overflow attacks) improve, this is not true at all for most embedded systems. Security in embedded systems has mostly focused on performing secure cryptographic computation (e.g., resistance to side-channel and fault attacks) or on securing very small and closed platforms (JavaCard). On the other hand, there is an important need for techniques that can be applied to embedded devices that are not security devices but devices we have to rely on nevertheless. Such devices often cannot afford high-end hardware security measures or have to provide many features, making code bases larger and security more difficult. Finally, the hardening techniques available in general-purpose systems are often difficult to port to embedded systems: either they need to be adapted, or new techniques need to be designed taking those as inspiration.
1 Thesis Context
Software security became a major problem in the past 15 years, and attracted a lot of attention from academia, the hacking community and industry in designing both new attacks and mitigation techniques. Several directions have been explored, such as formally proving software [9], designing safer programming languages [12], better detecting vulnerabilities in existing code [15, 7] and improving the resiliency of systems against attacks [1]. Such approaches are complementary and have their benefits and drawbacks. In the context of this thesis the last two approaches are of greater interest, in particular because they fit well the industrial context of the thesis.
First, detecting vulnerabilities is important, as the earlier they are detected the less expensive it is to deploy a correction. For example, detecting a vulnerability during development will cost little to fix, while a vulnerability in a product that is already widely deployed may expose users and can be very expensive to fix. Embedded devices contain many custom software stacks and protocols, exposing them to external threats. Such interfaces (WiFi, Ethernet, Bluetooth...) are more present today and increase the possible attack surface of the device.
Another approach to improve system security is to make systems more resistant to exploitation attempts. Indeed, the total absence of vulnerabilities can rarely be proven and is often incompatible with feature-rich systems and cost constraints. Therefore, such systems need to be resilient to attack attempts by implementing generic mitigation techniques. While this does not prevent attacks, it makes the systems a lot more resistant to an exploitation attempt. For example, today's exploits often carefully chain many vulnerabilities in order to be effective and reliable [11]. In this respect, an important advantage of embedded systems is that the hardware is very often custom, which makes it realistic to propose hardware modifications in support of software security (e.g., as proposed in [5] or [4]).

This thesis will essentially be focused on those two complementary aspects of the problem.
2 Maxim Integrated objectives
The La Ciotat team is considered the technical expertise center of Maxim Integrated for software and hardware security. It is the home of the Security Excellence Lab. We intervene within our Business Unit, but also at the corporate level, answering security requests from all Maxim Integrated BUs. In order to strengthen our positioning and improve our skills, considered strategic at Maxim Integrated, we intend to invest deeply in advanced research projects related to software security. The objective is to propose solutions that will be embedded in our next generation of secure microcontrollers.
Maxim Integrated is a company of about 9300 employees, 4500 of them in the US and the others spread all over the world. Its revenues were about $2.4 billion for 2013. The La Ciotat Design Center, formerly Innova Card, a start-up that developed a secure SoC based on a 32-bit microcontroller and targeting the payment market, was acquired by Maxim Integrated in 2008.
The La Ciotat team is made of 20 employees, covering different activities: security, electronic circuit design, semiconductor design, software and application development, customer support, and marketing. These employees often have a profile focused on security (pay-TV, smart cards, ...). This large scope of skills allows us to consider security as a whole, with a system-based approach. Today, the markets using our products and our expertise are focused on the payment terminal market and, more generally, on the protection of financial transactions. New markets with similar security requirements are about to appear (industrial, medical). Our ambition is to target these new markets and to propose to the Maxim Integrated group the tools, the libraries, the methodologies... that will make integrated solutions possible.
Designing chips to be used in highly secure applications (smart card readers, defense products, ...), we face component certifications (PCI PTS, Common Criteria, ...). Note that these evaluations evolve all the time, following the state of the art in attacks. A major target for our company is then to quickly bring software and hardware solutions that will anticipate and counter these new attacks. In that perspective, we are equipped with code analysis tools that we integrate in our standard development process. Moreover, we are currently working on improving the robustness of a TLS/SSL library. As this communication standard is widely used in payment terminals and more generally in the IoT, its availability will be worthwhile in the secure communications domain if and only if its robustness level is high, so that it does not become the attack path.
This thesis proposal is therefore fully consistent with the most recent requests from standardization bodies and the expectations of our customers. Since its acquisition, the La Ciotat team has filed about ten patents in the security field, most of them being used in our products. The La Ciotat Design Center is a member of the SCS cluster and uses the CIMPACA platform for security characterization. We have also been a member of the GESTe project, subsidized by the FUI, about payment terminal security, in the context of the JTEMS European standardization initiative. This project allowed us to define new attacks and develop associated countermeasures in our products. This thesis proposal is then a consistent step in our strategy.
3 Preliminary work plan
This section describes a preliminary work plan which, as of today, seems an interesting path that both corresponds to the expectations of Maxim Integrated and has a big potential for research contributions. It is however clear that it is inherent to the research process to deviate from original plans and to explore interesting ideas that are discovered but may not have been foreseen initially [2]. As such, this plan is an initial goal from which the actual work may deviate (while staying within the context of this project) as we jointly identify and agree on interesting problems to solve.

As typically done in a PhD, the student will start with a state-of-the-art phase where he will get comfortable with the field of software security and exploitation. There is quite a lot of literature on the topic, therefore the student will start with survey papers [10, 16, 6, 15] on the topic, then dive into more specific papers. Some focus will then be given to understanding what can be done in embedded systems. In particular, a good exercise will be to start by experimenting with the Linux kernel patch GRSecurity/PaX (https://grsecurity.net/) on ARM. This could be done on a platform from Maxim Integrated (e.g., a base platform for point-of-sale devices). Many of today's techniques present in most systems were pioneered by GRSecurity/PaX, like Address Space Layout Randomization (ASLR) [13] and making memory either writable or executable but not both (NX or W^X techniques [14]). There are many other, more recent techniques that prevent many classes of bugs like integer overflows, kernel or userspace stack overflow (not to be confused with stack-based buffer overflow), kernel null pointer dereferences, etc. Finally, lower-end platforms that are not based on Linux but, for example, on a small RTOS, or even without an OS, also need protection. Therefore it will be worth evaluating how pertinent the Linux-oriented techniques are and whether they can be applied here, and whether new, different techniques need to be designed specifically for those targets.
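As an added illustration of two of the bug classes listed above (integer overflow in a size computation, and stack-based buffer overflow in a copy routine, with null-pointer checks along the way), the following C program shows what the defensive code looks like at the source level, i.e. what a compiler-level mitigation such as the ones in GRSecurity/PaX has to enforce when the programmer does not. This is example code written for this page, not code from the thesis proposal or from the grsecurity project; the function names and the sample packets are constructed, and `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
/* Added example, not code from the thesis proposal or from grsecurity/PaX:
 * defensive checks for two bug classes named above, integer overflow in a
 * size computation and stack-based buffer overflow in a copy routine, with
 * null-pointer checks on the way. Function names and sample inputs are
 * constructed for illustration; __builtin_mul_overflow is a GCC/Clang builtin. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Compute count * elem_size for an allocation. Returns 0 and stores the
 * product in *out, or -1 if either operand is zero or the product wraps. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    size_t total;
    if (out == NULL || count == 0 || elem_size == 0)
        return -1;
    /* The builtin returns nonzero when the mathematical product does not fit. */
    if (__builtin_mul_overflow(count, elem_size, &total))
        return -1;
    *out = total;
    return 0;
}

/* Allocate a zeroed array of count elements, or return NULL when the size
 * computation overflows; a wrapped size would otherwise yield a too-small
 * buffer and a later heap overflow. The caller frees the result. */
void *checked_alloc_array(size_t count, size_t elem_size)
{
    size_t total;
    if (checked_alloc_size(count, elem_size, &total) != 0)
        return NULL;
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Copy an untrusted, possibly unterminated byte string into a fixed-size
 * destination and NUL-terminate it. Returns the number of bytes copied, or
 * -1 when the input (plus the terminator) would not fit. */
int copy_message_bounded(char *dst, size_t dst_len,
                         const uint8_t *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    if (src_len >= dst_len)         /* leave room for the NUL */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return (int)src_len;
}

/* A parser-style routine with a 64-byte stack buffer. An oversized packet is
 * rejected cleanly instead of overwriting the saved return address. */
int handle_packet(const uint8_t *pkt, size_t pkt_len)
{
    char line[64];
    return copy_message_bounded(line, sizeof line, pkt, pkt_len);
}

/* Constructed sample inputs: a 5-byte packet and a 200-byte packet of 'A's. */
int demo_small_packet(void)
{
    static const uint8_t pkt[] = "hello";
    return handle_packet(pkt, 5);
}

int demo_oversized_packet(void)
{
    uint8_t pkt[200];
    memset(pkt, 'A', sizeof pkt);
    return handle_packet(pkt, sizeof pkt);
}

int main(void)
{
    size_t total = 0;
    printf("4 x 16 bytes: %s\n",
           checked_alloc_size(4, 16, &total) == 0 ? "ok" : "rejected");
    printf("SIZE_MAX/2 x 4 bytes: %s\n",
           checked_alloc_size(SIZE_MAX / 2, 4, &total) == 0 ? "ok" : "rejected");
    printf("5-byte packet: %d\n", demo_small_packet());
    printf("200-byte packet: %d\n", demo_oversized_packet());
    return 0;
}
```

The two checks map onto the mitigations named in the paragraph: the overflow-checked multiplication is what a size-overflow compiler plugin inserts automatically, and the bounded copy is what a stack canary or W^X policy only catches after the fact. On an RTOS or bare-metal target without such kernel-level protections, checks of this kind in the firmware itself are often the only line of defense.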
Another aspect will be embedded system software security testing; indeed, communication interfaces of such systems (such as WiFi, Ethernet, Bluetooth...) expose an important attack surface. While, as described before, hardening systems makes attacks harder, there is also a need for discovering and suppressing the vulnerabilities before shipping the products. In this respect, large-scale software testing has been used, for example at Microsoft [7, 8, 3], to discover vulnerabilities in large software such as the Office suite. Such techniques are however difficult to use on embedded devices [17] when little is known about the hardware and software. It is an interesting direction to evaluate the feasibility of performing similar work on embedded devices when hardware and software are known.
Once the state of the art is well advanced (after about 6 months), the above directions will be explored in more detail, leading to the core of the thesis contributions. Finally, the last few months will be dedicated to writing the thesis and preparing the defense.
What is expected is to develop expertise in terms of attacks in parallel with countermeasure skills. In the security domain it is good practice to be aware of the potential of attacks and to think as an attacker first, in order to be able to develop the most accurate countermeasures.
4 Environment
The student will spend 75% of his time in Maxim Integrated and 25% of
his time at Eurecom.