Trustworthy Embedded Networked Systems (TENSE)
The goal of this research project is to enhance the security of networked, embedded computing devices. A networked, embedded computing device consists of a hardware part and a software part; both components play an essential role in the overall security of a device. The hardware typically implements low-level security building blocks such as high-speed cryptographic transformations, or memory protection logic. The software builds on these to provide higher-level guarantees such as process isolation, secure communication, or even application-specific security guarantees such as non-repudiation of transactions.
In the early days of general-purpose computer systems, the design of security features in hardware and the design of the operating system software running on top of that hardware went hand-in-hand. The different privilege levels in processors and the memory protection hardware were designed to support the implementation of process isolation in the operating system. However, on the general-purpose computing side, hardware soon became de facto standardized, and research on system security treated the underlying hardware as a given. System security was achieved in software, building on the standard hardware building blocks.
Now that embedded devices are becoming more and more networked, and hence face new security threats, it is again important to look at the interaction between hardware security features and software security. For such small embedded devices, heterogeneity is the norm. Many embedded platforms lack the standard security features (such as privilege levels or advanced memory management units) present in high-end processors, and extending such hardware platform with custom instructions or coprocessors to achieve better security guarantees for the overall system is a sensible and feasible path. Depending on the overall system security goals, as well as the context in which the system must operate, different systems may benefit most from different hardware extensions. Several recent results show that researchers are exploring this idea in a variety of settings. But there is so far little fundamental research on what the advantages, limits and trade-offs are of co-designing hardware and software for security purposes. The TENSE project aims to fill this void.
Since software and hardware are subject to different classes of attacks, it is to be expected that the security of the overall system varies as security feature implementations are moved from software to hardware or vice-versa. Software is for instance easier to modify and hence harder to make tamperresistant, whereas hardware is harder to adapt to a changing context. Both software and hardware are vulnerable to active and passive side channel attacks. A fundamental question is: what is the optimal distribution of responsibilities between software and hardware to achieve the best system security, while maintaining other important desirable system characteristics such as performance, usability, manageability and so forth? This is the key research question addressed by this project. To answer this question, the project will perform fundamental research on hardware security and software security as well as on the interaction between these two fields. The project will build a model of adaptive embedded networked systems that makes explicit the division between what is implemented in hardware and what in software.
It will analyze the attacks that are possible against the hardware part and against the software part. The insights gained by this analysis will drive the design of new hardware security features, and their use in software. In addition, the project will develop new lightweight cryptographic algorithms and protocols to support these security features.
Additional challenges and opportunities arise for networked embedded systems. The communication facilities offered by networked devices give rise to new threats (such as for instance increased attack surface), but also to new security enforcement techniques, as devices may now rely on trusted third parties reachable over the network. This opens the door for remote verification of configuration and execution by trusted parties or by other devices in a mesh-type network. However, this remote verification brings also specific privacy risks; lightweight cryptographic protocols are required that allow for verification while protecting privacy.
Another dimension that will be explored is adaptivity: most IT systems have static defences, while biological defences are adaptive: increasing security may present a high overhead and therefore an optimal security system can adjust itself to the threat environment and the context. As networked embedded systems are typically deployed in not completely known and often varying environments, they need to be adaptable to the changing context in terms of the functionality offered, changing security requirements, and due to new code dynamically added to the device. It is clear of course that care is needed when adding adaptivity, as this opens the door to new attack vectors.