High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity

Similar documents
Towards Effective Cybersecurity for Modular, Open Architecture Satellite Systems

High-assurance software for autonomous ground systems

Security: The Key to Affordable Unmanned Aircraft Systems

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

Cyber Moving Targets. Yashar Dehkan Asl

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Secure Product Development With Rapid Start Get started now and launch your secure product on-time. Hal Aldridge

Systems Engineering and System Security Engineering Requirements Analysis and Trade-Off Roles and Responsibilities

A Secure Architecture for the Range-Level Command and Control System of a National Cyber Range Testbed

Procurement Language for Supply Chain Cyber Assurance

Applying MILS to multicore avionics systems

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Engineering Your Software For Attack

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Programming Languages for High-Assurance Autonomous Vehicles

Formal methods for software security

Catalog of Control Systems Security: Recommendations for Standards Developers. September 2009

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

Medical Device Safety in a Connected World

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cybersecurity, safety and resilience - Airline perspective

The Perfect Storm Cyber RDT&E

18-642: Security Mitigation & Validation

Safety Assurance in Software Systems From Airplanes to Atoms

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Cybersecurity of Space Missions

Improving Security in Embedded Systems Felix Baum, Product Line Manager

IC32E - Pre-Instructional Survey

UAS Operation in National Air Space (NAS) Secure UAS Command and Control

High Assurance Cyber Military Systems (HACMS)

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper

RiskSense Attack Surface Validation for IoT Systems

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

A Better Space Mission Systems threat assessment by leveraging the National Cyber Range

INFORMATION ASSURANCE DIRECTORATE

Cybersecurity in Acquisition

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Critical Systems. Objectives. Topics covered. Critical Systems. System dependability. Importance of dependability

MASP Chapter on Safety and Security

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Automating the Top 20 CIS Critical Security Controls

Innovation policy for Industry 4.0

Technical Brief Distributed Trusted Computing

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Addressing Cybersecurity in Infusion Devices

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

UEFI and the Security Development Lifecycle

ICS Penetration Testing

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

PROTECTING INFORMATION ASSETS NETWORK SECURITY

90% of data breaches are caused by software vulnerabilities.

Nanosatellite Communication Constellation Testbed for Autonomous Scheduling Algorithms to Enable Mission Performance Analysis and Demonstration

CS 356 Operating System Security. Fall 2013

FAA Cybersecurity Test Facility (CyTF) By: Enterprise Information Security Team ANG-B31 Patrick Hyle, William J Hughes Technical Center

Systems 2020 Strategic Initiative Overview

Lecture Embedded System Security Introduction to Trusted Computing

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

The Honest Advantage

Secure Development Lifecycle

align security instill confidence

Virtual Dispersive Networking Spread Spectrum IP

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Green Lights Forever: Analyzing the Security of Traffic Infrastructure

Application Security Approach

Cybersecurity & Risks Analysis

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

The University of Queensland

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Resilient IoT Security: The end of flat security models

CIP Security Pull Model from the Implementation Standpoint

Automotive Cyber Security

Cyber Threat Assessment and Mitigation for Power Grids Lloyd Wihl Director, Application Engineering Scalable Network Technologies

Information Security Controls Policy

C1: Define Security Requirements

Air Force Test Center

Creating a Practical Security Architecture Based on sel4

Identity-Based Cyber Defense. March 2017

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

Professional Services Overview

Operating System Security

Pass, No Record: An Android Password Manager

General Framework for Secure IoT Systems

Choosing the Right Security Assessment

An ICS Whitepaper Choosing the Right Security Assessment

IPM Secure Hardening Guidelines

Advanced Systems Security: Ordinary Operating Systems

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Network Security. Thierry Sans

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Transcription:

Distribution A: SSC17-V-01 High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity Daria C. Lane, Enrique S. Leon, Francisco C. Tacliad, Dexter H. Solio, Ian L. Rodney, Dmitriy I. Obukhov, Daniel E. Cunningham SPAWAR Systems Center Pacific 53560 Hull Street, San Diego, CA 92152 daria.lane@navy.mil 619-553-8679

Small Satellite System Cyber Physical Security The demand for low cost, rapid fielding and fault tolerance can lead to compromising security for usability Furthermore, as systems become increasingly networked, the attack surface also grows Small satellite cybersecurity challenges closely parallel Industrial Control Systems (ICS) CIA vs AIC conflicts Secure networking practices follow Confidentiality, Integrity, and Availability (CIA) ICS and Small Satellite Systems often reprioritize as Availability, Integrity, Confidentiality (AIC) Source: https://ics-cert.us-cert.gov/sites/default/files/factsheets/ics-cert_factsheet_ir_pie_chart_fy2016_s508c.pdf 2

Hardware Threat Landscape COTS/GOTS hardware components and payloads may be vulnerable or compromised Critical safety resources may be exploited by an attacker Physical interfaces may be vulnerable to data extraction and code injection Common insecure interfaces include Ethernet, JTAG, serial, microusb, UART and SPI Side channels may be vulnerable to exploitation Caches, power consumption, electromagnetic radiation and acoustics may be analyzed for leaked information In some cases an attacker may be able to cause bit flips The findings discovered from Rowhammer suggest that an attacker may be able to cause targeted bit flips in order to gain kernel privileges. 3

Software Threat Landscape Software can be a heterogeneous mix of trusted and untrusted code Including drivers, preloaded libraries/modules and mission payloads Software heritage and chain of custody may be unknown Source code may contain exploitable bugs Undefined behaviors and weak data type controls Memory management safety and illegal inter-process communication Poor protocol implementations may allow Denial-of-Service (DoS) attacks Protocol code must sanitize input to protect against invalid or malformed messages Poorly implemented encryption may allow an attacker to decrypt data or extract exploitable information 4

Network Threat Landscape Full network connectivity between client nodes, combined with sloppy network implementations, can trivialize system exploitation. Air-gapped networks can be compromised by features that allow zone transferring and open port access. Once in the network, an attacker may eavesdrop on traffic or inject commands or spoofed telemetry. Small satellite vehicles may be sensitive to interference. Without capabilities to mitigate signal disruption, Quality of Service (QoS) and throughput can be degraded by an attacker equipped with commodity hardware. 5

Space Systems Security Assumptions Our Small Satellite Security Concept of Operations (CONOPS) starts with worst case assumptions: 1. The system consists of COTS/GOTS software and hardware. 2. An attacker has physical access to the space vehicle and payloads (insider threat, malicious hardware, untrusted supply chain, etc.). 3. An attacker has software access to flight software and/or mission payload. 4. An attacker has network access to space-to-ground and client-to-server node communication. 6

Red Team Assessment: Attack Methodology Hardware Firmware extraction via open interface (i.e. Ethernet, JTAG, serial, UART, microusb, etc.) Firmware modification and injection (i.e. interrupt boot process, inject malicious code) Kernel privileges via targeted bit flips (i.e. repeated memory accesses in DRAM) Software Static and dynamic analysis of target source code to identify undefined behavior Analyze encrypted data at rest for weak encryption implementations Network Analyze system for vulnerable access points, misconfigured firewall policies, and permissive routing policies Fuzz target for undefined behavior and undocumented features in protocol implementation Analyze traffic for vulnerabilities in protocol and encryption implementation

High-Assurance Cyber Space Systems Approach Leverage DARPA High Assurance Cyber Military Systems (HACMS) tool stack Working from the hardware baseline up to ensure integrity Model-Based Engineering (Architecture Description Language) An accurate model allows for conclusions of High-Assurance Using code generation to ensure implementation matches the interfaces defined in the model Secure Programs Secure OS Secure Hardware Secure Satellite 8

High-Assurance Cyber Space Systems Approach Formal Verification of Space System, including: Architecture Flight Software Ground Station Software Defined guarantees in system behavior such as hardware and software access, Inter-process communication (IPC) Illustration courtesy of Johns Hopkins University Applied Physics Laboratory 9

HACSS Software Architecture Architecture Analysis & Design Language(AADL) is used to represent software and (computing) system architecture Verified System Architecture Reason about system component interactions Ensure architecture guarantees adherence to system requirements and constraints Code Generation Generate component interfaces from verified architecture Foundation of the HACSS architecture Verified microkernel Formally verified via mathematical proof for correctness Ensures memory isolation between components Domain specific language (DSL) for control components» Embedded in Haskell Pure functional programming language C code is synthesized from the DSL component implementation High Assurance: Ensure Correctness, Safety and Security 10

HACSS Architecture Process Component Implementation in DSL AADL Verified Architecture Code Generator Code Generator Secure Separation Kernel Synthesized C Implementation Secure Software Components Synthesized Component C Interfaces Secure Binary

High-Assurance Space Vehicle Approach Maintain interoperability, while designing and testing for functional correctness and high security Focus on system-level integrity, even if allowing certain subcomponents to function as black boxes Design flight processor interfaces to limit and/or mitigate side-channel monitoring and attack Design hardware interfaces with an arbiter to mediate access Perfect Security NO Functionality Functional Correctness as key building block of Security 12

Isolated Software Components

High Assurance Ground Station Ground system hardware and software will be included in the systems AADL model. The functional correctness of the ground station behavior will be verified using theorem provers like Coq. Ground station software leverages programming languages that guarantee memory and type safety. A high-assurance stateful firewall implements packet forward and drop policies that are formally verified. Physical hardware interfaces shall be secured or closed. Access may only be granted by a trusted arbiter. 14

Goal: HACSS Nanosat Mission Objectives Improve cyber resilience by constructing highassurance cyber-physical systems aboard nanosatellite platforms for future DoD Space Missions Approach: Identify, obtain, and evaluate the performance of available COTS & GOTS nanosatellite flight processors/software and ground station architectures to determine viability for use with HACMS tools Implement HACSS architecture aboard flight computers, bus subsystems, and ground segments Employ penetration testing as part of vulnerability assessment strategy HACSS technologies and methodologies promote functionally correct high-assurance cyber-physical nanosat systems. 15

Summary Low-cost COTS/GOTS hardware and software used in small satellite systems introduces inherent cybersecurity risks Formal verification may be integrated into the system life-cycle to enhance assurance of mission critical functionality Architecture Analysis & Design Language (AADL) can increase confidence in system behavior Languages such as Rust and Haskell s Ivory library can increase confidence in memory and type safety Additional assurance may be achieved by isolating mission critical components and incrementally verifying non-critical components 16

Questions? 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback