
Sibin Mohan’s Research Statement
http://sibin.cs.illinois.edu

1 Introduction

My research interests lie in the area of Computer Systems. In particular, my work focuses on improving the resiliency of systems with a special focus on cyber-physical, real-time and embedded systems (including IoT). A common thread is to use the innate properties of such systems (viz., timing) to improve resiliency along the following lines:

1. Improve Security: integrating security as a first-class principle during design of, and behavior-based intrusion-detection for, real-time cyber-physical systems (CPS).

2. Resilient Network Architectures: using software-defined networking for better management, improved QoS guarantees and failure tolerance for CPS and IoT systems.

A cyber-physical system (CPS) is a system of collaborating computational elements controlling physical entities. Many such systems have real-time (RT) properties¹ and find use in various safety-critical domains such as avionics, medical devices, automobiles, power grids and other infrastructures, space vehicles, etc. The increasing complexity and inter-connectivity of such systems, as well as the proliferation of newer architectures, COTS components and the Internet-of-Things (IoT) introduce new failures and communication problems. In addition, systems that were previously considered to be invulnerable to security threats have now been compromised as shown by recent attacks on industrial control systems [5], modern automobiles [3, 8], avionics systems [24] and unmanned aerial vehicles (UAVs) [22]. Failures (both on the nodes and networks) and successful attacks in this domain will not only lead to the loss of critical data but could also result in harm to human life, the environment as well as critical infrastructures – this can even have serious implications for national security.

Hence, my research aims to analyze, model, design, deploy and manage computer systems (especially CPS/RT/IoT systems) to make them more resilient (i.e., predictable and secure).

The impact of my research, thus far, can be summarized as follows:

1. My prior work on system composition (called “virtual integration”) reduces the complexity of designing safety-critical CPS (e.g., avionics); since we collaborated with Rockwell Collins and Lockheed Martin on this project, there is a good chance that this research will directly influence how future avionics systems are designed. A workshop², based on this work, ran successfully for a few years. [Section 5].

2. Designers of CPS can (a) quantify (ahead of time) the effects of integrating security in legacy and future systems and (b) ensure they are more tolerant to intrusions and zero-day attacks. Some of these ideas were applied to Android platforms by Qualcomm Research as part of our collaboration. [Section 2].

3. Novel use of software-defined networks (SDNs) will enable better management of critical traffic in CPS, thus reducing complexity and improving failure tolerance for such systems. We are currently working with smart grid vendors and utilities to transition this work to their systems. [Section 3].

I am the PI for multiple grants, from NSF, ONR, DoE, NSA and industry. I actively collaborate with researchers from the University of Illinois, University of Waterloo, Oregon State University, University of Michigan, Cornell University, University of Wisconsin, University of Toronto, Visa Research and Boeing Research. In the past I’ve worked with people from Air Force Research Labs, Qualcomm Research, Intel Research, NCSU, FSU, U Penn, SEI-CMU, Microsoft Research, Lockheed Martin, Rockwell Collins and Massachusetts General Hospital.

Sections 2 and 3 present current (funded) projects while Section 4 is a discussion on future research ideas.

2 Security for Real-Time CPS

One way to improve the resiliency of CPS is to ensure that attackers cannot compromise the safety of such systems. On the other hand, cyber-physical systems are becoming increasingly complex, often opening up new attack surfaces. Until recently, such systems (a) used specialized protocols, (b) were physically isolated from the external world and/or (c) executed on specialized hardware. Now such systems are increasingly being connected to each other, using COTS components, oftentimes using unsecured networks such as the Internet. Moreover, adversaries are increasing in sophistication and are able to bridge air gaps. Zero-day attacks make these issues much worse. Any vulnerabilities (and effects of attacks) in CPS differ from those of traditional enterprise systems.

¹ Systems with temporal constraints (called deadlines) in addition to functional correctness requirements.

² Analytic Virtual Integration for Cyber-Physical Systems (AVICPS): http://analyticintegration.org


2.1 Integrating Timing-based Security in CPS

My work in this domain has three goals: (a) gain an understanding of the security issues that affect cyber-physical systems with real-time properties; (b) demonstrate how to integrate security requirements into such systems and (c) quantify the effects of such integration so that designers of real-time systems can design the systems with security in mind. At a low level, we look at the holistic integration of security into the design of real-time resource management algorithms. This is particularly important since simply tacking on security mechanisms that provide confidentiality (e.g., encryption), integrity protection (e.g., message authentication) and availability (e.g., replication) without considering the real-time and embedded nature of such systems will not be effective. We explore methods to integrate security in two types of systems: (i) legacy and (ii) future systems.

Legacy Systems: A legacy real-time system (RTS) is one where modification or perturbation of parameters (such as run-times, period, task execution order, etc.) for existing real-time tasks is not always feasible. Therefore, any security mechanisms that are introduced must co-exist with legacy tasks without violating their real-time and safety constraints, and the parameters of such tasks cannot be adjusted to accommodate the security tasks. Our work takes advantage of the slack between the execution of critical tasks to allow security tasks (e.g., Tripwire, Bro, etc.) to run [6]. This paper won the best student paper award at the IEEE RTSS 2016 conference³ and was also listed in the outstanding papers list at the same venue. We also developed a metric⁴ that shows how close our solutions were to a desired “monitoring frequency” – required so that the security tasks could work effectively. We further generalized this to an adaptive framework, Contego [7], that can switch the security tasks into an active mode⁵ when attacks are detected. Contego combines opportunistic execution with hierarchical scheduling to maintain compatibility with legacy systems while still providing flexibility by allowing security tasks to operate in different modes. We evaluated this work on an ARM CPU running a real-time variant of Linux.
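As an added illustration (not code from the original statement or from [6]), the sketch below uses standard fixed-priority response-time analysis to show how the slack left by unmodified legacy tasks bounds how often a lowest-priority security task can run. The task set, the security task's execution time and the `tightness_pct` ratio are constructed for the example; the ratio is a stand-in, not the metric from the cited work.

```c
#include <stdio.h>

/* Periodic task: worst-case execution time and period, in microseconds.
 * Deadlines are taken to be equal to periods. */
struct task { long wcet; long period; };

/* Constructed legacy task set, highest priority first. These parameters
 * are treated as fixed: nothing below modifies them. */
static const struct task LEGACY[] = {
    { 1000,  5000 },
    { 2000, 10000 },
    { 3000, 20000 },
};
#define N_LEGACY ((int)(sizeof LEGACY / sizeof LEGACY[0]))

/* Worst-case response time of a job with execution time c that runs at a
 * lower priority than hp[0..n-1] under preemptive fixed-priority
 * scheduling: iterate R = c + sum(ceil(R / T_j) * C_j) to a fixed point.
 * Returns -1 once R exceeds limit (no fixed point within the bound). */
long response_time(const struct task *hp, int n, long c, long limit)
{
    long r = c, prev = 0;
    while (r != prev) {
        prev = r;
        r = c;
        for (int j = 0; j < n; j++)
            r += ((prev + hp[j].period - 1) / hp[j].period) * hp[j].wcet;
        if (r > limit)
            return -1;
    }
    return r;
}

/* Every legacy task must meet its deadline on its own. A security task
 * placed below all of them cannot preempt them, so this result does not
 * depend on the security task at all. */
int legacy_schedulable(const struct task *ts, int n)
{
    for (int i = 0; i < n; i++)
        if (response_time(ts, i, ts[i].wcet, ts[i].period) < 0)
            return 0;
    return 1;
}

/* Period the security task can actually sustain: it needs at least its
 * worst-case response time in the leftover slack, so the achieved period
 * is max(desired, R). Returns -1 if R does not fit within max_period. */
long achievable_period(const struct task *ts, int n, long sec_wcet,
                       long desired, long max_period)
{
    long r = response_time(ts, n, sec_wcet, max_period);
    if (r < 0)
        return -1;
    return r > desired ? r : desired;
}

/* Hypothetical closeness ratio: 100 means the desired monitoring period
 * is met, lower means the monitor runs less often than desired. */
int tightness_pct(long desired, long achieved)
{
    return achieved > 0 ? (int)(desired * 100 / achieved) : 0;
}

int main(void)
{
    long sec_wcet = 4000;     /* constructed: one integrity-check pass */
    long desired  = 10000;    /* constructed: desired monitoring period */
    long got = achievable_period(LEGACY, N_LEGACY, sec_wcet, desired, 1000000);

    printf("legacy schedulable: %d\n", legacy_schedulable(LEGACY, N_LEGACY));
    printf("achieved period: %ld us (desired %ld us), tightness %d%%\n",
           got, desired, tightness_pct(desired, got));
    return 0;
}
```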

Future Systems: We focused on the problem of preventing information leakage in real-time systems. The leakage could occur through shared storage channels (e.g., caches) and be carried out either by covert or side channel attacks. We focus on the resource management algorithms that are at the heart of most real-time systems. The idea is to introduce notions of security into these algorithms and then quantify the effect of such change [17, 18] by: (i) recasting security requirements as constraints on real-time scheduling algorithms and (ii) introducing the concept of “flushing” shared resources to avoid the leakage of information through them. Hence, we are (a) able to reuse the extensive mathematical tools already developed by the real-time community and (b) precisely quantify the effect of integrating the security requirement – by analyzing the effects on schedulability⁴. This was further generalized [20] to a new security model (“vendor-based model”) that can describe security relationships between any two generic pairs of real-time tasks and was demonstrated on a hardware-in-the-loop UAV platform.

Designers of CPS can quantify the effects of security integration in their systems. I have received positive feedback for this project from the research community, government sponsors and industry contacts.

Project funded by the Office of Naval Research (ONR) [$600K] and the National Science Foundation (NSF) [$500K].

2.2 Behavior-Based Intrusion Detection for Real-Time Systems

Quick detection of zero-day intrusions, i.e., as soon as they happen (when they are still in the latent stages), is important. One defining characteristic of CPS, especially those with hard real-time constraints, is that they are predictable by design. In fact, engineers extensively analyze CPS to gauge their performance profiles (e.g., execution times of tasks, scheduling of memory requests, interrupts, system calls and even I/O) in order to capture the deterministic execution patterns of such systems. Any intruder must typically either add to or even modify existing software or system state⁶. Such actions will show up as changes to the aforementioned execution profiles and this allows for the use of runtime detection methods.

³ The top conference in the field of real-time embedded systems.

⁴ The development of metrics for security is hard in general but headway can be made in specialized domains, as we demonstrate.

⁵ Where security tasks are provided with more resources to either perform more extensive checks or react to the detected attack(s).

⁶ Note: we are not considering sensor attacks yet.

We developed methods that use the properties of real-time CPS to detect inconsistencies in their behavior and hence detect malicious actions. This is coupled with (a) the Simplex architecture [21] for detecting safety violations and (b) an online, real-time, multicore-based monitoring system. This method is effective because any deviation from the previously analyzed behavior (for CPS), seen at runtime, is usually an indication of something going wrong⁷. Early work [30] used the worst-case execution time (WCET) of real-time code to detect intrusions. This was extended to the Secure System Simplex Architecture (S3A) [12]. We used precise timing information for each of the code paths in the real-time task. A decision module, on a separate FPGA, would check whether the real-time controller code was exceeding its ‘measured’ execution times. If so, control was immediately transferred to a trusted controller (on the FPGA) that would then actuate the plant.
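The decision-module check described above, as an added sketch that is not the S3A implementation or code from the original statement: per-path bounds are taken as the maximum execution time seen in measurement runs, and the first out-of-profile job latches control over to the trusted controller. All names, the measurement data and the runtime trace are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_PATHS 8

enum controller { COMPLEX_CONTROLLER, TRUSTED_CONTROLLER };

/* One observed instance of the control task: which analyzed code path it
 * took and how long it ran (microseconds). */
struct job { unsigned path; long exec_us; };

/* Per-path profile built from measurement runs on a known-good system. */
struct profile { long bound_us[MAX_PATHS]; int seen[MAX_PATHS]; };

/* Decision-module state. switched_at is the index of the job that caused
 * the failover, or -1 if the complex controller is still in charge. */
struct monitor { enum controller active; long violations; long switched_at; };

/* Constructed measurement runs used to build the profile. */
static const struct job MEASURED[] = {
    {0, 100}, {0, 118}, {1, 320}, {1, 340}, {2, 95}, {0, 120},
};
#define N_MEASURED (sizeof MEASURED / sizeof MEASURED[0])

/* Constructed runtime trace: job 3 overruns path 1, and job 5 takes a
 * path that never appeared during measurement. */
static const struct job RUNTIME[] = {
    {0, 110}, {1, 330}, {2, 90}, {1, 352}, {0, 100}, {3, 50},
};
#define N_RUNTIME (sizeof RUNTIME / sizeof RUNTIME[0])

/* Record the largest measured execution time for each path. */
void profile_learn(struct profile *p, const struct job *runs, size_t n)
{
    memset(p, 0, sizeof *p);
    for (size_t i = 0; i < n; i++) {
        unsigned k = runs[i].path;
        if (k >= MAX_PATHS)
            continue;
        p->seen[k] = 1;
        if (runs[i].exec_us > p->bound_us[k])
            p->bound_us[k] = runs[i].exec_us;
    }
}

/* A job is consistent with the profile only if its path was analyzed and
 * it stayed within that path's measured bound. */
int within_profile(const struct profile *p, const struct job *j)
{
    if (j->path >= MAX_PATHS || !p->seen[j->path])
        return 0;
    return j->exec_us <= p->bound_us[j->path];
}

/* Feed one observation to the decision module. The switch is latched:
 * once the trusted controller takes over, later in-profile jobs do not
 * hand control back. */
enum controller monitor_observe(struct monitor *m, const struct profile *p,
                                long idx, const struct job *j)
{
    if (!within_profile(p, j)) {
        m->violations++;
        if (m->active == COMPLEX_CONTROLLER) {
            m->active = TRUSTED_CONTROLLER;
            m->switched_at = idx;
        }
    }
    return m->active;
}

/* Replay a trace through a fresh monitor; returns the failover index. */
long run_trace(const struct profile *p, const struct job *trace, size_t n,
               struct monitor *m)
{
    m->active = COMPLEX_CONTROLLER;
    m->violations = 0;
    m->switched_at = -1;
    for (size_t i = 0; i < n; i++)
        monitor_observe(m, p, (long)i, &trace[i]);
    return m->switched_at;
}

int main(void)
{
    struct profile p;
    struct monitor m;

    profile_learn(&p, MEASURED, N_MEASURED);
    long at = run_trace(&p, RUNTIME, N_RUNTIME, &m);
    printf("failover at job %ld, %ld out-of-profile jobs, trusted=%d\n",
           at, m.violations, m.active == TRUSTED_CONTROLLER);
    return 0;
}
```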

Fig. 1: SecureCore Architecture.

A statistical learning-based execution time profile and intrusion detection method was developed – it can detect, at run-time, perturbations in execution time (due to variations in inputs, programmatic paths, etc.) and account for their causes [29]. We also developed an architectural framework (“SecureCore” – Figure 1) for capturing the behavioral profiles and also detecting the intrusions at runtime.

To date, we have been able to show success using properties such as execution time [12, 29, 30], control flow graphs of programs [1], system call distributions [26] and memory traffic [27]. The techniques were then extended to more general purpose systems such as Linux [28]. We developed the above methods in conjunction with machine learning/statistical analyses to obtain the behavioral profiles while adapting the SecureCore architecture for each signal/property that we monitor. We also demonstrated different methods of implementation – from pure software to separate FPGA boards, from architectural simulators (for the multicore modifications) to softcores on FPGA fabric. This highlights the potential diversity for applicability in a variety of systems. This idea has great potential and can improve the security of existing and future CPS.

I recently received funding from the Department of Energy to apply these techniques to detecting anomalous behavior in distributed energy resources (DERs) e.g., pluggable electric vehicles, smart buildings, solar farms, etc. We intend to apply the behavioral intrusion detection mechanisms to the communication protocols between the DERs and aggregators (third party or utility-led entities that manage the charging/discharging of power for DERs).

This project is funded by the National Science Foundation (NSF) [500K].

3 Software Defined Networking in Safety-Critical Cyber-Physical Systems

Software-Defined Networking (SDN) [11] changed networking concepts – especially network management and maintenance – by decoupling the control plane from the data plane. SDN provides a lot of flexibility and powerful capabilities to many network applications, e.g., virtual machine migrations, traffic engineering, access control, server load balancing, etc. My work focuses on how to adapt SDNs for use in safety-critical CPS.

Current SDN technology is not very good at reasoning about end-to-end delays for network flows across a network (CPS with real-time requirements often require such guarantees for critical network packets). In early work, we ensure that high priority flows in CPS and IoT systems (i.e., flows that require strict end-to-end timing guarantees) can meet their requirements without interference from lower priority traffic [9]. This is a static admission control scheme that over-provisions resources to meet the QoS and priority constraints. We also tackled the issue of correctness of network updates in SDNs, especially in critical systems [10] – i.e., updating rules for various flows in the network without breaking the security/isolation/institutional policies as set up by the operators. A lack of consistency during the network update process can not only adversely impact the stability and availability of the network (by causing transient black holes and loops) but also its security.

This work is based on funding from the Dept. of Energy (DoE) as part of the larger CREDC Center at UIUC.

⁷ While it could be due to a fault instead of malicious activity, this method has the double advantage of protecting against bugs as well as attacks; it is often the case that attackers use bugs as a means to gain entry into the system.

4 Future Work

I plan to continue working in the Computer Systems area; in particular, improving the resiliency for CPS/RTS/IoT systems by focusing on security, robust networking architectures and platform-level solutions. My immediate research focus will be,

1. Integration of Security in Real-Time Systems: the work described in Section 2 is just the tip of the iceberg. There are other potential attack scenarios and solutions to be developed. In recent (early) work, we demonstrated the existence of a new side channel in real-time systems [4]. Other early work [25] shows how randomization of real-time tasks can thwart attackers. Another area ripe for research is that of multicore-based real-time systems where leakage and side-channel attacks become more problematic. I intend to further explore these topics and also demonstrate these attacks/solutions on realistic systems such as autonomous vehicles (e.g., UAVs).

Behavior-based Intrusion Detection: extend methods from Section 2.2 to other “signals” such as I/O, sensory data, etc. Develop methods for multivariate analysis that will combine the various data streams to find hard-to-detect anomalies. Analyze distributed CPS for characterizing “normal behavior” (e.g., flocks of UAVs) – this project recently received funding from Boeing Research [$100K].

2. SDN for Safety-Critical, Real-Time & IoT Systems: develop mechanisms to ensure end-to-end timing and bandwidth guarantees, isolation and fast failover (for increased resiliency in the face of node/link failures) methods for use in cyber-physical systems. Mixing multiple priorities of traffic in SDN networks. Integrate with realistic applications such as avionics and automobiles.

Extend the use of SDNs to IoT systems to provide QoS and security guarantees across wide-area networks – we are collaborating with Visa Research to implement these ideas on IoT-based mobile payment systems.

In the longer term, I intend to work on (from medium to longer term as indicated),

1. Software Defined Control (SDC): developing manufacturing CPS of the future by applying lessons learned from the SDN domain. At the high level, a global “controller” will coordinate the movement of parts⁸ through the plant. Develop high-fidelity modeling frameworks for the centralized controller, anomaly detection mechanisms, automatic reprogramming and re-routing of the plant (in response to events like failures, security incidents, etc.). Apply to distributed manufacturing systems. This was recently funded as an NSF CPS “Frontiers” project [total: $4.25M, UIUC: $1.25M]. [Medium-term]

2. Isolation and Security for Lightweight Cloud Computing Systems: My work on security for real-time systems provided insights on how hardware+software techniques can be used to improve the security for more general purpose systems, viz., lightweight cloud computing systems [23]. As a result, we recently received funding from ONR [total: $6.1M, UIUC: $1M] for improving the security of containers and operating systems – essentially, “de-bloating” code to reduce the attack surfaces in cloud systems by carrying out late-stage (deployment-time) customization that reduces the size of the binaries and/or the OS. [Medium-term]

3. A Calculus of Trust for CPS: identify what it is that can increase/decrease trust in a CPS – either at the individual node level or among nodes in a distributed CPS (say a flock of coordinating UAVs). Develop a mathematical framework for capturing/analyzing such trust relationships; develop trust-enhancing architectures for individual nodes as well as distributed CPS. [Longer-term]

Many of the solutions that we intend to develop for CPS can also translate to the Internet-of-Things (IoT) domain – with the caveat that IoT systems have larger scale, greater diversity of component devices (often with more limited resources), softer real-time guarantees and different interfaces. Hence, I intend to explore this domain as well. Finally, I intend to work with various industry partners (from avionics, automotive, power systems, medical devices, space vehicles, etc.) to apply all of these methods to realistic systems and transition to practice.

5 Prior Work: Virtual Integration & WCET Analysis of Contemporary Processors

[This section provides a brief overview of some prior projects. A more detailed listing of projects can be found in my CV.]

Virtual Integration: A typical large passenger aircraft contains hundreds of processors, thousands of software tasks and many other hardware components. This presents a problem not just at the design stage but also during the final system integration. I developed an end-to-end analysis framework (called virtual integration) [2, 15, 16] to address these issues. This framework performs (a) WCET analysis, (b) schedulability analysis and (c) bus delay analysis, ahead of time, on models of the hardware and software – before any concrete hardware/software implementations exist. We collaborated with Rockwell Collins and Lockheed Martin who are applying these techniques to internal projects. Hence, it is likely that this work will affect the way avionics systems are designed in the future since they simplify the task of the designers/architects of such systems. The ideas developed here are also applicable to other cyber-physical domains, such as automobiles, medical devices, etc.

WCET Analysis for Contemporary Processors: [Dissertation Work] The worst-case execution time (WCET) of all component tasks in a real-time system is a critical piece of information for system designers. WCET estimation is a non-trivial task due to the complexity of processors, non-determinism of input sets, etc. Hence, there is a lack of WCET analysis techniques for processors with modern architectural features such as out-of-order (OOO) processing, multicore architectures, etc. I developed novel techniques to analyze modern processors with advanced architectural features, viz. OOO execution [13, 14]. The concept was also implemented on a Xilinx Virtex 5 FPGA [19] board to show that it can be realized in actual hardware. The CheckerMode work ensures that designers of such systems can now use contemporary processors with increased processing power and low power consumption.

⁸ Analogous to network packets in an SDN data plane.

References

[1] F. A. T. Abad, J. V. D. Woude, Y. Lu, S. Bak, M. Caccamo, L. Sha, R. Mancuso, and S. Mohan. On-chip control flow integrity check for real time embedded systems. In Cyber-Physical Systems, Networks, and Applications (CPSNA), 2013 IEEE 1st International Conference on, pages 26–31, 2013.

[2] R. Bradford, S. Fliginger, M.-Y. Nam, S. Mohan, R. Pellizzoni, C. Kim, M. Caccamo, and L. Sha. Exploring the design space of IMA architectures. In Digital Avionics Systems Conference, October 2010.

[3] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive experimental analyses of automotive attack surfaces. In USENIX Security, Aug 2011.

[4] C. Chen, A. Ghassami, S. Mohan, N. Kiyavash, R. B. Bobba, R. Pellizzoni, and M. Yoon. A reconnaissance attack mechanism for fixed-priority real-time systems. CoRR, abs/1705.02561, 2017.

[5] N. Falliere, L. Murchu, and E. C. (Symantec). W32.stuxnet dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf, 2011.

[6] M. Hasan, S. Mohan, R. B. Bobba, and R. Pellizzoni. Exploring opportunistic execution for integrating security into legacy hard real-time systems. In 2016 IEEE Real-Time Systems Symposium, RTSS 2016, Porto, Portugal, November 29 - December 2, 2016, pages 123–134, 2016.

[7] M. Hasan, S. Mohan, R. Pellizzoni, and R. B. Bobba. Contego: An adaptive framework for integrating security tasks in real-time systems. In 29th Euromicro Conference on Real-Time Systems, ECRTS 2017, June 27-30, 2017, Dubrovnik, Croatia, pages 23:1–23:22, 2017.

[8] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 447–462, May 2010.

[9] R. Kumar, M. Hasan, S. Padhy, K. Evchenko, L. Piramanayagam, S. Mohan, and R. B. Bobba. End-to-end network delay guarantees for real-time systems using SDN. In IEEE Conference Real-Time Systems Symposium (RTSS), 2017.

[10] W. Liu, R. Bobba, S. Mohan, and R. Campbell. Inter-flow consistency: A novel SDN update abstraction for supporting inter-flow constraints. In IEEE Conference on Communications and Network Security (CNS), 2015 (Accepted).

[11] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner. Openflow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38(2):69–74, 2008.

[12] S. Mohan, S. Bak, E. Betti, H. Yun, L. Sha, and M. Caccamo. S3A: Secure system simplex architecture for enhanced security and robustness of cyber-physical systems. In ACM Conference on High Confidence Networked Systems, 2013.


[13] S. Mohan and F. Mueller. Hybrid timing analysis of modern processor pipelines via hardware/software interactions. In IEEE Real-Time Embedded Technology and Applications Symposium, Apr. 2008.

[14] S. Mohan and F. Mueller. Merging state and preserving timing anomalies in pipelines of high-end processor. In IEEE Real-Time Systems Symposium, December 2008.

[15] S. Mohan, M.-Y. Nam, R. Pellizoni, L. Sha, R. Bradford, and S. Fliginger. Rapid Early-Phase Virtual Integration. In Proceedings of the 30th IEEE Real-Time Systems Symposium (RTSS’09), pages 33–44. IEEE, Dec 2009.

[16] S. Mohan, M.-Y. Nam, R. Pellizoni, L. Sha, R. Bradford, and S. Fliginger. Virtual integration for early analysis of safety-critical avionics systems. In Submitted to the ACM Transactions in Embedded Computing Systems (TECS). ACM, 2010.

[17] S. Mohan, M. Yoon, R. Pellizzoni, and R. B. Bobba. Integrating security constraints into fixed priority real-time schedulers. Real-Time Systems, 52(5):644–674, 2016.

[18] S. Mohan, M.-K. Yoon, R. Pellizzoni, and R. Bobba. Real-time systems security through scheduler constraints. In Euromicro Conference on Real-Time Systems, pages 129–140, July 2014.

[19] J. Ouyang, R. Raghavendra, S. Mohan, T. Zhang, Y. Xie, and F. Mueller. Checkercore: Enhancing an FPGA softcore to capture worst-case execution times. In Conference on Compilers, Architecture and Synthesis for Embedded Systems, 2009.

[20] R. Pellizzoni, N. Paryab, M.-K. Yoon, S. Bak, S. Mohan, and R. Bobba. A generalized model for preventing information leakage in hard real-time systems. In IEEE Real-Time Embedded Technology and Applications Symposium, April 2015.

[21] L. Sha. Using simplicity to control complexity. IEEE Softw., 18(4):20–28, 2001.

[22] D. Shepard, J. Bhatti, and T. Humphreys. Drone hack: Spoofing attack demonstration on a civilian unmanned aerial vehicle. GPS World, August 2012.

[23] R. Sprabery, K. Evchenko, A. Raj, R. B. Bobba, S. Mohan, and R. H. Campbell. Scheduling, isolation, and cache allocation: A side-channel defense. In 2018 IEEE International Conference on Cloud Engineering, IC2E 2018, Orlando, FL, USA, April 17-20, 2018, pages 34–40, 2018.

[24] H. Teso. Aircraft hacking. In Fourth Annual HITB Security Conference in Europe, 2013.

[25] M. Yoon, S. Mohan, C. Chen, and L. Sha. Taskshuffler: A schedule randomization protocol for obfuscation against timing inference attacks in real-time systems. In 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Vienna, Austria, April 11-14, 2016, pages 111–122, 2016.

[26] M. Yoon, S. Mohan, J. Choi, M. Christodorescu, and L. Sha. Learning execution contexts from system call distribution for anomaly detection in smart embedded system. In Proceedings of the Second International Conference on Internet-of-Things Design and Implementation, IoTDI 2017, Pittsburgh, PA, USA, April 18-21, 2017, pages 191–196, 2017.

[27] M.-K. Yoon, J. Choi, S. Mohan, and L. Sha. Memory heat map: Anomaly detection in real-time embedded systems using memory behavior. In Design Automation Conference, June 2015.

[28] M.-K. Yoon, M. Christodorescu, L. Sha, and S. Mohan. A secure two-level framework for intrusion detection. In ACM Conference on Computer and Communications Security, October 2015 (submitted).

[29] M.-K. Yoon, S. Mohan, J. Choi, J.-E. Kim, and L. Sha. SecureCore: A multicore based intrusion detection architecture for real-time embedded systems. In IEEE Real-Time Embedded Technology and Applications Symposium, 2013.

[30] C. Zimmer, B. Bhatt, F. Mueller, and S. Mohan. Time-based intrusion detection in cyber-physical systems. In International Conference on Cyber-Physical Systems, 2010.
