Job Noorman - Academia.edu (original) (raw)
Papers by Job Noorman
Low-end embedded devices and the Internet of Things (IoT) are becoming increasingly important for... more Low-end embedded devices and the Internet of Things (IoT) are becoming
increasingly important for our lives. They are being used in domains such
as infrastructure management, and medical and healthcare systems, where
business interests and our security and privacy are at stake. Yet, security
mechanisms have been appallingly neglected on many IoT platforms. In this
paper we present a secure access control mechanism for extremely
lightweight embedded microcontrollers. Being based on Sancus, a
hardware-only Trusted Computing Base and Protected Module Architecture for
the embedded domain, our mechanism allows for multiple software modules on
an IoT-node to securely share resources. We implement and evaluate our
approach for two application scenarios, a shared memory system and a shared
flash drive. Our implementation is based on a Sancus-enabled TI MSP430
microcontroller. We show that our mechanism can give high security
guarantees at small runtime overheads and a moderately increased
size of the Trusted Computing Base.
ABSTRACT In this paper we propose Sancus, a security architecture for networked embedded devices.... more ABSTRACT In this paper we propose Sancus, a security architecture for networked embedded devices. Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised, and can authenticate messages from software modules to software providers. Software modules can securely maintain local state, and can securely interact with other software modules that they choose to trust. The most distinguishing feature of Sancus is that it achieves these security guarantees without trusting any infrastructural software on the device. The Trusted Computing Base (TCB) on the device is only the hardware. Moreover, the hardware cost of Sancus is low. We describe the design of Sancus, and develop and evaluate a prototype FPGA implementation of a Sancus-enabled device. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We also develop a C compiler that targets our device and that can compile standard C modules to Sancus protected software modules.
Lecture Notes in Computer Science, 2012
Despite the large number of proposed countermeasures against control-flow hijacking attacks, thes... more Despite the large number of proposed countermeasures against control-flow hijacking attacks, these attacks still pose a great threat for today's applications. The problem with existing solutions is that they either provide incomplete probabilistic protection (e.g., stack canaries) or impose a high runtime overhead (e.g., bounds checking). In this paper, we show how the concept of program-part duplication can be used to protect against control-flow hijacking attacks and present two different instantiations of the duplication concept which protect against popular attack vectors. First, we use the duplication of functions to eliminate the need of return addresses and thus provide complete protection against attacks targeting a function's return address. Then we demonstrate how the integrity of function pointers can be protected through the use of data duplication. We test the combined effectiveness of our two methods and experimentally show that they provide an almost complete protection against control-flow hijacking attacks with only a low runtime overhead in real-world applications.
ISSE 2013 Securing Electronic Business Processes, 2013
Protected Module Architectures are a new brand of security ar-chitectures whose main objective is... more Protected Module Architectures are a new brand of security ar-chitectures whose main objective is to support the secure isolated execution of software modules with a minimal Trusted Computing Base (TCB) – several prototypes for embedded systems (and also the Intel Software Guard eXtensions for higher-end systems) ensure isolation with a hardware-only TCB. However, while these architectures offer strong confidentiality and integrity guarantees for software modules, they offer no availability (let alone real-time) guarantees. This paper reports on our work-in-progress towards extending a protected module architecture for small microprocessors with availability and real-time guarantees. Our objective is to maintain the existing security guarantees with a hardware-only TCB, but to also guarantee availability (and even real-time properties) if one can also trust the scheduler. The scheduler, as any software on the platform, remains untrusted for confidentiality and integrity – but it is sufficient to trust the scheduler module to get availability guarantees even on a partially compromised platform.
In this paper we describe a novel approach to securely obtain measurements with respect to the in... more In this paper we describe a novel approach to securely obtain measurements
with respect to the integrity of software running on a low-cost and
low-power computing node autonomously or on request. We propose to use
these measurements as an indication of the trustworthiness of that node.
Our approach is based on recent developments in Program Counter Based
Access Control. Specifically, we employ Sancus, a light-weight
hardware-only Trusted Computing Base and Protected Module Architecture, to
integrate trust assessment modules into an untrusted embedded OS without
using a hypervisor. Sancus ensures by means of hardware extensions that
code and data of a protected module cannot be tampered with, and that the
module's data remains confidential. Sancus further provides cryptographic
primitives that are employed by our approach to enable the trust management
system to verify that the obtained trust metrics are authentic and fresh.
Thereby, our trust assessment modules can inspect the OS or application
code and securely report reliable trust metrics to an external trust
management system. We evaluate a prototypic implementation of our approach
that integrates Sancus-protected trust assessment modules with the Contiki
OS running on a Sancus-enabled TI MSP430 microcontroller.
Low-end embedded devices and the Internet of Things (IoT) are becoming increasingly important for... more Low-end embedded devices and the Internet of Things (IoT) are becoming
increasingly important for our lives. They are being used in domains such
as infrastructure management, and medical and healthcare systems, where
business interests and our security and privacy are at stake. Yet, security
mechanisms have been appallingly neglected on many IoT platforms. In this
paper we present a secure access control mechanism for extremely
lightweight embedded microcontrollers. Being based on Sancus, a
hardware-only Trusted Computing Base and Protected Module Architecture for
the embedded domain, our mechanism allows for multiple software modules on
an IoT-node to securely share resources. We implement and evaluate our
approach for two application scenarios, a shared memory system and a shared
flash drive. Our implementation is based on a Sancus-enabled TI MSP430
microcontroller. We show that our mechanism can give high security
guarantees at small runtime overheads and a moderately increased
size of the Trusted Computing Base.
ABSTRACT In this paper we propose Sancus, a security architecture for networked embedded devices.... more ABSTRACT In this paper we propose Sancus, a security architecture for networked embedded devices. Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised, and can authenticate messages from software modules to software providers. Software modules can securely maintain local state, and can securely interact with other software modules that they choose to trust. The most distinguishing feature of Sancus is that it achieves these security guarantees without trusting any infrastructural software on the device. The Trusted Computing Base (TCB) on the device is only the hardware. Moreover, the hardware cost of Sancus is low. We describe the design of Sancus, and develop and evaluate a prototype FPGA implementation of a Sancus-enabled device. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We also develop a C compiler that targets our device and that can compile standard C modules to Sancus protected software modules.
Lecture Notes in Computer Science, 2012
Despite the large number of proposed countermeasures against control-flow hijacking attacks, thes... more Despite the large number of proposed countermeasures against control-flow hijacking attacks, these attacks still pose a great threat for today's applications. The problem with existing solutions is that they either provide incomplete probabilistic protection (e.g., stack canaries) or impose a high runtime overhead (e.g., bounds checking). In this paper, we show how the concept of program-part duplication can be used to protect against control-flow hijacking attacks and present two different instantiations of the duplication concept which protect against popular attack vectors. First, we use the duplication of functions to eliminate the need of return addresses and thus provide complete protection against attacks targeting a function's return address. Then we demonstrate how the integrity of function pointers can be protected through the use of data duplication. We test the combined effectiveness of our two methods and experimentally show that they provide an almost complete protection against control-flow hijacking attacks with only a low runtime overhead in real-world applications.
ISSE 2013 Securing Electronic Business Processes, 2013
Protected Module Architectures are a new brand of security ar-chitectures whose main objective is... more Protected Module Architectures are a new brand of security ar-chitectures whose main objective is to support the secure isolated execution of software modules with a minimal Trusted Computing Base (TCB) – several prototypes for embedded systems (and also the Intel Software Guard eXtensions for higher-end systems) ensure isolation with a hardware-only TCB. However, while these architectures offer strong confidentiality and integrity guarantees for software modules, they offer no availability (let alone real-time) guarantees. This paper reports on our work-in-progress towards extending a protected module architecture for small microprocessors with availability and real-time guarantees. Our objective is to maintain the existing security guarantees with a hardware-only TCB, but to also guarantee availability (and even real-time properties) if one can also trust the scheduler. The scheduler, as any software on the platform, remains untrusted for confidentiality and integrity – but it is sufficient to trust the scheduler module to get availability guarantees even on a partially compromised platform.
In this paper we describe a novel approach to securely obtain measurements with respect to the in... more In this paper we describe a novel approach to securely obtain measurements
with respect to the integrity of software running on a low-cost and
low-power computing node autonomously or on request. We propose to use
these measurements as an indication of the trustworthiness of that node.
Our approach is based on recent developments in Program Counter Based
Access Control. Specifically, we employ Sancus, a light-weight
hardware-only Trusted Computing Base and Protected Module Architecture, to
integrate trust assessment modules into an untrusted embedded OS without
using a hypervisor. Sancus ensures by means of hardware extensions that
code and data of a protected module cannot be tampered with, and that the
module's data remains confidential. Sancus further provides cryptographic
primitives that are employed by our approach to enable the trust management
system to verify that the obtained trust metrics are authentic and fresh.
Thereby, our trust assessment modules can inspect the OS or application
code and securely report reliable trust metrics to an external trust
management system. We evaluate a prototypic implementation of our approach
that integrates Sancus-protected trust assessment modules with the Contiki
OS running on a Sancus-enabled TI MSP430 microcontroller.