# **C**yber**S**hield # Intrusion Tolerant Flight Computing Through Hardware Obfuscation #### **CySER Summer Workshop** May 26, 2023 #### **Chris Major** Research Assistant, Electrical and Computer Engineering # Types of Cybersecurity Attacks # Types of Cybersecurity Attacks ## The Malware Challenge - The nation's cyber infrastructure consists of a massive number of identical computer systems. - This homogeneity is advantageous because a single piece of software can be deployed across millions of systems to increase capacity. ## The Malware Challenge However, this gives an attacker a significant advantage in terms of effort relative to system defenders by re-using their attack across numerous systems. # The Embedded Advantage Personal Computers **400M** sold in 2018. # The Embedded Advantage Personal Computers 400M sold in 2018. **Smart Phones 1.5B** sold in 2018. # The Embedded Advantage Personal Computers 400M sold in 2018. **Smart Phones 1.5B** sold in 2018. #### **Embedded Computers** **25B** sold in 2018. ## Our Approach - Our focus is on diversifying embedded computers (not infrastructure). - Embedded systems have ... - Smaller physical dimensions (sometimes 8-pin packages) - Lower Clock Frequencies (1MHz 16MHz) - Smaller memories (256k to 1M) - Dedicated software, not general-purpose - Often no OS other than real-time scheduler - Embedded systems are often homogenous processor families. # Removing The Advantage If **homogeneity** gives the attacker an advantage, **diversify the network** and **randomize the hardware**. # **Diversifying Hardware** Most computer hardware is **fixed** and takes months/years to fabricate. There has been some prior work in the area of randomization of instructions sets in **Virtual Machines**, with promising results. #### Field Programmable Gate Arrays (FPGAs) - FPGAs are digital logic devices that can be configured into any computational architecture. - Logic Matrix - Reconfigurable - FPGAs can take advantage of parallelism and redundancy for hardware acceleration. - Commercial availability and extensive development support make FPGAs easy to access and implement. ### Field Programmable Gate Arrays (FPGAs) - FPGA hardware is designed using a Hardware Description Language (HDL). - Once we have a design in an HDL, we can use scripts to create versions of it with alterations. - The HDL can be created at compile-time. # Field Programmable Gate Arrays - HDL is generated into Real-Time Logic (RTL) - RTL is generated through the FPGA vendor's synthesis and implementation suite. - A bitstream is generated that can translate the RTL into logic block placement within the FPGA. #### **Baseline Computer** - Original Processor - Open-Source Doc - Known Opcodes - Compiler Supported ``` HDL Generation Scripts ``` ``` adding_proc: process (acir, cik) process (acLr, cLk) begin if (scLr = '1') then q s = (others => '6'); clsif rising_odge(clk) then q.s = ('0'&signed(a)) + ('0'&signed(b)); end if; - clk'd ``` ``` Synthesis / Implementation ``` #### **Baseline Computer** - Original Processor - Open-Source Doc - Known Opcodes - Compiler Supported HDL Generation Scripts ``` eqin if (aclr = '1') then q s <= (others => '0'); clsif rising_edge(clk) then q.s <= ('0'&signed(a)) + ('0'&signed(b)); end if'; = clk'd adding_proc: process (acir, cik) ``` ``` We can create copies of the baseline computer with <u>different</u> instruction opcodes before synthesis. ``` ``` Synthesis / Implementation ``` #### **Baseline Computer** - Original Processor - Open-Source Doc - Known Opcodes - Compiler Supported HDL Generation Scripts ``` __ougu(vin) then )'&signed(a)) + ('0'&signed(b)); segin if (ucir = '1') then q s <= (others >= '0'); claif rising_edge(clk) then q.s <= ('0'asigned(a)) + ('0'asigned(b)); end if; -- clk'd</pre> ndding_proc: process (acir, cik) ``` We can create copies of the baseline computer with <u>different</u> instruction opcodes before synthesis. This results in "functionally equivalent, heterogeneous cores" on the FPGA that run as a redundant system. We can either throw an exception or run a pre-defined routine to remove the malware. A Malware attack will insert execution binaries into each of the 3x cores' program memory on the FPGA. But since the attacker compiled the malware for the publiclyavailable Baseline computer's opcodes, it is the only one that executes the malware. Compile-time creation of obfuscated computing hardware. - Compile-time creation of obfuscated computing hardware. - But what if the attacker guesses our instruction codes? - Compile-time creation of obfuscated computing hardware. - But what if the attacker guesses our instruction codes? - What if we had TWO sets of different instruction code assignments? - Compile-time creation of obfuscated computing hardware. - But what if the attacker guesses our instruction codes? - What if we had TWO sets of different instruction code assignments? - Then we could compare opcodes between the computers and if the are ever the SAME, it is malware. - Compile-time creation of obfuscated computing hardware. - But what if the attacker guesses our instruction codes? - What if we had TWO sets of different instruction code assignments? - Then we could compare opcodes between the computers and if the are ever the SAME, it is malware. - Compile-time creation of obfuscated computing hardware. - But what if the attacker guesses our instruction codes? - What if we had TWO sets of different instruction code assignments? - Then we could compare opcodes between the computers and if the are ever the SAME, it is malware. - We could add MULTIPLE sets of instruction codes to MULTIPLE computers. - Why add more than two computing cores? - That's the flight computing component. - Why add more than two computing cores? - That's the flight computing component. UAS (RIS GPS OCX) USA (RMD Patriot) Missiles (RMD Patriot) - Why add more than two computing cores? - That's the flight computing component. USA (RMD Patriot) Missiles (RMD Patriot) # **Spaceflight Computing** MSU has a history of building and deploying space computers. #### The RadPC Architecture RadPC combines **reconfigurable logic** and **redundancy mechanisms** to protect program execution from radiation faults #### **RadPC in Space** Timeline of RadPC missions and demonstrations #### RadPC – Flight Heritage - RadPC has extensive mission history and flight heritage. - 8 high altitude balloons - 2 sounding rockets - 3 International Space Station missions - 2 Cubesat satellites - 1 upcoming lunar mission - Flight heritage determines the aerospace/defense industry's confidence in implementing hardware and software. #### Fault Resilience What is the connection between space radiation and malware? #### Fault Resilience - What is the connection between space radiation and malware? - Unexpected error injection - Manipulation of program data - Mitigation through redundancy # CyberShield + RadPC How do we leverage RadPC's fault recovery mechanisms? ### CyberShield + RadPC - How do we leverage RadPC's fault recovery mechanisms? - Use the Quad Modular Redundancy (QMR) standard from RadPC to create 4 cores. - Ensure each core only understands its own opcodes. - Add a voting mechanism to determine which core has been attacked. - Add a recovery mechanism to refresh the faulted core in hardware. ## Malware Recovery Demonstration ``` while(1){ for(index=0xFFFF;index!=0;index--){ temp = RXBUF[0]; if(temp == '1'){ set_angle = 47; }else if (temp=='2'){ set angle = 79; }else{ set angle = 61; if(rx index == 1){ rx_index=0; temp = decode_array[P1IN]; if(temp<set angle){ P2OUT &=~(BIT2); //enable stepper motor P20UT |=(BIT1); //set direction P20UT &=~(BIT5); //set direction temp = set angle-temp; }else if (temp>set angle){ P2OUT &=~(BIT2); //enable stepper motor P20UT &=~(BIT1); //set direction P20UT |=(BIT5); //set direction temp = temp-set_angle; }else{ P2OUT |=BIT2; //Disable stepper motor frequency = 4000 - 63*(temp); #pragma vector = TIMER0 B0 VECTOR; interrupt void Timer ISR(){ TB0CCR0+=frequency; P2OUT ^=BIT4; //frequency+=1; TB0CCTL0 &=~ CCIFG: TB0CCTL0 // Service UART #pragma vector = EUSCI_A1_VECTOR __interrupt void ISR_EUSCI_A1(void) { RXBUF[rx index++] = UCA1RXBUF; UCA1IFG &= ~UCRXIFG; ``` Program Vulnerabilities (Classic Buffer Overflow Attack) ``` while(1){ for(index=0xFFFF;index!=0;index--){ temp = RXBUF[0]; if(temp == '1'){ set angle = 47; }else if (temp=='2'){ set angle = 79; }else{ set angle = 61; if(rx index == 1){ rx_index=0; temp = decode_array[P1IN]; if(temp<set angle){ P2OUT &=~(BIT2); //enable stepper motor P2OUT |=(BIT1); //set direction P20UT &=~(BIT5); //set direction temp = set angle-temp; }else if (temp>set angle){ P2OUT &=~(BIT2); //enable stepper motor P20UT &=~(BIT1); //set direction P20UT |=(BIT5); //set direction temp = temp-set_angle; }else{ P2OUT |=BIT2; //Disable stepper motor frequency = 4000 - 63*(temp); #pragma vector = TIMER0 B0 VECTOR; interrupt void Timer ISR(){ TB0CCR0+=frequency; P2OUT ^=BIT4; //frequency+=1; TB0CCTL0 &=~ CCIFG: TB@CCTL@ ``` 1. When user sends new setpoint over UART, an IRQ triggers, stacks return address, and retrieves new value for RXBUF. Program Vulnerabilities (Classic Buffer Overflow Attack) RXBUF[rx index++] = UCAIRZ UCA1IFG &= ~UCRXIFG; // Service UART #pragma vector = interru value for RXBUF. ### Redundancy Advantage Each CPU's memory has the exact same malware opcodes ... #### decode\_array <u>frequency</u> **Bad Set Angle** rx index NOP NOP NOP Malware Malware Malware Malware NOP NOP **NOP** New ISR Return Addr #### **CPU 01** | decode_array | |---------------------| | frequency | | ??? | | rx index | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | New ISR Return Addr | #### **CPU 02** | decode_array | |---------------------| | frequency | | ??? | | rx index | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | New ISR Return Addr | #### **CPU 03** | decode_array | |---------------------| | frequency | | ??? | | rx index | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | ??? | | New ISR Return Addr | ### Redundancy Advantage • ... but only **one core** can actually run the malware. ## Redundancy Advantage So what kind of processor core should be used for this strategy? ### **MSP430** - The MSP430 is a 16-bit microcontroller provided by Texas Instruments. - The opcodes are widely available due to public documentation. - The processor's functions are proprietary and difficult to replicate without insider access. - No open-source softcore versions for FPGAs exist. ### The RISC-V Processor - RISC-V is an open-source Industry Standard Architecture (ISA). - Base form is a 32-bit integerbased core (RV32I). - RISC-V cores can be implemented onto FPGAs with easy access to signals. - A design must conform to the RISC-V ISA to be considered functional. ### Our RISC-V HDL Core - RISC-V RV32I ISA - 32-bit registers - IntegerOperations - VHDL Components - 4k IMEM, 4k DMEM - 2 GPIO, 2 UART,2 SPI ### Software Development - The RV32I compiler is provided by the RISC-V Collaboration - Our custom Makefile compiles C into binaries, then exports binaries to VHDL. - Minimal standard libraries are currently supported (stdint.h) in the CyberShield system. # Image Processing Demonstration ## Image Processing Demonstration - We use the RISC-V architecture to process an image from a camera. - A UART command specifies if the screen should show the image or the edge detected version. - The UART is our attack vector for our buffer overflow attack. - Each processor core has different opcodes but the same attack vector. ### **Demonstration Video** ## Questions?