
Research was conducted to integrate and advance current techniques in compilers, hardware architectures, and security to develop novel techniques to protect against physical attacks on encrypted embedded systems. The innovation in the approach was in exploiting the power of integrated software-hardware methods that do not require processor re-design. The hardware side of the innovation comes from using reconfigurable logic to implement security techniques in hardware. The reconfigurable logic in hardware, when combined with the ability of the compiler to instrument the code, can be used in powerful ways to strengthen the security of computing platforms. Several techniques were proposed and designed to address these objectives.
The domain of embedded systems and applications includes avionics, communications equipment, unmanned vehicles or devices, sensors, and electronic control systems. In a typical attack, a device is captured and probed in a sophisticated laboratory. It is the combination of vulnerabilities in hardware — usually embedded processors — and software that forms the basis of these attacks.
Two broad types of attacks are possible on an encrypted execution and data (EED) platform: attacks on structural integrity and attacks on the data. For each type of attack, how an attacker could disrupt the execution was studied.
The approach augments the back end of the compiler to instrument each code block of the executable code (and data) with security-related labels that are then examined by a secure hardware component that sits between memory and the processor.
The main technique works as follows: First, the back-end of the compiler module instruments the executable code by inserting integrity checking labels into each code block. Second, the secure hardware component implemented in the field-programmable gate array (FPGA) logic, called the Guard, intercepts cache block read and write requests from the memory controller. The Guard processes each encrypted code block, using the inserted labels to conduct authorization and integrity checking to detect and prevent memory spoofing attacks, and passes on the decrypted code block to the processor’s cache.
One particularly attractive feature of the approach is that a single piece of information (the signature encapsulated in the label) is used to detect all three types of memory spoofing attacks. This signature essentially embeds the program control flow into the binaries and thus can prevent and detect code injection and changes to the program control flow that are forced by the attacker. A second advantage is that the labels are easily inserted post-compilation and, therefore, the approach can be applied to legacy binaries. A third advantage arises from using FPGA hardware, leaving the standard processor components unmodified. Because the FPGA is reprogrammable, encryption algorithms can be changed post-deployment, and because FPGAs are widely used, chip manufacturers are increasing resistance to physical attacks.
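
A minimal software model of the label check described above, added here as an illustration; it is not the researchers' design. The label layout (an HMAC-SHA256 over the block address, its permitted successor addresses and the block bytes), the key, and the sample blocks are assumptions, and block encryption and decryption are left out.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: secret shared by the build tool and the Guard

def _mac(addr, succs, body):
    # Bind block contents to the block's address and its permitted successors.
    header = struct.pack(">II", addr, len(succs))
    targets = b"".join(struct.pack(">I", s) for s in sorted(succs))
    return hmac.new(KEY, header + targets + body, hashlib.sha256).digest()

def instrument(blocks):
    """Compiler back-end step: {addr: (body, successors)} -> labelled memory image."""
    return {a: {"body": b, "succs": tuple(s), "sig": _mac(a, s, b)}
            for a, (b, s) in blocks.items()}

class Guard:
    """Sits between memory and the processor; releases a block only if its label verifies."""
    def __init__(self, memory, entry):
        self.memory = memory
        self.allowed = {entry}  # addresses the current control flow may fetch next

    def fetch(self, addr):
        if addr not in self.allowed:
            raise PermissionError(f"control flow to {addr:#x} not authorised")
        blk = self.memory[addr]
        expected = _mac(addr, blk["succs"], blk["body"])
        if not hmac.compare_digest(blk["sig"], expected):
            raise ValueError(f"integrity check failed at {addr:#x}")
        self.allowed = set(blk["succs"])  # control flow carried by the verified label
        return blk["body"]

# Constructed sample program: three code blocks and their legal control-flow edges.
PROGRAM = {
    0x100: (b"block A", [0x140]),
    0x140: (b"block B", [0x100, 0x180]),
    0x180: (b"block C", []),
}

def run(memory, path, entry=0x100):
    """Fetch the blocks in `path` through a Guard; return 'ok' or the rejection type."""
    guard = Guard(memory, entry)
    try:
        for addr in path:
            guard.fetch(addr)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return "ok"
```

Because the address and successor list are inside the signed data, one signature rejects altered block contents, a validly labelled block copied to a different address, and a fetch that the previous block's label does not permit.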