Thesis 109525008: Detailed Record




Name: 盧俊安 (Chun-An Lu)
Department: Graduate Institute of Software Engineering
Thesis title: TrustFURE: A Tamper Resistance System for Software Defined Satellite
Files: full text in the system is never open to the public
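Abstract (translated from Chinese): Software defined satellites carry out different satellite missions by updating the FPGA firmware. For the security of remote updates, we propose TrustFURE, a tamper resistance system for software defined satellites. Existing update schemes focus on recoverability, dynamic updates and transport security, but give little consideration to attacks on the firmware. TrustFURE disables the FPGA configuration interface in the Rich Execution Environment (REE). TrustFURE also implements a trusted application and secure drivers for FPGA updates in the Trusted Execution Environment (TEE), to prevent attackers from tampering with or stealing the firmware. In addition, to make satellite operation reliable, TrustFURE integrates a failure recovery mechanism that lets the satellite detect its own failures and return to normal operation. Finally, we experimented with and analyzed our implementation on a Xilinx ARM/FPGA system-on-chip development board, demonstrating its security, reliability and low overhead.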
Abstract (English): Software defined satellites perform different space missions by updating the FPGA firmware. To perform secure remote updates, we propose TrustFURE, a tamper resistance system for software defined satellites. Existing update schemes are dedicated to recoverability, dynamic updates and transport security, but they do not consider attacks on the firmware. TrustFURE disables the FPGA configuration interface in the Rich Execution Environment (REE). TrustFURE also includes trusted applications and security drivers for FPGA updates, which are implemented in the Trusted Execution Environment (TEE) to prevent attackers from tampering with or stealing firmware. In addition, to make the satellite operation reliable, TrustFURE also integrates a failure recovery mechanism, so that the satellite can detect its failure and return to normal operation. Finally, we evaluated our implementation on a Xilinx ARM/FPGA SoC development board, illustrating its security, reliability and low overhead.
Keywords ★ FPGA Update
★ Failure Recovery
★ Software Defined Satellite
★ Trusted Execution Environment
★ ARM TrustZone
Table of Contents
Chinese Abstract
Abstract
Acknowledgements
Contents
List of Figures
List of Tables
1 Introduction
2 Related Works and Preliminary
2.1 Preliminary
2.1.1 Trusted Execution Environment
2.1.2 ARM TrustZone
2.1.3 Zynq UltraScale+ Architecture
2.2 Related Work
2.2.1 Firmware Update Mechanism
2.2.2 PL Firmware Update Mechanism
2.2.3 MPSoC (ARM Processor + FPGA) Risk Analysis
3 System Model
3.1 Satellite Firmware Update System
3.2 System Assumptions
3.3 Threat Model
3.3.1 Physical factor
3.3.2 Personal factor
4 Secure PL Firmware Update Design
4.1 System Architecture
4.2 Restricting Configuration Interfaces
4.2.1 Disable access to sensitive PM services
4.2.2 Disable PL configuration from Normal World by removing Xilfpga library
4.3 Normal World
4.3.1 Remove FPGA Manager Driver and FPGA Utility
4.3.2 Trigger PL update
4.4 Secure World
4.4.1 PL Updater Trusted Application
4.4.2 Bitstream Downloader
4.4.3 PL Manager Pseudo Trusted Application
4.4.4 Secure Driver
4.5 TrustFURE Data and Control Flow
5 Secure PL Firmware Update Implementation
5.1 Custom PMU firmware
5.2 PL Updater Trusted Application
5.2.1 Detail of secure memory
5.2.2 Detail of OP-TEE page tables
5.2.3 Details of Performance Optimization
5.3 Bitstream Downloader
5.4 PL Manager PTA
5.5 PCAP Secure Driver
5.5.1 Pre-processing of PL firmware
5.6 DMA Secure Driver
5.6.1 Detail of cache coherence
6 Automatic Failure Recovery Mechanism
6.1 Application Layer Failure
6.2 System and Hardware Layer Failure
6.2.1 System Watchdog Timer
7 Evaluation
7.1 Security Analysis
7.1.1 PL Configuration Interfaces
7.1.2 PL Firmware
7.1.3 Trust
7.1.4 Trusted Computing Base
7.1.5 Minimize modification
7.1.6 Side Channel Attacks on DDR Memory
7.2 Performance Evaluation
7.2.1 Invoke Execution Time
7.2.2 Execution Time of PL Update
7.2.3 Compare Update Speed with Xilinx Solution
7.3 Analysis of Failure Recovery
8 Conclusion
Bibliography
Appendices
A Remove PMU firmware from Xilfpga
B Bitstream Header
C Parallelized startup of systemd
D System Watchdog Timer (SWDT)
E PMU handling of timeout signals and robustness
Advisor: 張貴雲 (Guey-Yun Chang)
Approval date: 2022-9-7