-
Qualitative Analysis for Validating IEC 62443-4-2 Requirements in DevSecOps
Authors:
Christian Göttel,
Maëlle Kabir-Querrec,
David Kozhaya,
Thanikesavan Sivanthi,
Ognjen Vuković
Abstract:
Validation of conformance to cybersecurity standards for industrial automation and control systems is an expensive and time consuming process which can delay the time to market. It is therefore crucial to introduce conformance validation stages into the continuous integration/continuous delivery pipeline of products. However, designing such conformance validation in an automated fashion is a highl…
▽ More
Validation of conformance to cybersecurity standards for industrial automation and control systems is an expensive and time consuming process which can delay the time to market. It is therefore crucial to introduce conformance validation stages into the continuous integration/continuous delivery pipeline of products. However, designing such conformance validation in an automated fashion is a highly non-trivial task that requires expert knowledge and depends upon the available security tools, ease of integration into the DevOps pipeline, as well as support for IT and OT interfaces and protocols.
This paper addresses the aforementioned problem focusing on the automated validation of ISA/IEC 62443-4-2 standard component requirements. We present an extensive qualitative analysis of the standard requirements and the current tooling landscape to perform validation. Our analysis demonstrates the coverage established by the currently available tools and sheds light on current gaps to achieve full automation and coverage. Furthermore, we showcase for every component requirement where in the CI/CD pipeline stage it is recommended to test it and the tools to do so.
△ Less
Submitted 23 October, 2023; v1 submitted 13 October, 2023;
originally announced October 2023.
-
Attestation Mechanisms for Trusted Execution Environments Demystified
Authors:
Jämes Ménétrey,
Christian Göttel,
Anum Khurshid,
Marcelo Pasin,
Pascal Felber,
Valerio Schiavoni,
Shahid Raza
Abstract:
Attestation is a fundamental building block to establish trust over software systems. When used in conjunction with trusted execution environments, it guarantees the genuineness of the code executed against powerful attackers and threats, paving the way for adoption in several sensitive application domains. This paper reviews remote attestation principles and explains how the modern and industrial…
▽ More
Attestation is a fundamental building block to establish trust over software systems. When used in conjunction with trusted execution environments, it guarantees the genuineness of the code executed against powerful attackers and threats, paving the way for adoption in several sensitive application domains. This paper reviews remote attestation principles and explains how the modern and industrially well-established trusted execution environments Intel SGX, Arm TrustZone and AMD SEV, as well as emerging RISC-V solutions, leverage these mechanisms.
△ Less
Submitted 23 September, 2022; v1 submitted 8 June, 2022;
originally announced June 2022.
-
An Exploratory Study of Attestation Mechanisms for Trusted Execution Environments
Authors:
Jämes Ménétrey,
Christian Göttel,
Marcelo Pasin,
Pascal Felber,
Valerio Schiavoni
Abstract:
Attestation is a fundamental building block to establish trust over software systems. When used in conjunction with trusted execution environments, it guarantees that genuine code is executed even when facing strong attackers, paving the way for adoption in several sensitive application domains. This paper reviews existing remote attestation principles and compares the functionalities of current t…
▽ More
Attestation is a fundamental building block to establish trust over software systems. When used in conjunction with trusted execution environments, it guarantees that genuine code is executed even when facing strong attackers, paving the way for adoption in several sensitive application domains. This paper reviews existing remote attestation principles and compares the functionalities of current trusted execution environments as Intel SGX, Arm TrustZone and AMD SEV, as well as emerging RISC-V solutions.
△ Less
Submitted 15 April, 2022; v1 submitted 14 April, 2022;
originally announced April 2022.
-
Scrooge Attack: Undervolting ARM Processors for Profit
Authors:
Christian Göttel,
Konstantinos Parasyris,
Osman Unsal,
Pascal Felber,
Marcelo Pasin,
Valerio Schiavoni
Abstract:
Latest ARM processors are approaching the computational power of x86 architectures while consuming much less energy. Consequently, supply follows demand with Amazon EC2, Equinix Metal and Microsoft Azure offering ARM-based instances, while Oracle Cloud Infrastructure is about to add such support. We expect this trend to continue, with an increasing number of cloud providers offering ARM-based clou…
▽ More
Latest ARM processors are approaching the computational power of x86 architectures while consuming much less energy. Consequently, supply follows demand with Amazon EC2, Equinix Metal and Microsoft Azure offering ARM-based instances, while Oracle Cloud Infrastructure is about to add such support. We expect this trend to continue, with an increasing number of cloud providers offering ARM-based cloud instances.
ARM processors are more energy-efficient leading to substantial electricity savings for cloud providers. However, a malicious cloud provider could intentionally reduce the CPU voltage to further lower its costs. Running applications malfunction when the undervolting goes below critical thresholds. By avoiding critical voltage regions, a cloud provider can run undervolted instances in a stealthy manner.
This practical experience report describes a novel attack scenario: an attack launched by the cloud provider against its users to aggressively reduce the processor voltage for saving energy to the last penny. We call it the Scrooge Attack and show how it could be executed using ARM-based computing instances. We mimic ARM-based cloud instances by deploying our own ARM-based devices using different generations of Raspberry Pi. Using realistic and synthetic workloads, we demonstrate to which degree of aggressiveness the attack is relevant. The attack is unnoticeable by our detection method up to an offset of -50mV. We show that the attack may even remain completely stealthy for certain workloads. Finally, we propose a set of client-based detection methods that can identify undervolted instances. We support experimental reproducibility and provide instructions to reproduce our results.
△ Less
Submitted 12 May, 2022; v1 submitted 1 July, 2021;
originally announced July 2021.
-
Security, Performance and Energy Implications of Hardware-assisted Memory Protection Mechanisms on Event-based Streaming Systems
Authors:
Christian Göttel,
Rafael Pires,
Isabelly Rocha,
Sébastien Vaucher,
Pascal Felber,
Marcelo Pasin,
Valerio Schiavoni
Abstract:
Major cloud providers such as Amazon, Google and Microsoft provide nowadays some form of infrastructure as a service (IaaS) which allows deploying services in the form of virtual machines, containers or bare-metal instances. Although software-based solutions like homomorphic encryption exit, privacy concerns greatly hinder the deployment of such services over public clouds. It is particularly diff…
▽ More
Major cloud providers such as Amazon, Google and Microsoft provide nowadays some form of infrastructure as a service (IaaS) which allows deploying services in the form of virtual machines, containers or bare-metal instances. Although software-based solutions like homomorphic encryption exit, privacy concerns greatly hinder the deployment of such services over public clouds. It is particularly difficult for homomorphic encryption to match performance requirements of modern workloads. Evaluating simple operations on basic data types with HElib, a homomorphic encryption library, against their unencrypted counter part reveals that homomorphic encryption is still impractical under realistic workloads.
△ Less
Submitted 9 April, 2021; v1 submitted 8 April, 2021;
originally announced April 2021.
-
TZ4Fabric: Executing Smart Contracts with ARM TrustZone
Authors:
Christina Müller,
Marcus Brandenburger,
Christian Cachin,
Pascal Felber,
Christian Göttel,
Valerio Schiavoni
Abstract:
Blockchain technology promises to revolutionize manufacturing industries. For example, several supply-chain use-cases may benefit from transparent asset tracking and automated processes using smart contracts. Several real-world deployments exist where the transparency aspect of a blockchain is both an advantage and a disadvantage at the same time. The exposure of assets and business interaction re…
▽ More
Blockchain technology promises to revolutionize manufacturing industries. For example, several supply-chain use-cases may benefit from transparent asset tracking and automated processes using smart contracts. Several real-world deployments exist where the transparency aspect of a blockchain is both an advantage and a disadvantage at the same time. The exposure of assets and business interaction represent critical risks. However, there are typically no confidentiality guarantees to protect the smart contract logic as well as the processed data. Trusted execution environments (TEE) are an emerging technology available in both edge or mobile-grade processors (e.g., Arm TrustZone) and server-grade processors (e.g., Intel SGX). TEEs shield both code and data from malicious attackers. This practical experience report presents TZ4Fabric, an extension of Hyperledger Fabric to leverage Arm TrustZone for the secure execution of smart contracts. Our design minimizes the trusted computing base executed by avoiding the execution of a whole Hyperledger Fabric node inside the TEE, which continues to run in untrusted environment. Instead, we restrict it to the execution of only the smart contract. The TZ4Fabric prototype exploits the open-source OP-TEE framework, as it supports deployments on cheap low-end devices (e.g., Raspberry Pis). Our experimental results highlight the performance trade-off due to the additional security guarantees provided by Arm TrustZone. TZ4Fabric will be released as open-source.
△ Less
Submitted 23 November, 2020; v1 submitted 26 August, 2020;
originally announced August 2020.
-
Hermes: Enabling Energy-efficient IoT Networks with Generalized Deduplication
Authors:
Christian Göttel,
Lars Nielsen,
Niloofar Yazdani,
Pascal Felber,
Daniel E. Lucani,
Valerio Schiavoni
Abstract:
With the advent of the Internet of Things (IoT), the ever growing number of connected devices observed in recent years and foreseen for the next decade suggests that more and more data will have to be transmitted over a network, before being processed and stored in data centers. Generalized deduplication (GD) is a novel technique to effectively reduce the data storage cost by identifying similar d…
▽ More
With the advent of the Internet of Things (IoT), the ever growing number of connected devices observed in recent years and foreseen for the next decade suggests that more and more data will have to be transmitted over a network, before being processed and stored in data centers. Generalized deduplication (GD) is a novel technique to effectively reduce the data storage cost by identifying similar data chunks, and able to gradually reduce the pressure from the network infrastructure by limiting the data that needs to be transmitted.
This paper presents Hermes, an application-level protocol for the data-plane that can operate over generalized deduplication, as well as over classic deduplication. Hermes significantly reduces the data transmission traffic while effectively decreasing the energy footprint, a relevant matter to consider in the context of IoT deployments. We fully implemented Hermes and evaluated its performance using consumer-grade IoT devices (e.g., Raspberry Pi 4B models). Our results highlight several trade-offs that must be taken into account when considering real-world workloads.
△ Less
Submitted 20 July, 2020; v1 submitted 22 May, 2020;
originally announced May 2020.
-
LEGaTO: Low-Energy, Secure, and Resilient Toolset for Heterogeneous Computing
Authors:
B. Salami,
K. Parasyris,
A. Cristal,
O. Unsal,
X. Martorell,
P. Carpenter,
R. De La Cruz,
L. Bautista,
D. Jimenez,
C. Alvarez,
S. Nabavi,
S. Madonar,
M. Pericas,
P. Trancoso,
M. Abduljabbar,
J. Chen,
P. N. Soomro,
M Manivannan,
M. Berge,
S. Krupop,
F. Klawonn,
Al Mekhlafi,
S. May,
T. Becker,
G. Gaydadjiev
, et al. (20 additional authors not shown)
Abstract:
The LEGaTO project leverages task-based programming models to provide a software ecosystem for Made in-Europe heterogeneous hardware composed of CPUs, GPUs, FPGAs and dataflow engines. The aim is to attain one order of magnitude energy savings from the edge to the converged cloud/HPC, balanced with the security and resilience challenges. LEGaTO is an ongoing three-year EU H2020 project started in…
▽ More
The LEGaTO project leverages task-based programming models to provide a software ecosystem for Made in-Europe heterogeneous hardware composed of CPUs, GPUs, FPGAs and dataflow engines. The aim is to attain one order of magnitude energy savings from the edge to the converged cloud/HPC, balanced with the security and resilience challenges. LEGaTO is an ongoing three-year EU H2020 project started in December 2017.
△ Less
Submitted 1 December, 2019;
originally announced December 2019.
-
iperfTZ: Understanding Network Bottlenecks for TrustZone-based Trusted Applications
Authors:
Christian Göttel,
Pascal Felber,
Valerio Schiavoni
Abstract:
The growing availability of hardware-based trusted execution environments (TEEs) in commodity processors has recently advanced support (i.e., design, implementation and deployment frameworks) for network-based secure services. Examples of such TEEs include ARM TrustZone or Intel SGX, largely available in embedded, mobile and server-grade processors. TEEs shield services from compromised hosts, mal…
▽ More
The growing availability of hardware-based trusted execution environments (TEEs) in commodity processors has recently advanced support (i.e., design, implementation and deployment frameworks) for network-based secure services. Examples of such TEEs include ARM TrustZone or Intel SGX, largely available in embedded, mobile and server-grade processors. TEEs shield services from compromised hosts, malicious users or powerful attackers. TEE-enabled devices are largely being deployed on the edge of the network, paving the way for large-scale deployments of trusted applications. These applications allow processing and disseminating sensitive data without having to trust cloud providers. However, uncovering network performance limitations of such trusted applications is difficult and currently lacking, despite the interest and reliance by developers and system deployers.
iperfTZ is an open-source tool to uncover network performance bottlenecks rooted at the design and implementation of trusted applications for ARM TrustZone and underlying runtime systems. Our evaluation based on micro-benchmarks shows current trade-offs for trusted applications, both from a network as well as an energy perspective; an often overlooked yet relevant aspect for edge-based deployments.
△ Less
Submitted 23 December, 2019; v1 submitted 14 September, 2019;
originally announced September 2019.
-
HEATS: Heterogeneity- and Energy-Aware Task-based Scheduling
Authors:
Isabelly Rocha,
Christian Göttel,
Pascal Felber,
Marcelo Pasin,
Romain Rouvoy,
Valerio Schiavoni
Abstract:
Cloud providers usually offer diverse types of hardware for their users. Customers exploit this option to deploy cloud instances featuring GPUs, FPGAs, architectures other than x86 (e.g., ARM, IBM Power8), or featuring certain specific extensions (e.g, Intel SGX). We consider in this work the instances used by customers to deploy containers, nowadays the de facto standard for micro-services, or to…
▽ More
Cloud providers usually offer diverse types of hardware for their users. Customers exploit this option to deploy cloud instances featuring GPUs, FPGAs, architectures other than x86 (e.g., ARM, IBM Power8), or featuring certain specific extensions (e.g, Intel SGX). We consider in this work the instances used by customers to deploy containers, nowadays the de facto standard for micro-services, or to execute computing tasks. In doing so, the underlying container orchestrator (e.g., Kubernetes) should be designed so as to take into account and exploit this hardware diversity. In addition, besides the feature range provided by different machines, there is an often overlooked diversity in the energy requirements introduced by hardware heterogeneity, which is simply ignored by default container orchestrator's placement strategies. We introduce HEATS, a new task-oriented and energy-aware orchestrator for containerized applications targeting heterogeneous clusters. HEATS allows customers to trade performance vs. energy requirements. Our system first learns the performance and energy features of the physical hosts. Then, it monitors the execution of tasks on the hosts and opportunistically migrates them onto different cluster nodes to match the customer-required deployment trade-offs. Our HEATS prototype is implemented within Google's Kubernetes. The evaluation with synthetic traces in our cluster indicate that our approach can yield considerable energy savings (up to 8.5%) and only marginally affect the overall runtime of deployed tasks (by at most 7%). HEATS is released as open-source.
△ Less
Submitted 26 June, 2019;
originally announced June 2019.
-
Develo** Secure Services for IoT with OP-TEE: A First Look at Performance and Usability
Authors:
Christian Göttel,
Pascal Felber,
Valerio Schiavoni
Abstract:
The implementation, deployment and testing of secure services for Internet of Things devices is nowadays still at an early stage. Several frameworks have recently emerged to help developers realize such services, abstracting the complexity of the many types of underlying hardware platforms and software libraries. Assessing the performance and usability of a given framework remains challenging, as…
▽ More
The implementation, deployment and testing of secure services for Internet of Things devices is nowadays still at an early stage. Several frameworks have recently emerged to help developers realize such services, abstracting the complexity of the many types of underlying hardware platforms and software libraries. Assessing the performance and usability of a given framework remains challenging, as they are largely influenced by the application and workload considered, as well as the target hardware. Since 15 years, ARM processors are providing support for TrustZone, a set of security instructions that realize a trusted execution environment inside the processor. OP-TEE is a free-software framework to implement trusted applications and services for TrustZone. In this short paper we show how one can leverage OP-TEE for implementing a secure service (i.e., a key-value store). We deploy and evaluate the performance of this trusted service on common Raspberry Pi hardware platforms. We report our experimental results with the data store and also compare it against OP-TEE's built-in secure storage.
△ Less
Submitted 26 June, 2019; v1 submitted 25 April, 2019;
originally announced April 2019.
-
Security, Performance and Energy Trade-offs of Hardware-assisted Memory Protection Mechanisms
Authors:
Christian Göttel,
Rafael Pires,
Isabelly Rocha,
Sébastien Vaucher,
Pascal Felber,
Marcelo Pasin,
Valerio Schiavoni
Abstract:
The deployment of large-scale distributed systems, e.g., publish-subscribe platforms, that operate over sensitive data using the infrastructure of public cloud providers, is nowadays heavily hindered by the surging lack of trust toward the cloud operators. Although purely software-based solutions exist to protect the confidentiality of data and the processing itself, such as homomorphic encryption…
▽ More
The deployment of large-scale distributed systems, e.g., publish-subscribe platforms, that operate over sensitive data using the infrastructure of public cloud providers, is nowadays heavily hindered by the surging lack of trust toward the cloud operators. Although purely software-based solutions exist to protect the confidentiality of data and the processing itself, such as homomorphic encryption schemes, their performance is far from being practical under real-world workloads.
The performance trade-offs of two novel hardware-assisted memory protection mechanisms, namely AMD SEV and Intel SGX - currently available on the market to tackle this problem, are described in this practical experience.
Specifically, we implement and evaluate a publish/subscribe use-case and evaluate the impact of the memory protection mechanisms and the resulting performance. This paper reports on the experience gained while building this system, in particular when having to cope with the technical limitations imposed by SEV and SGX.
Several trade-offs that provide valuable insights in terms of latency, throughput, processing time and energy requirements are exhibited by means of micro- and macro-benchmarks.
△ Less
Submitted 26 June, 2019; v1 submitted 11 March, 2019;
originally announced March 2019.