|
This project develops new ways to defend critical infrastructure systems, such as factory control networks, medical devices, or power plants, against attacks. These systems directly interact with the physical world, so a successful attack can have serious consequences: for instance, a compromised chemical plant could have severe environmental consequences, and a compromised medical device could result in injury or death. Contemporary security mechanisms, however, can be inadequate for at two reasons. First, current defenses tend to be quite heavyweight, which makes them difficult to apply to resource-constrained infrastructure systems. And second, timing is critical: current defenses tend to focus on preventing systems from 'doing the wrong thing' or 'failing to do the right thing', as opposed to preventing systems from 'doing the right thing at the wrong time', which is often just as damaging. To address this problem, this project creates stronger defense mechanisms tailored specifically for infrastructure systems. The new mechanisms explicitly take timing into account, are expected to have lower cost, and will initially be applied to automotive systems in collaboration with a major car manufacturer. The principal investigator will organize tutorials for practitioners, and will enhance the curriculum of the Master's in Embedded Systems program at the University of Pennsylvania with more coverage of Internet-of-Things security. She is also developing a series of outreach activities to improve the representation of women and minorities in the real-time systems community. Collaborations with the law school and the medical school at the University of Pennsylvania will investigate how to use the new techniques to improve the legal framework for infrastructure systems, by offering better accountability for product defects, for example, and how to apply them to improve the security of medical systems.
This project pursues an approach called bounded-time recovery. Unlike many existing techniques, bounded time recovery does not attempt to mask all symptoms of an attack, which existing defenses do at great cost; rather, it leverages the fact that many systems cannot change their state arbitrarily quickly, due to properties such as inertia or thermal capacity, and can thus already tolerate brief disruptions, provided the system quickly returns to a correct state. This approach seeks guarantees that 1) the system will meet its timing requirements in the absence of an attack, and that 2) when under attack, the system will return to a correct state within a bounded amount of time, potentially after reconfiguring itself to exclude compromised nodes. The goal is to provide these guarantees in the Byzantine model, that is, without a priori knowledge of what the attacks will look like, or which nodes will be attacked. To achieve this goal, the project will construct practical algorithms for (provably) detecting attacks within bounded time, based on techniques such as tamper-evident logs and cryptographic evidence; create methods for recovering from detected attacks within bounded time, using ideas from multi-mode systems; and produce reusable implementations of the new techniques that will be widely disseminated and made available under an open-source license.
|
CAREER: Resilient Execution with Bounded-Time Recovery (REBOUND)