A tool to make the Internet of Things safer

June 4, 2014

Is your car hackable? Cadillac XTS instrument panel with dual LCDs. (Credit: General Motors)

Computer scientists at the University of California, San Diego have developed a tool that allows hardware designers and system builders to test security — a first for the field.

One of the tool’s potential uses is described in the May–June issue of IEEE Micro magazine.

“The stakes in hardware security are high,” said Ryan Kastner, a professor of computer science at the Jacobs School of Engineering at UC San Diego.

There is a big push to create the “Internet of Things,” where all devices are connected and communicate with one another. As a result, embedded systems — small computer systems built around microcontrollers — are becoming more common.

But they remain vulnerable to security breaches. Some examples of devices that may be hackable: medical devices, cars, cell phones, and smart grid technology.

“Engineers traditionally design devices to be fast and use as little power as possible,” said Jonathan Valamehr, a postdoctoral researcher in the Department of Computer Science and Engineering at UC San Diego. “Oftentimes, they don’t design them with security in mind.”

The two main threats

There are two main threats in hardware security:

  • Confidentiality: in some types of hardware, one can determine a device’s cryptographic key based on the amount of time it takes to encrypt information. The tool can detect these so-called timing channels that can compromise a device’s security.
  • Integrity: where a critical subsystem within a device can be affected by non-critical ones. For example, a car’s brakes can be affected by its CD player. The tool can detect these integrity violations as well.

Gate-level information flow tracking

Gate level information flow tracking (GLIFT) (credit: Jason Oberg et al./IEEE Micro)

The team has developed a tool based on its research on Gate-level Information Flow Tracking, or GLIFT, which tags critical pieces in a hardware’s security system and tracks them.

The tool leverages this technology to detect security-specific properties within a hardware system. For example, the tool can make sure that a cryptographic key does not leak outside a chip’s cryptographic core.
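The tagging idea can be simulated in a few lines. The following is an added sketch, not code from the article or from the UC San Diego tool: every wire carries a value and a taint bit, and each gate gets shadow logic that taints its output only when a tainted input can actually change it. The debug-mux circuit, the pin and all function names are hypothetical.

```python
from itertools import product

# A wire is (value, taint); taint = 1 means the bit may carry secret data.

def glift_and(a, b):
    (av, at), (bv, bt) = a, b
    # Tainted only when a tainted input can actually change the output:
    # an untainted 0 on the other input masks the secret completely.
    return av & bv, (av & bt) | (bv & at) | (at & bt)

def glift_or(a, b):
    (av, at), (bv, bt) = a, b
    # Dual rule: an untainted 1 on the other input masks the secret.
    return av | bv, ((1 - av) & bt) | ((1 - bv) & at) | (at & bt)

def glift_not(a):
    return 1 - a[0], a[1]

def naive_and(a, b):
    # Conservative tracking for comparison: any tainted input taints output.
    return a[0] & b[0], a[1] | b[1]

def output_pin(debug_enable, key_bit, pub_bit):
    """Hypothetical chip pin: (debug AND key) OR (NOT debug AND public)."""
    sel = (debug_enable, 0)   # trusted control signal
    key = (key_bit, 1)        # secret: tagged at the crypto core
    pub = (pub_bit, 0)        # public data
    return glift_or(glift_and(sel, key), glift_and(glift_not(sel), pub))

def key_can_leak(debug_enable):
    """Check every key/public value: does taint ever reach the pin?"""
    return any(output_pin(debug_enable, k, p)[1]
               for k, p in product((0, 1), repeat=2))

if __name__ == "__main__":
    print("debug off, key reaches pin:", key_can_leak(0))  # False
    print("debug on,  key reaches pin:", key_can_leak(1))  # True
    print("naive AND with gate closed:", naive_and((0, 0), (1, 1)))
```

With the gate closed, the precise rule reports the pin as clean, while the naive rule would raise a false alarm on the same wire.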

“The techniques developed allow designers to test and provably verify that their computing systems adhere to security properties,” computer science professor Ryan Kastner, Jacobs School of Engineering, University of California, San Diego told KurzweilAI.

“This creates assurances that critical computing systems, which are increasingly governing our lives, have fewer safety and security flaws. For example, the technology can be used to prove that personal information, e.g., a credit card, does not leak to an untrusted app on your phone, or that your radio can never affect the braking system in your car.

“We have developed the first technology that enables the testing and verification of hardware, and the software that runs upon it. The technology is being commercialized by the startup company Tortuga Logic, which consists of four of the key contributors and innovators of the research. This includes Prof. Tim Sherwood from UC Santa Barbara, Prof. Ryan Kastner from UC San Diego, Dr. Jonathan Valamehr, and Dr. Jason Oberg. We are working with several top semiconductor companies to beta test our technology.”

Their next step is to focus on medical devices, computers in cars, and military applications.

The team was recently awarded a $150,000 grant from the National Science Foundation to grow their business and further their research.

* Tortuga Logic is a member of the Medical Device Innovation Safety and Security committee, a nonprofit professional organization, and of the Vehicle Electrical System Security Committee.

References:

  • Jason Oberg, Timothy Sherwood, Ryan Kastner, Eliminating Timing Information Flows in a Mix-trusted System-on-Chip, IEEE, 2014, in press