M2MON: Building an MMIO-based Security Reference Monitor for Unmanned Vehicles

Unmanned Vehicles (UVs) often consist of multiple Microcontroller Units (MCUs) acting as peripherals that interact with the physical world, including GPS sensors, barometers, motors, etc. While the attack vectors for UVs vary, many UV attacks aim to impact the physical world from either the cyber or the physical space, e.g., hijacking a UV's mission via malicious ground control commands or GPS spoofing. This gives us an opportunity to build a unified and generic security framework that defends against multiple kinds of UV attacks by monitoring the system's I/O activities. Accordingly, we build a security reference monitor for UVs, namely M2MON, by hooking into memory-mapped I/O (MMIO). Instead of building upon an existing RTOS, we implement M2MON as a microkernel that runs in privileged mode and intercepts MMIO accesses, while pushing the RTOS and applications into unprivileged mode. We further instantiate an MMIO firewall using M2MON and demonstrate how to implement a secure Extended Kalman Filter (EKF) within M2MON. Our evaluation on a real-world UV system shows that M2MON incurs an 8.85% runtime overhead. Furthermore, the M2MON-based firewall is able to defend against different cyber and physical attacks. The M2MON microkernel contains less than 4K LoC, compared to the 3M LoC of the RTOS used in our evaluation. We believe M2MON provides the first step towards building a trusted and practical security reference monitor for UVs.
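To make the reference-monitor idea concrete, the following is an added illustration (not M2MON's own code) of the decision an MMIO firewall makes each time an unprivileged access to a peripheral register traps into the privileged monitor: a default-deny policy table keyed by device register windows, with the access width checked so that a wide access cannot straddle from a permitted window into a neighbouring one. The device names, addresses, window sizes and policy are constructed sample values, not the real memory map of any UV flight controller.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Access kinds an MMIO trap handler can observe. */
typedef enum { MMIO_READ = 1, MMIO_WRITE = 2 } mmio_access_t;

/* One firewall rule: a device register window and the accesses it allows. */
typedef struct {
    const char *device;
    uint32_t base;     /* first address of the register window */
    uint32_t size;     /* window length in bytes */
    uint8_t  allowed;  /* bitmask of mmio_access_t */
} mmio_rule_t;

/* Hypothetical policy: sensors are read-only to the RTOS, the actuator is read/write. */
static const mmio_rule_t rules[] = {
    { "gps_uart",  0x40004400u, 0x400u, MMIO_READ },
    { "baro_i2c",  0x40005400u, 0x400u, MMIO_READ },
    { "motor_pwm", 0x40000000u, 0x400u, MMIO_READ | MMIO_WRITE },
};
#define NRULES (sizeof rules / sizeof rules[0])

static unsigned denied_count = 0;

/* Reference-monitor decision for one trapped access. Default-deny: the access
 * is permitted only if [addr, addr+width) lies entirely inside one window whose
 * mask includes the access kind. Anything unmapped or straddling is denied. */
bool mmio_check(uint32_t addr, uint32_t width, mmio_access_t kind)
{
    /* reject nonsensical widths and address ranges that wrap around */
    if (width == 0 || width > 8 || addr + width - 1 < addr) { denied_count++; return false; }
    uint32_t last = addr + width - 1;
    for (size_t i = 0; i < NRULES; i++) {
        const mmio_rule_t *r = &rules[i];
        uint32_t rlast = r->base + r->size - 1;
        if (addr >= r->base && last <= rlast) {
            if (r->allowed & kind) return true;
            fprintf(stderr, "deny %s on %s @0x%08x\n",
                    kind == MMIO_WRITE ? "write" : "read", r->device, addr);
            denied_count++;
            return false;
        }
    }
    fprintf(stderr, "deny unmapped access @0x%08x (width %u)\n", addr, width);
    denied_count++;
    return false;
}

/* Number of denied accesses so far; a real monitor would feed this to an audit log. */
unsigned mmio_denied(void) { return denied_count; }
```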
