YOLO: frequently resetting cyber-physical systems for security

A Cyber-Physical System (CPS) is defined by its unique interactions between digital (cyber) computation and physical motion. This hybrid nature introduces new attack vectors, but it also provides an opportunity to design new security defenses. In this paper, we present a new domain-specific security mechanism, YOLO, that leverages physical properties such as inertia to improve security. YOLO is simple to describe. It goes through two operations, Reset and Diversify, as frequently as possible, typically on the order of a few seconds. Resets mitigate attacks that aim to achieve persistence, and they enhance the power of diversification techniques. Due to inertia, CPSs can remain safe even under frequent resets. We introduce an analytical approach to evaluate the feasibility of a YOLO-ized system. Using this analytical model, we define the constraints on reset periods needed to maintain the CPS's stability. We evaluate our approach in simulation and on two real systems: an engine control unit (ECU) of a car and a flight controller (FC) of a quadcopter. From our experiments, we determine that resets can be triggered frequently, as fast as every 125ms for the ECU and every second for the FC, without violating safety.
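To make the inertia argument concrete, here is an added simulation (not the paper's model or code) of a controller that is reset every `reset_period` seconds and is unavailable for `reboot_time` seconds each time, with the actuator forced to zero while it is down. The plant, gains and tolerance are constructed values; the function `min_safe_reset_period` searches for the shortest reset period whose worst-case deviation stays within a safety bound, which is the kind of constraint the analytical model derives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Plant:
    """Constructed first-order rotational load: J * dv/dt = u - b * v."""
    inertia: float   # J: a heavier rotor drifts more slowly while unactuated
    damping: float   # b: passive slow-down when no torque is applied


def simulate(plant, setpoint, reset_period, reboot_time,
             kp=10.0, dt=0.001, horizon=5.0):
    """Worst |v - setpoint| seen while the controller is reset every
    reset_period seconds and stays down for reboot_time seconds each time.
    While up it applies proportional control plus a feedforward term; while
    rebooting the actuator output is 0 (fail-safe), so the plant coasts."""
    if reboot_time >= reset_period:
        raise ValueError("controller would never run between resets")
    period_steps = round(reset_period / dt)
    reboot_steps = round(reboot_time / dt)
    v, worst = setpoint, 0.0
    for k in range(round(horizon / dt)):
        if k % period_steps < reboot_steps:
            u = 0.0                                   # controller is rebooting
        else:
            u = kp * (setpoint - v) + plant.damping * setpoint
        v += dt * (u - plant.damping * v) / plant.inertia   # forward Euler step
        worst = max(worst, abs(v - setpoint))
    return worst


def is_safe(plant, setpoint, reset_period, reboot_time, tolerance):
    return simulate(plant, setpoint, reset_period, reboot_time) <= tolerance


def min_safe_reset_period(plant, setpoint, reboot_time, tolerance, candidates):
    """Shortest candidate period whose worst deviation stays within tolerance,
    or None if no candidate keeps the plant inside the safety bound."""
    for period in sorted(candidates):
        if period > reboot_time and is_safe(plant, setpoint, period,
                                            reboot_time, tolerance):
            return period
    return None


HEAVY = Plant(inertia=2.0, damping=1.0)   # constructed: large inertia
LIGHT = Plant(inertia=0.2, damping=1.0)   # constructed: small inertia

if __name__ == "__main__":
    for name, plant in (("heavy", HEAVY), ("light", LIGHT)):
        p = min_safe_reset_period(plant, 100.0, 0.05, 5.0,
                                  [0.125, 0.25, 0.5, 1.0, 2.0])
        print(f"{name} rotor: shortest safe reset period = {p}")
```

With these constructed numbers the heavy rotor tolerates a reset every 250 ms but not every 125 ms, while the light rotor drifts outside the 5-unit bound during any 50 ms reboot, so no candidate period is safe for it.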
