Bespoke Security for Resource Constrained Cyber-Physical Systems Miguel A. Arroyo Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy under the Executive Committee of the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2021 © 2020 Miguel A. Arroyo All Rights Reserved Abstract Bespoke Security for Resource Constrained Cyber-Physical Systems Miguel A. Arroyo Cyber-Physical Systems (CPSs) are critical to many aspects of our daily lives. Autonomous cars, life sav- ing medical devices, drones for package delivery, and robots for manufacturing are all prime examples of CPSs. The dual cyber/physical operating nature and highly integrated feedback control loops of CPSs means that they inherit security problems from traditional computing systems (e.g., software vulnerabilities, hard- ware side-channels) and physical systems (e.g., theft, tampering), while additionally introducing challenges of their own. The challenges to achieving security for CPSs stem not only from the interaction of the cyber and physical domains, but from the additional pressures of resource constraints imposed due to cost, limited energy budgets, and real-time nature of workloads. Due to the tight resource constraints of CPSs, there is often little headroom to devote for security. Thus, there is a need for low overhead deployable solutions to harden resource constrained CPSs. This dissertation shows that security can be effectively integrated into re- source constrained cyber-physical system devices by leveraging fundamental physical properties, & tailoring and extending age-old abstractions in computing. To provide context on the state of security for CPSs, this document begins with the development of a unifying framework that can be used to identify threats and opportunities for enforcing security policies while providing a systematic survey of the field. This dissertation characterizes the properties of CPSs and typical components (e.g., sensors, actuators, computing devices) in addition to the software commonly used. We discuss available security primitives and their limitations for both hardware and software. In particular, we focus on software security threats targeting memory safety. The rest of the thesis focuses on the design and implementation of novel, deployable approaches to combat memory safety on resource constrained devices used by CPSs (e.g., 32-bit processors and microcontrollers). We first discuss how cyber-physical system properties such as inertia and feedback can be used to harden software efficiently with minimal modification to both hardware and software. We develop the framework You Only Live Once (YOLO) that proactively resets a device and restores it from a secure verified snapshot. YOLO relies on inertia, to tolerate periods of resets, and on feedback to rebuild state when recovering from a snapshot. YOLO is built upon a theoretical model that is used to determine safe operating parameters to aid a system designer in deployment. We evaluate YOLO in simulation and two real-world CPSs, an engine and drone. Second, we explore how rethinking of core computing concepts can lead to new fundamental abstractions that can efficiently hide performance overheads usually associated with hardening software against memory safety issues. To this end, we present two techniques: (i) The Phantom Address Space (PAS) is a new architec- tural concept that can be used to improve N-version systems by (almost) eliminating the overheads associated with handling replicated execution. Specifically, PAS can be used to provide an efficient implementation ofa diversification concept known as execution path randomization aimed at thwarting code-reuse attacks. The goal of execution path randomization is to frequently switch between two distinct program variants forc- ing the attacker to gamble on which code to reuse. (ii) Cache Line Formats (Califorms) introduces a novel method to efficiently store memory in caches. Califorms makes the novel insight that dead spaces in program data due to its memory layout can be used to efficiently implement the concept of memory blacklisting, which prohibits a program from accessing certain memory regions based on program semantics. Califorms not only consumes less memory than prior approaches, but can provide byte-granular protection while limiting the scope of its hardware changes to caches. While both PAS and Califorms were originally designed to target resource constrained devices, its worth noting that they are widely applicable and can efficiently scale up to mobile, desktop, and server class processors. As CPSs continue to proliferate and become integrated in more critical infrastructure, security is an in- creasing concern. However, security will undoubtedly always play second fiddle to financial concerns that affect business bottom lines. Thus, it is important that there be easily deployable, low-overhead solutions that can scale from the most constrained of devices to more featureful systems for future migration. This disserta- tion is one step towards the goal of providing inexpensive mechanisms to ensure the security of cyber-physical system software. Contents List of Figures v List of Tables vi Acknowledgements viii Part I. Cyber-Physical Systems 1 1 Introduction 2 1.1 What are Cyber-Physical Systems? .................................. 2 1.2 How is Security different from Safety? ................................ 4 1.3 How is Cyber-Physical System Security Different? ......................... 4 1.3.1 Software Security ........................................ 4 1.3.2 Physical Security ........................................ 7 1.3.3 Why has security lagged behind? ............................... 8 1.4 Contributions .............................................. 10 1.4.1 Leveraging Physical Properties for Software Security ................... 10 1.4.2 Revisiting Age-old Computing Abstractions for Efficient Security ........... 11 2 A Cyber-Physical System Framework 14 2.1 The Origins of Cyber-Physical Systems ................................ 14 2.2 CPS Properties .............................................. 15 2.3 Framework ................................................ 16 2.3.1 Cyber Layer ........................................... 18 2.3.2 Cyber-Physical Layer ..................................... 18 2.3.3 Physical Layer .......................................... 19 2.3.4 External Layer ......................................... 19 2.4 Framework Case-Study: Industrial Robot .............................. 20 3 Characterizing Cyber-Physical Systems 23 3.1 Sensing & Actuation ........................................... 23 3.2 Control .................................................. 25 3.2.1 Computational Resources ................................... 26 3.2.2 Software Stack ......................................... 32 4 Cyber-Physical System Security 36 4.1 Leveraging the CPS Framework .................................... 36 4.1.1 Individual Component Security ............................... 36 4.1.2 Emergent System Security ................................... 37 4.2 Prominent Threats ............................................ 38 i Contents 4.2.1 Cyber-Physical Layer ..................................... 38 4.2.2 Cyber Layer ........................................... 40 4.2.3 Across Layers .......................................... 41 4.3 Defensive Opportunities ........................................ 43 4.3.1 Leveraging Physical Properties ................................ 43 4.3.2 Revisiting Computing Abstractions ............................. 45 4.4 Challenges ................................................ 45 4.4.1 Physical Limitations ...................................... 45 4.4.2 Resource Limitations ..................................... 46 4.4.3 Adoption ............................................ 46 4.4.4 Testability ............................................ 47 Part II. Leveraging Physical Properties for Software Security 48 5 You Only Live Once (YOLO) 49 5.1 Overview ................................................. 49 5.2 Threat Model ............................................... 52 5.3 Security Discussion ........................................... 53 5.3.1 Memory ............................................. 53 5.3.2 Timeliness ............................................ 54 5.4 Theoretical Analysis ........................................... 56 5.4.1 Problem Formulation ..................................... 56 5.4.2 Stability Analysis ........................................ 57 5.4.3 Case Study: DC Motor .................................... 59 5.5 Experimental Analysis ......................................... 62 5.5.1 Case Study: Engine Control Unit ............................... 62 5.5.2 Case Study: Flight Controller ................................. 65 5.6 Limitations ................................................ 69 5.7 Related Work ............................................... 70 Part III. Revisiting Age-old Computing Abstractions for Efficient Security 72 6 Phantom Address Space (PAS) 73 6.1 Overview ................................................. 73 6.2 Threat Model ............................................... 75 6.3 Framework ................................................ 76 6.4 Construction ............................................... 77 6.5 Correctness ................................................ 79 6.6 Code Reuse Protection ......................................... 80 6.6.1 TRAP Instructions ......................................