Sliced secure boot

Secure boot has let computer systems verify software integrity for decades, but these proven techniques cost too much time and processing power for automotive safety controllers. Low-power microcontrollers with unforgiving real-time requirements have limited time available to complete the image check and must use on-chip memory efficiently. Functional safety systems restrict when the check may be conducted in cyber-physical systems. Lastly, the system must maintain security through multiple cycles of remote, unsupervised operation. Safety architectures push towards checking the memory for the next boot cycle, but sampling-based authentication speeds the process enough to allow verification of the current boot cycle. We consider the challenge of maintaining fingerprint efficacy over time with efficient memory usage. We propose Sliced Secure Boot (SSB): treat the memory as a series of blocks, build fingerprints by slicing through the blocks, read one cell from each block, and protect each cell by exactly one reusable fingerprint. We consider an adversary with physical access to the system who wants to maintain normal system operation but add features, disable protections, or modify specific behaviors. We describe how the number of slices and the number and size of the modifications affect the escape rate and verify this with simulation. We identify the upper limit for the detection escape rate under meticulous observation of multiple boot cycles. We address the weakness caused by low-entropy fingerprint patterns by using a seed to provide a unique pattern with ordered fingerprint generation. Our goal is not to demonstrate that sampled checks offer protection equivalent to exhaustive checks, but that where exhaustive checks are not feasible, SSB offers a statistically sufficient level of protection.

We tested SSB on five different microcontrollers and reduced the image check time by a factor of 9 on one family and 23 on the other, allowing us to achieve our goal of verifying the system memory before starting the boot cycle.
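The following is an added toy model of the sampled check described in the abstract; it is not the paper's code, and the exact slice construction is an assumption: the image is modelled as `n_blocks` blocks of `block_size` cells, slice `s` takes exactly one cell from every block (the cell chosen by a per-block permutation derived from a seed, so that every cell belongs to exactly one slice and one reusable fingerprint covers it), and a boot cycle verifies `k_checked` of the slices. The escape rate for a modification that touches `m` slices is then `C(B-m, k) / C(B, k)`, and the Monte Carlo routine checks that the simulated rate agrees with that formula; `escape_rate_over_cycles` gives the bound after several independently sampled boot cycles.

```python
import hashlib
import random
from math import comb


def slice_layout(n_blocks, block_size, seed):
    """Build the slice layout: slice s holds exactly one cell per block.

    The cell used for each block comes from a per-block permutation derived
    from `seed` (assumed construction), so the pattern is device-specific
    rather than the low-entropy "cell s of every block". Every cell lands in
    exactly one slice, so one reusable fingerprint protects it.
    """
    rng = random.Random(seed)
    layout = [[] for _ in range(block_size)]
    for block in range(n_blocks):
        perm = list(range(block_size))
        rng.shuffle(perm)
        for s in range(block_size):
            layout[s].append((block, perm[s]))
    return layout


def fingerprint(image, cells):
    """Hash the bytes at the given (block, cell) positions in slice order."""
    h = hashlib.sha256()
    for block, cell in cells:
        h.update(bytes([image[block][cell]]))
    return h.digest()


def reference_fingerprints(image, layout):
    """Fingerprints computed once over a trusted image and stored for reuse."""
    return [fingerprint(image, cells) for cells in layout]


def check_slices(image, layout, reference, slice_ids):
    """Verify only the chosen slices; return the ids whose fingerprint mismatches."""
    return [s for s in slice_ids if fingerprint(image, layout[s]) != reference[s]]


def analytic_escape_rate(block_size, k_checked, m_touched):
    """Probability that none of the m slices touched by a modification is among
    the k slices checked this boot cycle. Cells of one block all lie in
    distinct slices, so a contiguous m-cell edit inside a block touches m slices."""
    if m_touched > block_size - k_checked:
        return 0.0
    return comb(block_size - m_touched, k_checked) / comb(block_size, k_checked)


def escape_rate_over_cycles(block_size, k_checked, m_touched, cycles):
    """Escape probability after `cycles` boot cycles that each sample k slices independently."""
    return analytic_escape_rate(block_size, k_checked, m_touched) ** cycles


def simulate_escape_rate(n_blocks, block_size, k_checked, mod_len, trials, seed=7):
    """Monte Carlo estimate on a constructed random image: apply a contiguous
    mod_len-byte edit inside one random block, check k random slices, and
    count the edits that go unnoticed."""
    rng = random.Random(seed)
    image = [bytearray(rng.randrange(256) for _ in range(block_size))
             for _ in range(n_blocks)]
    layout = slice_layout(n_blocks, block_size, seed)
    reference = reference_fingerprints(image, layout)
    escaped = 0
    for _ in range(trials):
        block = rng.randrange(n_blocks)
        start = rng.randrange(block_size - mod_len + 1)
        tampered = list(image)
        tampered[block] = bytearray(image[block])
        for cell in range(start, start + mod_len):
            tampered[block][cell] ^= 0x5A  # non-zero mask, so the byte always changes
        checked = rng.sample(range(block_size), k_checked)
        if not check_slices(tampered, layout, reference, checked):
            escaped += 1
    return escaped / trials


if __name__ == "__main__":
    for k in (1, 2, 4):
        print(f"k={k}: analytic {analytic_escape_rate(8, k, 1):.3f}, "
              f"simulated {simulate_escape_rate(16, 8, k, 1, 4000):.3f}")
```

Increasing `k_checked` or observing more boot cycles drives the escape rate down geometrically, while a one-cell edit can only ever hide in one slice; this is the trade-off between check time per boot and the residual escape rate that the abstract describes.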

Metadata
Author: Robert Kaster, Di Ma, Ashish Behl, Bartosz Bakalarczyk
URN: urn:nbn:de:hbz:294-83542
DOI: https://doi.org/10.13154/294-8354
Parent Title (English): 19th escar Europe : The World's Leading Automotive Cyber Security Conference (conference publication)
Subtitle (German): sampled secure boot with re-usable fingerprints
Document Type: Part of a Book
Language: English
Date of Publication (online): 2021/09/29
Date of first Publication: 2021/09/29
Publishing Institution: Ruhr-Universität Bochum, Universitätsbibliothek
Tag: Reusable Fingerprints; Sampled; Secure Boot
First Page: 101
Last Page: 115
Dewey Decimal Classification: General, Computer Science, Information Science / Computer Science
open_access (DINI-Set): open_access
Conference proceedings / edited volumes: 19th escar Europe : The World's Leading Automotive Cyber Security Conference
Licence (German): No Creative Commons licence; the granted rights and German copyright law apply