Advanced IoT, Real-Time, and Embedded Systems Security, Fall 2019

Instructor: Ning Zhang, zhang.ning@wustl.edu, public key
TA: Fangchen Li, fangchen.li@wustl.edu
Meeting: Tue, Thurs: 10:00 am - 11:20 am
Classroom: Lopata Hall 101
Canvas: https://wustl.instructure.com/courses/24226
Piazza: https://piazza.com/wustl/fall2019/cse569s
Blogs: https://bearshell.blogspot.com/

Announcement


Course Description


This class focuses on the theory and practice of secure embedded/IoT systems. Students will explore security and privacy issues in deployed or emerging IoT systems, examining a rich variety of devices from drones and self-driving cars to smart home light bulbs and implanted pacemakers, across different layers of computing from network to wireless signal, from application to device kernel and driver. The class is organized around a set of pre-selected topics, with lecture and discussion on those topics. It is a project-oriented class, where each student or team of students will pick a topic of interest within the scope of the class, then develop a project on a real-world security issue in IoT/embedded systems.

Recommended Pre-req:
- Solid programming skills, basic networking and OS concepts (CSE 361S, 422S, 433S, 473S, 523S)
- Feel free to join the class without pre-req as long as you are willing to pick up the system knowledge in the first several weeks of the class.

Textbook


There is no textbook for the class. We will use research papers for some of the topics. However, the following references can be helpful.

Grading


There is no exam in this class; evaluation will be based on class participation and final projects.

Class Participation (20%)
- 10% -- Blog
- 5% -- Studio
- 5% -- Discussion
Projects (80%)
- 15% -- Round 1 AI/ML Dev
- 20% -- Round 2 AI/ML Bug Find
- 15% -- Round 3 TEE Migration
- 30% -- Round 4 Final Project


Schedule


Slides, lab assignments and QA are in the WUSTL Blackboard system.
Date Topics HW/Lab Assignment
8/27/2019 Course Overview - Embracing IoT and Insecurity
Reflections on Trusting Trust
Round 1
8/29/2019 Software Security Review - Application Level
Smashing the stack for fun and profit
9/3/2019 Cryptography Review, Part 1
A Graduate Course in Applied Cryptography
9/5/2019 Cryptography Review, Part 2
9/10/2019 Demo - AI/ML Module Round 2
9/12/2019 Cryptography Review Part 3
9/17/2019 Attack Demo & Rootkit (User land, Kernel land)
The Rootkit Arsenal - Chp 1, 2
Understanding Linux Malware
9/19/2019 System Level Threats and Defense Mechanisms
Bootstrapping Trust in Modern Computers
Isolation and Sandboxing
The protection of information in computer systems
9/24/2019 Minimization / Introspection
SoK: Introspections on trust and the semantic gap
9/26/2019 Remote attestation
Attestation in Wireless Sensor Networks: a Survey
10/1/2019 Intel SGX and its application
Intel SGX Explained
10/3/2019 Studio - SGX Programming Model
Lab
10/8/2019 Demo - Attack on AI/ML Module Round 3
10/10/2019 ARM TrustZone and its application
Demystifying Arm TrustZone: A Comprehensive Survey
10/15/2019 Studio - OPTEE Programming Model
Lab
10/17/2019 Fall Break
10/22/2019 Keystone - the open source initiative for TEE
Keystone: A Framework for Architecting TEE
10/24/2019 Demo - TEE protected AI/ML Module Final Project
10/29/2019 Challenges in hardware-assisted security
In Hardware We Trust
10/31/2019 Information Side Channel
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds
Proposal Due
11/5/2019 Speculative execution side channel and defense
Meltdown: Reading Kernel Memory from User Space
Spectre Attacks: Exploiting Speculative Execution
A Systematic Evaluation of Transient Execution Attacks and Defenses
11/7/2019 Spectre/Meltdown Studio Lab
11/12/2019 Hardware Security - Intro
A Primer on Hardware Security: Models, Methods, and Metrics
11/14/2019 Hardware Security
Hardfails
Clkskew
11/19/2019 Security of Real Time Scheduler
On the Pitfalls and Vulnerabilities of Schedule Randomization against Schedule-Based Attacks
Project Checkpoint
11/21/2019 Smart Home and IoT Security
SoK: Security Evaluation of Home-Based IoT Deployments
11/26/2019 Cyber-physical Information Leakage
SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks
Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone
Oligo-Snoop: A Non-Invasive Side Channel Attack Against DNA Synthesis Machines
11/28/2019 Thanksgiving Break
12/3/2020 Cyber-physical Signal Injection
Compromising Computers with Synthesized DNA, Privacy Leaks, and More
Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors
DolphinAttack: Inaudible Voice Commands
12/5/2020 Final Project Demo Writeup Due

Blogs



This assignment has two parts
If you need a suggestion, the topic can be one of the following
Log and lightning talk signup is here.
Our class blog is here

Projects


Format: The class project will be carried out by a team of 2 - 4 students, and is divided into four rounds, with the last round being the final project. We will have a demo/presentation after each round.

Project Scenario: On a sunny Saturday morning, you are sitting in your backyard in University City thinking about your strategies for the new startup in the billion-dollar business of IoT. And you realize IoT devices really are nothing but decade-old sensors connected via mesh network without the intelligence behind them. To be successful, you need to be able to understand your customers' preferences and correctly predict that they actually want to have lasagna instead of fried rice, so that you can put up the right restaurant suggestions for them tonight and collect the referral fees. To gain that intelligence, you need computation power, lots of it, but you are a startup that can't afford a significant up-front investment in just the infrastructure, so you decide to turn to the Cloud - the platform that solves all the problems. Our story begins here...


Round 1: Development of AI/ML module


Develop an AI/ML module of your choice that will perform the following. You could use our skeleton or not. However, no question will be answered regarding any code or internal design decisions of the skeleton. In the real world, you often won't have answers to code you borrow from other projects.
The provided skeleton contains four main components:
  1. main function - contains the CLI of the program
  2. crypto - contains cryptographic functions such as encryption and key generation
  3. access control - contains user account control
  4. ml - contains the functionality to train and use a model
You are encouraged to modify the provided skeleton code to fit the goal of your startup. If you consider the provided skeleton perfectly secure, you can keep everything. For AI/ML modules, kmeans is used in the provided example. It is recommended that you choose a different AI/ML module, i.e. either libSVM or CNN. You are welcome to use AI/ML modules of your own choice. However, keep in mind that if you choose to do so, the TA might not be able to help you with porting it to the provided framework. Moreover, you are responsible for providing the training and testing datasets, their descriptions, and detailed documentation on how to run it.

Demo should show
Submission should contain
Evaluation: There are two parts of evaluation in this step:

Round 2: Attack of AI/ML module


Attack your opponent's software - your goal is to violate any of the security assumptions in the first round. You can assume you have a program running on the same Linux machine as the target, but you may need to deploy different tactics according to your privilege levels. This includes but is not limited to the following
There are three types of scenario in which you should launch the attack, with increasing difficulty. Assuming you have
Evaluation: 20 pt - Able to demonstrate an attack at any of the three privilege levels - present at least three attacks; grading will be based on the novelty of the attack as well as the discovered attack vectors.
You need to submit the following
For extra credit:
For each vulnerability you submit, there should be proof of concept (PoC) attack code as well as a procedure to go with it. Up until 9/24, any vulnerability you find on your opponent team belongs to you. After 9/24, however, you can work on any team, and ownership is based on the order of discovery. You can find the current list of disclosed vulnerabilities here.

To submit a vulnerability, send your documentation and PoC source code in an email to the TA and cc me, with CSE 569S VD - "name" - "PoC name" in the title. The TA will attempt to keep the spreadsheet updated daily. There could be a maximum delay of two days. Let the instructor know if there is any significant delay on your submission.

Round 3: Defend Module with TEE


Build your defense against the previous round of attacks using a TEE.
You are also required to mitigate all the attacks discovered in the previous round.

Evaluation will consist of two parts:

Round 4: Final Project - Further Attack or Your Choice


The final project is an open-ended project, where students are encouraged to take on challenging project ideas by expanding on the previous rounds. This can be
Evaluation: Your grade will be evaluated by the novelty of the attack or defense (can be a failure), and the steps you took towards the goal. This project has to be a group project. There is no limitation on the size of the group, though groups with 3 - 5 students are often most effective.
There are three checkpoints of the project
Please note that reproducibility will be a key evaluation criterion; make sure all the submitted materials are clearly documented.

Ethics


With greater power comes greater responsibility. In this course, we will be learning about and exploring some vulnerabilities that could be used to attack systems. Students are expected to behave responsibly and ethically. You may not attack any system without prior approval of the site owners, and may not use anything you learn in this class to disrupt services or harm others. If you have any doubts about whether or not something you want to do is ethical and legal, you should check with the course instructor.
