TrustCS: 基於 Trusted Firmware-M 的安全 CubeSat 韌體更新機制

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：156

、訪客IP：18.223.241.186

姓名

葉文(Wen Yeh) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

TrustCS: 基於 Trusted Firmware-M 的安全 CubeSat 韌體更新機制
(TrustCS: A firmware update mechanism of secure CubeSat based on Trusted Firmware-M)

相關論文

★ 基於OP-TEE的可信應用程式軟體生態系統	★ SeFence: 基於安全感測的可信任周邊存取控制
★ 高解析度二維地理影像的三維建模：旋轉變換投影與傳統方法的比較研究	★ 在低軌道衛星無線通訊中的CSI預測方法
★ 為多流量低軌道衛星系統提出的動態換手策略	★ 基於Trustzone的智慧型設備語音隱私保護系統
★ 一種減輕LEO衛星網路干擾的方案	★ TruzGPS:基於TrustZone的位置隱私權保護系統
★ 衛星地面整合網路之隨機接入前導訊號設計與偵測	★ SatPolicy: 基於Trustzone的衛星政策執行系統
★ TruzMalloc: 基於TrustZone 的隱私資料保護系統	★ 衛星地面網路中基於物理層安全的CSI保護方法
★ 低軌道衛星地面整合網路之安全非正交多重存取傳輸	★ 低軌道衛星地面網路中的DRX機制設計
★ 衛星地面整合網路之基於集合系統的前導訊號設計	★ 基於省電的低軌衛星網路路由演算法

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

近年來，立方體衛星的開發越來越受到商業和教育機構的青睞。然而，現有的衛星安全大多側重於如何保護物理通信，很少討論如何保護衛星系統本身的安全。為了增強立方體衛星系統的安全性，我們提出了TrustCS（Trusted CubeSat），它基於立方體衛星On-Board Computer（OBC）系統中的TrustedFirmware-M（TF-M）可信執行環境。與通過地面站發送遠程命令來重啟系統和驗證圖像不同，TrustCS能使立方體衛星系統自動重啟並自動驗證圖像。我們還在SecureProcessing Environment（SPE）中對內部存儲記憶元件的寫入和擦除功能實施了區域檢查機制，使其不會被惡意程序不當操作和使用。此外，我們還為立方體衛星選擇了更新映像的方法，該方法在更新映像的同時確保了系統的穩定性，如果更新過程因斷電或高能粒子穿透而失敗，仍可恢復。最後，我們評估了在STM32L5開發板上的實現情況，證明了其可靠性、低開銷和安全性。

摘要(英)

In recent years, the development of CubeSats has become more and more popular among commercial and educational institutions. However, most of the existing satellite security focuses on how to protect the physical com munication, and rarely discusses how to protect the security of the satellite system itself. In order to enhance the security of the system on CubeSats, we propose TrustCS (Trusted CubeSat), which is based on the Trusted Execu tion Environment of Trusted Firmware-M (TF-M)intheOn-BoardComputer (OBC) system of the CubeSat. Unlike sending remote commands through the ground station to restart the system and image verification, TrustCS en ables the CubeSat system to automatically restart and automatically verify images. We also implement a region check mechanism in the Secure Pro cessing Environment (SPE) for the write and erase functions of the internal storage memorycomponents, sothattheywillnotbeimproperlyoperatedand used by malicious programs. In addition, we choose the method for updating the image for CubeSat, which ensures the system stability while updating the image, and can still recover if the update process fails due to power outage or high-energy particle penetration. Finally, we evaluate the implementation on the STM32L5developmentboard, demonstratingits reliability, low overhead and security.

關鍵字(中)

★ 韌體更新
★ 平台安全架構
★ TrustedFirmware-M
★ 可信執行環境
★ ARMTrustZone-M

關鍵字(英)

★ FirmwareUpdate
★ PSA
★ ARMTrustedFirmware-M
★ Trusted Execution Environment
★ ARM TrustZone-M

論文目次

中文摘要 i
Abstract ii
致謝 iii
Contents iv
ListofFigures vii
ListofTables ix
1 Introduction 1
2 Background 7
2.1 TrustedExecutionEnvironment 7
2.2 ARMTrustZone 7
2.2.1 TrustZone-A 8
2.2.2 TrustZone-M 8
2.2.3 TrustedFirmware-MFirmwareUpdate 10
3 RelatedWorks 12
3.1 TEEfirmwareupdatemechanism 12
3.2 Thefirmwareupdatemechanismforremoterecovery 14
4 SystemModel 17
4.1 CubeSatOBCFirmwareUpdateSystem 17
4.2 ThreatModel 18
4.2.1 Softwareandfirmwaredesigndefects 19
4.2.2 Malwaresattacker 19
5 FirmwareUpdateDesign 20
5.1 SystemArchitecture 20
5.2 FlashlayoutandSecureBoot 22
5.2.1 Flashlayout 22
5.2.2 MCUBoot 25
5.3 Non-secureProcessingEnvironment 27
5.3.1 ReceivecommandTask&FirmwareupdateTaskdesign 27
5.3.2 FlashDriverOperation 28
5.4 Securememory 30
5.4.1 non-securecallablecommunication 30
5.4.2 Secureservices 31
5.5 TrustCSDataandControlFlow 31
6 FirmwareUpdateImplementation 34
6.1 Flashlayout 34
6.2 ReceiveTask 36
6.3 FirmwareupdateTask 38
6.4 Modifyflashoperation 38
6.4.1 EraseStep 39
6.4.2 WriteStep 39
6.5 CreateaNewSecureServiceconnection 40
6.6 FlashareaVerificationAPI 41
7 Evaluation 44
7.1 SecurityAnalysis 44
7.1.1 Firmwareupdatewithsecurearchitecture 44
7.1.2 ImageAuthentication 44
7.1.3 VulnerableDeviceDrivers 45
7.1.4 TrustedComputingBase 45
7.2 PerformanceEvaluation 46
7.2.1 Filesizecomparison 46
7.2.2 Erasingexecutiontimecomparison 47
7.2.3 Writingexecutiontimecomparison 48
7.2.4 ExecutionTimeofUpdate 48
8 Conclusion 50
Bibliography 51

參考文獻

[1] J. Puig-Suari, C. Turner, and W. Ahlgren, “Development of the standard cubesat deployer and a cubesat class picosatellite,” in 2001 IEEE Aerospace Conference Proceedings (Cat. No.01TH8542), vol. 1, 2001, pp. 1/347–1/353 vol.1.
[2] P. I. Theoharis, R. Raad, F. Tubbal, M. U. Ali Khan, and S. Liu, “Software-defined radios for cubesat applications: A brief review and methodology,” IEEE Journal on Miniaturization for Air and Space Systems, vol. 2, no. 1, pp. 10–16, 2021.
[3] nanosats.eu, “Nanosats database,” 2023, [Online; accessed 19-June-2023]. [Online]. Available: https://www.nanosats.eu/
[4] D. J. Barnhart, “Very small satellite design for space sensor networks,” 06 2008, ph.D. dissertation, Faculty Eng. Phys. Sci., Univ. Surrey, Guildford.
[5] W.Shiroma, L. Martin, J. Akagi, J. Akagi, B. Wolfe, B. Fewell, and A. Ohta, “Cube sats: A bright future for nanosatellites,” Open Engineering, vol. 1, pp. 9–15, 03 2011.
[6] S. M. Shah, J. Shah, A. Nasir, and H. Ahmed, “A survey paper on security issues in satellite communication network infrastructure,” International Journal Of Engi neering Research and General Science, vol. 2, 10 2014.
[7] L. Wouters, “Glitched on earth by humans: A black-box security evaluation of the spacex starlink user terminal,” black Hat USA 2022, 8 2022.
[8] A.Alharam, Y.Alqassab, R. Senan, M.Almalki, andW.Elmedany, “Reconfigurable cyber-security architecture for small satellite with low complexity and power,” in 2022International Conference on Innovation and Intelligence for Informatics, Com puting, and Technologies (3ICT), 2022, pp. 245–249.
[9] C.-Y. Yang, J.-F. J. Yao, C.-E. Yen, and M.-S. Hwang, “Overview on physical layer security in low earth orbit (leo) satellite system,” in 2021 IEEE International Con ference on Consumer Electronics-Taiwan (ICCE-TW), 2021, pp. 1–2.
[10] D. K. Nilsson, L. Sun, and T. Nakajima, “A framework for self-verification of firmware updates over the air in vehicle ecus,” in 2008 IEEE Globecom Workshops, 2008, pp. 1–5.
[11] R. Dhobi, S. Gajjar, D. Parmar, and T. Vaghela, “Secure firmware update over the air using trustzone,” in 2019 Innovations in Power and Advanced Computing Tech nologies (i-PACT), vol. 1, 2019, pp. 1–4.
[12] M. Huber, S. Hristozov, S. Ott, V. Sarafov, and M. Peinado, “The lazarus effect: Healing compromised devices in the internet of small things,” in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ser. ASIA CCS ’20. Association for Computing Machinery, 2020, p. 6–19. [Online]. Available: https://doi.org/10.1145/3320269.3384723
[13] K. V. C. K. de Souza, Y. Bouslimani, and M. Ghribi, “Flight software development for a cubesat application,” IEEE Journal on Miniaturization for Air and Space Sys tems, vol. 3, no. 4, pp. 184–196, 2022.
[14] docs.kubos.com, “Kubos,” 2017, [Online; accessed 19-June-2023]. [Online]. Available: https://docs.kubos.com/1.5.0/index.html
[15] L. S. F. . U. of Patras, “Upsat,” 2017, [Online; accessed 19-June-2023]. [Online]. Available: https://upsat.gr/
[16] AMD, “Xqr versal™ ai core xqrvc1902,” 2022, [Online; accessed 19-June-2023]. [Online]. Available: https://www.amd.com/en/newsroom/press-releases/2022-11 15-amd-announces-completion-of-class-b-qualification-.html
[17] ARM, “Trustzone technology for armv8-m architecture,” 2018, [Online; accessed 19-June-2023]. [Online]. Available: https://developer.arm.com/documentation/ 100690/latest/
[18] ARM, “Arm cortex-a series programmer’s guide for armv8-a,” 2015, [On line; accessed 19-June-2023]. [Online]. Available: https://developer.arm.com/ documentation/den0024/a/Security/TrustZone-hardware-architecture
[19] ——, “Psa certified firmware update api,” 2023, [Online; accessed 19-June-2023]. [Online]. Available: https://arm-software.github.io/psa-api/fwu/1.0/overview/intro. html
[20] trustedfirmware.org, “Trusted firmware m,” 2023, [Online; accessed 19 June-2023]. [Online]. Available: introduction/readme.html https://tf-m-user-guide.trustedfirmware.org/
[21] J. Reardon, Á. Feal, P. Wijesekera, A. E. B. On, N. Vallina-Rodriguez, and S. Egelman, “50 ways to leak your data: An exploration of apps’ circumvention of the android permissions system,” in 28th USENIX Security Symposium (USENIX Security 19). Santa Clara, CA: USENIX Association, Aug. 2019, pp. 603 620. [Online]. Available: https://www.usenix.org/conference/usenixsecurity19/ presentation/reardon
[22] amazon.com, “Common vulnerabilities and exposures,” 2021, [Online; accessed 19-June-2023]. [Online]. Available: https://aws.amazon.com/tw/freertos/security updates/
[23] OMTP.org, “Omtp advanced trusted environment omtp tr1 v1.1,” 2009, [On line; accessed 19-June-2023]. [Online]. Available: http://www.omtp.org/OMTP_ Advanced_Trusted_Environment_OMTP_TR1_v1_1.pdf
[24] arm.com, “Platform security architectures,” 2017, [Online; accessed 19-June-2023]. [Online]. Available: https://www.arm.com/architecture/security-features/platform security
[25] ietf.org, “Arm’s platform security architecture (psa) attestation token,” 2023, [Online; accessed 19-June-2023]. [Online]. Available: https://www.ietf.org/id/draft tschofenig-rats-psa-token-11.html
[26] GlobalPlatform.org, 2022, [Online; accessed 19-June-2023]. [Online]. Available: https://globalplatform.org/
[27] GlobalPlatform.org, “Tee system architecture v1.2,” 2018, [Online; accessed 19-June-2023]. [Online]. Available: https://globalplatform.org/specs-library/tee system-architecture-v1-2/
[28] GlobalPlatform.org, “Tbsa-m,” 2019, [Online; accessed 19-June-2023]. [On line]. Available: https://www.arm.com/en/architecture/security-features/platform security
[29] GlobalPlatform.org, “Tee client api specification v1.0,” 2010, [Online; accessed 19-June-2023]. [Online]. Available: https://globalplatform.org/specs-library/tee client-api-specification/
[30] psacertified.org, “Psa certified api,” 2023, [Online; accessed 19-June-2023]. [Online]. Available: https://www.psacertified.org/getting-certified/functional-api certification/
[31] A. Limited, “Smc calling convention 1.4 bet1,” 2022, [Online; accessed 30-May-2022]. [Online]. Available: https://documentation-service.arm.com/static/ 622799018804d00769e9b345
[32] psa api, “Tf-m psa-api,” 2023, [Online; accessed 19-June-2023]. [Online]. Available: https://github.com/ARM-software/psa-api
[33] trustedfirmware.org, “Trusted firmware m firmware update,” 2023, [Online; ac cessed 19-June-2023]. [Online]. Available: https://tf-m-user-guide.trustedfirmware. org/design_docs/services/tfm_fwu_service.html
[34] STMicroelectronics, cation,” 2021, “Getting [Online; started accessed with stm32cubel5 tfm appli 19-June-2023]. [Online]. Avail able: https://www.st.com/resource/en/user_manual/um2671-getting-started-with stm32cubel5-tfm-application-stmicroelectronics.pdf
[35] space.com, “Rover team confident curiosity will bounce back from glitch,” 2018, [Online; accessed 19-June-2023]. [Online]. Available: https://www.space.com/ 41905-curiosity-mars-rover-computer-glitch.html
[36] popularmechanics.com, “The software bug that almost killed curios ity just six months in,” 2017, [Online; accessed 19-June-2023]. [On line]. Available: https://www.popularmechanics.com/space/moon-mars/a26530/ curiosity-almost-broke-down-after-six-months/
[37] qz.com, “Spacex missed a satellite collision warning due to a software bug,” 2019, [Online; accessed 19-June-2023]. [Online]. Available: https://qz.com/1701070/ spacex-missed-a-satellite-collision-warning
[38] S. Butt, V. Ganapathy, M. M. Swift, and C.-C. Chang, “Protecting commodity op erating system kernels from vulnerable device drivers,” in 2009 Annual Computer Security Applications Conference, 2009, pp. 301–310.
[39] embetronicx.com, “Bootloader in stm32f76xxx,” 2023, [Online; accessed 19-June 2023]. [Online]. Available: https://embetronicx.com/tutorials/microcontrollers/ stm32/bootloader/stm32-firmware-update-over-the-air-fota-wireless-firmware update/
[40] trustedfirmware.org, “Tf-m secure boot,” 2023, [Online; accessed 19-June 2023]. [Online]. Available: https://tf-m-user-guide.trustedfirmware.org/design_ docs/booting/tfm_secure_boot.html
[41] controllerstech.com, “Flash programming in stm32,” 2020, [Online; accessed 19 June-2023]. [Online]. Available: https://controllerstech.com/flash-programming in-stm32/
[42] C. L. Liu and J. W. Layland, “Scheduling algorithms for multiprogramming in a hard-real-time environment,” J. ACM, vol. 20, no. 1, p. 46–61, jan 1973. [Online]. Available: https://doi.org/10.1145/321738.321743
[43] trustedfirmware.org, “Ff-m threat model,” 2023, [Online; accessed 19-June-2023]. [Online]. Available: https://tf-m-user-guide.trustedfirmware.org/security/threat_ models/generic_threat_model.html?highlight=df3
[44] mouser.tw, “Ultra-low-power arm cortex-m33,” 2020, [Online; accessed 19-June 2023]. [Online]. Available: https://www.mouser.tw/datasheet/2/389/stm32l562qe 1839646.pdf
[45] ST Microelectronics, “Stm32l5 memory map and register boundary addresses,” able: 2020, [Online; accessed 19-June-2023]. [Online]. Avail https://www.st.com/resource/en/reference_manual/rm0438-stm32l552xx and-stm32l562xx-advanced-armbased-32bit-mcus-stmicroelectronics.pdf
[46] arm.com, “Arm platform security architecture firmware framework 1.0,” 2019, [Online; accessed 19-June-2023]. [Online]. Available: https://developer. arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063 PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e 4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93/

指導教授

張貴雲(Guey-Yun Chang)

審核日期

2023-8-7

推文