## CS 453/698: Software and Systems Security

### Module: Research Lecture

Lecture: Research in Software and Systems Security
Adam Caulfield, *University of Waterloo*, Spring 2025

## Reminders & Recap

#### Reminders:

- Mini Research Project is due tomorrow!
- Course Evaluations → "Student Course Perceptions"

Student Course Perceptions status: make your voices heard!

**Note:** There are two for this course (one per half), so make sure to do both!

#### Recap – last time we covered:

Ethics, legal issues, laws, compliance

#### SONY press release from over the weekend

SONY Press Centre (UK)

Weybridge, June 26, 2025 – Today, Sony announced the beta release of Camera Verify, a new feature of its Camera Authenticity Solution<sup>1</sup>, that enables external sharing of image authenticity information via a dedicated URL. This has been developed to help news organisations address the growing challenge of verifying the authenticity of digital images in the age of generative AI. As AI-generated and manipulated content becomes increasingly sophisticated, the need for trusted, verifiable imagery has never been greater, especially for media professionals. Sony's Camera Authenticity Solution is designed to meet this need by embedding C2PA (Coalition for Content Provenance and Authenticity)<sup>2</sup> digital signatures and Sony's proprietary 3D depth information directly into the image at the moment of capture. This solution records C2PA digital signatures and Sony's proprietary 3D depth information in the camera at the moment of capture, allowing the image's authenticity information to be verified on the Image Validation site<sup>3</sup>.
With the newly added "Camera Verify" (beta), news organisations can now issue external sharing URLs for images with embedded digital signatures, allowing third parties to view verification results through reliable URLs directly issued by the verification site<sup>4</sup>. With this feature, organisations can select specific authenticity items to share during the content publication and distribution process, enabling faster dissemination of credible, verifiable content.
## Outline

### Other Research in Systems and Software Security

#### Embedded Systems

- How does the system model change?
  - Custom hardware extensions in research
- What type of system-level support is available in today's devices?
  - TrustZone in Cortex-M
- Availability mechanisms
  - How to build into a system? → GAROTA
- Advancing attestation protocols
  - "Run-time" attestation → C-FLAT
  - From attestation to auditing
#### What changes in the microcontroller model?

- No MMUs
- Not always having a cache
- Software adversary → all memory could be accessible

Some research takes the form of developing custom hardware extensions or monitors (or classified as both, depending on the abstraction).

#### RISC-V

- RISC: reduced instruction set computing
- V: fifth generation from UC Berkeley
- Open ISA → no licensing fees, full specification access
- Modular designs → ISA can be easily extended
- Built-in support for custom extensions → (sometimes)
- Minimal cores

#### Examples

- PULPino → 32-bit, 4-stage pipeline MCU model
- PULPissimo → further support for external hardware engines
- Ibex Core

Other open cores:

- openMSP430: 16-bit, 2-stage microcontroller
(Figure: the openMSP430 design structure diagram, from section 2.1 "Design structure" of the openMSP430 core documentation.)

## Commercial extensions for MCUs

#### General-purpose hardware controllers

**Memory Protection Units**

- Provide configuration for "privileged" and "unprivileged" mode
- Also r-w-x permissions on address ranges
- Some limitations on implementations

#### Company-specific features

- Intellectual Property Encapsulation (TI MSP430)
- ARM TrustZone-M

Recall from the previous lecture...

### ARM Cortex-M Processors

Follow the same simple computer model.

First, let's look from the software point of view.

First, no MMU.

#### What about safe invocation of the Secure World?

Non-Secure Callable (NSC) region: contains "secure gateway" instructions → the launch point into the Secure World (SW)

#### What about isolation?

**Hardware controllers:**

- Implementation-Defined Attribution Unit (IDAU) → enforces a fixed SW definition
- Secure Attribution Unit (SAU) → extends the SW definition, enforces isolation
- Assign an "attribution bit" (i.e., the NS bit) to each address. Access is allowed if the security state of the access matches the attribution of the address.

**Secure World boots first!**

- Can configure the SAU to set up the Secure and Normal Worlds

#### Final notes: other components that are "split"

- Peripherals (I/O)
- Dedicated interrupt controller (NVIC)

**Done TrustZone-M!**
#### GAROTA → Generalized Active Root of Trust

(Assumes no system support: built as a custom hardware extension.)

- Goal:
  - Provide a mechanism to ensure some critical action always executes
  - Make it generalizable
    - Any general-purpose peripheral on the device can be used
    - E.g., GPIO-triggered active root of trust
  - Make it low-cost for MCUs
  - Formally verified

Start with the following address space; also have the GAROTA hardware monitoring MCU signals (slide figures).

**GAROTA splits program memory into two regions:**

- Trusted (and protected) code
- Untrusted (and unprotected) code

The trusted code has:

- Boot → sequence to initialize the system
- TCB → GAROTA Trusted Computing Base → the action whose availability is protected

The TCB is paired with a particular general-purpose I/O device; its configuration is also monitored by GAROTA.

**Execution has the following flow.** GAROTA guarantees:

1. An IRQ from the TCB-paired I/O device will always trigger the TCB
2. The TCB will always execute after boot/reset
3. Attempts to disable the IRQ will cause a HW reset
4. Tampering with or interrupting the TCB results in a HW reset

#### GAROTA specifications

End-to-end goals (Figure 5 of the paper):

Definition 2 (Guaranteed Trigger):
$$\mathbf{G}:\{\text{trigger} \rightarrow \mathbf{F}(PC = TCB_{min})\}$$

Definition 3 (Re-Trigger on Failure):
$$\mathbf{G}:\{PC \in TCB \rightarrow [(\neg irq \land \neg dma_{en} \land PC \in TCB)\ \mathbf{W}\ (PC = TCB_{max} \lor \mathbf{F}(PC = TCB_{min}))]\}$$

Definition 4 (LTL sub-properties implemented and enforced by GAROTA; Figure 6 of the paper):

Trusted PMEM Updates:
$$\mathbf{G}:\{[\neg(PC \in TCB) \land W_{en} \land (D_{addr} \in PMEM)] \lor [DMA_{en} \land (DMA_{addr} \in PMEM)] \rightarrow reset\} \quad (6)$$

IRQ Configuration Protection:
$$\mathbf{G}:\{[\neg(PC \in TCB) \land W_{en} \land (D_{addr} \in IRQ_{cfg})] \lor [DMA_{en} \land (DMA_{addr} \in IRQ_{cfg})] \rightarrow reset\} \quad (7)$$

Interrupt Disablement Protection:
$$\mathbf{G}:\{\neg reset \land gie \land \neg\mathbf{X}(gie) \rightarrow (\mathbf{X}(PC) \in TCB) \lor \mathbf{X}(reset)\} \quad (8)$$

TCB Execution Protection:
$$\mathbf{G}:\{\neg reset \land (PC \in TCB) \land \neg(\mathbf{X}(PC) \in TCB) \rightarrow PC = TCB_{max} \lor \mathbf{X}(reset)\} \quad (9)$$
$$\mathbf{G}:\{\neg reset \land \neg(PC \in TCB) \land (\mathbf{X}(PC) \in TCB) \rightarrow \mathbf{X}(PC) = TCB_{min} \lor \mathbf{X}(reset)\} \quad (10)$$
$$\mathbf{G}:\{(PC \in TCB) \land (irq \lor dma_{en}) \rightarrow reset\} \quad (11)$$

From the GAROTA paper (USENIX Security 2022).
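As an added example (not code from the GAROTA paper or the lecture), a Python checker that evaluates sub-properties (6)-(11) above over a recorded trace of the MCU signals GAROTA observes; the address layout, the `Cycle` record and the two traces are constructed assumptions, and GAROTA itself enforces these properties in hardware on every clock cycle rather than over a trace.

```python
from dataclasses import dataclass

# Constructed address layout (an assumption of this example): the TCB is a
# sub-range of program memory (PMEM); IRQ_CFG is the interrupt-config register block.
PMEM = range(0x4000, 0x8000)
TCB = range(0x4400, 0x4800)
IRQ_CFG = range(0x0100, 0x0110)
TCB_MIN, TCB_MAX = TCB.start, TCB.stop - 1


@dataclass
class Cycle:
    """One clock cycle of the MCU signals that GAROTA's hardware module observes."""
    pc: int
    w_en: bool = False     # CPU write enable
    d_addr: int = 0        # CPU data address
    dma_en: bool = False   # DMA active
    dma_addr: int = 0      # DMA address
    gie: bool = True       # global interrupt enable
    irq: bool = False      # interrupt request
    reset: bool = False    # GAROTA-triggered hardware reset


def violations(trace):
    """Return the sub-property numbers (6)-(11) that the recorded trace violates.

    Each property is G{...}, so it is checked at every cycle; X(...) refers to the
    next cycle, so the properties using X are evaluated on consecutive cycle pairs.
    """
    bad = set()
    for i, c in enumerate(trace):
        in_tcb = c.pc in TCB
        if not c.reset:
            # (6) only TCB code may write PMEM, and DMA never may
            if (not in_tcb and c.w_en and c.d_addr in PMEM) or (c.dma_en and c.dma_addr in PMEM):
                bad.add(6)
            # (7) the same rule protects the interrupt configuration
            if (not in_tcb and c.w_en and c.d_addr in IRQ_CFG) or (c.dma_en and c.dma_addr in IRQ_CFG):
                bad.add(7)
            # (11) the TCB must never be interrupted or raced by DMA
            if in_tcb and (c.irq or c.dma_en):
                bad.add(11)
        if i + 1 == len(trace) or c.reset:
            continue
        n = trace[i + 1]
        # (8) interrupts may only be disabled by the TCB itself
        if c.gie and not n.gie and not (n.pc in TCB or n.reset):
            bad.add(8)
        # (9) the TCB may only be exited from its last instruction (TCB_max)
        if in_tcb and n.pc not in TCB and not (c.pc == TCB_MAX or n.reset):
            bad.add(9)
        # (10) the TCB may only be entered at its first instruction (TCB_min)
        if not in_tcb and n.pc in TCB and not (n.pc == TCB_MIN or n.reset):
            bad.add(10)
    return sorted(bad)


# Constructed traces: the benign run enters the TCB at TCB_min and leaves at TCB_max;
# the tampering run has untrusted code write into TCB code, then jump into mid-TCB.
BENIGN = [Cycle(pc=0x5000), Cycle(pc=TCB_MIN), Cycle(pc=TCB_MIN + 2),
          Cycle(pc=TCB_MAX), Cycle(pc=0x5004)]
TAMPER = [Cycle(pc=0x5000, w_en=True, d_addr=TCB_MIN + 2),  # (6)
          Cycle(pc=TCB_MIN + 2),                            # entered mid-TCB: (10)
          Cycle(pc=0x5004)]                                  # left early: (9)
```

A cycle in which `reset` is asserted satisfies (6), (7) and (11) by construction, which is exactly the "tampering causes a HW reset" guarantee.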
### Recall this attestation protocol

- Require the Prover to attest to:
  - The correct system state (e.g., the program is installed)
  - The system behaved at run-time in a valid way
- First proposed in C-FLAT: Control Flow Attestation
- C-FLAT requires an MCU Prover to attest that:
  - It is executing the correct software
  - It executed it following valid control flow paths

#### Control Flow Attestation

(4) Verify the result: $Verify_k(H, chal, PMEM)$

C-FLAT proposes a TrustZone-M based approach (it assumes TrustZone-M is available):

- Before installing the program, first perform static analysis and instrumentation
- Every branch instruction is redirected to an NSC
- Once arrived inside the SW, compute the running hash $H_i = hash(addr, H_{i-1})$
- One note! This requires protecting the Normal World app with the MPU
- After execution has ended, attest by producing $sig = auth_k(chal, H)$

**NOTE:** Assumes the Prover was installed with a key (MCU assumption)

More details on C-FLAT in the paper.
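As an added example that is not part of C-FLAT or the lecture, a Python model of the running hash and the attest/verify exchange above; the branch-target addresses, the valid paths and the key are constructed, and HMAC-SHA256 and SHA-256 are assumptions standing in for $auth_k$ and $hash$ (C-FLAT's own hashing of loops and of the program image is not modelled).

```python
import hashlib
import hmac

# Constructed example program: addresses of the branch targets (basic-block entries)
# that the instrumented Normal World code reports to the NSC on every branch.
# The Verifier knows the program's control-flow graph (it has PMEM) and therefore
# which target sequences are valid executions.
VALID_PATHS = {
    "auth_ok":   [0x1000, 0x1020, 0x1040, 0x1080],  # check passed, privileged op runs
    "auth_fail": [0x1000, 0x1020, 0x1060, 0x1080],  # check failed, privileged op skipped
}
KEY = b"constructed-prover-key"  # provisioned at install time (the MCU assumption)


def running_hash(targets):
    """Prover side (inside the SW): H_i = hash(addr, H_{i-1}), starting from H_0 = 0."""
    h = bytes(32)
    for addr in targets:
        h = hashlib.sha256(addr.to_bytes(4, "little") + h).digest()
    return h


def attest(key, chal, targets):
    """Prover side, after execution ends: sig = auth_k(chal, H) over the final hash."""
    h = running_hash(targets)
    return h, hmac.new(key, chal + h, hashlib.sha256).digest()


def verify(key, chal, h, sig):
    """Verifier side, Verify_k(H, chal, PMEM): check the MAC against this challenge,
    then check that H matches the hash of some valid path through the program."""
    if not hmac.compare_digest(sig, hmac.new(key, chal + h, hashlib.sha256).digest()):
        return "bad signature"
    expected = {running_hash(path): name for name, path in VALID_PATHS.items()}
    return expected.get(h, "invalid control flow")


def demo(targets, chal=b"constructed-nonce-0001"):
    """Run one full round trip for a sequence of observed branch targets."""
    h, sig = attest(KEY, chal, targets)
    return verify(KEY, chal, h, sig)
```

A deviation such as skipping the check block, or taking the failure branch and still reaching the privileged block, yields a hash the Verifier has never seen, and a report bound to an old challenge fails the MAC check.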
#### Concluding remarks...

The attack pipeline we have used all term, with the defenses covered at each stage and the roots of trust they build on (slide figure reconstructed as a table):

| Stage | Defenses covered | Roots of trust |
|---|---|---|
| 1. Memory Vulnerability | **Software testing:** fuzzing, symbolic execution, sanitizers; **Memory safety:** static analysis, safe languages | Root of Trust (RoT) |
| 2. Integrity Violation | **Software compartmentalization:** code integrity, pointer integrity, memory management | Secure Boot |
| 3. Exploit Payload | **Software diversification:** ASLR, ISR, DSR | OSs |
| 4. Exploit Dispatch | **Run-time integrity:** Control Flow Integrity, Data Flow Integrity | TPMs |
| 5. Exploit Execution | **Last line of defense:** W⊕X, DEP, static/run-time attestation | TEEs |
| 6. Attack | Information leak, malicious execution | |

In the figure, dispatch and execution branch as follows: use of corrupt data, an indirect jump to a corrupted address, or a return to a corrupted address, leading to execution of a data-oriented gadget, injected code, modified code, or a code-fragment gadget.

#### Concluding thoughts...

#### What is Software and System Security?
Mechanisms combining software AND roots of trust to:

- Detect memory vulnerabilities via software testing and memory safety
- Prevent integrity violations via compartmentalization, access control, memory management
- Prevent exploitation of vulnerabilities with software diversification
- Prevent dispatching of payloads via run-time defenses
- Prove/ensure that execution itself is valid

Thank you for a great term! Wish you all the best!

#### That's all for today!

#### Resources:

- SONY Press Centre (UK)
- PULPino
- PULPissimo
- Ibex
- openMSP430
- MSP430 IPE
- TrustZone-M Basics
- GAROTA
- C-FLAT