Protecting Control Flow in Finite State Machines
Abstract not provided.
Proceedings - 2020 3rd International Conference on Artificial Intelligence for Industries, AI4I 2020
Graph analysis in large integrated circuit (IC) designs is an essential tool for verifying design logic and timing via dynamic timing analysis (DTA). IC designs resemble graphs with each logic gate as a vertex and the conductive connections between gates as edges. Using DTA digital statistical correlations, graph condensation, and graph partitioning, it is possible to identify high-entropy component centers and paths within an IC design. Identification of high-entropy component centers (HECC) enables focused DTA, effectively lowering the computational complexity of DTA on large integrated circuit graphs. In this paper, a devised methodology termed IC layout subgraph component center identification (CCI) is described. CCI lowers DTA computational complexity by condensing IC graphs into reduced subgraphs in which dominant logic functions are verified.
Journal of Hardware and Systems Security (Online)
The use of untrusted design tools, components, and designers, coupled with untrusted device fabrication, introduces the possibility of malicious modifications being made to integrated circuits (ICs) during their design and fabrication. These modifications are known as hardware trojans. The widespread use of commercially purchased 3rd party intellectual property (3PIP) and commercial design tools extends even into trusted design flows. Unfortunately, due to the theoretical result that there is no program that can decide whether any other program will eventually halt, we know that the properties of a program, or circuit, cannot be known in advance of running it. While we can design a circuit to meet some functional specification and generate a simulation or test suite to obtain at least probabilistic confidence that the circuit implements the intended functionality, we cannot test a circuit for unintended functionality due to the combinatorially large state space. To address these concerns, we have developed a design-time method for automatically and systematically modifying portions of a design that exhibit characteristics of hardware trojans. After each modification, the functionality of the design is verified against a comprehensive simulation suite to ensure that the intended circuit functionality has not been changed. Finally, this approach can be applied to any digital circuit and does not rely on secret keys or obfuscation.
In this work we examine approaches for using implementation diversity to disrupt or disable hardware trojans. We explore a variety of general frameworks for building diverse variants of circuits in voting architectures, and examine the impact of these on attackers and defenders mathematically and empirically. This work is augmented by analysis of a new majority voting technique. We also describe several automated approaches for generating diverse variants of a circuit and empirically study the overheads associated with these. We then describe a general technique for targeting functional circuit modifications to hardware trojans, present several specific implementations of this technique, and study the impact that they have on trojanized benchmark circuits.
Critical infrastructure systems continue to foster predictable communication patterns and static configurations over extended periods of time. The static nature of these systems eases the process of gathering reconnaissance information that can be used to design, develop, and launch attacks by adversaries. In this research effort, the early phases of an attack vector will be disrupted by randomizing application port numbers, IP addresses, and communication paths dynamically through the use of overlay networks within Industrial Control Systems (ICS). These protective measures convert static systems into "moving targets," adding an additional layer of defense. Additionally, we have developed a framework that automatically detects and defends against threats within these systems using an ensemble of machine learning algorithms that classify and categorize abnormal behavior. Our proof-of-concept has been demonstrated within a representative ICS environment. Performance metrics of our proof-of-concept have been captured with latency impacts of less than a millisecond, on average.
Proceedings - International Carnahan Conference on Security Technology
Counterfeiting or surreptitious modification of electronic systems is of increasing concern, particularly for critical infrastructure and national security systems. Such systems include avionics, medical devices, military systems, and utility infrastructure. We present experimental results from an approach to uniquely identify printed circuit boards (PCBs) on the basis of device unique variations in surface mount passive components and wire trace patterns. We also present an innovative approach for combining measurements of each of these quantities to create unique, random identifiers for each PCB and report the observed entropy, reliability, and uniqueness of the signatures. These unique signatures can be used directly for verifying the integrity and authenticity of the PCBs, or can serve as the basis for generating cryptographic keys for more secure authentication of the devices during system acquisition or field deployment. Our results indicate that the proposed approaches for measuring and combining these quantities are capable of generating high-entropy, unique signatures for PCBs. The techniques explored do not require system designers to utilize specialized manufacturing processes and implementation is low-cost.
This report summarizes a two-year LDRD project that investigated the problem of representing complex supply chains, identifying the worst risks and evaluating mitigation options. Our team developed a framework that includes a representation for business processes, risk assessment questions, risk indicators and methods for analyzing and summarizing the data. In our approach, the Process Matrix represents an overall supply chain for an end product in a high-level, tabular form. It connects the various touch-points of a business process including people, external vendors, tools, storage locations and transportation services while capturing the flow of both physical and intellectual artifacts. We believe these direct connections are exactly the things that a process owner can typically control. These material flows (both physical and intellectual) are also represented in a graph. This enables us to use graph-oriented analysis such as fault tree analysis and attack graph generation. Our approach is top-down, which helps users to get a more holistic understanding for a given amount of resources. Understanding the provenance of materials is difficult and it is easy to exhaust the analysts' resources. Rather than a tool to do vendor analysis or product comparison, our framework enables an enterprise-level analysis. The risk assessment questionnaires have varying levels of detail and cover various aspects of the supply chain such as process steps, artifacts, suppliers, etc. and connections between these aspects such as artifact-storage, artifact-supplier, etc. Each question is further associated with one of seven risk indicators which can be used to summarize the risk. These risk indicators can also be weighted to reflect a user's concerns.
We have successfully applied our framework to several use cases in various stages of its development and provided valuable insights to our partners, but it can also be applied to other complex systems outside of the supply chain security problem.
Moving target defense (MTD) is an emerging paradigm in which system defenses dynamically mutate in order to decrease the overall system attack surface. Though the initial concept is promising, implementations have not been widely adopted. The field has been actively researched for over ten years, and has only produced a small number of extensively adopted defenses, most notably address space layout randomization (ASLR). This is despite the fact that there currently exist a variety of moving target implementations and proofs-of-concept. We suspect that this results from the moving target controls breaking critical system dependencies from the perspectives of users and administrators, as well as making things more difficult for attackers. As a result, the impact of the controls on overall system security is not sufficient to overcome the inconvenience imposed on legitimate system users. In this paper, we analyze a successful MTD approach. We study the control's dependency graphs, showing how we use graph theoretic and network properties to predict the effectiveness of the selected control. Then, with this framework in place, the dynamic nature of some Moving Target Defenses opens the possibility of modeling them with dynamic systems approaches, such as state space representations familiar from control and systems theory. We then use this approach to develop state space models for Moving Target Defenses, provide an analysis of their properties, and suggest approaches for using them.
Proceedings of the 11th International Conference on Cyber Warfare and Security, ICCWS 2016
Today's globalized supply chains are complex systems of systems characterized by a conglomeration of interconnected networks and dependencies. There is a constant supply and demand for materials and information exchange with many entities such as people, organizations, processes, services, products, and infrastructure at various levels of involvement. Fully comprehending supply chain risk (SCR) is a challenging problem, as attacks can be initiated at any point within the system lifecycle and can have detrimental effects to mission assurance. Counterfeit items, from individual components to entire systems, have been found in commercial and government systems. Cyber-attacks have been enabled by suppliers' lack of security. Furthermore, there have been recent trends to incorporate supply chain security to help defend against potential cyber-attacks; however, we find that traditional supply chain risk reduction and screening methods do not typically identify intrinsic vulnerabilities of realized systems. This paper presents the application of a supply chain decision analytics framework for assisting decision makers in performing risk-based cost-benefit prioritization of security investments to manage SCR. It also presents results from a case study along with discussions on data collection and pragmatic insight to supply chain security approaches. This case study considers application of the framework in analyzing the supply chain of a United States Government critical infrastructure construction project, clarifies gaps between supply chain analysis and technical vulnerability analysis, and illustrates how the framework can be used to identify supply chain threats and to suggest mitigations.
Critical Infrastructure control systems continue to foster predictable communication paths, static configurations, and unpatched systems that allow easy access to our nation's most critical assets. This makes them attractive targets for cyber intrusion. We seek to address these attack vectors by automatically randomizing network settings, randomizing applications on the end devices themselves, and dynamically defending these systems against active attacks. Applying these protective measures will convert control systems into moving targets that proactively defend themselves against attack. Sandia National Laboratories has led this effort by gathering operational and technical requirements from Tennessee Valley Authority (TVA) and performing research and development to create a proof-of-concept solution. Our proof-of-concept has been tested in a laboratory environment with over 300 nodes. The vision of this project is to enhance control system security by converting existing control systems into moving targets and building these security measures into future systems while meeting the unique constraints that control systems face.