Integrity Verification of Distributed Nodes in Critical Infrastructures
Abstract
:1. Introduction
- a remote attestation architecture with a modified workflow to monitor the current configuration of the GNSS receiver;
- the integration of a new attestation workflow in Keylime, a Cloud Native Computing Foundation-backed remote attestation framework supporting both TPM 2.0 specifications and the Integrity Measurement Architecture (IMA) Linux security module;
- the analysis and evaluation of the proposed approach by leveraging an effective testbed.
2. Related Works
3. GNSS-Based Time Distribution Networks
- Jamming, the blocking of the reception of GNSS signals by intentionally introducing a powerful RF signal to overwhelm the signal used by the receiver; this threat is classified as a “Denial of Service” (DoS) attack, since it denies the service to all nodes within the interference range;
- Meaconing, this corresponds to the interception and rebroadcasting of GNSS signals on the same transmission frequency, typically with a higher power than the original signal, in order to confuse the data acquired by the victim receiver;
- Spoofing, this refers to the transmission of counterfeit GNSS-like signals with the intent to fool the victim receiver with a false position and/or time data.
- attacks targeting PTP over the network, such as packet content manipulation, packet removal, packet delay manipulation and packet replay; these attacks are categorized as DoS and “Man-In-The-Middle” (MITM) attacks;
- attacks against the integrity of PTP (both software and configuration) running on each node.
Threat Model
- a hardware adversary can physically tamper with the host’s System on Chip (SoC) or other hardware devices present on the board, such as the Trusted Platform Module (TPM) or the GNSS receiver, and can interfere with the communication among them by injecting unauthorized signals on platform buses;
- a software adversary can remotely take control of the nodes in order to infect them with malware, modify their executable and configuration files, and corrupt portions of the host’s RAM.
4. Trusted Computing: Motivation and Technologies
4.1. Trusted Platforms
- : the new value of the PCR after the extend operation;
- : cryptographic hash algorithm associated with a specific PCR bank;
- : the value of the PCR before the extend operation;
- : a new integrity measurement that is concatenated to value and the resulting concatenation is hashed to produce the result of the extend operation.
4.2. TPM 2.0
4.3. Integrity Measurement Architecture (IMA)
- IMA Measurement extends the Trusted Boot principles into the Linux kernel; it is responsible for determining the files to be measured, performing measurements on them and maintaining those measurements in a secure way;
- IMA Appraisal extends the Secure Boot principles into the Linux kernel; it is responsible for locally comparing file measurements against trusted values stored in the file’s security extended attributes, denying access to files in case of measurement mismatch;
- IMA Audit is responsible for including IMA-specific records in the system audit logs, used to enhance system security analytics/forensics [29].
4.4. Remote Attestation
5. Design of the Solution
5.1. Configuration of Nodes in a PTP Network
- a textual interface over a serial communication protocol, which provides PVT data coded according to the National Marine Electronics Association (NMEA) 0183 standard [33];
- a 1 Pulse-Per-Second (1PPS) interface, which provides a high precision analog signal, with a width of less than one second and a rising or falling edge that is accurately synchronous with the beginning of each second of the time scale.
5.2. Solution Architecture
6. Implementation of the Solution
- the Keylime Agent is a service running on the remote platform; it performs the enrollment protocol with the Registrar by sending it the TPM credentials (EKcert and AKpub) and responding to its challenge to demonstrate that AK is resident on the same TPM as EK; then, it waits for attestation requests, to which it responds with an IR containing a TPM quote and the IMA ML;
- the Registrar stores the TPM credentials received from the Keylime Agent and sends them to the Verifier and Tenant, allowing them to verify the authenticity of the TPM quotes and the EK certificate;
- the Tenant is the component that initiates the framework; it sends to the Keylime Agent an encrypted payload, typically containing identity keys, certificates and scripts used for handling revocation events; then, it registers the Keylime Agent to the Verifier, providing it the whitelist, the TPM policy (i.e., the list of PCRs) and other information needed to attest the integrity status of the platform; finally, it verifies the authenticity of the TPM installed on the remote device by checking the validity of the EK certificate;
- the Verifier is the core component of the Keylime architecture, since it is responsible for assessing the trustworthiness level of the remote device; it periodically sends attestation requests to the Keylime Agent, with a frequency that can be configured using a specific parameter, and verifies the IRs on the basis of the whitelist and TPM policy received from the Tenant and the AKpub received from the Registrar;
- the Software CA is a certification authority whose goal is to link Trusted Computing functionalities with higher-level security services; if used for creating the certificates related to software identity keys of the nodes monitored by the Verifier, it will revoke the certificates as soon as the nodes become untrusted by publishing a new Certificate Revocation List (CRL);
- the Revocation Notifier completes the link between Trusted Computing and higher-level security services. When the Verifier detects an untrusted node, the Revocation Notifier sends a “revocation event” to the Software CA and the Keylime Agents that are registered to this service. Upon receipt of this event, the Software CA will update its CRL, while the Keylime Agents will execute the specific scripts received in the encrypted payload or those configured on the nodes, thus, allowing higher-level security services to automatically react to failed attestation events by ring-fencing the untrusted nodes; for example, by closing all TLS connections and VPN tunnels, or updating IP tables.
- check_GNSS_config, a boolean that will be set to True on the Master Clocks and to False on the Slave Clocks;
- GNSS, a string that specifies the path to the character special file representing the GNSS receiver.
7. Testbed Setting
7.1. Hardware Components
- a desktop PC Dell Precision 3440 (Intel Core i7-10700 CPU 2.9 GHz, 16 GB RAM, 512 GB HDD), that acts as the Verifier in the RA workflow;
- Raspberry Pi® 4 (RPi4) Model B [37], a flexible and high-performance Single Board Computer with a well-supported set of software libraries and tools for Linux;
- mosaicHAT [38], an open source hat compatible with RPi4. It is based on the Septentrio’s mosaic-X5® receiver [39], a multi-band, multi-constellation GNSS module representative of the state of the art (i.e., supporting newest Galileo signals, including the Open Service Navigation Message Authentication-OSNMA [40,41]);
- Infineon OPTIGA™ TPM SLI 9670 Iridium board [42], an evaluation board with the widely used TPM2.0 chip.
- the desktop PC, used as Verifier for the RA workflow;
- two RPi4 configured as Slave nodes (i.e., Slave 4 and 5) with the TPM only, without a GNSS module;
- two RPi4 configured as Master nodes (i.e., labeled as Master 1 and 3, respectively), including both a GNSS module and a TPM stacked on top of it. For the sake of simplicity, this setup adopts two Master nodes instead of three, as in [9] (i.e., without previous Master 2). Only the Master 1 is equipped with the mosaicHAT [38], while the Master 3 has a low-cost GNSS module (i.e., Adafruit Ultimate GPS HAT [43]).
7.2. Software Configuration and Attacks Emulation
8. Analysis of the Experimental Results
- In order to limit the potential impact of an advanced attack, the attestation period (P) must be configured to the lowest possible value (e.g., less than 1 min). Obviously, this design parameter typically results from a trade-off between security requirements and complexity (i.e., a larger attestation period can be desirable to limit the use of computational and communication resources);
- In addition, a randomization of the attestation period could be another potential solution in order to limit the capability of the attacker to estimate the beginning of each attestation period;
- Finally, a secure communication channel between the GNSS receiver module and the CPU of the node is another viable solution to solve this category of attack, so that the GNSS receiver would only execute authorized commands.
9. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Abbreviations
1PPS | 1 Pulse-Per-Second |
5G | Fifth Generation of cellular network |
AK | Attestation Key |
CA | Certificate Authority |
CNCF | Cloud Native Computing Foundation |
CPU | Central Processing Unit |
CRL | Certificate Revocation List |
CRTM | Core Root of Trust for Measurement |
DoS | Denial of Service |
EK | Endorsement Key |
GNSS | Global Navigation Satellite System |
IAK | Initial Attestation Key |
IEEE | Institute of Electrical and Electronics Engineers |
IMA | Integrity Measurement Architecture |
IP | Internet Protocol |
IR | Integrity Report |
LAK | Local Attestation Key |
LAN | Local Area Network |
LINKS | Leading Innovation & Knowledge for Society |
LTE-FDD | Long-Term Evolution-Frequency Division Duplex |
MDPI | Multidisciplinary Digital Publishing Institute |
MITM | Man-In-The-Middle |
ML | Measurement Log |
NMEA | National Marine Electronics Association |
NTS | Network Time Security |
OSNMA | Open Service Navigation Message Authentication |
PCR | Platform Configuration Register |
PTP | Precision Time Protocol |
PVT | Position, Velocity and Time |
RA | Remote Attestation |
RAN | Radio Access Network |
RF | Radio-Frequency |
ROOT | Rolling Out OSNMA for the secure synchronization of Telecom networks |
RoTs | Roots of Trust |
RTM | Root of Trust for Measurement |
RTR | Root of Trust for Reporting |
RTS | Root of Trust for Storage |
SoC | System on Chip |
TCB | Trusted Computing Base |
TCG | Trusted Computing Group |
TDD | Time Division Duplex |
TLS | Transport Layer Security |
TP | Trusted Platform |
TPM | Trusted Platform Module |
VPN | Virtual Private Network |
WR-PTP | White Rabbit extension of Precision Time Protocol |
References
- Falletti, E.; Margaria, D.; Marucco, G.; Motella, B.; Nicola, M.; Pini, M. Synchronization of Critical Infrastructures Dependent Upon GNSS: Current Vulnerabilities and Protection Provided by New Signals. IEEE Syst. J. 2019, 13, 2118–2129. [Google Scholar] [CrossRef]
- Pini, M.; Falletti, E.; Nicola, M.; Margaria, D.; Marucco, G. Dependancy of power grids to satellite-derived time: Vulnerabilities and new protections. In Proceedings of the 2018 IEEE International Telecommunications Energy Conference (INTELEC), Torino, Italy, 7–11 October 2018; pp. 1–8. [Google Scholar] [CrossRef]
- Pini, M.; Minetto, A.; Vesco, A.; Berbecaru, D.; Contreras Murillo, L.M.; Nemry, P.; De Francesca, I.; Rat, B.; Callewaert, K. Satellite-derived Time for Enhanced Telecom Networks Synchronization: The ROOT Project. In Proceedings of the 2021 IEEE 8th International Workshop on Metrology for AeroSpace (MetroAeroSpace), Naples, Italy, 23–25 June 2021; pp. 288–293. [Google Scholar] [CrossRef]
- Council of the European Union, Brussels, Belgium. Council Directive 2008/114/EC of 8 December 2008 on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection. 2008. Available online: https://eur-lex.europa.eu/eli/dir/2008/114/oj (accessed on 8 June 2022).
- Boyle, K. 5G Is All in the Timing. Available online: https://www.ericsson.com/en/blog/2019/8/what-you-need-to-know-about-timing-and-sync-in-5G-transport-networks (accessed on 8 June 2022).
- DeCusatis, C.; Lynch, R.M.; Kluge, W.; Houston, J.; Wojciak, P.A.; Guendert, S. Impact of Cyberattacks on Precision Time Protocol. IEEE Trans. Instrum. Meas. 2020, 69, 2172–2181. [Google Scholar] [CrossRef]
- Dovis, F. GNSS Interference Threats and Countermeasures; Artech House: Norwood, MA, USA, 2015; p. 216. [Google Scholar]
- Margaria, D.; Motella, B.; Anghileri, M.; Floch, J.; Fernandez-Hernandez, I.; Paonni, M. Signal Structure-Based Authentication for Civil GNSSs: Recent Solutions and Perspectives. IEEE Signal Process. Mag. 2017, 34, 27–37. [Google Scholar] [CrossRef]
- Margaria, D.; Vesco, A. Trusted GNSS-Based Time Synchronization for Industry 4.0 Applications. Appl. Sci. 2021, 11, 8288. [Google Scholar] [CrossRef]
- Jiang, Y.; Wu, S.; Yang, H.; Luo, H.; Chen, Z.; Yin, S.; Kaynak, O. Secure Data Transmission and Trustworthiness Judgement Approaches Against Cyber-Physical Attacks in an Integrated Data-Driven Framework. IEEE Trans. Syst. Man Cybern. Syst. 2022, 1–11. [Google Scholar] [CrossRef]
- Ren, Y.; Liu, W.; Liu, A.; Wang, T.; Li, A. A privacy-protected intelligent crowdsourcing application of IoT based on the reinforcement learning. Future Gener. Comput. Syst. 2022, 127, 56–69. [Google Scholar] [CrossRef]
- Guo, J.; Wang, H.; Liu, W.; Huang, G.; Gui, J.; Zhang, S. A lightweight verifiable trust based data collection approach for sensor–cloud systems. J. Syst. Archit. 2021, 119, 102219. [Google Scholar] [CrossRef]
- Mo, W.; Wang, T.; Zhang, S.; Zhang, J. An active and verifiable trust evaluation approach for edge computing. J. Cloud Comput. 2020, 9, 1–19. [Google Scholar] [CrossRef]
- Bacci, G.; Falletti, E.; Fernández-Prades, C.; Luise, M.; Margaria, D.; Zanier, F. Chapter 2-Satellite-Based Navigation Systems. In Satellite and Terrestrial Radio Positioning Techniques; Dardari, D., Falletti, E., Luise, M., Eds.; Academic Press: Oxford, UK, 2012; pp. 25–74. [Google Scholar] [CrossRef]
- Dovis, F.; Margaria, D.; Mulassano, P.; Dominici, F. Chapter 20—Overview of Global Positioning Systems. In Handbook of Position Location; John Wiley and Sons, Ltd.: Hoboken, NJ, USA, 2018; pp. 655–705. [Google Scholar] [CrossRef]
- IEEE Std 1588-2008 (Revision of IEEE Std 1588-2002); IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. IEEE: Piscataway, NJ, USA, 2008; pp. 1–300. [CrossRef]
- IEEE Std 1588-2019 (Revision IEEE Std 1588-2008); IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. IEEE: Piscataway, NJ, USA, 2020; pp. 1–499. [CrossRef]
- Girela-López, F.; López-Jiménez, J.; Jiménez-López, M.; Rodríguez, R.; Ros, E.; Díaz, J. IEEE 1588 High Accuracy Default Profile: Applications and Challenges. IEEE Access 2020, 8, 45211–45220. [Google Scholar] [CrossRef]
- Lipiński, M.; Włostowski, T.; Serrano, J.; Alvarez, P. White rabbit: A PTP application for robust sub-nanosecond synchronization. In Proceedings of the 2011 IEEE International Symposium on Precision Clock Synchronization for Measurement, Control and Communication, Munich, Germany, 12–16 September 2011; pp. 25–30. [Google Scholar] [CrossRef]
- Pini, M.; Minetto, A.; Nemry, P.; Rat, B.; Contreras Murillo, L.M.; De Francesca, I.; Margaria, D.; Vesco, A.; Berbecaru, D.; Callewaert, K.; et al. Protection of GNSS-based Synchronization in Communication Networks: The ROOT project. In Proceedings of the European Navigation Conference & International Navigation Conference (Navigation 2021), Virtually, 15–18 November 2021. [Google Scholar]
- Arnold, D.; Langer, M. Adapting NTS to PTP. In Proceedings of the 2020 International Timing and Sync Forum (ITSF), Online, 3–5 November 2020. [Google Scholar]
- PaX Team. Address Space Layout Randomization (ASLR). Available online: https://pax.grsecurity.net/docs/aslr.txt (accessed on 8 June 2022).
- Trusted Computing Group. Trusted Platform Module Library, Part 1: Architecture, Specification, Family 2.0, Level 00, Revision 01.59. 2019. Available online: https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf (accessed on 8 June 2022).
- Challener, D.; Yoder, K.; Catherman, R.; Safford, D.; Doom, L.V. A Practical Guide to Trusted Computing; IBM Press: Indianapolis, IN, USA, 2007. [Google Scholar]
- Pedone, I.; Canavese, D.; Lioy, A. Trusted Computing Technology and Proposals for Resolving Cloud Computing Security Problems. In Cloud Computing Security: Foundations and Challenges; Vacca, J.R., Ed.; CRC Press: Boca Raton, FL, USA, 2020; pp. 373–386. [Google Scholar] [CrossRef]
- Trusted Computing Group. TPM 2.0 Library. 2019. Available online: https://trustedcomputinggroup.org/resource/tpm-library-specification/ (accessed on 8 June 2022).
- Arthur, W.; Challener, D. A Practical Guide to TPM 2.0; Apress Open: New York, NY, USA, 2015. [Google Scholar]
- Trusted Computing Group. TCG Algorithm Registry; TCG Published: Beaverton, OR, USA, 2020. [Google Scholar]
- Integrity Measurement Architecture (IMA). Available online: https://sourceforge.net/p/linux-ima/wiki/Home/ (accessed on 8 June 2022).
- Sfyrakis, I.; Gross, T. A Survey on Hardware Approaches for Remote Attestation in Network Infrastructures. arXiv 2020, arXiv:2005.12453. [Google Scholar] [CrossRef]
- Trusted Computing Group. TCG Trusted Attestation Protocol Information Model. 2019. Available online: https://trustedcomputinggroup.org/resource/tcg-tap-information-model/ (accessed on 8 June 2022).
- Trusted Computing Group. TCG Infrastructure Working Group Integrity Report Schema. 2011. Available online: https://trustedcomputinggroup.org/wp-content/uploads/IWG_Integrity_Report_Schema_v2.0.r5.pdf (accessed on 8 June 2022).
- National Marine Electronics Association. NMEA 0183 Interface Standard, Version 4.11. 2018. Available online: https://www.nmea.org/content/STANDARDS/NMEA_0183_Standard (accessed on 8 June 2022).
- The NTP (R&D) Project. ntpd-Network Time Protocol (NTP) Daemon. 2022. Available online: http://doc.ntp.org/documentation/4.2.8-series/ntpd/ (accessed on 8 June 2022).
- Owczarek, W.; Kreuzer, S.; Neville-Neil, G.V. PTPd Official Source- Precision Time Protocol Daemon (1588-2008). 2019. Available online: https://github.com/ptpd/ptpd (accessed on 8 June 2022).
- Yao, J.; Zimmer, V. Building Secure Firmware; Apress: New York, NY, USA, 2020. [Google Scholar] [CrossRef]
- Raspberry Pi® Trading Ltd. Raspberry Pi® 4 Computer Model B, Product Brief. 2021. Available online: https://datasheets.raspberrypi.org/rpi4/raspberry-pi-4-product-brief.pdf (accessed on 8 June 2022).
- Sa’d, J. MosaicHAT: An Open Source Raspberry Pi HAT Based on Septentrio’s Mosaic-X5. 2020. Available online: https://github.com/septentrio-gnss/mosaicHAT (accessed on 8 June 2022).
- Septentrio NV. Mosaic-X5®: Compact, Multi-Constellation GNSS Receiver Module. 2021. Available online: https://www.septentrio.com/en/products/gnss-receivers/rover-base-receivers/receivers-module/mosaic (accessed on 8 June 2022).
- European Union Agency for the Space Programme. Galileo Open Service Navigation Message Authentication (OSNMA) Info Note. 2021. Available online: https://www.gsc-europa.eu/sites/default/files/sites/all/files/Galileo_OSNMA_Info_Note.pdf (accessed on 8 June 2022).
- Septentrio NV. Septentrio Brings OSNMA Anti-Spoofing Security to Mmarket. 2022. Available online: https://www.septentrio.com/en/company/news/septentrio-brings-osnma-anti-spoofing-security-market (accessed on 8 June 2022).
- Infineon Technologies AG. OPTIGA™ TPM Application Note. Integration of an OPTIGA™ TPM SLx 9670 TPM2.0 with SPI Interface in a Raspberry Pi® 4 Linux Environment. 2019. Available online: https://www.infineon.com/dgdl/Infineon-OPTIGA_SLx_9670_TPM_2.0_Pi_4-ApplicationNotesv07_19-EN.pdf?fileId=5546d4626c1f3dc3016c3d19f43972eb (accessed on 8 June 2022).
- Adafruit Industries. Ultimate GPS HAT for Raspberry Pi. 2021. Available online: https://cdn-learn.adafruit.com/downloads/pdf/adafruit-ultimate-gps-hat-for-raspberry-pi.pdf?timestamp=1627027424 (accessed on 8 June 2022).
- Tallysman®. VSP6037L VeroStar™ Full GNSS Precision Antenna Plus L-Band. 2021. Available online: https://www.tallysman.com/product/vsp6037l-verostar-full-gnss-antenna-l-band/ (accessed on 8 June 2022).
- The NTP (R&D) Project. ntpq-Standard NTP Query Program. 2022. Available online: https://doc.ntp.org/documentation/4.2.8-series/ntpq/ (accessed on 8 June 2022).
- Septentrio N.V. Mosaic-X5® Reference Guide, version 4.8.2; Septentrio N.V.: Leuven, Belgium, 2020. [Google Scholar]
- Trusted Computing Group. TCG Trusted Attestation Protocol (TAP) Information Model for TPM Families 1.2 and 2.0 and DICE Family 1.0. 2019. Available online: https://trustedcomputinggroup.org/wp-content/uploads/TNC_TAP_Information_Model_v1.00_r0.36-FINAL.pdf (accessed on 8 June 2022).
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Sisinni, S.; Margaria, D.; Pedone, I.; Lioy, A.; Vesco, A. Integrity Verification of Distributed Nodes in Critical Infrastructures. Sensors 2022, 22, 6950. https://doi.org/10.3390/s22186950
Sisinni S, Margaria D, Pedone I, Lioy A, Vesco A. Integrity Verification of Distributed Nodes in Critical Infrastructures. Sensors. 2022; 22(18):6950. https://doi.org/10.3390/s22186950
Chicago/Turabian StyleSisinni, Silvia, Davide Margaria, Ignazio Pedone, Antonio Lioy, and Andrea Vesco. 2022. "Integrity Verification of Distributed Nodes in Critical Infrastructures" Sensors 22, no. 18: 6950. https://doi.org/10.3390/s22186950
APA StyleSisinni, S., Margaria, D., Pedone, I., Lioy, A., & Vesco, A. (2022). Integrity Verification of Distributed Nodes in Critical Infrastructures. Sensors, 22(18), 6950. https://doi.org/10.3390/s22186950