Whitepaper: Building Safe and Secure Systems for Autonomous Platforms

Issue link: https://read.uberflip.com/i/1427516
WHITE PAPER: Building Safe and Secure Processing Systems for Future Autonomous Platforms | mrcy.com | page 6

[Figure caption] Mercury's rugged OpenVPX blades and servers with BuiltSECURE feature secure boot, cryptography and physical-protection technologies that mitigate reverse engineering and stay ahead of threats.

However, even an effective cryptographic implementation cannot keep data safe from a malicious user who has acquired valid credentials or tricked the system into believing they have the appropriate credentials. The concepts of "least privilege" and "mandatory access control" (MAC) are used to combat this threat by restricting each system entity to the minimum access required to execute its function. Each time an entity seeks to use a resource, the request is first checked against the access policy to determine whether the action is permissible.

Reducing exposure with attack-surface minimization

Tamper protection, secure storage and secure communications all benefit from reducing the number of entry points on a device that an attacker can reach. Least privilege and MAC are part of a broader "attack-surface minimization" strategy. This strategy, like the design of safety-critical systems, requires the removal of any code, access rights, features or behaviors that are not strictly necessary for the system to achieve its purpose. Another form of attack-surface minimization is storing critical data directly on module microprocessors, which minimizes data movement around the circuit board and so reduces exposure to probing attacks.

PADDING ORACLE ATTACK

Padding oracle attacks use a system's padding validation to decrypt ciphertext without knowing the key. In cryptography, variable-length plaintext messages often have to be padded (expanded) to a multiple of the block size to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle": any endpoint that, when handed a modified ciphertext, reveals whether the decrypted message was correctly padded, whether through a distinct error message, a different response code or a measurable timing difference. By submitting crafted ciphertexts and observing the oracle's answers, an attacker can recover the plaintext one byte at a time.
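The attack described in the PADDING ORACLE ATTACK sidebar, together with the "mitigation of padding/timing oracles" that the key-management section calls for, worked end to end as an added example; this is not code from the Mercury paper or from BuiltSECURE. A toy keyed Feistel cipher built from HMAC-SHA256 stands in for AES so the script runs with the Python standard library alone; the attack itself depends only on CBC chaining and the PKCS#7 check, not on which block cipher is used. The leaky receiver, the sealed receiver, the key, the IV and the sample message are all constructed for the example.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # Toy block cipher standing in for AES: 4-round Feistel network on 16-byte
    # blocks with an HMAC-SHA256 round function. The attack never depends on it.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l  # final swap: decryption is the same network with rounds reversed

def encrypt_block(key, block):
    return _feistel(key, block, range(4))

def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(4)))

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(decrypt_block(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

def leaky_receiver(key):
    """Vulnerable endpoint: its answer reveals whether the padding was valid."""
    def padding_ok(iv, ciphertext):
        try:
            unpad(cbc_decrypt(key, iv, ciphertext))
            return True
        except ValueError:
            return False
    return padding_ok

def sealed_receiver(enc_key, mac_key):
    """Hardened endpoint: encrypt-then-MAC, tag verified before any decryption,
    and one generic failure for a bad tag and bad padding alike."""
    def tag_for(iv, ct):
        return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    def seal(iv, plaintext):
        ct = cbc_encrypt(enc_key, iv, pad(plaintext))
        return ct, tag_for(iv, ct)
    def accept(iv, ct, tag):
        if not hmac.compare_digest(tag_for(iv, ct), tag):
            return False  # forged ciphertext never reaches the padding check
        try:
            unpad(cbc_decrypt(enc_key, iv, ct))
            return True
        except ValueError:
            return False
    return seal, accept

def padding_oracle_attack(oracle, iv, ciphertext):
    """Recover the plaintext from oracle(iv, ct) -> bool alone; the key is never used."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered, queries = b"", 0
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # decrypt_block(key, target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padval  # known bytes forced to padval
                queries += 1
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental 0x02 0x02 ... padding
                    forged[pos - 1] ^= 0xFF
                    queries += 1
                    if not oracle(bytes(forged), target):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a forgery: nothing is leaking")
        recovered += _xor(inter, prev)
    return unpad(recovered), queries

def demo():
    key, mac_key, iv = b"K" * 16, b"M" * 16, b"\x01" * 16  # constructed, fixed values
    secret = b"waypoint 7: hold at 14:02Z"                 # constructed sample message
    ct = cbc_encrypt(key, iv, pad(secret))
    recovered, queries = padding_oracle_attack(leaky_receiver(key), iv, ct)
    seal, accept = sealed_receiver(key, mac_key)
    ct2, tag = seal(iv, secret)
    try:
        padding_oracle_attack(lambda i, c: accept(i, c, tag), iv, ct2)
        blocked = False
    except RuntimeError:
        blocked = True
    return recovered, queries, blocked

if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers the 26-byte message from the leaky receiver in a few thousand queries without ever touching the key; against the sealed receiver the same attack code receives a uniform rejection for every forged IV and gives up. The design point, for the key-management section as much as for the sidebar, is that the MAC is verified before decryption runs, so every failure an attacker can provoke is rejected on the same path and carries no information about the padding.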
Securing communications with key management

Communications to and from system devices should be protected from interception and malicious alteration. Key management involves multi-party exchanges that can "leak" sensitive routing and transmission-timing information. Cryptographic firmware and software algorithms can work together to encrypt and secure data packets before they are sent and after they are received. Protecting communications can involve resistance to side-channel attacks, periodic rolling of channel keys, mitigation of padding and timing oracles, and control of transmission timing. Any or all of these may be necessary to provide security in a practical attack context.

CHALLENGES TO BUILDING SAFE AND SECURE SYSTEMS

The development of system security and of safety share some commonality of design approach. For example, blocking cyber threats and reducing potential malicious points of entry help a system remain both safe and secure. For commercial aviation, the FAA has approached security as it does flight-safety certification. DO-326 and DO-355 define the FAA's required security processes for assigning security hazard levels, analyzing security requirements, developing artifacts and running tests. However, these standards do not detail specific security steps or how to implement security technology. Instead, the scope of DO-326 and DO-355 closely reflects the definition of cybersecurity given earlier in this paper, leaving the trickier aspects of physical security, including the detect-and-react paradigm, unaddressed.

The challenges of coordinating safety and security stem from basic differences in the underlying problems they address. Security favors privacy and must address a continually evolving threat environment; therefore, many cyber strategies diligently monitor vulnerabilities and push a continuous stream of software patches into the field. Safety thrives on transparency and avoids both hardware and software changes to proven-safe systems, because changes can introduce unforeseen operational errors or additional failure modes, and they trigger a recertification process that is time-consuming and expensive.

TRUSTED PLATFORM MODULE

Trusted platform modules (TPMs) are specialized chips or microcontrollers with secure cryptographic capabilities defined by ISO/IEC 11889. A TPM's primary function is to support system integrity: it records a measurement of each stage of the boot process, so that a trusted combination of hardware and software can be established from the first boot stage and verified through to the point where the operating system has fully booted and applications are running.
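Measured boot as the TRUSTED PLATFORM MODULE sidebar describes it, as an added example that is not from the paper: each stage's image is hashed and folded into a platform configuration register (PCR) with the TPM extend operation, a verifier replays the event log and compares the result against a golden value, and the four scenarios in `demo()` show a clean boot, an implant in the bootloader, the same images loaded in a different order, and a tampered platform presenting a forged log. The boot-chain images, the attestation key and the nonce are constructed; the HMAC-based `quote()` is a stand-in for the signature a real TPM produces with an attestation key that never leaves the chip.

```python
import hashlib
import hmac

PCR_ZERO = bytes(32)  # SHA-256 PCR bank; PCRs reset to zero at power-on

# Constructed boot chain (stage name, image bytes). On a real platform these are
# the firmware, bootloader, kernel and root-filesystem images.
GOLDEN_CHAIN = [
    ("firmware", b"firmware image (constructed)"),
    ("bootloader", b"bootloader image (constructed)"),
    ("kernel", b"kernel image (constructed)"),
    ("rootfs", b"root filesystem image (constructed)"),
]

def extend(pcr, digest):
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || digest). Software can only
    ever extend a PCR, never set it, and the result depends on the order."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(chain):
    """Each stage hashes the next image into the PCR before handing control to it."""
    pcr, event_log = PCR_ZERO, []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        event_log.append((name, digest))
    return pcr, event_log

def replay(event_log):
    """Verifier recomputes the PCR from the event log alone."""
    pcr = PCR_ZERO
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def quote(attest_key, nonce, pcr):
    # Stand-in for a TPM quote. A real TPM signs nonce||PCR with an attestation
    # key that never leaves the chip; HMAC keeps this example offline.
    return hmac.new(attest_key, nonce + pcr, hashlib.sha256).digest()

def appraise(attest_key, nonce, reported_pcr, sig, event_log, expected_pcr):
    """Remote verifier: is the quote genuine, does the log explain the PCR,
    and is the PCR the golden value for this platform?"""
    if not hmac.compare_digest(quote(attest_key, nonce, reported_pcr), sig):
        return "bad quote"
    if not hmac.compare_digest(replay(event_log), reported_pcr):
        return "log does not match pcr"
    if not hmac.compare_digest(reported_pcr, expected_pcr):
        return "unexpected boot chain"
    return "trusted"

def demo():
    attest_key, nonce = b"A" * 32, b"fresh-nonce-0001"  # constructed
    golden_pcr, golden_log = measured_boot(GOLDEN_CHAIN)

    def run(chain, presented_log=None):
        pcr, log = measured_boot(chain)
        sig = quote(attest_key, nonce, pcr)
        return appraise(attest_key, nonce, pcr, sig, presented_log or log, golden_pcr)

    tampered = [(n, img + b"!" if n == "bootloader" else img) for n, img in GOLDEN_CHAIN]
    reordered = [GOLDEN_CHAIN[1], GOLDEN_CHAIN[0]] + GOLDEN_CHAIN[2:]
    return {
        "golden": run(GOLDEN_CHAIN),              # unmodified platform
        "implant": run(tampered),                 # one byte changed in the bootloader
        "reordered": run(reordered),              # same images, different order
        "forged_log": run(tampered, golden_log),  # tampered platform, golden log presented
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>10}: {verdict}")
```

The implant and the reordering both land on "unexpected boot chain" because extend is one-way and order-sensitive, and the forged log is caught because a replay of the presented log no longer reproduces the quoted PCR. What the TPM adds over a plain hash chain is that the PCR lives in hardware and can only be extended, so a compromised stage cannot rewrite the record of what booted before it.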
