45.3 · OS · May 20
Where Linux Breaks Under Radiation: A Cross-Architecture Kernel-Level Characterization of Proton-Induced Failures in COTS SoCs
Saad Memon, Rafal Graczyk, Tomasz Rajkowski et al.
Linux is increasingly deployed in Low Earth Orbit on commercial off-the-shelf (COTS) systems-on-chip that were not designed for space radiation. Ionizing particles can trigger single event functional interrupts (SEFIs) that crash the kernel without warning. Prior work mainly measured board-level cross sections, leaving unclear which Linux subsystems fail and how a single upset propagates into an operating-system-wide failure across architectures, stress conditions, and irradiation conditions. We address this gap by subjecting three Linux platforms to proton irradiation in the 20 to 58 MeV range: a Raspberry Pi Zero 2 W with a 40 nm planar ARM Cortex-A53, an NXP i.MX 8M Plus with a 14 nm FinFET ARM Cortex-A53, and an OrangeCrab ECP5 FPGA hosting a VexRiscv RV32I soft core at 40 nm. Through kernel log forensics, we trace all 133 observed Linux failures, most of which have not been previously reported, to their originating kernel handlers. Failure profiles differ sharply across nodes. On the two 40 nm platforms, memory management and driver handlers account for 67 to 78% of events, while on the 14 nm SoC approximately 90% of failures funnel through a single eMMC storage path, comprising 56% filesystem failures and 34% driver failures. This shows that a SEFI-susceptible peripheral can strongly dictate system reliability. The 14 nm SoC also shows a roughly order-of-magnitude lower Linux SEFI cross section, although irradiation geometry and DRAM exposure differences preclude isolating the contribution of process scaling. Reconstructed propagation chains show that faults can cascade through up to six kernel subsystems before terminal failure in severe events. Rather than motivating blanket redundancy, these results identify the kernel subsystem boundaries where radiation-induced faults originate, enabling targeted mitigations for hardening COTS Linux systems for orbit.
CR · Oct 12, 2021
Sanctuary lost: a cyber-physical warfare in space
Rafal Graczyk, Paulo Esteves-Verissimo, Marcus Voelp
Over the last decades, space has grown from a purely scientific struggle, fueled by the desire to demonstrate the superiority of one regime over the other, to an anchor point of the economies of essentially all developed countries. Many businesses depend crucially on satellite communication or data acquisition, not only for defense purposes, but increasingly also for day-to-day applications. However, although so far spacefaring nations have refrained from extending their Earth-bound conflicts into space, this critical infrastructure is not as invulnerable as common knowledge suggests. In this paper, we analyze the threats space vehicles are exposed to and what must change to mitigate them. In particular, we focus on cyber threats, which may well be mounted by small countries and terrorist organizations, whose incentives do not necessarily include sustainability of the space domain and who may not be susceptible to the threat of mutual retaliation on the ground. We survey incidents, highlight threats and raise awareness from general preparedness for accidental faults, which is already widespread within the space community, to preparedness for and tolerance of both accidental and malicious faults (such as targeted attacks by cyber terrorists and nation-state hackers).
CR · Jan 29, 2021
EphemeriShield -- defence against cyber-antisatellite weapons
Rafal Graczyk, Marcus Voelp, Paulo Esteves-Verissimo
Satellites are both crucial and, despite common misbelief, very fragile parts of our civilian and military critical infrastructure. While many efforts are focused on securing ground and space segments, especially when national security or large business interests are affected, the small-sat, NewSpace revolution democratizes access to, and exploitation of, near-Earth orbits. This brings new players to the market, typically in the form of small to medium-sized companies offering new or more affordable services. Despite the necessity and inevitability of this process, it also opens potential new venues for targeted attacks against space-related infrastructure. Since sources of satellite ephemerides are very often centralized, they are subject to classical Man-in-the-Middle attacks, which open venues for TLE spoofing attacks that may result in unnecessary collision avoidance maneuvers in the best case and orchestrated crashes in the worst case. In this work, we propose a countermeasure to the presented problem: a distributed solution with no central authority responsible for storing and disseminating TLE information. Instead, each of the peers participating in the system has full access to all of the records stored in the system, and the data is distributed in a consensual manner, ensuring information replication at each peer node. This way, the single-point-of-failure syndromes of classic systems, which currently exist due to the direct ephemerides distribution mechanism, are removed. Our proposed solution is to build data dissemination systems using permissioned, private ledgers where peers have strong and verifiable identities, which also allows for redundancy in SST data sourcing.
DC · May 9, 2020
PriLok: Citizen-protecting distributed epidemic tracing
Paulo Esteves-Verissimo, Jérémie Decouchant, Marcus Völp et al.
Contact tracing is an important instrument for national health services to fight epidemics. As part of the COVID-19 situation, many proposals have been made for scaling up contact tracing capacities with the help of smartphone applications, an important but highly critical endeavor due to the privacy risks involved in such solutions. Extending our previously expressed concern, we clearly articulate in this article the functional and non-functional requirements that any solution has to meet when striving to serve not mere collections of individuals, but the whole of a nation, as required in the face of such potentially dangerous epidemics. We present a critical information infrastructure, PriLok, a fully open preliminary architecture proposal and design draft for privacy-preserving contact tracing, which we believe can be constructed in a way that fulfills the former requirements. Our architecture leverages the existing regulated mobile communication infrastructure and builds upon the concept of "checks and balances", requiring a majority of independent players to agree to effect any operation on it, thus preventing abuse of the highly sensitive information that must be collected and processed for efficient contact tracing. This is enforced with a largely decentralised layout and highly resilient state-of-the-art technology, which we explain in the paper, finishing by giving a security, dependability and resilience analysis showing how it meets the defined requirements, even while the infrastructure is under attack.