Printer-friendly version

Browse the glossary using this index

Special | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | ALL

Page:  1  2  (Next)
  ALL

C

Picture of Yee Wei Law

CCSDS File Delivery Protocol

by Yee Wei Law - Sunday, 21 May 2023, 3:44 PM
 

The CCSDS File Delivery Protocol (CFDP) is standardised in

CFDP has existed for decades, and it is intended to enable packet delivery services in space (space-to-ground, ground-to-space, and space-to-space) environments [CCS20, Sec. 1.1].

CFDP defines 1️⃣ a protocol suitable for the transmission of files to and from spacecraft data storage, and 2️⃣ file management services to allow control over the storage medium [CCS20, Sec. 2.1].

CFDP assumes a virtual filestore and associated services that an implementation must map to the capabilities of the actual underlying filestore used [CCS20, Sec. 1.1].

File transfers can be either unrealiable (class 1) or reliable (class 2):

Class 1 [CCS20, Sec. 7.2]

All file segments are transferred without the possibility of retransmission.

End of file (EOF) is not acknowledged by the receiver.

When the flag Closure Requested is set, the receiver is required to send a Finished PDU upon receiving all file segments (or when the request is cancelled), but the sender does not need to acknowledge the Finished PDU.

The Closure Requested flag is useful when the underlying communication protocol is reliable.

Class 2 [CCS20, Sec. 7.3]

The receiver is required to acknowledge the EOF PDU and the sender has to acknowledge the Finished PDU.

Sending a PDU that requires acknowledgment triggers a timer.

When the timer expires and if the acknowledgment has not been received, the relevant file segment PDU is resent.

This repeats until the ACK Timer Expiration Counter [CCS21b, Sec. 4.4] reaches a predefined maximum value.

Finally, if the counter has reached its maximum value and the acknowledgment has still not been received, a fault condition is triggered which may cause the transfer to be abandoned, canceled or suspended.

The receiver can also indicate missing metadata or data by sending NAK PDUs.

Fig. 2 shows a sample class-2 Copy File transaction between two entities.

Fig. 2: A sample Copy File transaction where an NAK is sent once the (N+1)th File Data PDU is found missing [CCS20, Sec. 3.3]. Additionally, the source user replies with an ACK PDU upon receiving a Finished PDU from the destination user.

Fig. 3 summarises 1️⃣the operation primitives and PDUs in CFDP, as well as 2️⃣ the relationships of these primitives and PDUs to the operational process from initiation through termination.

Fig. 3: An operations view of CFDP: a summary of CFDP operation primitives, PDUs and their relationships to the operational process [CCS21b, Figure 2-1].

Watch an introduction to the CFDP on YouTube:

There are several open-source implementations of CFDP, e.g.,

References

[CCS20] CCSDS, CCSDS File Delivery Protocol (CFDP), Recommended Standard CCSDS 727.0-B-5, The Consultative Committee for Space Data Systems, July 2020. Available at https://public.ccsds.org/Pubs/727x0b5.pdf.
[CCS21a] CCSDS, CCSDS File Delivery Protocol (CFDP) — Part 1: Introduction and Overview, Informational Report CCSDS 720.1-G-4, The Consultative Committee for Space Data Systems, May 2021. Available at https://public.ccsds.org/Pubs/720x1g4.pdf.
[CCS21b] CCSDS, CCSDS File Delivery Protocol (CFDP) — Part 2: Implementers Guide, Informational Report CCSDS 720.2-G-4, The Consultative Committee for Space Data Systems, May 2021. Available at https://public.ccsds.org/Pubs/720x2g4.pdf.
Picture of Yee Wei Law

CCSDS optical communications physical layer

by Yee Wei Law - Saturday, 19 August 2023, 8:10 PM
 
Coming soon.

References

[] .
Picture of Yee Wei Law

CCSDS publications naming convention

by Yee Wei Law - Wednesday, 11 January 2023, 2:51 PM
 

Publications from the Consultative Committee for Space Data Systems (CCSDS) can be found here.

Each publication has an identifier of the form MMM.MM-A-N, where

  • The alphabet A is “B” for blue book (recommended standard), “M” for magenta book (recommended practice), and “G” for green book (informational report).
  • The suffix N is the issue number.
Picture of Yee Wei Law

CCSDS RF communications physical layer

by Yee Wei Law - Friday, 8 March 2024, 3:20 PM
 

The International Telecommunication Union (ITU) has defined a series of regulations or recommendations for space research, space operations and Earth exploration-satellite services [ITU20, Recommendation ITU-R SA.1154-0], but CCSDS has tweaked these recommendations for their purposes [CCS21, Sec. 1.5].

CCSDS has defined two mission categories [CCS21, Sec. 1.5]:

  • Category A for missions having an altitude above the Earth of < 2 million km.
  • Category B for missions having an altitude above the Earth of ≥ 2 million km.

Orthogonal to the preceding classification, CCSDS has also divided their recommendations into these six categories [CCS21, Sec. 2]:

  1. earth-to-space RF
  2. telecommand
  3. space-to-earth RF

  4. telemetry

    Here, “telemetry” encompasses spacecraft housekeeping data and mission data (e.g., video) transmitted from the spacecraft directly to an Earth station or via another spacecraft (space-to-space return link).
  5. radio metric
  6. spacecraft

For example, the recommendations for telemetry RF comm are summarised in Table 1.

Table 1: Telemetry recommendation summary [CCS13a, p. 2.0-5], where NRZ = non-return-to-zero, PCM = pulse code modulation, QPSK = quadrature phase-shift keying,  OQPSK = offset quadrature phase-shift keying, BPSK = binary phase-shift keying, GMSK = Gaussian minimum shift keying, APSK = amplitude and phase-shift keying.

Note:

  • For Category-A missions [CCS21, Sec. 2.4.12A], filtered OQPSK and GMSK modulations are recommended for high-rate telemetry in 1️⃣ the 2-GHz and 8-GHz Space Research bands, 2️⃣ the 8-GHz Earth Exploration-Satellite band, and 3️⃣ the 26-GHz Space Research band.

    Filtered 8PSK modulation is also recommended for the 8-GHz Earth Exploration-Satellite band.

    2 GHz, 8 GHz and 26 GHz are part of the L/S, X and Ka bands respectively.

    This knowledge base entry discusses usage of different frequency bands.

  • For Category-B missions [CCS21, Sec. 2.4.12B], GMSK is recommended for high-rate telemetry in the 2-GHz, 8-GHz and 32-GHz bands.

  • The 25.5–27.0 GHz band (part of K band) is already being used for high-rate transmission in many missions, and usage is expected to rise [CCS21, Sec. 2.4.23].

  • The 32-GHz band (part of Ka band) is planned to become the backbone for communications with high-rate Category-B missions [CCS21, Sec. 2.4.20B].

The Proximity-1 physical layer is separate from all the above.

References

[CCS13a] CCSDS, Proximity-1 Space Link Protocol—Physical Layer, Recommended Standard CCSDS 211.1-B-4, The Consultative Committee for Space Data Systems, December 2013. Available at https://public.ccsds.org/Pubs/211x1b4e1.pdf.
[CCS21] CCSDS, Radio Frequency and Modulation Systems—Part 1 Earth Stations and Spacecraft, Recommended Standard CCSDS 401.0-B-32, The Consultative Committee for Space Data Systems, October 2021. Available at https://public.ccsds.org/Pubs/401x0b32.pdf.
[ITU20] ITU, Radio regulations, 2020. Available at https://www.itu.int/hub/publication/r-reg-rr-2020/.
[McC09] D. McClure, Overview of satellite communications, slides, 2009. Available at https://olli.gmu.edu/docstore/800docs/0909-803-Satcom-course.pdf.
Picture of Yee Wei Law

Complexity theory

by Yee Wei Law - Sunday, 14 July 2024, 2:05 PM
 

The attachment covers the following topics:

  • Complexity and asymptotic notation.
  • Complexity classes.
PDF document l_complex.pdf
Picture of Yee Wei Law

Cryptography: introductory overview

by Yee Wei Law - Thursday, 27 June 2024, 8:28 PM
 
See 👇 attachment or the latest source on Overleaf.
PDF document l_crypto.pdf
Tags:
Picture of Yee Wei Law

CWE-1037

by Yee Wei Law - Wednesday, 29 March 2023, 10:37 AM
 

This is a student-friendly explanation of the hardware weakness CWE-1037 “Processor Optimization Removal or Modification of Security-critical Code”, which is susceptible to

  • CAPEC-663 “Exploitation of Transient Instruction Execution”

While increasingly many security mechanisms have been baked into software, the processors themselves are optimising the execution of the programs such that these mechanisms become ineffective.

Example 1

The most high-profile exploits are known as Meltdown and Spectre (🖱 click links for details).

🛡 General mitigation

Software fixes exist but are partial as the use of speculative execution remains a favourable way of increasing processor performance.

Fortunately, the likelihood of successful exploitation is considered to be low.

References

[KHF+20] P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, Spectre attacks: Exploiting speculative execution, Commun. ACM 63 no. 7 (2020), 93 – 101. https://doi.org/10.1145/3399742.
Picture of Yee Wei Law

CWE-1189

by Yee Wei Law - Wednesday, 29 March 2023, 9:56 AM
 

This is a student-friendly explanation of the hardware weakness CWE-1189 “Improper Isolation of Shared Resources on System-on-a-Chip (SoC)”, which is susceptible to

  • CAPEC-124 “Shared Resource Manipulation”.

A system-on-a-chip (SoC) may have many functions but a limited number of pins or pads.

A pin can only perform one function at a time, but it can be configured to perform multiple functions; this technique is called pin multiplexing.

Similarly, multiple resources on the chip may be shared to multiplex and support different features or functions.

When such resources are shared between trusted and untrusted agents, untrusted agents may be able to access assets authorised only for trusted agents.

Consider the generic SoC architecture in Fig. 1 below:

Fig. 1: A generic SoC architecture. Diagram from MITRE.

The SRAM in the hardware root of trust (HRoT) is mapped to the core{0-N} address space accessible by the untrusted part of the system.

The HRoT interface (hrot_iface in Fig. 1) mediates access to private memory ranges, allowing the SRAM to function as a mailbox for communication between the trusted and untrusted partitions.

  • Assuming a malware resides in the untrusted partition, and has access to the core{0-N} memory map.
  • The malware can read from and write to the mailbox region of the SRAM access-controlled by hrot_iface.
  • Security prohibits information from entering or exiting the mailbox region of the SRAM through hrot_iface when the system is in secure or privileged mode.
Example 1

An example of CWE-1189 in the real world is CVE-2020-8698 with the description: “Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access”.

  • A list of the affected Intel processors is available here.
  • Industrial PCs and CNC devices using the affected Intel processors were naturally affected, e.g., some industrial controllers made by Siemens, which fortunately could be patched by updating the BIOS.
🛡 General mitigation

Untrusted agents should not share resources with trusted agents, so when sharing resources, avoid mixing agents of varying trust levels.

Picture of Yee Wei Law

CWE-1191

by Yee Wei Law - Wednesday, 29 March 2023, 9:57 AM
 

This is a student-friendly explanation of the hardware weakness CWE-1191 “On-Chip Debug and Test Interface With Improper Access Control”, which is susceptible to

  • CAPEC-1 “Accessing Functionality Not Properly Constrained by ACLs” and
  • CAPEC-180 “Exploiting Incorrectly Configured Access Control Security Levels”.

The internal information of a device may be accessed through a scan chain of interconnected internal registers, typically through a Joint Test Action Group (JTAG) interface.

  • The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on the device.
  • Since almost all information contained within a device may be accessed over this interface, device manufacturers typically implement some form of access control — debug authorisation being the simplest form — in addition to on-chip protections, to prevent unintended use of this sensitive information.
  • If access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface.

The JTAG interface is so important in the area of hardware security that you should make sure you read the knowledge base entry carefully.

Sometimes, designers choose not to expose the debug pins on the motherboard.

  • Instead, they choose to hide these pins in the intermediate layers of the board, to work around the lack of debug authorisation inside the chip.
  • In this scenario (without debug authorisation), when the debug interface is exposed, chip internals become accessible to an attacker.
Example 1

Barco’s ClickShare family of products is designed to provide end users with wireless presenting capabilities, eliminating the need for wired connections such as HDMI [Wit19].

ClickShare Button R9861500D01 devices, before firmware version 1.9.0, were vulnerable to CVE-2019-18827.

  • These devices were equipped with an i.MX28 System-on-Chip (SoC), which in turn was equipped with a JTAG interface for debugging [Wit19].

  • JTAG access protection could be enabled by setting the JTAG_SHIELD bit in the HW_DIGCTRL_CTRL register, which had to be done by an user application, and on system reset, JTAG access became enabled.

  • One way of exploiting this was booting the SoC in the “wait for JTAG” boot mode, where the ROM code entered an infinite loop that could only be broken by manipulating certain registers via JTAG.
  • Therefore on these devices, although JTAG access was disabled after ROM code execution, JTAG access was possible when the system was running code from ROM before handing control over to embedded firmware.
🛡 General mitigation

Disable the JTAG interface or implement access control (at least debug authorisation).

Authentication logic, if implemented, should resist timing attacks.

Security-sensitive data stored in registers, such as keys, should be cleared when entering debug mode.

References

[Wit19] WithSecure Labs, Multiple Vulnerabilities in Barco ClickShare, advisory, 2019. Available at https://labs.withsecure.com/advisories/multiple-vulnerabilities-in-barco-clickshare.
Picture of Yee Wei Law

CWE-125

by Yee Wei Law - Tuesday, 2 May 2023, 5:25 PM
 

This is a student-friendly explanation of the software weakness CWE-125 “Out-of-bounds Read”, where the vulnerable entity reads data past the end, or before the beginning, of the intended buffer. This weakness is susceptible to

This and CWE-787 are two sides of the same coin.

Typically, this weakness allows an attacker to read sensitive information from unexpected memory locations or cause a crash.

Example 1

A high-profile vulnerability is CVE-2014-0160, infamously known as the Heartbleed bug.

Watch an accessible explanation given by Computerphile:

🛡 General mitigation
  • Use a safe programming language that provides appropriate memory abstractions.

  • Assume all inputs are malicious. Where possible, apply the “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications; and reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.

    Example of business-rule logic: “John” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue”.

  • Ensure correct calculation of variables related to length, size, dimension, offset, etc. Be especially cautious of relying on a “sentinel” (e.g., NUL or any other special character) in untrusted inputs.

References

[] .

Page:  1  2  (Next)
  ALL