References of "Graczyk, Rafal 50035495"
     in
Bookmark and Share    
Full Text
See detailConsensual Resilient Control: (Don’t let the hackers spill your coffee) - Demo Poster
Matovic, Aleksandar UL; Graczyk, Rafal UL; Lucchetti, Federico UL et al

Poster (2023, July 13)

Detailed reference viewed: 31 (3 UL)
Full Text
See detailCritiX Space Safety and Security Lab: a path towards trustworthy space systems
Graczyk, Rafal UL

Speeches/Talks (2023)

Space systems security is an emerging discipline in cyberphysical systems security domain. The research conducted in the field has to be done using realistic assumptions and pieces of equipment that take ... [more ▼]

Space systems security is an emerging discipline in cyberphysical systems security domain. The research conducted in the field has to be done using realistic assumptions and pieces of equipment that take into account multi-disciplinary character of space systems. In CritiX, we've built the Space Systems Safety and Security lab to facilitate the research on space systems and to support the education of future generation of space systems security specialists. [less ▲]

Detailed reference viewed: 78 (2 UL)
Full Text
Peer Reviewed
See detailToward resilient autonomous driving—An experience report on integrating resilience mechanisms into the Apollo autonomous driving software stack
Lucchetti, Federico UL; Graczyk, Rafal UL; Volp, Marcus UL

in Frontiers in Computer Science (2023), 5

Detailed reference viewed: 34 (0 UL)
Full Text
Peer Reviewed
See detailSecurity Modeling and Analysis of Moving Target Defense in Software Defined Networks
Rodrigues de Mendonça Neto, Júlio UL; Kim, Minjune; Graczyk, Rafal UL et al

in Security Modeling and Analysis of Moving Target Defense in Software Defined Networks (2022, November 28)

The use of traditional defense mechanisms or intrusion detection systems presents a disadvantage for defenders against attackers since these mechanisms are essentially reactive. Moving target defense (MTD ... [more ▼]

The use of traditional defense mechanisms or intrusion detection systems presents a disadvantage for defenders against attackers since these mechanisms are essentially reactive. Moving target defense (MTD) has emerged as a proactive defense mechanism to reduce this disadvantage by randomly and continuously changing the attack surface of a system to confuse attackers. Although significant progress has been made recently in analyzing the security effectiveness of MTD mechanisms, critical gaps still exist, especially in maximizing security levels and estimating network reconfiguration speed for given attack power. In this paper, we propose a set of Petri Net models and use them to perform a comprehensive evaluation regarding key security metrics of Software-Defined Network (SDNs) based systems adopting a time-based MTD mechanism. We evaluate two use-case scenarios considering two different types of attacks to demonstrate the feasibility and applicability of our models. Our analyses showed that a time-based MTD mechanism could reduce the attackers’ speed by at least 78% compared to a system without MTD. Also, in the best-case scenario, it can reduce the attack success probability by about ten times. [less ▲]

Detailed reference viewed: 115 (14 UL)
Full Text
Peer Reviewed
See detailMethods for increasing the dependability of High-performance, Many-core, System-on-Chips
Graczyk, Rafal UL; Memon, Md Saad UL; Volp, Marcus UL

in Graczyk, Rafal; Memon, Md Saad; Volp, Marcus (Eds.) IAC 2022 congress proceedings, 73rd International Astronautical Congress (IAC) (2022, September 21)

Future space exploration and exploitation missions will require significantly increased autonomy of operation for mission planning, decision-making, and adaptive control techniques. Spacecrafts will ... [more ▼]

Future space exploration and exploitation missions will require significantly increased autonomy of operation for mission planning, decision-making, and adaptive control techniques. Spacecrafts will integrate new processing and compression algorithms that are often augmented with machine learning and artificial intelligence capabilities. This functionality will have to be provided with high levels of robustness, reliability, and dependability for conducting missions successfully. High-reliability requirements for space-grade processors have led to trade-offs in terms of costs, energy efficiency, and performance to obtain robustness. However, while high-performance / low-robustness configurations are acceptable in the Earth's vicinity, where assets remain protected by the planet's magnetosphere, they cease to work in more demanding environments, like cis-lunar or deep space, where high-energy particles will affect modern components heavily, causing temporary or permanent damage and ultimately system failures. The above has led to a situation where state-of-the-art processing elements (processors, co-processors, memories, special purpose accelerators, and field-programmable-gate arrays (FPGAs), all possibly integrated into System-on-a-Chip (SoC) designs) are superior to their high reliability, space-qualified counterparts in terms of processing power or energy efficiency. For example, from modern, state-of-the-art (SOTA) devices, one can expect a 2-3 order-of-magnitude performance per Watts improvement over space-grade equipment. Likewise, one finds a gap of approximately nine technology nodes between devices, which translates into a factor 25 decrease in operations per Watts. In this paper, we demonstrate how to utilize part of this enormous performance advantage to increase the robustness and resilience of otherwise susceptible semiconductor devices while harnessing the remaining processing power to build affordable space systems capable of hosting the compute-intensive functionality that future space missions require. We are bridging this performance-reliability gap by researching the enabling building blocks for constructing reliable and secure, space-ready Systems-on-a-Chip from SOTA processing elements. [less ▲]

Detailed reference viewed: 137 (43 UL)
Full Text
Peer Reviewed
See detailFrom Graphs to the Science Computer of a Space Telescope. The power of Petri Nets in Systems Engineering
Graczyk, Rafal UL; Bujwan, Waldemar; Darmetko, Marcin et al

in Graczyk, Rafal; Bujwan, Waldemar; Darmetko, Marcin (Eds.) et al From Graphs to the Science Computer of a Space Telescope. The power of Petri Nets in Systems Engineering (2022, June 23)

Space system engineering has to follow a rigorous design process to manage performance/risk trade-offs at each development stage and possibly across several functional and organizational domains. The ... [more ▼]

Space system engineering has to follow a rigorous design process to manage performance/risk trade-offs at each development stage and possibly across several functional and organizational domains. The process is further complicated by the co-development of multiple solutions, each contributing differently to the goal and with different tradeoffs. Moreover, the design process is iterative, involving both changing requirements and specifications along the different ways that lead to the set goal of the mission. The above requires rigorous modeling that, in addition, must be easily extendible and maintainable across organizational units. On the example of the PROBA-3 science computer (instrument control unit, CCB DPU), we show how Petri Nets can serve as such a simple-to-maintain, holistic model, combining finite-state characterizations with dynamic system behavior caused by hardware-software interactions, to express the component-state dependent end-to-end performance characteristics of the system. The paper elaborates on how the proposed Petri-Net modeling scheme allows for system architecture optimization that result in safely reduced technical margins and in turn substantial savings in components costs. We show that performance metrics, obtained from simulation, correlate well with the real performance characteristics of the flight model of PROBA-3's science computer. [less ▲]

Detailed reference viewed: 80 (6 UL)
Full Text
Peer Reviewed
See detailConsent To Shoot – Rethinking The Anti-satellite Weapon Versus Space Debris Dilemma
Graczyk, Rafal UL; Rodrigues de Mendonça Neto, Júlio UL; Volp, Marcus UL

Scientific Conference (2022, March 02)

Space debris, whether caused by anti-satellite weapons or from collisions with defunct vehicles, has become a serious threat to the safe and sustainable use of space. Technologies have been proposed to ... [more ▼]

Space debris, whether caused by anti-satellite weapons or from collisions with defunct vehicles, has become a serious threat to the safe and sustainable use of space. Technologies have been proposed to mitigate this problem by actively removing debris (ADR) by capturing and de-orbiting the targets (e.g., rendezvous operations, tethers, or harpoons) or by indirectly affecting the target’s orbit (e.g., using lasers). However, rather sooner than later, deploying ADR technologies against healthy satellites turns the tools for making space safer into anti-satellite weapons, capable of crippling other nations’ infrastructure. In an attempt to resolve the tool-versus-weapon dilemma, we discuss in this paper technical solutions that involve a paradigm shift in the Concept of Operations, but that also have the potential to avoid political implications and many concerns that currently prevent us from solving the space-debris problem. The solutions we advocate require consensus between involved stakeholders for all critical operations of an ADR system. We show it is technologically possible and, in fact, already well understood how to enforce that such operations can only be performed consensually. We sketch a distributed infrastructure, capable of supporting such operations among all stakeholders, enforcing agreement in international cooperation about where and for how long an ADR system gets activated, what targets it follows and where safety zones and objects are. In this way, stakeholders have to validate every piece of information to remove single points of failures, but more importantly to put the required mutual trust on solid and technologically enforced foundations. [less ▲]

Detailed reference viewed: 71 (9 UL)
Full Text
Peer Reviewed
See detailTo verify or tolerate, that’s the question
Pinto Gouveia, Ines UL; Sakr, Mouhammad UL; Graczyk, Rafal UL et al

Scientific Conference (2021, December 06)

Formal verification carries the promise of absolute correctness, guaranteed at the highest level of assurance known today. However, inherent to many verification attempts is the assumption that the ... [more ▼]

Formal verification carries the promise of absolute correctness, guaranteed at the highest level of assurance known today. However, inherent to many verification attempts is the assumption that the underlying hardware, the code-generation toolchain and the verification tools are correct, all of the time. While this assumption creates interesting recursive verification challenges, which already have been executed successfully for all three of these elements, the coverage of this assumption remains incomplete, in particular for hardware. Accidental faults, such as single-event upsets, transistor aging and latchups keep causing hardware to behave arbitrarily in situations where such events occur and require other means (e.g., tolerance) to safely operate through them. Targeted attacks, especially physical ones, have a similar potential to cause havoc. Moreover, faults of the above kind may well manifest in such a way that their effects extend to all software layers, causing incorrect behavior, even in proven correct ones. In this position paper, we take a holistic system-architectural point of view on the role of trusted-execution environments (TEEs), their implementation complexity and the guarantees they can convey and that we want to be preserved in the presence of faults. We find that if absolute correctness should remain our visionary goal, TEEs can and should be constructed differently with tolerance embedded at the lowest levels and with verification playing an essential role. Verification should both assure the correctness of the TEE construction protocols and mechanisms as well as help protecting the applications executing inside the TEEs. [less ▲]

Detailed reference viewed: 87 (3 UL)
Full Text
Peer Reviewed
See detailEphemeriShield - Defence Against Cyber-Antisatellite Weapons
Graczyk, Rafal UL; Volp, Marcus UL

Scientific Conference (2021, October 14)

Mitigating the risks associated with space system operations, especially in Low Earth Orbit, requires a holistic approach, which addresses, in particular, cybersecurity challenges, in addition to meeting ... [more ▼]

Mitigating the risks associated with space system operations, especially in Low Earth Orbit, requires a holistic approach, which addresses, in particular, cybersecurity challenges, in addition to meeting the data acquisition requirements the mission needs. Space traffic management systems form no exception to this rule, but are further constrained by backward compatibility requirements that sometimes are based on decades old foundations. As a result, some space situational awareness systems continue to operate with object catalogues and data dissemination architectures that are prone to failures, not to mention adversarial actions. Proof-of-Concept papers, demonstrating this vulnerability in example attacks on space object ephemerides distribution channels have already been published and show the urgency in rethinking the way we build such high-critical infrastructure. Leveraging recent developments of distributed systems theory and concepts from multi-party consensus in limited-trust environments and in the presence of malicious actors, we designed a more secure system for orbital object ephemerides distribution, ultimately targeting at increasing the safety of satellite operations. This paper presents EphemeriShield, a distributed ephemerides storage and distribution system, aiming at maintaining safety and security guarantees in presence of active attacker or unfortunate fault. Using our EphemeriShield prototype setup, we were able to prove its ability to mask attacks and local faults that otherwise would lead to unnecessary maneuvers. Wide adoption of EphemeriShield may help satellite system operations to become safer and less vulnerable to intentionally adversarial activities, which improves the overall sustainability of space. [less ▲]

Detailed reference viewed: 79 (15 UL)
Full Text
Peer Reviewed
See detailThreat Adaptive Byzantine Fault Tolerant State-Machine Replication
Simoes Silva, Douglas UL; Graczyk, Rafal UL; Decouchant, Jérémie et al

Scientific Conference (2021, September)

Critical infrastructures have to withstand advanced and persistent threats, which can be addressed using Byzantine fault tolerant state-machine replication (BFT-SMR). In practice, unattended cyberdefense ... [more ▼]

Critical infrastructures have to withstand advanced and persistent threats, which can be addressed using Byzantine fault tolerant state-machine replication (BFT-SMR). In practice, unattended cyberdefense systems rely on threat level detectors that synchronously inform them of changing threat levels. How- ever, to have a BFT-SMR protocol operate unattended, the state- of-the-art is still to configure them to withstand the highest possible number of faulty replicas f they might encounter, which limits their performance, or to make the strong assumption that a trusted external reconfiguration service is available, which introduces a single point of failure. In this work, we present ThreatAdaptive the first BFT-SMR protocol that is automatically strengthened or optimized by its replicas in reaction to threat level changes. We first determine under which conditions replicas can safely reconfigure a BFT-SMR system, i.e., adapt the number of replicas n and the fault threshold f, so as to outpace an adversary. Since replicas typically communicate with each other using an asynchronous network they cannot rely on consensus to decide how the system should be reconfigured. ThreatAdaptive avoids this pitfall by proactively preparing the reconfiguration that may be triggered by an increasing threat when it optimizes its performance. Our evaluation shows that ThreatAdaptive can meet the latency and throughput of BFT baselines configured statically for a particular level of threat, and adapt 30% faster than previous methods, which make stronger assumptions to provide safety. [less ▲]

Detailed reference viewed: 281 (41 UL)
Full Text
Peer Reviewed
See detailBridging the space systems performance-reliability gap for future deep space resources exploration and exploitation.
Pinto Gouveia, Ines UL; Graczyk, Rafal UL; Volp, Marcus UL

Poster (2021, April)

In building equipment for space exploitation, one has to trade system robustness for the high processing capabilities and low energy consumption. The high performance, low robustness approach, is ... [more ▼]

In building equipment for space exploitation, one has to trade system robustness for the high processing capabilities and low energy consumption. The high performance, low robustness approach, is acceptable, especially in Earths’ vicinity. However, in more demanding (especially high-radiation) environments, attempts had disappointing outcomes. The processing-reliability gap, between highly reliable and highly performant systems, spans 2-3 orders of magnitude. This gap brings hope, that some of this excess processing power can be utilized, in building a combination of hardware and software mechanisms that is capable of increasing robustness and resilience of otherwise susceptible semiconductor devices, while allowing to harness the remaining processing power to build affordable space systems with large degrees of autonomy, rich functionality and high bandwidth. At the CritiX research group, we aim to bridge this performance-reliability gap, by researching the enabling building blocks for constructing more reliable and more secure System-on-Chips. [less ▲]

Detailed reference viewed: 91 (16 UL)
Full Text
See detailPriLok:Citizen-protecting distributed epidemic tracing
Esteves-Verissimo, Paulo UL; Decouchant, Jérémie UL; Volp, Marcus UL et al

E-print/Working paper (2020)

Contact tracing is an important instrument for national health services to fight epidemics. As part of the COVID-19 situation, many proposals have been made for scaling up contract tracing capacities with ... [more ▼]

Contact tracing is an important instrument for national health services to fight epidemics. As part of the COVID-19 situation, many proposals have been made for scaling up contract tracing capacities with the help of smartphone applications, an important but highly critical endeavor due to the privacy risks involved in such solutions. Extending our previously expressed concern, we clearly articulate in this article, the functional and non-functional requirements that any solution has to meet, when striving to serve, not mere collections of individuals, but the whole of a nation, as required in face of such potentially dangerous epidemics. We present a critical information infrastructure, PriLock, a fully-open preliminary architecture proposal and design draft for privacy preserving contact tracing, which we believe can be constructed in a way to fulfill the former requirements. Our architecture leverages the existing regulated mobile communication infrastructure and builds upon the concept of "checks and balances", requiring a majority of independent players to agree to effect any operation on it, thus preventing abuse of the highly sensitive information that must be collected and processed for efficient contact tracing. This is enforced with a largely decentralised layout and highly resilient state-of-the-art technology, which we explain in the paper, finishing by giving a security, dependability and resilience analysis, showing how it meets the defined requirements, even while the infrastructure is under attack. [less ▲]

Detailed reference viewed: 96 (5 UL)