Researchers break the security guarantees of TTE networks used in spacecraft

People look inside a simulator of the Orion spacecraft, which is used to train to dock with the Gateway space station, at the Johnson Space Center's Systems Engineering Simulator facility in Houston.


NASA’s scheduled Wednesday launch of the Artemis I mission will be the first integrated test of the agency’s SLS rocket and Orion spacecraft, which have been in development for 16 years and are expected to mark the beginning of a new era of space exploration. The uncrewed mission will also be only the second time a networking standard known as time-triggered Ethernet has been taken into space, the first being Orion’s orbital test flight in 2014.

Time-triggered Ethernet (TTE) is an example of a mixed-criticality network, one that can route traffic with different timing and fault-tolerance requirements over the same set of hardware. Until now, spacecraft have typically relied on one network to carry safety-critical or mission-critical messages and one or more fully segregated networks to carry video conferencing and other less-critical traffic.

Illustration of how time-triggered Ethernet works.


The engineers built a better mousetrap. The mice defeated it anyway.

Orion is the first spacecraft to rely on a TTE network to route mixed-criticality traffic, whether, NASA says, it is for vital systems like navigation and life support, for file transfers whose delivery is critical but whose timing is not, or for non-critical tasks like crew video conferencing. TTE, which will also be used on NASA’s Lunar Gateway space station and ESA’s Ariane 6 launcher, is crucial to reducing the size, weight, cost and power requirements of modern spacecraft.

Example of TTE data flow in a spacecraft.


Safety-critical systems, such as engine control and steering, often work only when network messages are sent and received at intervals as small as 40 to 50 milliseconds. Delayed or missed messages can be catastrophic. The other end of the criticality spectrum contains messages sent by scientific instruments, which often come in the form of commercial off-the-shelf devices and are provided by universities or outside researchers with minimal security review by NASA. Although it is 100 percent compatible with the Ethernet standard, TTE can also deliver messages that engineers normally reserve for special-purpose networks.

To prevent less important messages from interfering with critical ones, TTE provides two key features not available in regular Ethernet. They are:

  • A time-triggered paradigm in which all devices are tightly synchronized and send messages on a predetermined schedule. This can reduce latency to hundreds of microseconds and jitter to near zero.
  • Fault tolerance: TTE replicates the entire network on multiple planes and forwards messages across all planes at the same time. The TTE network on board the Gateway has three planes.
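The two properties above, a fixed schedule with a tight acceptance window and redundant delivery across planes, can be modelled in a few dozen lines. The block below is an added illustration written for this article; it is not NASA or TTTech code, and every number in it (the 500 µs slot period, the 50 µs acceptance window, the three-miss threshold for declaring sync loss) is an assumption chosen for the demonstration, not a value from the Orion or Gateway configuration. It shows why a receiver on a three-plane network still gets its message when one plane is late or silent, and how a simple monitor surfaces the failure mode the researchers describe: consecutive time-triggered messages falling outside their windows, which a flight-software health check would want to count and alarm on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SLOT_US = 500       # assumed schedule: TT message k is due at k * SLOT_US
WINDOW_US = 50      # assumed acceptance window (+/-) around the scheduled time
PLANES = 3          # the article states the Gateway network has three planes
MAX_MISSES = 3      # assumed: this many consecutive misses is treated as sync loss


@dataclass(frozen=True)
class Frame:
    msg_id: int
    plane: int
    arrival_us: int


@dataclass
class Monitor:
    delivered: Dict[int, int] = field(default_factory=dict)  # msg_id -> plane that delivered it
    dropped: int = 0
    sync_lost: bool = False
    consecutive_misses: int = 0


def scheduled_time(msg_id: int) -> int:
    """Time-triggered paradigm: every message has a predetermined slot."""
    return msg_id * SLOT_US


def accept_message(mon: Monitor, msg_id: int, frames: List[Frame]) -> bool:
    """Take the earliest copy of msg_id that lands inside its window, from any
    plane. Copies outside the window are discarded rather than delivered late,
    which is what keeps the schedule deterministic for the consumer."""
    due = scheduled_time(msg_id)
    for f in sorted(frames, key=lambda f: f.arrival_us):
        if f.msg_id == msg_id and abs(f.arrival_us - due) <= WINDOW_US:
            mon.delivered[msg_id] = f.plane
            mon.consecutive_misses = 0
            return True
    # No plane delivered an in-window copy: count the drop and watch for sync loss.
    mon.dropped += 1
    mon.consecutive_misses += 1
    if mon.consecutive_misses >= MAX_MISSES:
        mon.sync_lost = True
    return False


def simulate(offsets: List[List[Optional[int]]]) -> Monitor:
    """offsets[msg_id][plane] is the arrival offset in microseconds relative to
    the schedule, or None if that plane's copy never arrived."""
    mon = Monitor()
    for msg_id, per_plane in enumerate(offsets):
        assert len(per_plane) == PLANES
        frames = [Frame(msg_id, p, scheduled_time(msg_id) + off)
                  for p, off in enumerate(per_plane) if off is not None]
        accept_message(mon, msg_id, frames)
    return mon


# Constructed scenarios (all values invented for the illustration).
NOMINAL = [[5, 8, 3], [4, 6, 7], [2, 9, 5]]                        # every plane on time
ONE_PLANE_FAULTY = [[400, 8, 3], [None, 6, 7], [350, None, 5]]     # plane 0 late or silent
ALL_PLANES_DISRUPTED = [[400, 380, None], [None, 420, 410], [390, None, 450]]

if __name__ == "__main__":
    for name, scenario in [("nominal", NOMINAL),
                           ("one plane faulty", ONE_PLANE_FAULTY),
                           ("all planes disrupted", ALL_PLANES_DISRUPTED)]:
        m = simulate(scenario)
        print(f"{name:22s} delivered={len(m.delivered)} dropped={m.dropped} sync_lost={m.sync_lost}")
```

The second scenario is the case the replication is designed for: a single plane being late or silent costs nothing, because another plane's copy arrives inside the window. The third scenario is the shape of the outcome the article reports, where every plane misses its slot at once; the monitor's `dropped` and `sync_lost` fields are the signals a health-monitoring task would log and act on.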


On Tuesday, the researchers published findings which, for the first time, break TTE’s isolation guarantees. The result is PCspooF, an attack that allows a single non-critical device attached to a single plane to disrupt synchronization and communication between TTE devices on all planes. The attack works by exploiting a vulnerability in the TTE protocol. The work was completed by researchers from the University of Michigan, the University of Pennsylvania and NASA’s Johnson Space Center.

“Our assessment shows that successful attacks are possible in seconds and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop dozens of TT messages, which can result in the failure of critical systems such as aircraft or cars,” the researchers wrote. “We also show that, in a simulated space flight mission, PCspooF causes uncontrolled maneuvers that threaten the safety and success of the mission.”

Artemis Network Validation and Integration Laboratory (ANVIL) at NASA Johnson Space Center, where much of the research on PCspooF was conducted.


PCspooF can be built on a single-layer PCB as small as 2.5 cm × 2.5 cm and requires minimal power and network bandwidth, allowing a rogue device to blend in with the other best-effort devices connected to the network. The researchers privately reported their findings to NASA and other large TTE stakeholders. In an email, a NASA representative wrote: “NASA teams are aware of the TTE research findings and have taken proactive steps to ensure potential risks to spacecraft are appropriately mitigated.”
