Critical Message Integrity Over A Shared Network

Cost and efficiency concerns can force distributed embedded systems to use a single network for both critical and non-critical messages. Such designs must protect against masquerading faults caused by defects in and failures of non-critical network processes. Cyclic Redundancy Codes (CRCs) offer protection against random bit errors caused by environmental interference and some hardware faults, but typically do not defend against most design defects. A way to protect against such arbitrary, non-malicious faults is to make critical messages cryptographically secure. An alternative to expensive, full-strength cryptographic security is the use of lightweight digital signatures based on CRCs for critical processes. Both symmetric and asymmetric key digital signatures based on CRCs form parts of the cost/performance tradeoff space to improve critical message integrity. cause one node or process to send a message that is incorrectly attributed to another node or process. A software defect masquerade fault occurs when a software defect causes one node or process to masquerade as another (Morris and Koopman, 2003). One example is a software defect that causes one process to send a message with the header identification field of a different process. Another example is a software defect that causes one node to send a message in another node’s time slot on a TDMA network. A software defect masquerade fault is not caused by transient anomalies such as random bit flips, but rather is the result of design defects (e.g., the software sends the message with the incorrect header x instead of the correct header y). Fault tolerance methods designed to catch random bit flips may not sufficiently detect software defect masquerade faults. This paper describes six successively more expensive levels of protection that can be used to guard against masquerade faults. Rather than limiting the analysis to malicious faults, the gradations presented recognize that many embedded systems have reasonable physical security. Therefore it is useful to have design options available that present tradeoff points between the strength of assurance against masquerading faults and the cost of providing that assurance.