
Embedded Metrological Systems

Working Group 8.54

Profile

The working group focuses on IT security research for embedded metrological systems and supports
the working groups of the department that fulfill legal.
In particular, research topics are identified on the basis of economically relevant technological developments, focusing on basic technologies that drive whole technology fields.
A main task is the development and application of the necessary test environments, including their continuous further development and maintenance.
Other tasks are:

  • supporting Department Q5 (International Cooperation),
  • representing PTB in DIN committees (Software Engineering),
  • developing reference architectures in the context of technology transfer for SME promotion.


Research/Development

A Reference Architecture for Secure Embedded Systems

Using microkernels to securely encapsulate software into modules

Measuring instruments often build on large standard operating systems. Their size and the many defects ("bugs") they contain make the software difficult to test and to assess. A software reference architecture developed at PTB keeps the benefits of a standard operating system, namely the rich functionality, a familiar user interface and a wide choice of drivers, and nevertheless secures the instrument by encapsulating and modularising the software.

This configurable software reference architecture is based on a microkernel. The microkernel runs at the lowest level, below the actual operating systems, which are in turn encapsulated in modules, so-called virtual machines (VMs). The operating systems can still load their usual programs and drivers, but they communicate with each other and with the hardware only via the microkernel. The system architecture has a modular design that implements the requirements of the European Union's Measuring Instruments Directive (MID) and the WELMEC 7.2 Software Guide. The modules, shown in the figure, are: displaying data (Secure GUI), protecting data (Key & Signature Manager), storing data (Storage Manager), executing downloads (Download Manager), transferring data (Connection Manager) and internal data processing (Communication Monitor). Every legally relevant measurement function therefore runs under the control of a dedicated module. In addition, the architecture separates non-legally relevant software (N) from legally relevant software (L): all computations under legal control are carried out in the L-VM, everything else in the N-VM. This strict separation ensures that legally relevant software cannot be affected by changes or faults in the non-legal part.

Fig.: Communication between the individual modules within the system architecture
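The following is an added illustration, not PTB's code and a deliberate simplification of the architecture in the figure: a Python model of the Communication Monitor's channel policy and of the Key & Signature Manager. The channel list, the module names used as strings and the key are assumptions for the example; HMAC-SHA256 stands in for whatever signature scheme the real Key & Signature Manager uses. It shows the two properties the separation is meant to give: the N side has no channel into legally relevant storage, and a result it displays cannot be altered without the signature check failing.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Channel policy: (source module, destination module, message kind).
# The channel set is an assumption for this illustration; the figure above
# defines the real module interfaces.
ALLOWED_CHANNELS = frozenset({
    ("L", "K", "sign"),        # L asks the Key & Signature Manager to sign a result
    ("K", "L", "signature"),   # K returns the signature to L
    ("L", "S", "store"),       # L hands signed results to the Storage Manager
    ("L", "GUI", "display"),   # L shows results on the Secure GUI
    ("N", "GUI", "display"),   # N may show its own, non-legal content
    ("N", "C", "send"),        # N transfers data via the Connection Manager
    ("D", "N", "update"),      # the Download Manager may update the N-VM only
})


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    kind: str
    payload: dict


class PolicyViolation(Exception):
    pass


@dataclass
class CommunicationMonitor:
    """Every inter-module message passes here; unlisted channels are refused."""
    allowed: frozenset
    audit: list = field(default_factory=list)

    def deliver(self, msg: Message) -> Message:
        permitted = (msg.src, msg.dst, msg.kind) in self.allowed
        self.audit.append((msg.src, msg.dst, msg.kind, permitted))
        if not permitted:
            raise PolicyViolation(f"{msg.src}->{msg.dst} [{msg.kind}] not permitted")
        return msg


class KeySignatureManager:
    """Signs legally relevant results. HMAC-SHA256 stands in for a real
    signature scheme; the key never leaves this module."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, result: dict) -> str:
        data = json.dumps(result, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def verify(self, result: dict, tag: str) -> bool:
        return hmac.compare_digest(self.sign(result), tag)


def legal_measurement(raw_samples, monitor, ksm):
    """L-VM: turn raw sensor samples into a signed measurement result."""
    result = {"value": round(sum(raw_samples) / len(raw_samples), 2), "unit": "kg"}
    monitor.deliver(Message("L", "K", "sign", result))
    tag = ksm.sign(result)
    monitor.deliver(Message("K", "L", "signature", {"sig": tag}))
    signed = {"result": result, "sig": tag}
    monitor.deliver(Message("L", "S", "store", signed))
    monitor.deliver(Message("L", "GUI", "display", signed))
    return result, tag


def run_scenario():
    monitor = CommunicationMonitor(ALLOWED_CHANNELS)
    ksm = KeySignatureManager(key=b"demo-key-held-only-by-K")  # constructed key
    raw = [12.01, 11.99, 12.02, 11.98]                           # constructed samples
    result, tag = legal_measurement(raw, monitor, ksm)

    # The N-VM tries to write into legally relevant storage: no such channel.
    try:
        monitor.deliver(Message("N", "S", "store", {"result": {"value": 9.99}}))
        n_write_blocked = False
    except PolicyViolation:
        n_write_blocked = True

    # The N-VM shows a doctored copy of the result: the signature does not match.
    tampered = dict(result, value=9.99)
    return {
        "result": result,
        "genuine_verifies": ksm.verify(result, tag),
        "n_write_blocked": n_write_blocked,
        "tamper_detected": not ksm.verify(tampered, tag),
        "violations_logged": sum(1 for *_, ok in monitor.audit if not ok),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The monitor's audit list is what an inspector would want to see: every refused channel is recorded with source, destination and kind, so a misbehaving N-VM leaves a trace even though it achieves nothing.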

 

The project is being continued in cooperation with the Technical University of Berlin, which is developing a new microkernel that will be formally verified, i.e. it will be proven mathematically that typical operating system vulnerability classes are absent. This matters for instruments whose correctness has to be demonstrated in court (e.g. traffic enforcement cameras). The proposed framework has been implemented on a demonstrator with this microkernel. In addition, the system architecture is being adapted, together with two SMEs, to specific measuring instruments with different tasks: a medical device and a traffic enforcement camera.

Contact

   Dr.-Ing. Daniel Peters

   Department 8.5 Metrological Information Technology

   Phone: +49 (0)30 3481-7916

   EMail: daniel.peters@ptb.de

Scientific Publications

  1. D. Peters, M. Peter, J.-P. Seifert, F. Thiel: A Secure System Architecture for Measuring Instruments in Legal Metrology. Computers (open access journal) 4(2), 61-86, 2015.
  2. D. Peters, U. Grottker, F. Thiel, M. Peter, J.-P. Seifert: Achieving Software Security for Measuring Instruments under Legal Control. FedCSIS (EAIS), Warsaw, Poland, 7-10 September 2014.
  3. D. Peters, F. Thiel, M. Peter, J.-P. Seifert: A Secure Software Framework for Measuring Instruments in Legal Metrology. IEEE International Instrumentation and Measurement Technology Conference (I2MTC), Pisa, Italy, 11-14 May 2015.
  4. J. Fischer, D. Peters: A Practical Succinct Data Structure for Tree-Like Graphs. WALCOM: Algorithms and Computation, LNCS, Springer International Publishing, ISBN 978-3-319-15611-8.

Reference Architectures for Secure Cloud-Computing in Legal Metrology

The reference architecture is intended to serve as a framework for securely performing all metrologically relevant functions in the cloud. It is meant to provide security for the conformity assessment body, measuring instrument manufacturers, measuring instrument users and market surveillance authorities when a cloud-based measuring instrument solution is implemented, and thereby to create confidence in this new technology. Confidence in the correctness of measurement and billing in turn leads to acceptance of the technology by the consumer, who is the party to be protected here.

Cloud solutions are modern, efficient and cost-effective IT strategies and differ sharply from classic IT infrastructure. Cost efficiency comes from higher utilisation of server hardware and from the simultaneous use of several services by different users, which avoids hardware idle time and increases productive time. Centralisation also allows cost-efficient and competent operation of data centres and IT infrastructure. Outsourcing means that expensive hardware no longer has to be purchased; only computing time is paid for. Centralisation in data centres also addresses the difficulty companies have in finding suitable IT security specialists and in protecting their IT systems against current threats.

Figure 1: Scheme of the reference architecture for secure and trustworthy cloud computing.

In cooperation with the Technical University of Berlin, system architectures with a modular design are being developed. They implement the requirements of the European Union's Measuring Instruments Directive (MID) by applying the WELMEC 7.2 Software Guide. Furthermore, a chain of trust is established between the modules using a Trusted Execution Environment (TEE), which can attest a secure system state. Research on Fully Homomorphic Encryption (FHE) is intended to additionally protect the virtual machines against attacks, and the system as a whole against insider attacks, e.g. by an administrator: FHE allows data to be processed in encrypted form, so the processing party never sees the plaintext. The cloud reference architecture is based on the software separation core architecture developed in Department 8.5 (Peters, 2015). The measuring device is already encapsulated in modules at the lowest level and prepares the data for encryption and transport. The data is then sent securely over the Internet to the cloud, where it is received by a dedicated virtual machine (VM) and passed on to other VMs for further processing (see Figure 1). These are, in particular, legally relevant tasks (L), key and signature management (K), data storage management (S), connection management (C), download management (D) and legally irrelevant tasks (N).

Contact

   Alexander Oppermann

   Department 8.5 Metrological Information Technology

   Phone: +49 (0)30 3481-7483

   E-Mail: alexander.oppermann@ptb.de

Scientific Publications

A. Oppermann, F. Grasso Toro, F. Thiel, J.-P. Seifert: Secure Cloud Computing: Continuous Anomaly Detection Approach in Legal Metrology. IEEE International Instrumentation and Measurement Technology Conference (I2MTC 2018), 14-17 May 2018, ISBN 978-1-5386-2222-3.

A. Oppermann, F. Grasso Toro, F. Thiel, J.-P. Seifert: Secure Cloud Computing: Reference Architecture for Measuring Instrument under Legal Control. Security and Privacy 2018; e18. DOI: 10.1002/spy2.18

A. Oppermann, F. Grasso Toro, F. Thiel, J.-P. Seifert: Anomaly Detection Approaches for Secure Cloud Reference Architectures in Legal Metrology. Proceedings of the 8th International Conference on Cloud Computing and Services Science (CLOSER 2018), pp. 549-556, ISBN 978-989-758-295-0.

A. Oppermann, F. Grasso Toro, A. Yurchenko, J.-P. Seifert: Secure Cloud Computing: Communication Protocol for Multithreaded Fully Homomorphic Encryption for Remote Data Processing. IEEE International Symposium on Parallel and Distributed Processing with Applications (IEEE ISPA 2017), pp. 503-510. DOI: 10.1109/ISPA/IUCC.2017.00084

A. Oppermann, A. Yurchenko, M. Esche, J.-P. Seifert: Secure Cloud Computing: Multithreaded Fully Homomorphic Encryption for Legal Metrology. International Conference on Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments (ISDDC 2017), 25 October 2017, pp. 35-54. DOI: 10.1007/978-3-319-69155-8_3 (Best Paper Award)

A. Oppermann, J.-P. Seifert, F. Thiel: Secure Cloud Reference Architectures for Measuring Instruments under Legal Control. Accepted for CLOSER 2016, 6th International Conference on Cloud Computing and Services Science, 23-25 April 2016.

A. Oppermann, J.-P. Seifert, F. Thiel: Distributed Metrological Sensors managed by a secure Cloud-Infrastructure. Accepted for 18. GMA/ITG Fachtagung Sensoren und Messsysteme 2016, Nürnberg, 10-11 May 2016.

AnGeWaNt

The AnGeWaNt joint project aims to tap the potential of digitalisation for the hybridisation of business models, for the further development of work design and for calibration processes (metrology). To this end, procedures for the hybridisation of business models are being developed and applied as examples by manufacturers and users of commercial vehicles and add-on parts with calibrated scales; the same applies to the digital support of metrology. Two compatible software platforms are being developed for this purpose: one for hybrid services and one for metrology. Procedures for the socio-technical adaptation of operational structures and processes, as well as corresponding learning concepts, will be developed. The results will be prepared for transfer in the form of training concepts and practical guides with checklists and examples.

Duration: January 2019 to January 2022

Contact

   Alexander Oppermann

   Department 8.5 Metrological Information Technology

   Phone: +49 (0)30 3481-7483

   E-Mail: alexander.oppermann@ptb.de

Technology transfer

Network security for communicative medical devices (NetMed)

The TransMeT cooperation project with Xiralite GmbH started in April 2017 and runs until March 2020. Its goal is a novel, secure system software architecture for the company's networked Xiralite® medical device.

Xiralite GmbH is the market and innovation leader for optical imaging in rheumatology. Its Xiralite® X5 is a fluorescence camera system that visualises the microcirculation in the hands in order to detect foci of inflammation. For this purpose the fluorescent dye indocyanine green, which is approved for microcirculation diagnostics in Europe, is administered during an examination. The XiraView® diagnostic software controls the examination and supports the subsequent evaluation.

The new software concept is based on a software reference architecture researched and tested in Department 8.5 that uses separation kernels or microkernels and virtualisation techniques. To adapt and further develop it for this particular medical device, the risk analysis method also developed in Department 8.5 was applied first; together with the German Medical Devices Act (MPG), the Federal Data Protection Act (BDSG) and various DIN and FDA recommendations, it was used to identify protection goals, threats and concrete attack vectors specific to the medical field.

Based on the security analysis for the Xiralite® X5, a software system was chosen that offers lower but sufficient security compared to the microkernel reference architecture and takes handling and usability in later operation into account. The development is also meant to ease a later expansion of the device into the US market. The software is built on a minimal Ubuntu Linux installation: reduced functionality means a smaller attack surface and fewer defects, and the system is kept current with the latest security updates. Xen serves as the hypervisor for setting up, controlling and monitoring two virtual machines. One VM is reserved for legally relevant purposes such as the XiraView® diagnostic software, the other for non-legally relevant purposes, so that the software in the latter can be updated without recertification. Inside the legally relevant VM, intrinsic software security is additionally established through restrictions, policies and rights management at operating system level.

UEFI Secure Boot is used so that every component of the boot chain, up to the start of the virtual machines, is signed and verified before it runs. Two 1 TB internal hard disks configured as a RAID 1 (mirroring) give the system data, and later the patient data as an asset worth protecting, a high degree of resilience against disk failure. Note that mirroring protects availability only: manipulation or deletion is written to both disks alike, so integrity rests on the measures described above.

A secured remote access serves as a maintenance channel and, in a more restrictive variant with limited rights, as a remote session for later training of medical personnel and for remote diagnostic support for physicians.

System for individual diagnosis and therapy control of rheumatic complaints of the hands (RheumaScan.net)

The approximately three-year BMBF cooperation project, which is expected to start at the end of 2019 together with Xiralite GmbH, TH Wildau and Charité, is part of the topic complex "Chronic pain - innovative medical solutions for improving prevention, diagnostics and therapy".

In the course of life, chronic pain occurs in the hands of about 10% of the population. It is important to make the correct diagnosis at an early stage and to start therapy quickly in order to avoid permanent damage to the joints and bones as well as chronic pain. In this project, a bioinformatics platform for the diagnosis of inflammation in the hands is being researched and developed. This platform will ultimately bring together knowledge from the individual, distributed medical devices in order to support medical personnel in differential diagnosis and the subsequent monitoring of the course of therapy.

The Xiralite® fluorescence camera system for diagnosing inflammatory diseases of the hands, which is internationally approved as a medical device, forms the peripheral basis of the platform. In Germany alone, more than 40 users are available as initial network participants. The newly developed XiraView™ 4.0 software reduces the volume of image data generated per examination and produces standardised, quantitative information on the extent of inflammation in the hands.

In the course of the project, a public key infrastructure will be implemented to support anonymisation and pseudonymisation of the various medical data, including for transfers to and from the peripheral devices. It makes it possible to authenticate participants and to encrypt all data traffic. The real challenge lies in the variety of data formats: hand photographs, patient-related data, data relevant to the computer systems, as well as machine learning and smart data. In addition, an integrity check of the data is to be put in place using well-established hash algorithms, providing protection against manipulation and detection of data errors.
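As an added example, not the project's code: the two hash-based measures named above, pseudonymisation of the patient identifier and an integrity check over the record, in Python. The record, the identifier format and the keys are constructed for the example; the PKI itself (certificates, TLS for the transfers) is not modelled. The example also shows the caveat a practitioner would raise: an unkeyed hash of a low-entropy identifier is not a pseudonym, because the identifier space can simply be enumerated, and a plain hash stored next to the data is no protection against whoever can alter the data, so both the pseudonym and the integrity tag are keyed.

```python
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed sample record; the identifier and values are fictitious.
PATIENT_RECORD = {
    "patient_id": "P-000123",
    "birth_year": 1968,
    "exam": "fluorescence-hands",
    "inflammation_score": 0.37,
}


def weak_pseudonym(patient_id: str) -> str:
    """Unkeyed hash. Deterministic, but anyone who can enumerate the
    identifier space recovers the mapping (see reverse_weak_pseudonym)."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): linkable across the platform only by
    holders of `key`, which stays with the trusted party."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def reverse_weak_pseudonym(target: str, id_space: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the unkeyed variant: identifiers like P-000123
    have far too little entropy to survive as a plain hash."""
    for candidate in id_space:
        if weak_pseudonym(candidate) == target:
            return candidate
    return None


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the direct identifier by its keyed pseudonym."""
    out = dict(record)
    out["pseudonym"] = pseudonym(out.pop("patient_id"), key)
    return out


def canonical(record: dict) -> bytes:
    """Stable serialisation, so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, integrity_key: bytes) -> dict:
    """Attach an integrity tag. The tag is keyed: a plain hash stored next to
    the data could simply be recomputed by whoever alters the data."""
    tag = hmac.new(integrity_key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, integrity_key: bytes) -> bool:
    expected = hmac.new(integrity_key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> dict:
    pseudo_key = b"pseudonymisation-key-demo"   # constructed; in practice from the PKI/HSM
    integrity_key = b"integrity-key-demo"       # constructed
    # Whole identifier space of the toy scheme: a thousand candidates.
    recovered = reverse_weak_pseudonym(weak_pseudonym("P-000123"),
                                       (f"P-{i:06d}" for i in range(1000)))
    rec = pseudonymise(PATIENT_RECORD, pseudo_key)
    sealed = seal(rec, integrity_key)
    # Manipulation after sealing: lower the inflammation score, keep the tag.
    tampered = {"record": dict(sealed["record"], inflammation_score=0.05),
                "tag": sealed["tag"]}
    return {
        "weak_pseudonym_recovered": recovered,
        "direct_identifier_removed": "patient_id" not in rec,
        "genuine_verifies": verify(sealed, integrity_key),
        "tampered_verifies": verify(tampered, integrity_key),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed tag detects manipulation and transmission errors alike; it does not by itself prove who created the record, which is the job of the signatures the PKI provides.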

The risk analysis procedure developed at PTB and adapted to medical devices will be used to identify attack scenarios and countermeasures for the bioinformatics platform. Later in the project, the effectiveness of the implemented measures will be validated by concrete attacks against a server clone of the platform.

Through this bioinformatic platform, the time until the correct diagnosis should be shortened from 2 years to less than 3 months, whereby a health-related improvement of the patient's quality of life is achieved. In addition, a cost reduction by a factor of 8 is expected for this segment of the healthcare system.

New method for validating measurement algorithms: updates without recertification

Problem description

The advancing networking of measuring instruments brings numerous advantages but also risks. Whereas unauthorised software modification of a device without a network connection previously required breaking a seal, this is often no longer the case with networked devices: the presence of a potentially exploitable programming error is sufficient. As measuring devices become more complex, the probability that such an error is present increases as well.
Similar to the physical seal that confirms the integrity of the hardware, the checksum of the software components serves as the integrity and authenticity feature of the software. Comparing a checksum with its expected value thus detects a persistent software change, but many manipulations take place in volatile memory (RAM) and cannot be detected by a checksum comparison at all. In addition, the checksum calculation routine itself is a point of attack: once manipulated, it can be used to hide unauthorised changes to persistent memory. These examples show that checksum methods offer only limited protection against software manipulations of networked devices that the manufacturer does not want. A further problem is the software change the manufacturer does want, i.e. updates, because even the smallest change to persistent memory alters the checksum. Since the checksum gives no information about the kind of software change, a software update usually entails recertification.
One possible solution is software separation, whose core idea is to split the software into a legally relevant and a non-legally relevant part. This allows updates of the non-legally relevant part without recertification, but the technical prerequisites for such a separation are a major hurdle, especially for smaller measuring instruments. PTB therefore researches alternative methods of software validation that would allow updates without recertification. The approach presented here is based on a logical separation of the measurement software into core and auxiliary algorithms. The core algorithms are the methods directly involved in processing the raw measurement data into a measurement result.

Solution Approach

In the first step, a meta-description of the core algorithm is generated; on this basis a mathematical proof is constructed in the next step. The proof contains the complete logical description of the core algorithm without reference to a concrete implementation. If, for example, the software is changed without altering the logic of the core algorithm, the proof remains valid. The proof itself is additionally secured by cryptographic methods and cannot be misused to reconstruct the core algorithm. Applying the proof to the raw sensor data and the result displayed by the measuring device yields a binary statement as to whether the transformation of the raw measurement data into the measurement result strictly follows the rules of the core algorithm.
The great advantage of such a method over checksums is its dynamic nature: the proof can be used to validate each individual measurement. The second and most important advantage is that the use of the proof makes software updates possible without recertification, which significantly improves the security of networked systems.
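The following added example (not PTB's method or code) puts the problem description and the solution approach side by side in Python. A tiny "device" carries a certified core algorithm and an auxiliary one; the checksum over its persistent image is compared against a reference, and a per-measurement conformance check decides whether (raw data, displayed result) follows the core rule. Two things are swapped in and should be read as stand-ins: hashing the functions' serialised bytecode replaces hashing flash contents, and the verifier re-runs a reference implementation of the core algorithm instead of applying the cryptographically secured proof described above, which would not reveal the algorithm to the verifier. The samples, the 2 % manipulation and the tolerance are constructed.

```python
import hashlib
import marshal
from dataclasses import dataclass


def core_v1(raw):
    """Certified core algorithm: arithmetic mean of the samples, one decimal."""
    return round(sum(raw) / len(raw), 1)


def core_v2(raw):
    """Software update: same logic, different implementation (running mean)."""
    mean = 0.0
    for i, x in enumerate(raw, start=1):
        mean += (x - mean) / i
    return round(mean, 1)


def core_manipulated(raw):
    """Manipulation: every result silently inflated by 2 %."""
    return round(sum(raw) / len(raw) * 1.02, 1)


def aux_v1(value):
    """Auxiliary algorithm (display formatting): not legally relevant."""
    return f"{value:.1f} kg"


def aux_v2(value):
    """Cosmetic update of the auxiliary algorithm."""
    return f"{value:.1f} kilograms"


@dataclass
class Device:
    image: tuple    # functions as stored in persistent memory
    running: tuple  # functions actually executing, i.e. what RAM holds

    def measure(self, raw):
        core, aux = self.running
        value = core(raw)
        return value, aux(value)


def image_checksum(device: Device) -> str:
    """Checksum over the persistent image, as an inspector would compute it.
    Hashing the serialised bytecode stands in for hashing flash contents."""
    h = hashlib.sha256()
    for fn in device.image:
        h.update(marshal.dumps(fn.__code__))
    return h.hexdigest()


def conforms(raw, displayed_value, reference=core_v1, tol=0.05) -> bool:
    """Binary statement: does (raw data, displayed result) follow the core rule?
    Here the verifier re-runs a reference implementation; the PTB method
    replaces this with a cryptographically secured proof."""
    return abs(reference(raw) - displayed_value) <= tol


def scenario() -> dict:
    raw = [100.2, 99.8, 100.1, 99.9]  # constructed raw sensor samples
    certified = Device(image=(core_v1, aux_v1), running=(core_v1, aux_v1))
    updated = Device(image=(core_v2, aux_v2), running=(core_v2, aux_v2))
    # Persistent image untouched, but the running core was patched in RAM.
    ram_patched = Device(image=(core_v1, aux_v1), running=(core_manipulated, aux_v1))

    reference_sum = image_checksum(certified)
    return {
        # Checksum: flags the harmless update (forcing recertification) ...
        "checksum_flags_update": image_checksum(updated) != reference_sum,
        # ... but misses the manipulation that lives only in RAM.
        "checksum_flags_ram_patch": image_checksum(ram_patched) != reference_sum,
        # Per-measurement validation: accepts the update, rejects the manipulation.
        "update_conforms": conforms(raw, updated.measure(raw)[0]),
        "ram_patch_conforms": conforms(raw, ram_patched.measure(raw)[0]),
    }


if __name__ == "__main__":
    print(scenario())
```

The four flags are exactly the asymmetry the text describes: the checksum is sensitive to the wrong thing (any byte of the image) and blind to the right one (what the running code actually computes), while the per-measurement check is indifferent to how the core algorithm is implemented and catches a deviation on the very first measurement.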


Services

We provide technical consulting for manufacturers, national metrology institutes, market surveillance authorities and all PTB departments specialised in testing the physical properties of measuring instruments. With these services the working group helps to close technology gaps and to support innovation.

Software Examination (DIN EN 12830):

The working group prepares software test reports based on DIN EN 12830 to check the suitability of temperature recorder software in the context of verification procedures in legal metrology. DIN EN 12830 specifies the technical and functional characteristics of temperature recorders intended for the transport, storage and distribution of temperature-sensitive goods. Based on this standard, the working group produces the test reports by evaluating the manufacturer's software documentation and advising on its improvement. The test methods used to verify the suitability of the software therefore depend on the temperature recorder's design documentation and user documentation provided by the manufacturer. The detailed checklist-based documentation review covers a series of steps, from software identification to verifying the authenticity of the stored measurement data.

Protection of Windows systems according to WELMEC 7.2 requirements

Working Group 8.54 offers support and advice to manufacturers of Windows-based measuring instruments on questions relating to the requirements of the WELMEC 7.2 Software Guide.

In addition, the working group maintains an in-house, continuously extended reference implementation of a rights- and rule-based security architecture. It can serve as a basis for new products that meet the requirements of WELMEC 7.2 while taking customer-specific requirements into account.
