Avionics Cyber Range (ACR)

Bill L'Hommedieu, ACR Chief Engineer, 96th Cyber Test Group
7 May 2018
Air Force Test Center

DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.

ITEA - testing, education | International Test and …...2018/05/16  · • Penetration testing • Subsystem Fuzzing Residual Susceptibilities • Known Susceptibilities • Zero-Day


ACR Overview

Mission: An AFTC test range providing a mission based infrastructure, interfacing with other facilities ranging from controlled, secure offensive cyberspace systems to emulations of uncontrolled, non-secure, and adversary networks

ACR will support Cyberspace testing for: Aircraft, Logistics systems, C2 Systems, Space and Nuclear platforms


ACR Concept of Operations

ACR will consist of three strategic capability areas: Avionics Cyber Test Lab, Cyber Threat Development, and National Cyber Range Complex

Susceptibilities found through
• Binary Analysis
• Fuzz testing across trust boundaries
• Fuzz testing of code processes and output
• Binary Hardening

Susceptibilities exercised on individual components
• Functional Security testing
• Penetration testing
• Subsystem Fuzzing

Residual Susceptibilities
• Known Susceptibilities
• Zero-Day “Hacks”

Validated Susceptibilities
Susceptibilities exercised in System of Systems testing for evaluation of mission effects in an operationally representative, multiple platform environment

Mission-Validated Vulnerabilities
Vulnerabilities validated and TTP exercised on Operational platforms
• Anechoic Chamber Testing
• Flight line testing
• Mobile test Kits

Component Test

SIL/HWIL Test

Operational Test


Avionics Cyber Lab

Connects avionics hardware to a test capability with the necessary elements to cover the end-to-end communications associated with a typical weapon system

• Avionics Test Bench - well-defined hardware interfaces and software APIs
  – Allows new technology to be validated/demonstrated in a flight representative environment
  – Enables connection with remote elements, for example with ground based related testbeds
• Weapon systems Racks/Pylons
• Maintenance equipment (for example CMBRE/CAPRE)
• LRU Virtualization - High-fidelity emulations of an LRU’s architecture, native processor, memory layout, etc. providing representative hardware/software environment
• Reverse Engineering Laboratory - hardware and software reverse engineering of embedded systems including avionics and weapon systems


Cyber Threat Development

Provides representation of the actions of adversaries whose ability and intent is to adversely affect an automated system, facility, or operation

• Threat Environment - threat representations that are intelligence-informed cyber threat TTPs, equipment, or adversarial command and control networks
  – Representative Threats - threats across the spectrum from hacker to nation state-sponsored cyber attackers, provided through threat scripts and recognized threat vectors
  – Cyber Effects Emulation - capability to inject hostile activity (malformed messages, malware, etc.) into embedded system data buses and cyber-attack surfaces
• Threat Modeling - Automated modeling tools to assist the test engineer in quickly defining a set of possible attacks
• RF threat injection and tools - injection of cyber effects through RF channels within the mission kill chain


National Cyber Range, Eglin AFB

A secure hosting workspace with the capability to emulate systems under test in a real world, operational environment, in order to perform “live fire” cyber-attacks

• Common Cyber Testing Ontology, Taxonomy, and Lexicon
  – How we communicate
• Common Concept of Operations
  – How the cyber ranges operate
• Common Cyber Test Data Model
  – How to describe a cyber test
• Common Cyber Descriptions (Object Definition and Transforms)
  – How components of the cyber test are defined
• Common Cyber Universe Description
  – How the environment that surrounds the components of the cyber test are defined
• Common Instrumentation and Control
  – How data is collected and assessed
  – How cyber tests are controlled

TECHNICAL CHARACTERISTICS
• Realistic: Large-scale, high-fidelity virtualized cyber environments operating actual software integrated with hardware-in-the-loop capabilities
• Repeatable: Archived, reusable environments, procedures, parameters, and event restoration checkpoints to facilitate test-fix-test verification
• Rapid: Standard tools and processes to automatically create, re-create, and modify mission-specific environments
• Isolation: Cryptographic segregation of multiple, concurrent cyber environments at varying security classifications
• Sanitization: Restore all assets to a known, clean state – not just range infrastructure, but also mission system equipment

Enabled by a Cyber-Savvy Workforce


ACR OV-1

[Figure: ACR OV-1 diagram. Labels recoverable from the slide: Avionics Cyber Range Multi-level Network (ACRMN); JMETC Multi Level Network (JMN); Hardware In the Loop Facilities; Anechoic Chamber; Open Air Ranges; National Cyber Range Complex; National Cyber Range, Eglin; Virtual Machines; Traffic Generation; Sanitization Server; Test Instrumentation; Cyber Threat Development; Threat Environment; Avionics Bus Fuzzing Tools; RF Threat Injection & Tools; Threat Models & Simulation; Avionics Cyber Test Lab; Reverse Engineering Lab; Avionics Test Bed; LRU Virtualization]


Proposed Test Capabilities @ FOC

• LRU Emulation
• System Under Test (SUT) Instrumentation & Debugging
• Avionics Cyber Test Bench
• Avionics Bus Sniffer/Analyzer
• RF threat injection
• Avionics Subsystem Fuzzing
• Threat Development
• SILs/HWIL Integration
• Automatic Exploit Generation
• National Cyber Range Complex


Planned ACR Connectivity

• JMETC MILS Network (JMN) will provide connections to remote sites
• ACR will be integrated with the National Cyber Range Complex
• Any test site requiring ACR resources can connect through JMN

Sites shown on the map:
• Edwards AFB: 47th OL-B, IFAST, BAF
• Joint Base San Antonio: 47th Test Squadron
• Eglin AFB: 96th Cyber Test Group, Avionics Cyber Range
• JPRIMES
• Redstone Arsenal: RTC
• NAS PAX River
• NCRC Orlando
• SPAWAR Charleston
• Aberdeen Proving Grounds


Avionics Test Bed

Capability to emulate avionics architectures including the necessary elements to cover the end-to-end communications associated with a typical weapon system

Project Objectives:
- Capabilities for rapid integration of avionics subsystems
- Capabilities for rapid reconfiguration to support different air platforms and any number of real/emulated/simulated avionics systems
- Repeatable processes to monitor, stimulate and perform test and evaluation
- Capabilities to monitor or record inputs from real weapon systems, replay the data back to a weapon system, or fuzz the inputs to a weapon system
- Capabilities for integration of modern Aircraft Avionics

Focus Areas:
- A modular architecture with a standardized set of interfaces that allows rapid reconfiguration and expansion using a combination of real, emulated and simulated avionics subsystems technology
- Platform Agnostic - Emulated Hardware with operational software
- AFRL Avionics Vulnerability Assessment System (AVAS) - allows for rapid integration of simulation models and avionics
- Protocol Development for avionics systems
- Aircraft LRU Integration


Defense Innovation Unit Experimental (DIUX) VOLTRON Project

Automated vulnerability detection and remediation would result in a revolution in securing mission-critical systems and in the development of offensive capabilities against targets of interest

Project Objectives:
- Demonstrate the efficacy of autonomous tools in performing vulnerability assessments of DoD weapon systems without the use of external threat/vulnerability information
- Identify and remediate vulnerabilities in production software, including the generation of working exploits to prevent false positives
- Build autonomous capabilities into tools already used by government vulnerability researchers to meet both offensive and defensive mission needs
- With a successful prototype, deliver a system that works against a variety of architectures of interest to the DoD

Focus Areas:
• Autonomous vulnerability detection and code hardening of x86 and ARM Linux based avionics and sensor fusion software.
• Autonomous vulnerability detection and code hardening of x64 Windows based mission planning and support systems. (Joint Mission Planning Software)(JMPS)
• Autonomous vulnerability detection and code hardening of PowerPC VxWorks.
• Autonomous vulnerability detection and offensive weaponization on software of interest to the offensive cyber community.

Participating Contractors

Contractor | Product | Architectures
ForAllSecure | MAYHEM | x86 Linux, ARM Linux, x64 Windows
GrammaTech | Proteus | x64 Windows
Trail of Bits | | PowerPC on VxWorks 5.5
Kudu Dynamics | PASSEDPAWN | ArduPilot and Pixhawk (open source autopilot software)

This capability was first demonstrated in August 2016 at the DARPA Cyber Grand Challenge

Presentation Notes:
During a 2017 capability demonstration, this technology was successfully deployed against the Debian Linux Library and assessed the entire library of 37,391 programs. In three months, the automated tools forced 2.6M crashes, and found and proved 13,875 unique bugs and 250 previously undiscovered hijack exploits, compared to an industry average of 3.75 bugs per year for the industry’s “super hunters.” Moreover, the automated tools performed at a fraction of the expense of that incurred by the DoD, with a cost of $0.28 per bug and $21 per hijack exploit compared to an industry range of $100K-250K per IOS exploit.

T&E/S&T Program FY2016 End-of-Year Program Execution Review

Cyber Threat Automation & Monitoring (CTAM)

Florida International University-ARC, Miami, FL

Project Objectives: Developing technologies to detect, monitor, and analyze malware behavior during cyber attacks in a virtualized T&E environment

Enables:
• Fine-grain introspection/data collection/monitoring
• Machine Learning and Advanced Cyber Analytics
• Analysis and threat assessment to understand impacts to systems under test

Project Completion: May 2020

Focus Areas:
• Capability to create System Under Test (SUT) virtual machines on XEN and KVM platforms and perform Introspection
• Optimize traditional machine learning algorithms and implement deep learning algorithms for accurate prediction to identify the impact of test vectors on defined mission
• Implementation of deep learning algorithms using CNTK and TensorFlow framework
• Implementation of Stream processing/Distributed computing using SPARK and Kafka


Questions/Discussion?
