Embedded Security - Institute of Computer Engineering

Embedded Security
VO Embedded Systems Engineering
Armin Wasicek

Why security?
 Number of network-based attacks is ever increasing
 Hacking is profitable and it is difficult to get caught
 Currently a shift from "spare time hacking" to organized crime is observable

18.12.2012

Embedded Security

2

Why Embedded Security?
 Number of embedded systems is increasing
 Embedded systems are ubiquitous
 They incorporate
• useful information and
• valuable services


Emerging Security Requirements
Connectivity
 Increasing number of devices is connected to a larger network
 Vision of the "Internet of Things"
Extensibility
 Updating software
 Plugging in additional components
Complexity
 Demand for increased functionality
 Non-functional constraints
Operation in Untrusted Environment
 Even the owners of a system can present a security risk


Security definitions, classifications, and taxonomies


General security definitions
"Security, in an objective sense, measures the absence of threats to acquired values, in a subjective sense, the absence of fear that such values will be attacked." Arnold Wolfers

"Computer security is the process of ensuring confidentiality, integrity, and availability of computers, their programs, hardware devices, and data. Lack of security results from a failure of one of these three properties." McGraw-Hill

"Security is a system property. Security is much more than a set of functions and mechanisms. IT security is a system characteristic as well as a set of mechanisms that span the system both logically and physically." NIST


Security: Primary Attributes
 Confidentiality [violated by: disclosure]
Assets are accessible for reading, copying, locating only by authorized parties.
 Integrity [violated by: deception]
Assets are modifiable (creating, changing, deleting) only by authorized parties.
 Availability [violated by: DoS]
Assets are ready for correct service for authorized users.


Security: Secondary Attributes
 Accountability: availability and integrity of the identity of the person who performed the operation
 Authenticity: integrity of a message's content and origin, and possibly of some other information, such as time of emission
 Non-repudiability: availability and integrity of the identity of the sender or receiver of a message


Relationship Safety - Security

Safety Characteristics
 Protection against unintended changes within the system
 Absence of catastrophic consequences of faults
 Safety boundaries ensure availability and independent behavior in case of failures
 Strongly related to fault containment and tolerance

Security Characteristics
 Protection against unauthorized modifications of the system
 Access policies strive to contain intrusion attempts
 Security protocols ensure that data flows are secure
 Security unifies technical, organizational, political, financial, and legal aspects


Relationship Dependability - Security


Pathology of Faults
[Figure: within the system boundaries, fault → error → failure]
Fault: cause of an error
Error: unintended system state
Failure: deviation of actual from intended service


Propagation of Security Failures
 In a safety-critical system a failure has catastrophic consequences
Propagation from the security domain to the safety domain:
 Unintended behavior of a system is caused by a previous intrusion
 The AVI chain illustrates this propagation (within the system boundaries): attack → vulnerability → intrusion → error → failure
Attack: interaction fault / intrusion attempt, by a hacker, designer, or operator
Vulnerability: weakness in the system
Intrusion: malicious, externally induced fault


Classification of counter measures

 Any particular security mechanism falls into one (or more) of these broad categories


Security Incident Taxonomy
Nesting: Incident (attackers, attacks, objectives) ⊃ Attack (tool, vulnerability, event, unauthorized result) ⊃ Event (action, target)

1. Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
2. Tool: Physical Attack, Information Exchange, User command, Script or program, Autonomous agent, Toolkit, Distributed tool, Data tap
3. Vulnerability: Design, Implementation, Configuration
4. Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
5. Target: Account, Process, Data, Component, Computer, Network, Internetwork
6. Unauthorized Result: Increased access, Disclosure of information, Corruption of information, Denial of service, Theft of resources
7. Objectives: Challenge, status, thrill; Political gain; Financial gain; Damage


Vulnerability Life Cycle
[Figure: risk plotted over time across the stages below]
0. vulnerability birth
1. discovery: exploit available to private groups
2. announcement: exploit available to public
3. popularity: used by the masses
4. patch available
5. patch applied
"Penetrate and Patch" is not that it makes your system better by design, rather it merely makes it toughened by trial and error.

Some key security issues
 Information security is not only a technical problem
 Insufficient security awareness
 Lacking experience in risk management
 No or weak security policies
 Security measures should be taken at all stages


Implementing security

How to implement security?
 Partition the users into groups, assign roles
 Introduce asymmetry between users
"In a system where everyone is allowed to do everything, conflicts are foreseeable."


Security Policies
A security policy is a high-level specification of the security properties that a given system should possess.
• Origins from the military: Bell-LaPadula
• Integrity models are mostly domain-specific
• Other common policies:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-based Access Control (RBAC)
[Figure: Bell-LaPadula ordering TOP SECRET > SECRET > CONFIDENTIAL > OPEN; subjects may read down and write up]
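The Bell-LaPadula rules as a small reference monitor, added here as an example (not part of the lecture). It generalises the slide's four-level ordering to labels of (level, compartments), which is how the model is usually stated; the level names are the slide's, the compartment "crypto" and the sample requests are constructed.

```python
# Added example, not from the lecture: a minimal Bell-LaPadula reference monitor.
# Generalises the slide's plain ordering to a lattice of (level, compartments).
from typing import FrozenSet, NamedTuple

LEVELS = {"OPEN": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label(NamedTuple):
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b: a's level is at least b's and a holds all of b's compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def check(subject: Label, obj: Label, op: str) -> bool:
    """Complete mediation: every access passes here. Fail-safe default: deny unless a rule allows."""
    if op == "read":   # simple security property: no read up (read down or same level)
        return dominates(subject, obj)
    if op == "write":  # *-property: no write down (write up or same level)
        return dominates(obj, subject)
    return False       # unknown operation: denied by default


# Constructed sample requests: (subject clearance, object classification, operation)
REQUESTS = [
    (Label("SECRET"), Label("CONFIDENTIAL"), "read"),                   # read down: allowed
    (Label("SECRET"), Label("TOP SECRET"), "read"),                     # read up: denied
    (Label("SECRET"), Label("TOP SECRET"), "write"),                    # write up: allowed (blind write)
    (Label("SECRET"), Label("OPEN"), "write"),                          # write down: denied (leak path)
    (Label("SECRET"), Label("SECRET", frozenset({"crypto"})), "read"),  # missing compartment: denied
    (Label("SECRET"), Label("SECRET"), "execute"),                      # unknown op: denied
]


def evaluate(requests=REQUESTS):
    """Decide every request through check(); returns the list of decisions."""
    return [check(s, o, op) for s, o, op in requests]


if __name__ == "__main__":
    for (s, o, op), ok in zip(REQUESTS, evaluate()):
        print(f"{s.level:12} {op:8} {o.level:12} -> {'ALLOW' if ok else 'DENY'}")
```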


Asymmetry
 Use 'hard to guess' problems to achieve asymmetry
 uniform distribution of bits in ciphertexts (AES, …)
 discrete logarithm problem (RSA, DSA, ECC, …)
 Cryptographic ciphers cast these problems into executable algorithms and schemes


Security Protocols
A protocol describes how the algorithms should be used.
 Key agreement and exchange (Diffie-Hellman, IKE, …)
 Authentication (HMAC, Kerberos, …)
 Confidential data transport (SSH, SSL, IPSec, …)
 Non-repudiation (DSA, RSA-SHA1, …)


Cryptography
 Cryptography is the science and art of designing ciphers
 Cryptanalysis is the science and art of breaking them
 Cryptology is the study of both
[Figure: plaintext → encryption (key1) → ciphertext → decryption (key2) → plaintext]
 Encryption is the process of converting a plaintext into a ciphertext under a certain secret parameter (key).
 The reverse process is called decryption.
Cryptography provides the tools that underlie most modern security protocols.

Attacks on Cryptosystems

Attack                                         | Prerequisites                                                                              | Attacker's goal
Ciphertext-only                                | set of ciphertexts, encrypted with the same cipher                                          | plaintext or key
Known-plaintext                                | set of ciphertexts and their corresponding plaintexts                                       | key or algorithm
Chosen-plaintext or adaptive-chosen-plaintext  | access to the cryptographic device; can input arbitrary plaintexts and read the device's output | duplicate the device
Chosen-ciphertext                              | set of ciphertexts; can decrypt them without knowing the key                                | plaintext or key
Using violence                                 | physical violence, blackmailing, kidnapping, threatening, etc.                              | anything


Example: Digital Signatures
[Figure: Sender (Encrypt / Sign: extend message with security tag) → channel → Receiver (Decrypt / Verify); an Attacker on the channel can manipulate the message]
Goal: transmit a message in a way that the attacker cannot modify its contents.
Attacker model: e.g., Dolev-Yao: "the attacker carries the message"
Requirements:
 Integrity of contents
 Confidentiality of keys


Example: Digital Signatures
Consists of
 Key generation
 Signing operation
 Verifying operation
"Plain" RSA signatures are not secure; they require a combination with a padding scheme, e.g., RSA-PSS.
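Key generation, signing and verifying with the Dolev-Yao attacker of the previous slide rewriting the message in transit, as an added example (not from the lecture). The key is constructed from two Mersenne primes so the numbers stay readable; hash-then-sign is shown as the first ingredient of a padded scheme such as RSA-PSS, not as PSS itself.

```python
# Added example, not from the lecture: RSA sign/verify over a manipulated channel, plus the
# reason "plain" RSA (signing the bare number) needs hashing and padding (e.g. RSA-PSS).
import hashlib

P, Q = 2**127 - 1, 2**107 - 1          # constructed toy primes, far too small for real use
N = P * Q                               # ~234-bit modulus
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                     # private exponent (Python 3.8+)


def h(msg: bytes) -> int:
    """Map the message to an integer below N (224 bits of SHA-256)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:28], "big")


def sign(msg: bytes) -> int:
    return pow(h(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(msg)


def channel_demo() -> tuple:
    """Sender signs; attacker on the channel swaps the message; receiver verifies both."""
    msg = b"valve=open"
    tag = sign(msg)                       # security tag sent along with the message
    tampered = b"valve=shut"              # attacker carries and alters the message
    return verify(msg, tag), verify(tampered, tag)


def plain_rsa_demo() -> tuple:
    """Plain RSA signatures multiply: s1*s2 is a valid plain signature for m1*m2 mod N,
    a value nobody signed. Hashing first destroys this algebraic structure."""
    m1, m2 = 42, 99
    s1, s2 = pow(m1, D, N), pow(m2, D, N)
    combined = (s1 * s2) % N
    plain_forgery_verifies = pow(combined, E, N) == (m1 * m2) % N
    # Same combination against hash-then-sign: the tag would only verify for a message
    # whose hash equals h(m1)*h(m2) mod N, which cannot be found, so verification fails.
    t = (sign(b"valve=open") * sign(b"valve=shut")) % N
    hashed_forgery_verifies = verify(b"valve=openvalve=shut", t)
    return plain_forgery_verifies, hashed_forgery_verifies
```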


Design principles (1)
Introduced 1975 by Saltzer and Schroeder
 Least Privilege: A subject should be given only those privileges necessary to complete its task.
 Fail-Safe Defaults: E.g. a permission-based approach: unless a subject is given explicit access to an object, it should be denied access to that object by default.
 Economy of Mechanism/Simplicity: A security mechanism should be as simple as possible.
 Complete Mediation: Every access to an object is checked to ensure that it is allowed.


Design principles (2)
 Open Design: Security should not depend on the secrecy of its design or implementation.
 Separation of Privilege: A system should not grant permission based on a single condition.
 Least Common Mechanism: Mechanisms used to access resources should not be shared.
 Psychological Acceptability/Easy to use: Security mechanisms should not make the resource more difficult to use than if the security mechanisms were not present.


Design challenges for embedded security

Embedded Systems Security
 Security violations can have catastrophic consequences regarding the environment, human life and cost.
 Embedded systems pose restrictions on cost, real-time performance, power consumption and physical security.
 Security applications in embedded systems:
─ Software updates
─ Theft prevention
─ Access control
─ Support new business models (DRM)
─ Personalization/Identification
─ Legal obligations


Key Problems in Embedded Security
 Numerical problems require high computing power
• E.g., the modular exponentiation operation as used in RSA: C = K^e mod N
 Random number generation
• Needs a source of entropy (keyboard strokes or mouse moves)
• In low-end diskless embedded platforms it becomes increasingly difficult to gather any random material at all
• Initialization file containing 1024 true random bytes used as a seed for a pseudo-random generator
• Collect random information from the environment
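To make the cost of C = K^e mod N concrete, here is a square-and-multiply exponentiation instrumented to count modular multiplications, added as an example (not from the lecture). The modulus and base are constructed placeholders, not real key material.

```python
# Added example, not from the lecture: left-to-right square-and-multiply for C = K^e mod N,
# counting modular multiplications to show why RSA private-key operations dominate the
# processing budget of a small controller. Constructed parameters, not real keys.

def modexp_counting(k: int, e: int, n: int) -> tuple:
    """Return (k**e % n, number of modular multiplications performed)."""
    result, mults = 1, 0
    for bit in bin(e)[2:]:               # scan exponent bits, most significant first
        result = (result * result) % n   # one squaring per exponent bit
        mults += 1
        if bit == "1":
            # Multiply only where the bit is set. This data-dependent step is also what a
            # timing or power side channel observes; hardened code runs it unconditionally.
            result = (result * k) % n
            mults += 1
    return result, mults


def cost_profile(bits: int = 2048) -> dict:
    """Multiplications for the public exponent 65537 versus a full-size private exponent."""
    n = (1 << bits) - 1                  # constructed placeholder modulus
    k = 0x1234567                        # constructed base
    _, pub = modexp_counting(k, 65537, n)
    d = (1 << bits) - 1                  # worst case private exponent: every bit set
    _, priv = modexp_counting(k, d, n)
    return {"public_e_65537": pub, "private_d_all_ones": priv}


if __name__ == "__main__":
    print(modexp_counting(4, 13, 497))   # small check against textbook arithmetic
    print(cost_profile())
```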


Classification of Embedded System Attacks
Functional classification
 Integrity attacks
 Privacy attacks
 Availability attacks
Agent-based classification
 Physical attacks: microprobing, eavesdropping
 Side-channel attacks: power analysis, timing analysis, electromagnetic analysis, fault injection
 Software attacks: virus, Trojan horse


Embedded Security Pyramid

To ensure security in an embedded system, address the problem at all abstraction levels.


Design Challenges for Secure Embedded Systems
 Processing gap: increased computational demand of security processing
 Battery gap: the energy consumption overhead of supporting security is very high
 Flexibility: execute multiple and diverse security protocols
 Tamper resistance: withstand physical attacks
 Assurance gap: reliable operation despite attacks from intelligent adversaries
 Cost: increases with the number of integrated security measures


Solving these challenges
 Apply a rigorous security engineering method
 Focus on key threat scenarios
 Introduce security early in the specification and design
 Research suitable schemes and algorithms
 Follow secure coding guidelines
 Use specialized hardware support


Example: AES Performance
[Figure: AES throughput in Mbps on an embedded controller, compared with the line rates of Ethernet (100 Mbps), WLAN (54 Mbps), USB (12 Mbps) and UART (0.1 Mbps)]
 The diagram shows the throughput of an AES implementation in software and in hardware on a microcontroller.
 Introducing encryption in an embedded application requires additional resources.
Source: J. Wilbrink, D. Nativel, T. Morin, "Networked Networks and Embedded Microcontroller Architectures", Information Quarterly, Vol. 4(4), 2005


Example: AES Energy Efficiency
Source: W. Burleson, T. Wolf, R. Tessier, W. Gong, G. Gogniat, "Embedded System Security: A Configurable Approach", DHS 2005
[Figure: AES energy efficiency in gigabits per joule (logarithmic axis, 10^-6 to 10^2) for ASIC (0.18 micron CMOS), FPGA (Virtex-II Pro: feedback, feedback with fault detection, feedback with fault tolerance, non-feedback) and processor implementations (hand-optimized assembly code on Pentium II, C on Sparc, Java K virtual machine on Sparc)]

Tamper Resistance
[Figure: timeline t: attack prevention → attack → attack detection → attack recovery; tamper evidence]
 Tamper-evidence is to provide evidence that an attack has been attempted, e.g., security seals, special covers, or enclosures.
 Tamper-resistance is to provide passive protection against an attack, e.g., scrambling of bus lines and memories or use of special logic styles.
 Tamper-responsiveness is to provide an active response to the detection of an attack, e.g., zeroisation: deletion of all security-relevant data (e.g., keys).


Examples and concluding remarks

Information Security Economics
 Economic considerations of security are at least as important as the technical ones.
 Risk: the chance that a risk event will occur and the loss or harm resulting from the occurrence.
 Return On Investment (ROI): identify security measures yielding a positive return
 Cost To Break (CTB): lowest expected cost for anyone to discover and exploit a vulnerability
 Security management consists of managing a system's risks and its risk mitigation measures


Exemplary cases
 Heart pacemaker:
• wireless access to a combination heart defibrillator and pacemaker
• shut it down and deliver jolts of electricity that would potentially be fatal
• by manipulating signals from the tiny wireless radio embedded in the implant as a way to let doctors monitor and adjust it without surgery
 Nuclear plant:
• shutdown after two water recirculation pumps failed
• an investigation found that the controllers for the pumps locked up due to a flood of data traffic on the plant's internal control system network
 ATM skimming:
• a miniature debit card reader, which scans the card's magnetic strip, and a video camera that records the PIN when it is entered


Exemplary cases
 Wastewater incident:
• In March 2000, a former consultant to a wastewater plant in Maroochy Shire, Queensland, Australia, accessed the control system of the plant and released up to 1 million litres of sewage into the surrounding waterways.
 Automotive hacking:
• Researchers accessed the automotive Controller Area Network (CAN) via the On-Board Diagnostics (OBD) port
• They could override the driver and adversarially control functions such as disabling the brakes, selectively braking individual wheels on demand, and stopping the engine.


Exemplary cases
 Stuxnet:
• The Stuxnet computer worm infected industrial software and equipment in 2010.
• The worm strives to propagate through the Supervisory Control and Data Acquisition (SCADA) system to the Programmable Logic Controllers (PLCs) deployed on factory floors and in military installations, chemical and power plants.
• It reprograms these devices by sending program code to the infected machines.


Summary
 Embedded systems have stringent resource constraints; therefore solutions for desktop PCs cannot simply be transferred.
 Embedded security must be solved at all levels of the pyramid
 Security is achieved by exploiting asymmetry
 Follow proven design principles
 Learn from documented security incidents


END
Thank you for your attention!
