SlideShare a Scribd company logo

Embedded Systems Security

Malachi Jones, profile picture
Malachi Jones

This document discusses embedded systems security and how it can be improved. It is difficult to design secure embedded systems because economic incentives often reward producing insecure products, and adding security after development is challenging. However, security can be improved by designing it in from the start using principles like minimal implementation, component architecture, and independent validation. The document provides an overview of embedded systems, operating systems, networked devices, and motivates the importance of security.

1 of 31
Downloaded 250 times
1
2
Most read
3
4
Most read
5
Most read
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Embedded Systems Security: (Why its difficult and what we can do about it) Malachi Jones, PhD Software Engineer
About me (Cyber-security Background) 2 • Intel Corporation (Summer 2011) – Software security internship – Designed/implemented an authentication method for mobile embedded devices • Georgia Tech (2007-2013) – Security research collaboration between Georgia Tech (GT) and University of California Santa Barbara (UCSB) – PhD thesis: “Asymmetric Information Games and Cyber Security” Giovanni Vigna, PhD Security Researcher Joao Hespana, PhD Game Theorist Jeff Shamma, PhD Game Theorist Georgios Kotsalis, PhD Game Theorist Malachi Jones, PhD Security Researcher
Outline 5 • Motivation • Cyber Security Overview • Embedded Systems Security – Networked Systems – Embedded Systems OS • Principles for Designing Secure Software – Minimal Implementation – Component Architecture – Independent Expert Validation • Conclusion • Additional Resources
Motivation 6 • Why should embedded security be important to YOU (and your loved ones)? Critical Infrastructure (Nuclear Power Plant) Life Critical Systems (Pace Maker) Transportation Systems (Flight Control) Financial Infrastructure (Banking & Investing) Information Systems (Patient MRI information) Consumer Products (Wireless Router)
Motivation 7 • What could possibly happen if your home router was attacked by a hacker? – Step 1: Hacker gains access to router settings – Step 2: Changes DNS settings on router – Step 3: Router now talks to hacker’s server to resolve name address – Step 4: www.yourbank.com now resolves to an IP address of the hacker’s server – Step 5: You think you are entering login information for your bank account, but you are handing it over to the hacker. – Step 6: pwn3d (Hacker speak for you’ve been owned) • True story (DNSChanger Trojan)
Main Takeaways 8 • Why is embedded security difficult? – Economic/Business incentive to produce bad security products: Oftentimes buyers (experts included) are unable to observe the difference in quality between a good security product and a lemon. – Increased software complexity: Linear growth in hardware/software content creates non-linear growth in overall system complexity. Complexity breeds flaws. – Security as an afterthought: Often financially and/or technically infeasible to retrofit security capabilities to an embedded system that was not originally designed for it
Main Takeaways 9 • How can we address these difficulties? – Balance the tradeoffs: Strike a balance between security, performance, cost, and schedule. – Control complexity: Aspire for a minimal implementation that provides the simplest solution to the problem with respect to tradeoffs (e.g. cost and schedule) mentioned above – Design in security from conception: Build in security from the start by following well-established security-design principles and techniques Theme of presentation
Cyber Security Overview 10 • Objectives of cyber security – Confidentiality: Prevention of unauthorized access to resources – Integrity: Prevention of modification or corruption of resources – Accessibility: Prevention of attacks that would keep a resource from being accessed or used according to its intended function
Cyber Security Overview 11 • Security topic areas include: Cryptography Penetration Testing Monitoring & Detection Social Engineering Cyber Situational Awareness Security System Design
Cyber Security Overview 12 • Cyber security principles – Without physical security, there is no security: If the physical system is compromised, so are the other components of the system that interact directly or indirectly with the physical system – Once “root”, always “root”: Once a system has been compromised, a hacker can install “backdoors” to access the system with root privileges later – Defense in depth: Complete prevention is impossible. Multiple layers of prevention and monitoring are necessary to achieve the optimum degree of protection (for a given budget). – Kerckhoffs’s Principle: Assume the hacker knows the system. Corollary: Security by obscurity is not secure. – Weakest Link Principle: Weakest link in the system is the most likely part of the system to be first attacked because it is the easiest
Cyber Security Overview 13 • What are some of the primary culprits for the abundant security vulnerabilities found in most mainstream products? Poor Implementation Flawed Design
Cyber Security Overview 14 • Why can it be rational to produce bad security products? • Market for Lemons – Paper written by the economist George Akerlof in the 1970s to discuss information asymmetry. – Information asymmetry: One party has better information than another party – Main Idea: When buyers don't have as much information about the quality of the products as sellers do, there will be severe downward pressure on both the price and quality of product
Cyber Security Overview 15 • Market for cyber security “lemons” – Buyers (security experts included) are often unable to distinguish a “good” security product from a “bad” security product – Difficult to evaluate a product’s claims when the source code and design architecture are proprietary and kept private. – Costs significant amount of money for an independent third party to evaluate and test the product claims. Testing is also slow. – Bottom line: Can be rational for companies to produce mediocre security products because users and experts are likely to make their purchasing decision on parameters (i.e. price) they can observe. – Rare Exception: Secustick was exposed by Tweakers.net for not encrypting data on USB drives when they claimed to have done so.
Embedded Security: Embedded Systems 16 • Definition: An embedded system is an electronic product that contains a microprocessor (one or more) and software to perform some constituent function within a larger entity • Key Point: Embedded systems may be constrained by cost, memory, energy, mass, and volume • Examples • What do all these embedded devices have in common? Smart Meter Raspberry Pi Smart Phone Router
Embedded Security: Networked Systems 17 • What are the advantages of networked embedded systems? • Remote management – Monitor performance of devices deployed in the field – Enables installation of patches or other software upgrades – Execute a plethora of management duties – Increases product lifetime, reliability, serviceability, and customer satisfaction while reducing maintenance cost and total cost of ownership • Example of remote management: Mars Pathfinder Mission
Embedded Security: Remote Management 18 • Mars Pathfinder Mission (1997) – Malfunction was diagnosed down to a software defect during mission – Priority inversion issue between communication tasks (medium priority), meteorological tasks (low priority), and information bus thread (high priority) – Patch to remedy defect by implementing priority inheritance was installed via radio link from Earth – Remote management saved the mission from disaster
Embedded Security: Remote Management 19 • Security implications of remote management – Remote device management is the answer to the hacker’s wildest dreams – The embedded system is imbued not only with internet access, but also a means to remotely modify and patch software • What could go wrong? – Critical and widespread vulnerability in VxWorks OS discovered in 2010 – A debug communication port that provided remote diagnostics was used to commandeer the system – Using the debug interface, a remote attacker could read or write to any memory location: – Hacker could install malware and even replace the OS itself – Key Point: Even if your software is perfect, you still have to take into account the security of the third-party OS
Embedded Security: Operating Systems 20 • Why is the operating system important to security? – Recall: Even with perfect software, the OS can allow the system to be vulnerable to a cyber attack – Operating system (OS) controls the resources of the embedded system (e.g. memory and CPU) – The OS has the power to prevent unauthorized use of resources
Embedded Security: Operating Systems 21 • Design decisions emphasize performance over security because more profitable (Market for Lemons) • Monolithic kernel: Popular OS design – User applications able to access most services (TCP/IP, files, and I/O devices) with a simple system call into kernel – Services typically reside within a single process • Microkernel: Secure OS design – Implements services in separate processes – Requires inter-process communication (added overhead) – Extra context switching
Embedded Security: Operating Systems 22 Traditional Kernel (Monolithic) Microkernel (Implemented in MILS)
Embedded Security: Operating Systems 23 • Good News: A few OS technologies have taken a new approach to embedded security that is based on a design concept originally developed in the 1980’s. • Design concept: Multiple Independent Levels of Security (MILS) • Foundation of MILS-based embedded system is a special type of microkernel called the separation kernel.
Embedded Security: Operating Systems 24 • Separation Kernel: A small microkernel that implements a limited set of critical functional security polices that include data isolation, damage limitation, and information flow – Data Isolation: Data within partitioned applications cannot be read or modified by other applications – Damage limitation: If a bug or attack damages a partitioned application, this damage cannot spread to other application – Information flow: Information cannot flow between partitioned applications unless explicitly permitted by the system security policy
Designing secure embedded systems 25 • Why not bolt on security after the fact? • Key Concept: Often financially and/or technically infeasible to retrofit security capability to a system that was not originally designed for it • Think about the difficulty of retrofitting these systems: • These systems can have a lifespan of 10+ years • Moore's Law doesn’t apply!! (Very difficult to add/upgrade hardware) Pace Maker Smart Meter Nuclear reactor controller
Designing secure embedded systems 26 • Software assurance: Refers to the level of confidence that software end user and other stakeholders have that security policies and functions claimed by software are actually fulfilled • Key Point: Simply meeting functional requirements does not achieve the assurance required for security-critical embedded systems • Principles of High Assurance Software Engineering [2] – Minimal Implementation – Component Architecture – Independent expert validation – Least privilege – Secure development process
Designing secure embedded systems: Minimal Implementation 27 • Minimal Implementation – Linear growth in hardware/software content creates non-linear growth in overall complexity of the system – Complexity increases nonlinearly because of the exponential increase in interactions between functions and components – Complexity breeds flaws, and those flaws can be exploited to breach the system’s security – Ideally: Implement the simplest system needed to solve the problem. – Design Concept: Find a balance between schedule, performance, design, and cost that doesn’t compromise the required security of the system
Designing secure embedded systems: Component Architecture 28 • Component Architecture – Difficult/infeasible for a single engineer to understand every single line of code of a large monolithic system – Design Concept: Compose large software systems from small components. Each component should be easily maintained by a single engineer who understands every single line of code – Design Concept: Safety and/or security enforcing functionality should be placed into separate components that allow critical operations to be protected from compromise by noncritical portions of the system
Designing secure embedded systems: Component Architecture 29 • Component Architecture – Modern OS provides memory protected processes – Design Concept: Designers should strive for a one-to-one ratio between threads and processes – Security/Performance Tradeoff: Threads are lighter weight than processes, but processes can provide memory protection
Designing secure systems: Independent Expert Validation 30 • Independent Expert Validation – Security claims are a dime-a-dozen (e.g. Secustick) – Design Concept: Evidence of a secure system must be evaluated by independent experts – Anyone can produce a security design that is so clever, they can’t defeat it – Very difficult to produce a design that is so secure, others can’t defeat it – Independent experts provide another set of eyes that can spot security vulnerabilities that the designers can’t see
Conclusion 31 “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable” —The Art of War, Sun Tzu
Additional Resources 32 1. M. Jones, G. Kotsalis, and J. Shamma, “Cyber-attack forecast modeling and complexity reduction using a game-theoretic framework,” in Control of Cyber- Physical Systems (D. C. Tarraf, ed.), vol. 449 of Lecture Notes in Control and Information Sciences, pp. 65–84, Springer International Publishing, 2013. 2. Kleidermacher, D. & Kleidermacher, M. (2012). Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development. 3. Ferguson, Niels, Schneier, Bruce & Kohno, Tadayoshi (2010). Cryptography Engineering: Design Principles and Practical Applications. Wiley Publishing 4. Gebotys, C.H. (2009). Security in Embedded Devices. Springer 5. Anderson, R., "Why information security is hard - an economic perspective," Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual , vol., no., pp.358,365, 10-14 Dec. 2001
Questions? 33

More Related Content

PPTX
introduction to Embedded System Security
Adel Barkam
 
PPTX
Security in an embedded system
UrmilasSrinivasan
 
PPTX
Security in embedded systems
Raghav S
 
PDF
Security in Embedded systems
Naveen Jakhar, I.T.S
 
PDF
Secure Embedded Systems
Informatik-Forum Stuttgart e.V.
 
PPTX
Embedded systems
Edgefxkits & Solutions
 
PPTX
Introduction to Embedded Systems I : Chapter 1
Moe Moe Myint
 
PPT
Embedded systems ppt
Shreya Thakur
 
introduction to Embedded System Security
Adel Barkam
 
Security in an embedded system
UrmilasSrinivasan
 
Security in embedded systems
Raghav S
 
Security in Embedded systems
Naveen Jakhar, I.T.S
 
Secure Embedded Systems
Informatik-Forum Stuttgart e.V.
 
Embedded systems
Edgefxkits & Solutions
 
Introduction to Embedded Systems I : Chapter 1
Moe Moe Myint
 
Embedded systems ppt
Shreya Thakur
 

What's hot (20)

PPTX
Introduction to Embedded Systems
Sandeep Reddy
 
PPTX
Basic concepts in computer security
Arzath Areeff
 
PDF
AUTOMOTIVE CYBER SECURITY PPT
VinayakSharma609332
 
PPTX
Embedded systems
Ashok Raj
 
PDF
Embedded systems basics
Mathivanan Natarajan
 
PPT
Design of embedded systems
Pradeep Kumar TS
 
PPTX
Ppt on embedded systems
Vaibhava Mishra
 
PPTX
Introduction to IoT Security
CAS
 
PPTX
Embedded Systems - Training ppt
Nishant Kayal
 
PPT
Embedded System Presentation
Prof. Erwin Globio
 
PPTX
Ppt on six month training on embedded system & IOT
preetigill309
 
PPTX
Embedded system.ppt
Radhika Puttewar
 
PPTX
Internet of Things (IoT) Presentation
Jason K
 
PPTX
A Career in Cybersecurity
lfh663
 
DOC
Report file on Embedded systems
Sukhendra Chaudhary
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
PPTX
Network security
fatimasaham
 
PDF
Embedded systems The Past Present and the Future
Srikanth KS
 
PPTX
TARA- Automotive Cybersecurity.pptx
Shriya Rai
 
DOCX
project report on embedded system
ram avtar
 
Introduction to Embedded Systems
Sandeep Reddy
 
Basic concepts in computer security
Arzath Areeff
 
AUTOMOTIVE CYBER SECURITY PPT
VinayakSharma609332
 
Embedded systems
Ashok Raj
 
Embedded systems basics
Mathivanan Natarajan
 
Design of embedded systems
Pradeep Kumar TS
 
Ppt on embedded systems
Vaibhava Mishra
 
Introduction to IoT Security
CAS
 
Embedded Systems - Training ppt
Nishant Kayal
 
Embedded System Presentation
Prof. Erwin Globio
 
Ppt on six month training on embedded system & IOT
preetigill309
 
Embedded system.ppt
Radhika Puttewar
 
Internet of Things (IoT) Presentation
Jason K
 
A Career in Cybersecurity
lfh663
 
Report file on Embedded systems
Sukhendra Chaudhary
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Network security
fatimasaham
 
Embedded systems The Past Present and the Future
Srikanth KS
 
TARA- Automotive Cybersecurity.pptx
Shriya Rai
 
project report on embedded system
ram avtar
 
Ad

Viewers also liked (7)

PPTX
Robot supervisor
Malak Talbi
 
PDF
Embedded System Security: Learning from Banking and Payment Industry
Narudom Roongsiriwong, CISSP
 
KEY
121115 Présentation Arduino Cocoaheads
cgodefroy
 
PPTX
Embedded based home security system
NIT srinagar
 
PDF
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
PPTX
Présentation des IoT
Lakhdar Meftah
 
ODP
Les systèmes embarqués arduino
CHERIET Mohammed El Amine
 
Robot supervisor
Malak Talbi
 
Embedded System Security: Learning from Banking and Payment Industry
Narudom Roongsiriwong, CISSP
 
121115 Présentation Arduino Cocoaheads
cgodefroy
 
Embedded based home security system
NIT srinagar
 
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
Présentation des IoT
Lakhdar Meftah
 
Les systèmes embarqués arduino
CHERIET Mohammed El Amine
 
Ad

Similar to Embedded Systems Security (20)

PPTX
Cyber Security: Threats and Needed Actions
John Gilligan
 
PDF
Hardware Security on Vehicles
Priyanka Aash
 
PPT
Information Assurance And Security - Chapter 2 - Lesson 4
MLG College of Learning, Inc
 
PPT
Lesson 4
MLG College of Learning, Inc
 
PPTX
ITT408_Unit#1_InformationSecurity_Fundamentals_STUDENTS.pptx
srizvi9
 
PPT
Introduction to information security
Kumawat Dharmpal
 
PPT
01Introduction to Information Security.ppt
it160320737038
 
PPT
its a computer security based ppt which is very useful
SantoshChintawar
 
PPT
Understanding Technology Stakeholders
John Gilligan
 
PPT
Lecture 4 presentation of cyber security
jitendrachettri894
 
PPT
Understanding Technology Stakeholders: Their Progress and Challenges
John Gilligan
 
PPTX
IIoT Endpoint Security
Industrial Internet Consortium
 
PDF
WSO2CON 2024 - How to Run a Security Program
WSO2
 
PPT
Chapter 5 cyber security in computer.ppt
ubaidullah75790
 
PPTX
Data Information and Security Unit-1.pptx
sbrainyajay
 
PPTX
security onion
Boni Yeamin
 
PPTX
CISSP Domain 03 Security Architecture and Engineering.pptx
gealehegn
 
PPTX
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
PPTX
19-f15-mobile-security.pptx
Jhansigali
 
PDF
III SEM MCA-Module 4 -Ch2.pdf- Securing IoT
RAJESHWARI M
 
Cyber Security: Threats and Needed Actions
John Gilligan
 
Hardware Security on Vehicles
Priyanka Aash
 
Information Assurance And Security - Chapter 2 - Lesson 4
MLG College of Learning, Inc
 
Lesson 4
MLG College of Learning, Inc
 
ITT408_Unit#1_InformationSecurity_Fundamentals_STUDENTS.pptx
srizvi9
 
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
it160320737038
 
its a computer security based ppt which is very useful
SantoshChintawar
 
Understanding Technology Stakeholders
John Gilligan
 
Lecture 4 presentation of cyber security
jitendrachettri894
 
Understanding Technology Stakeholders: Their Progress and Challenges
John Gilligan
 
IIoT Endpoint Security
Industrial Internet Consortium
 
WSO2CON 2024 - How to Run a Security Program
WSO2
 
Chapter 5 cyber security in computer.ppt
ubaidullah75790
 
Data Information and Security Unit-1.pptx
sbrainyajay
 
security onion
Boni Yeamin
 
CISSP Domain 03 Security Architecture and Engineering.pptx
gealehegn
 
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
19-f15-mobile-security.pptx
Jhansigali
 
III SEM MCA-Module 4 -Ch2.pdf- Securing IoT
RAJESHWARI M
 

More from Malachi Jones (7)

PDF
Automating Reverse Engineering: Function Classification and Matching
Malachi Jones
 
PDF
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
PDF
Embedded device hacking Session i
Malachi Jones
 
PDF
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
PDF
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
PDF
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
PDF
Cyber_Attack_Forecasting_Jones_2015
Malachi Jones
 
Automating Reverse Engineering: Function Classification and Matching
Malachi Jones
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
Embedded device hacking Session i
Malachi Jones
 
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
Cyber_Attack_Forecasting_Jones_2015
Malachi Jones
 

Embedded Systems Security

  • 1. Embedded Systems Security: (Why its difficult and what we can do about it) Malachi Jones, PhD Software Engineer
  • 2. About me (Cyber-security Background) 2 • Intel Corporation (Summer 2011) – Software security internship – Designed/implemented an authentication method for mobile embedded devices • Georgia Tech (2007-2013) – Security research collaboration between Georgia Tech (GT) and University of California Santa Barbara (UCSB) – PhD thesis: “Asymmetric Information Games and Cyber Security” Giovanni Vigna, PhD Security Researcher Joao Hespana, PhD Game Theorist Jeff Shamma, PhD Game Theorist Georgios Kotsalis, PhD Game Theorist Malachi Jones, PhD Security Researcher
  • 3. Outline 5 • Motivation • Cyber Security Overview • Embedded Systems Security – Networked Systems – Embedded Systems OS • Principles for Designing Secure Software – Minimal Implementation – Component Architecture – Independent Expert Validation • Conclusion • Additional Resources
  • 4. Motivation 6 • Why should embedded security be important to YOU (and your loved ones)? Critical Infrastructure (Nuclear Power Plant) Life Critical Systems (Pace Maker) Transportation Systems (Flight Control) Financial Infrastructure (Banking & Investing) Information Systems (Patient MRI information) Consumer Products (Wireless Router)
  • 5. Motivation 7 • What could possibly happen if your home router was attacked by a hacker? – Step 1: Hacker gains access to router settings – Step 2: Changes DNS settings on router – Step 3: Router now talks to hacker’s server to resolve name address – Step 4: www.yourbank.com now resolves to an IP address of the hacker’s server – Step 5: You think you are entering login information for your bank account, but you are handing it over to the hacker. – Step 6: pwn3d (Hacker speak for you’ve been owned) • True story (DNSChanger Trojan)
  • 6. Main Takeaways 8 • Why is embedded security difficult? – Economic/Business incentive to produce bad security products: Oftentimes buyers (experts included) are unable to observe the difference in quality between a good security product and a lemon. – Increased software complexity: Linear growth in hardware/software content creates non-linear growth in overall system complexity. Complexity breeds flaws. – Security as an afterthought: Often financially and/or technically infeasible to retrofit security capabilities to an embedded system that was not originally designed for it
  • 7. Main Takeaways 9 • How can we address these difficulties? – Balance the tradeoffs: Strike a balance between security, performance, cost, and schedule. – Control complexity: Aspire for a minimal implementation that provides the simplest solution to the problem with respect to tradeoffs (e.g. cost and schedule) mentioned above – Design in security from conception: Build in security from the start by following well-established security-design principles and techniques Theme of presentation
  • 8. Cyber Security Overview 10 • Objectives of cyber security – Confidentiality: Prevention of unauthorized access to resources – Integrity: Prevention of modification or corruption of resources – Accessibility: Prevention of attacks that would keep a resource from being accessed or used according to its intended function
  • 9. Cyber Security Overview 11 • Security topic areas include: Cryptography Penetration Testing Monitoring & Detection Social Engineering Cyber Situational Awareness Security System Design
  • 10. Cyber Security Overview 12 • Cyber security principles – Without physical security, there is no security: If the physical system is compromised, so are the other components of the system that interact directly or indirectly with the physical system – Once “root”, always “root”: Once a system has been compromised, a hacker can install “backdoors” to access the system with root privileges later – Defense in depth: Complete prevention is impossible. Multiple layers of prevention and monitoring are necessary to achieve the optimum degree of protection (for a given budget). – Kerckhoffs’s Principle: Assume the hacker knows the system. Corollary: Security by obscurity is not secure. – Weakest Link Principle: Weakest link in the system is the most likely part of the system to be first attacked because it is the easiest
  • 11. Cyber Security Overview 13 • What are some of the primary culprits for the abundant security vulnerabilities found in most mainstream products? Poor Implementation Flawed Design
  • 12. Cyber Security Overview 14 • Why can it be rational to produce bad security products? • Market for Lemons – Paper written by the economist George Akerlof in the 1970s to discuss information asymmetry. – Information asymmetry: One party has better information than another party – Main Idea: When buyers don't have as much information about the quality of the products as sellers do, there will be severe downward pressure on both the price and quality of product
  • 13. Cyber Security Overview 15 • Market for cyber security “lemons” – Buyers (security experts included) are often unable to distinguish a “good” security product from a “bad” security product – Difficult to evaluate a product’s claims when the source code and design architecture are proprietary and kept private. – Costs significant amount of money for an independent third party to evaluate and test the product claims. Testing is also slow. – Bottom line: Can be rational for companies to produce mediocre security products because users and experts are likely to make their purchasing decision on parameters (i.e. price) they can observe. – Rare Exception: Secustick was exposed by Tweakers.net for not encrypting data on USB drives when they claimed to have done so.
  • 14. Embedded Security: Embedded Systems 16 • Definition: An embedded system is an electronic product that contains a microprocessor (one or more) and software to perform some constituent function within a larger entity • Key Point: Embedded systems may be constrained by cost, memory, energy, mass, and volume • Examples • What do all these embedded devices have in common? Smart Meter Raspberry Pi Smart Phone Router
  • 15. Embedded Security: Networked Systems 17 • What are the advantages of networked embedded systems? • Remote management – Monitor performance of devices deployed in the field – Enables installation of patches or other software upgrades – Execute a plethora of management duties – Increases product lifetime, reliability, serviceability, and customer satisfaction while reducing maintenance cost and total cost of ownership • Example of remote management: Mars Pathfinder Mission
  • 16. Embedded Security: Remote Management 18 • Mars Pathfinder Mission (1997) – Malfunction was diagnosed down to a software defect during mission – Priority inversion issue between communication tasks (medium priority), meteorological tasks (low priority), and information bus thread (high priority) – Patch to remedy defect by implementing priority inheritance was installed via radio link from Earth – Remote management saved the mission from disaster
  • 17. Embedded Security: Remote Management 19 • Security implications of remote management – Remote device management is the answer to the hacker’s wildest dreams – The embedded system is imbued not only with internet access, but also a means to remotely modify and patch software • What could go wrong? – Critical and widespread vulnerability in VxWorks OS discovered in 2010 – A debug communication port that provided remote diagnostics was used to commandeer the system – Using the debug interface, a remote attacker could read or write to any memory location: – Hacker could install malware and even replace the OS itself – Key Point: Even if your software is perfect, you still have to take into account the security of the third-party OS
  • 18. Embedded Security: Operating Systems 20 • Why is the operating system important to security? – Recall: Even with perfect software, the OS can allow the system to be vulnerable to a cyber attack – Operating system (OS) controls the resources of the embedded system (e.g. memory and CPU) – The OS has the power to prevent unauthorized use of resources
  • 19. Embedded Security: Operating Systems 21 • Design decisions emphasize performance over security because more profitable (Market for Lemons) • Monolithic kernel: Popular OS design – User applications able to access most services (TCP/IP, files, and I/O devices) with a simple system call into kernel – Services typically reside within a single process • Microkernel: Secure OS design – Implements services in separate processes – Requires inter-process communication (added overhead) – Extra context switching
  • 20. Embedded Security: Operating Systems 22 Traditional Kernel (Monolithic) Microkernel (Implemented in MILS)
  • 21. Embedded Security: Operating Systems 23 • Good News: A few OS technologies have taken a new approach to embedded security that is based on a design concept originally developed in the 1980’s. • Design concept: Multiple Independent Levels of Security (MILS) • Foundation of MILS-based embedded system is a special type of microkernel called the separation kernel.
  • 22. Embedded Security: Operating Systems 24 • Separation Kernel: A small microkernel that implements a limited set of critical functional security polices that include data isolation, damage limitation, and information flow – Data Isolation: Data within partitioned applications cannot be read or modified by other applications – Damage limitation: If a bug or attack damages a partitioned application, this damage cannot spread to other application – Information flow: Information cannot flow between partitioned applications unless explicitly permitted by the system security policy
  • 23. Designing secure embedded systems 25 • Why not bolt on security after the fact? • Key Concept: Often financially and/or technically infeasible to retrofit security capability to a system that was not originally designed for it • Think about the difficulty of retrofitting these systems: • These systems can have a lifespan of 10+ years • Moore's Law doesn’t apply!! (Very difficult to add/upgrade hardware) Pace Maker Smart Meter Nuclear reactor controller
  • 24. Designing secure embedded systems 26 • Software assurance: Refers to the level of confidence that software end user and other stakeholders have that security policies and functions claimed by software are actually fulfilled • Key Point: Simply meeting functional requirements does not achieve the assurance required for security-critical embedded systems • Principles of High Assurance Software Engineering [2] – Minimal Implementation – Component Architecture – Independent expert validation – Least privilege – Secure development process
  • 25. Designing secure embedded systems: Minimal Implementation 27 • Minimal Implementation – Linear growth in hardware/software content creates non-linear growth in overall complexity of the system – Complexity increases nonlinearly because of the exponential increase in interactions between functions and components – Complexity breeds flaws, and those flaws can be exploited to breach the system’s security – Ideally: Implement the simplest system needed to solve the problem. – Design Concept: Find a balance between schedule, performance, design, and cost that doesn’t compromise the required security of the system
  • 26. Designing secure embedded systems: Component Architecture 28 • Component Architecture – Difficult/infeasible for a single engineer to understand every single line of code of a large monolithic system – Design Concept: Compose large software systems from small components. Each component should be easily maintained by a single engineer who understands every single line of code – Design Concept: Safety and/or security enforcing functionality should be placed into separate components that allow critical operations to be protected from compromise by noncritical portions of the system
  • 27. Designing secure embedded systems: Component Architecture 29 • Component Architecture – Modern OS provides memory protected processes – Design Concept: Designers should strive for a one-to-one ratio between threads and processes – Security/Performance Tradeoff: Threads are lighter weight than processes, but processes can provide memory protection
  • 28. Designing secure systems: Independent Expert Validation 30 • Independent Expert Validation – Security claims are a dime-a-dozen (e.g. Secustick) – Design Concept: Evidence of a secure system must be evaluated by independent experts – Anyone can produce a security design that is so clever, they can’t defeat it – Very difficult to produce a design that is so secure, others can’t defeat it – Independent experts provide another set of eyes that can spot security vulnerabilities that the designers can’t see
  • 29. Conclusion 31 “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable” —The Art of War, Sun Tzu
  • 30. Additional Resources 32 1. M. Jones, G. Kotsalis, and J. Shamma, “Cyber-attack forecast modeling and complexity reduction using a game-theoretic framework,” in Control of Cyber- Physical Systems (D. C. Tarraf, ed.), vol. 449 of Lecture Notes in Control and Information Sciences, pp. 65–84, Springer International Publishing, 2013. 2. Kleidermacher, D. & Kleidermacher, M. (2012). Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development. 3. Ferguson, Niels, Schneier, Bruce & Kohno, Tadayoshi (2010). Cryptography Engineering: Design Principles and Practical Applications. Wiley Publishing 4. Gebotys, C.H. (2009). Security in Embedded Devices. Springer 5. Anderson, R., "Why information security is hard - an economic perspective," Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual , vol., no., pp.358,365, 10-14 Dec. 2001