cybersecurity for iot verify your software today
play

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, - PowerPoint PPT Presentation

Feb 01, 2024 •106 likes •694 views

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a tutorial prepared with Frdric Loulergue) Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Deductive

  1. Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a tutorial prepared with Frédéric Loulergue)

  2. Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Deductive verification using Frama-C/WP Runtime Verification using Frama-C/E-ACSL Conclusion A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 2 / 48

  3. Introduction Security in the IoT Outline Introduction Security in the IoT An overview of Frama-C The Contiki operating system Verification of absence of runtime errors using Frama-C/Eva Deductive verification using Frama-C/WP Runtime Verification using Frama-C/E-ACSL Conclusion A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 3 / 48

  4. Introduction Security in the IoT Internet of Things ◮ connect all devices and services ◮ 46 billions devices by 2021 ◮ transport huge amounts of data (c) Internet Security Buzz A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 4 / 48

  5. Introduction Security in the IoT And Security? A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 5 / 48

  6. Introduction Security in the IoT And Security? A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 5 / 48

  7. Introduction Security in the IoT And Security? A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 5 / 48

  8. Introduction Security in the IoT And Security? A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 5 / 48

  9. Introduction Security in the IoT And Security? A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 5 / 48

  10. Introduction An overview of Frama-C Outline Introduction Security in the IoT An overview of Frama-C The Contiki operating system Verification of absence of runtime errors using Frama-C/Eva Deductive verification using Frama-C/WP Runtime Verification using Frama-C/E-ACSL Conclusion A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 6 / 48

  11. Introduction An overview of Frama-C Frama-C Open-Source Distribution Framework for Analysis of C source code http://frama-c.com ◮ offers a specification language called ACSL ◮ targets both academic and industrial usage A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 7 / 48

  12. Introduction An overview of Frama-C Frama-C, a Collection of Tools Several tools inside a single platform ◮ plugin architecture like in Eclipse ◮ over 20 plugins in the open-source distribution ◮ also close-source plugins, either at CEA (about 20) or outside ◮ a common kernel ◮ provides a uniform setting ◮ provides general services A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 8 / 48

  13. Introduction An overview of Frama-C Plugin Gallery Eva Jessie Wp Aora¨ ı RTE Abstract Interpretation Specification Generation Deductive Verification Slicing Sparecode Formal Methods PathCrawler E-ACSL Clang Plugins Code Transformation Dynamic Analysis StaDy Semantic constant folding Browsing of unfamiliar code Sante Ltest Metrics Callgraph Impact Occurrence Scope & Data-flow browsing A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 9 / 48

  14. Introduction An overview of Frama-C Use the Right Tool for the Right Task We may want to assure different degrees of confidence: ◮ absence of runtime errors or functional correctness ◮ partial/complete analysis (testing vs. verification) Different tools require from us more or less work: ◮ Just provide the source code ◮ Configure tool parameters ◮ Provide code annotations The higher the confidence is, the more information we have to provide A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 10 / 48

  15. Introduction The Contiki operating system Outline Introduction Security in the IoT An overview of Frama-C The Contiki operating system Verification of absence of runtime errors using Frama-C/Eva Deductive verification using Frama-C/WP Runtime Verification using Frama-C/E-ACSL Conclusion A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 11 / 48

  16. Introduction The Contiki operating system A lightweight OS for IoT Contiki is a lightweight operating system for IoT It provides a lot of features: ◮ (rudimentary) memory and process management ◮ networking stack and cryptographic functions ◮ ... Typical hardware platform: ◮ 8, 16, or 32-bit MCU (little or big-endian), ◮ low-power radio, some sensors and actuators, ... ms Group Note for security: there is no memory protection unit. A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 12 / 48

  17. Introduction The Contiki operating system Contiki: Typical Applications ◮ IoT scenarios: smart cities, building automation, ... ◮ Multiple hops to cover large areas ◮ Low-power for battery-powered scenarios ◮ Nodes are interoperable and addressable (IP) Traffjc lights Parking spots Public transport Street lights Smart metering … Light bulbs Thermostat Power sockets CO2 sensors Door locks Smoke detectors 5 5 SICS Networked Embedded Systems Group … Sics th Sense A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 13 / 48

  18. Verification of absence of runtime errors using Frama-C/Eva Runtime errors and the Eva plugin Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Runtime errors and the Eva plugin Simple Example An application to Contiki Deductive verification using Frama-C/WP Runtime Verification using Frama-C/E-ACSL Conclusion A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 14 / 48

  19. Verification of absence of runtime errors using Frama-C/Eva Runtime errors and the Eva plugin Runtime errors Runtime errors in C are undefined behaviors: ◮ out-of-bound accesses, ◮ integer overflows, ◮ division by 0, ◮ invalid pointers ◮ . . . They can raise important security issues ◮ For example, HeartBleed vulnerability (found in 2014 in OpenSSL) A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 15 / 48

  20. Verification of absence of runtime errors using Frama-C/Eva Runtime errors and the Eva plugin Value Analysis Overview Compute possible values of variables at each program point ◮ an automatic analysis based on abstract interpretation ◮ computes a correct over-approximation ◮ reports alarms for potential runtime errors ◮ reports alarms for potentially invalid annotations ◮ can prove the absence of runtime errors ◮ graphical interface: displays the domains of each variable A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 16 / 48

  21. Verification of absence of runtime errors using Frama-C/Eva Simple Example Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Runtime errors and the Eva plugin Simple Example An application to Contiki Deductive verification using Frama-C/WP Runtime Verification using Frama-C/E-ACSL Conclusion A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 17 / 48

  22. Verification of absence of runtime errors using Frama-C/Eva Simple Example Example 1 Run Eva: frama-c-gui div1.c -val -main=f int f ( int a ) { int x, y; int sum, result; if (a == 0) { x = 0; y = 0; } else { x = 5; y = 5; } sum = x + y; // sum can be 0 result = 10/sum; // risk of division by 0 return result; } A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 18 / 48

  23. Verification of absence of runtime errors using Frama-C/Eva Simple Example Example 1 Run Eva: frama-c-gui div1.c -val -main=f int f ( int a ) { int x, y; int sum, result; if (a == 0) { x = 0; y = 0; } else { x = 5; y = 5; } sum = x + y; // sum can be 0 result = 10/sum; // risk of division by 0 return result; } Risk of division by 0 is detected, it is real. A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 18 / 48

  24. Verification of absence of runtime errors using Frama-C/Eva Simple Example Example 2 Run Eva: frama-c-gui div2.c -val -main=f int f ( int a ) { int x, y; int sum, result; if (a == 0) { x = 0; y = 5; } else { x = 5; y = 0; } sum = x + y; // sum cannot be 0 result = 10/sum; // no div. by 0 return result; } A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 19 / 48

  25. Verification of absence of runtime errors using Frama-C/Eva Simple Example Example 2 Run Eva: frama-c-gui div2.c -val -main=f int f ( int a ) { int x, y; int sum, result; if (a == 0) { x = 0; y = 5; } else { x = 5; y = 0; } sum = x + y; // sum cannot be 0 result = 10/sum; // no div. by 0 return result; } Risk of division by 0 is detected, but it is a false alarm. A. Blanchard, N. Kosmatov Cybersecurity for IoT: Verify your Software Today! FIC 2019 19 / 48

Recommend

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical Facilities Local Government Schools Law Enforcement Media Outlets The threat and how to think about it Ransomware has rapidly emerged as the most

398 views • 15 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be applicants eligibility from Homeland Security, IRS and Social Security systems, in real time, plus enroll members electronically to any

346 views • 8 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
cybersecurity & compliance automation platform delivered in software as a service model

cybersecurity & compliance automation platform delivered in software as a service model

cybersecurity & compliance automation platform delivered in software as a service model plug&play cybersecurity plug&play compliance Defenselayers company purpose Defenselayers is an innovative, global cybersecurity startup. We

460 views • 13 slides
Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment? CEC Entertainment, Irving TX Founded by Nolan Bushnell Revenue What Is CEC Entertainment? What Is CEC Entertainment? What Is CEC Entertainment?

305 views • 19 slides
Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

2019 CALENDAR YEAR-END CLOSING PROCEDURES 1 USAS-R CYE Procedures Verify 1099 Data Month End Close Calendar Year End Close 1099 Procedures TR1099 Program 2 2 Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors

357 views • 8 slides
KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we

KAI Software YOUR IDEA.OUR SOFTWARE. Overview KAI SOFTWARE INC was founded in 1994 and today we create new software development solutions for projects with sizable data requirements. Having a background in mining industry, KAI Software have

267 views • 26 slides
Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr,

1.79k views • 151 slides
Designing Robust Software Analysis and Artificial Intelligence Approaches For Cybersecurity

Designing Robust Software Analysis and Artificial Intelligence Approaches For Cybersecurity

Designing Robust Software Analysis and Artificial Intelligence Approaches For Cybersecurity Giacomo Iadarola Research fellow (Assegnista di Ricerca) at IIT-CNR PhD student at Department of Computer Science (University of Pisa) TUTOR: Fabio

850 views • 49 slides
Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy. The original

437 views • 32 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application

Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application

Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application behavior As a software developer I need tests In order to verify application behavior As a software developer I need tests Preferably automated tests

482 views • 44 slides
Software Assurance and Cybersecurity William L Scherlis Professor of Computer Science

Software Assurance and Cybersecurity William L Scherlis Professor of Computer Science

Software Assurance and Cybersecurity William L Scherlis Professor of Computer Science Director, Institute for Software Research School of Nuclear Regulatory Commission Computer Science 17 December 2015 School of Computer Science Assurance

304 views • 6 slides
verify for NETCONF <draft-cole-netconf-verify-00.txt>

verify for NETCONF <draft-cole-netconf-verify-00.txt>

verify for NETCONF <draft-cole-netconf-verify-00.txt> <draft-cole-netconf-transaction-test-00.txt> Robert G. Cole 1 Dan Romascanu 2 Andy Bierman 3 1 U.S. Army CERDEC 2 Avaya dromasca@avaya.com 3 Netconf Central

87 views • 5 slides
SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk

SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk

SOFTWARE ENGINEERING SOFTWARE QUALITY - SOFTWARE QUALITY QUALITY COMPONENTS Today we talk about software process quality and certification Objective quality component: properties that can be Jyrki Nummenmaa University of Tampere, CS

438 views • 5 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN

Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN

Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN CHANGING TIMES Robert Kriss Partner +1 312 701 7165 rkriss@mayerbrown.com Speakers Robert Kriss Partner - Chicago Overview What is the current

639 views • 32 slides
Welcome and Opening Remarks Richard Bailey Assistant Commissioner, DOS March 6, 2020 Agenda

Welcome and Opening Remarks Richard Bailey Assistant Commissioner, DOS March 6, 2020 Agenda

Welcome and Opening Remarks Richard Bailey Assistant Commissioner, DOS March 6, 2020 Agenda Cybersecurity - Foreign Travel - Risk Assessment - Software Cybersecurity Policy - Municipal Cybersecurity Update IT Strategic Planning 2

802 views • 44 slides
Open Source Software & Key Challenges Selvaraj K, SAP Labs India CyberSecurity India 2016

Open Source Software & Key Challenges Selvaraj K, SAP Labs India CyberSecurity India 2016

Open Source Software & Key Challenges Selvaraj K, SAP Labs India CyberSecurity India 2016 Conference February 19 th , 2016 Agenda #1 Introduction #2 Recent cases #3 Challenges #4 Key Takeaways Disclaimer: Views expressed in this

730 views • 16 slides
Thinking Software Today I want to talk about the importance of software/code and why we need to

Thinking Software Today I want to talk about the importance of software/code and why we need to

Thinking Software Today I want to talk about the importance of software/code and why we need to study it: 1. Software/Code 2. The softwarization of the university Apple Siri Thinking Software 3. Knowledge in the Digital Age code and the

476 views • 14 slides
Today & next lecture Aims of the course Introduction to issues of software quality Axiomatic

Today & next lecture Aims of the course Introduction to issues of software quality Axiomatic

Chair of Software Engineering Chair of Software Engineering Software Verification Contracts, Trusted Components and Patterns Bertrand Meyer Manuel Oriol Till Bay ETH, Fall 2008 Today & next lecture Aims of the course Introduction to

405 views • 36 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2018 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

325 views • 18 slides

More recommend