dominig ar foll
play

Dominig ar Foll Senior Software Architect Intel Open Source IoT - PowerPoint PPT Presentation

Dominig ar Foll Senior Software Architect Intel Open Source IoT Summit 2016, Berlin, DE dominig.arfoll@fridu.net 1/21 Attacking IoT, a viable business Ransom model Stall manufacturing Immobilise expensive items (e.g. your car)


  1. Dominig ar Foll Senior Software Architect Intel Open Source IoT Summit 2016, Berlin, DE dominig.arfoll@fridu.net 1/21

  2. Attacking IoT, a viable business ➢ Ransom model ➢ Stall manufacturing ➢ Immobilise expensive items (e.g. your car) ➢ … ➢ Competitive advantage ➢ Collecting R&D, manufacturing data ➢ Disturbing production line ➢ Indirect ➢ Cheap robot for DDoS ➢ Easy entry point

  3. Understanding the risks Developer Fix all possible weaknesses Deactivate possible users errors LTS assumed for free Back Hat Only need one security hole Can be help by careless users Good long term business opportunities Good international network 3/21

  4. Security fundamentals Minimise surface of attack Control the code which is run Provide a bullet proof update model Track security patches Use HW security helpers when available Limit lateral movement in the system Develop and QA with security turned on Do not rely on human but on platform and tools Security cannot be added after the fact 4/21

  5. Do not rely on human ➢ Security experts are out of reach ➢ 9M Mobile Developers ➢ 8M Web Developers ➢ 0.5M Embedded Developers ➢ How many Embedded Security Developers ? ➢ Human are unreliable ➢ We do not have the time now ➢ Oups, it’s too late to change it ➢ No one is interested by our system ➢ We are too small ➢ ...

  6. Concepts are Known but what about implementation? Full isolation AppFW AppFW Untrusted Apps / Middleware Untrusted Apps / Middleware App Debug App Debug App Packaging App Packaging API API Mandatory Access Control Default policies Default policies Integrity Debug Debug Harden OS services Harden OS services Name Space Sample code Sample code Firewall HowTo HowTo Safe update Signing Signing Encryption Linux Kernel with up-to-date patches Linux Kernel with up-to-date patches Repo create Repo create ID/Key protection Debug Debug SoC Specific drivers Customize Customize EPID TPM UEFI EPID TPM UEFI SoC Drivers SoC Drivers ID Management Private/Secure Store Secured Boot ID Management Private/Secure Store Secured Boot Tools-Doc Software running onTarget Tools-Doc Software running onTarget 6/21

  7. Know who/what you trust ➢ Trusted Boot : a MUST Have Feature ➢ Leverage hardware capabilities ➢ Small series & developer key handling ➢ Application Installation ➢ Verify integrity ➢ Verify origin ➢ Request User Consent [privacy & permissions] ➢ Update ➢ Only signed updates with a trusted origin ➢ Secured updates on compromised devices are a no-go option ➢ Factory reset built-in from a trusted zone ➢ Do not let back doors opened via containers ➢ Strict control of custom drivers [in kernel mode everything is possible] 7/21

  8. Layered Architecture ➢ Client/UI (untrusted) ➢ Risk of code injection (HTML5/QML) ➢ UI on external devices (Mobiles, Tablets) ➢ Access to secure service APIs [REST/WS] ➢ Applications & Services (semi-trusted) ➢ Unknown developers & Multi-source ➢ High-grain protection by Linux DAC & MAC labels. ➢ Run under control of Application Framework: need to provide a security manifest ➢ Platform & System services (trusted) ➢ Message Services started by systemd ➢ Service and API fine grain privilege protection ➢ Part of baseline distribution and certified services only 8/21

  9. Bullet proof update and ID Update is the only possible correction l Must run safely on compromised devices l Cannot assume a know starting point Compromised ID / keys has no return l Per device unique ID l Per device symmetric keys l Use HW ID protection (e.g. EPID) Non reproducibility l Breaking in one device cannot be extended l Development I/O are disabled l Root password is unique (or better a key) l Password cannot be easily recalculated 9/21

  10. A practical example (AGL) Applicable to any Industrial IoT Linux 10/21

  11. Service isolation Run services with UID<>0 SystemD is your friend l Create dedicated UID per service l Use Linux MAC and Smack DAC to minimise open Access Drop privileges l Posix privileges l MAC privileges C-goups l Reduce offending power l RAM/CPU/IO Name Space l Limit access to private data l Limit access to connectivity https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt http://man7.org/linux/man-pages/man7/namespaces.7.html https://en.wikipedia.org/wiki/Mandatory_access_control https://en.wikipedia.org/wiki/Discretionary_access_control 11/21

  12. Segregate Apps from OS ➢ Application Manager ➢ One system daemon for application live cycle installs, update, delete ➢ One user daemon per user for application start, stop, pause, resume ➢ Create initial share secret between UI and Binder ➢ Spawn and controls application processes: binder, UI, … ➢ Security Manager ➢ Responsible of privilege enforcement ➢ Based on Cynara + WebSocket and D-Bus for Legacy) ➢ Application & Services Binders ➢ Expose platform APIs to UI, Services, Applications ➢ Loads services/application plugins :Audio, Canbus, Media Server… ➢ One private binder per application/services [REST, WebSocket, Dbus] ➢ Authenticate UI by oAuth token type ➢ Secured by SMACK label + UID/GIDs ➢ AppBinders runs under user $HOME 12/21

  13. AGL2 Application Security Application Framwork Live Cycle Management Log/Supervision Start,Stop,Pause,Install,Remove,... Navigation MultiMedia Cgroups Service Service Service NameSpace Carte handling Carte handling Media Player Containers POI management POI management Radio Interface etc... etc... etc... Transport + Acess Control Agent-2 Agent-3 Agent-4 MAC Car Environement Engine Remote Signal Enforcement CAN Bus-A CAN Bus-B Smart City Smack LIN Bus-A Cluster-Unit RVI ... Audio Cloud Distributed Application Architecture 13/21

  14. AGL2 AppFW logic 14/21

  15. To write an App ➢ Write back-end binding ➢ Adds the specialised API to the system ➢ Accessible by Web Socket or slow legacy D-Bus ➢ Run in its own security domain ➢ Can be cascaded ➢ Write the Front end ➢ Typically in HTML5, QML but open to any ➢ Connect to back-end binding using REST with secured key (OAuth2) ➢ ➢ Package ➢ Based on W3C widget ➢ Feature allow to handle AGL specificities ➢ Install via the AppFW 15/21

  16. AGL2+ Distributed Architecture Entertainement Cluster Cloud Navigation Maintenance Portal My Car Portal Head Unix Service Know Bugs Paiement Direction Indication Carte handling Maintenances Subcriptions Localistion management Service Packs Preference POI Transport & ACL Transport & ACL Transport & ACL Geopositioning Preferences Log CAN-BUS Cluster Virtual Virtual Signal & Analytics Virtual Signal Signal Custumisation Gyro, Acelerometer CAN-BUS MongoDB Engine No-SQL Engine Engine-CAN-BUS CAN GPS Paiement Service LIN-BUS Statistics & Analytics ABS Multi ECU & Cloud Aware Architecture 16/21

  17. AGL2++ Virtualised Architecture Less Privileges DomU Entertainment DomU Cluster Container AGL App-1 AGL App-2 AGL App-3 App-1 App-2 DOM0 controller AGL Extra AGL Mini Ressources Emergency Alloc/Porxy Diagnistics Plateform Services Middleware Services Trusted Apps AGL Core Plateform Services Linux-RT/Microkernel Integrety control PKI safe Store Guest Operating AGL Linux Kernel Guest Operating AGL Linux More Privileges Supervisor Virt Virt Virt Virt Audio Audio GPU GPU Trusted Boot Hypervisor Trusted Zone Hardware Virtualized Secure Architecture 17/21

  18. Conclusion ➢ Technologies are available ➢ Secure boot, Secure zone ➢ Update over the air ➢ Isolation and containment ➢ Tools and training ➢ Management is not ready ➢ Still perceived as a nice to have ➢ Too risky to commit ➢ Engineering sees security as a brake to innovation ➢ Requires a serious personal investment and paradigm shift ➢ Complexity imposes to select a “Ready Made” solution ➢ AGL, Tizen, Snappy, ... ➢ “Will add it later” attitude is common but a guaranteed model to failure 18/21

  19. Questions IoT Summit 2016, Berlin, DE dominig.arfoll@fridu.net

  20. Container "A mixed blessing" Easy to use l Detach the App from the platform l Integrated App management l Well known Not very secure l Unreliable introspection l MAC has no power on the inside of a container l Updating the platform does not update the l middleware l Beside the Kernel each App provide its own version l of the OS l Each App restart requires a full passing of credential l RAM and Flash footprint are uncontrollable l Far more secured with Clear Container but not applicable to low end SoC. Only I/O via network https://www.opencontainers.org/ l Well equipped for Rest API https://lwn.net/Articles/644675/ l All other I/O requires driver level access or bespoke framework. 20/21

  21. Security Check list Control which code you run Control image creation l Secure boot l No debug tool in production l Integrity l No default root password l Secure update l No unrequired open port Isolate services Continuous integration l Drop root when possible l Automate static analysis l Drop privileges l QA on secured image Isolate Apps Help developer l Apps are not the OS l Integrate security in Devel image l Enforce – restrict access to standard API l Provide clear guide line l Isolate Apps from OS Identity l Focus on standardised Middleware l Enforce identity unicity l Use available HW protection Encryption l Network traffic l Local storage 21/21

Recommend


More recommend