Formal Security Analysis of Smart Embedded Systems
Farid Molazem Tabrizi
Karthik Pattabiraman
http://blogs.ubc.ca/karthik/

IoT Systems

Security Attacks against IoT

Challenge
• No systematic technique to automatically find security vulnerabilities in IoT devices
• Large attack surface
• Attacker often has physical access
• Devices are often resource constrained

Problem
Enumerate all possible attacks.
(figure: an attacker performs actions on the embedded device, whose code is sketched as void foo() { ... } and int bar() { ... }; the device in turn acts on its environment)

Security Analysis
● Attack trees [Byres 04, Morais 09]
  ● Predefined attack goals
  ● Manual search
● Attack graphs [Jha 02, Sheyner 02]
  ● Need vulnerabilities of the hosts
● Formal analysis [Delaune 10, Miculan 11]
  ● Targets well-defined protocols

Our Approach: Idea
• IoT devices perform specific tasks
• Define the right abstraction
  ● Not too low level, not too high level
  ● Allows us to systematically find vulnerabilities

High-level picture
(figure: the user's system specification and source code feed a formal model of the system; the security expert provides a formal model of the attacker; analysing the two together yields attacks)

Abstraction
(figure: rewriting logic is used for both the system model and the attacker model; analysis of the two together yields attacks)

Abstraction: System Model
Rewriting logic:
• Rewrite rules
• Equations

  Start ⇒ sensorData(0, 0)
  sensorData(r, n) ⇒ sensorData(r, n) sensorData(r+1, 0)
  sensorData(r, n) ⇒ sensorData(r, n+1)

(figure: state machine start → receive data → store data)

Abstraction: Attacker Model
Attacker action, e.g. access to the i-th sensor channel:

  sensorData(c1, v1) sensorData(c2, v2) sensorData(c3, v3) ⇒ sensorData(c1, v1) sensorData(c3, v3) if c2 = i

State space, explicit model checking:

  Start ⇒ receive(c1, v1) where v1 < 0    (unsafe state)

Case study
• SEGMeter: an open source smart meter
• Sensor board: receives raw data
• Communication board: talks to the server
• Code base: Lua and C (~3000 LOC)

Threat model
• Access
  ● Read/write access to communication interfaces [McLaughlin et al. 2010]
  ● Root access to a node in the grid network [Mo et al. 2012]
• Actions
  ● Drop messages
  ● Replay messages
  ● Reboot meter

Evaluation: Performance
Using Maude [Clavel 15]: http://maude.cs.illinois.edu/
Less than a second up to 2 hours (3.4 GHz CPU, 16GB RAM)

Evaluation: Practicality
● Query for paths to unsafe states:

  search sensor(N1, M1) sensor(N2, M2) sensor(N3, M3) ⇒ stored(N1, M1) stored(N2, M2)

● Some map to the same execution path
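
Added illustration of the idea behind slides 10, 11 and 15 (example code written for this page, not the authors' Maude model): the meter state is a multiset of terms, system and attacker behaviour are rewrite rules over that multiset, and an explicit-state breadth-first search plays the role of Maude's `search` command, returning the shortest rule sequence that reaches an unsafe state. The rules, the three-channel initial state and the two unsafe-state predicates are constructed assumptions; running the search with the system rules alone shows the lost-reading state is unreachable, and adding the threat model's drop and replay actions makes it reachable.

```python
from collections import Counter, deque

# Constructed initial state (not from the paper's model): three sensor channels,
# each holding one unsent reading, i.e. the term multiset
# sensor(1,10) sensor(2,12) sensor(3,9).
INITIAL = Counter({("sensor", 1, 10): 1, ("sensor", 2, 12): 1, ("sensor", 3, 9): 1})
CHANNELS = {1, 2, 3}


def rewrite(state, remove, add):
    """One rewrite step on a multiset of terms: take out the matched
    left-hand-side terms and put in the right-hand-side terms."""
    new = Counter(state)
    new.subtract(remove)
    new.update(add)
    return +new  # unary '+' drops terms whose count fell to zero


# System rules: the meter's normal operation.
def rule_send(state):
    # sensor(c, v) => msg(c, v): the sensor board transmits a reading and
    # discards its local copy (the data is deleted from the sensor board).
    for kind, c, v in set(state):
        if kind == "sensor":
            yield f"send({c})", rewrite(state, [("sensor", c, v)], [("msg", c, v)])


def rule_store(state):
    # msg(c, v) => stored(c, v): the communication board records the reading.
    for kind, c, v in set(state):
        if kind == "msg":
            yield f"store({c})", rewrite(state, [("msg", c, v)], [("stored", c, v)])


# Attacker rules: the threat model's drop and replay actions on the channel.
def rule_drop(state):
    # msg(c, v) => (empty): the message never arrives.
    for kind, c, v in set(state):
        if kind == "msg":
            yield f"drop({c})", rewrite(state, [("msg", c, v)], [])


def rule_replay(state):
    # msg(c, v) => msg(c, v) msg(c, v): a captured message is delivered twice.
    for kind, c, v in set(state):
        if kind == "msg":
            yield f"replay({c})", rewrite(state, [], [("msg", c, v)])


SYSTEM_RULES = [rule_send, rule_store]
ATTACKER_RULES = [rule_drop, rule_replay]


def key(state):
    # Canonical, hashable form of a multiset, used for the visited set.
    return tuple(sorted(state.elements()))


def search(initial, rules, unsafe, max_depth=8):
    """Explicit-state breadth-first search, the analogue of Maude's `search`:
    return the shortest list of rule labels leading from `initial` to a state
    satisfying `unsafe`, or None if none is reachable within max_depth steps
    (the bound matters because replay makes the state space infinite)."""
    frontier = deque([(initial, [])])
    seen = {key(initial)}
    while frontier:
        state, path = frontier.popleft()
        if unsafe(state):
            return path
        if len(path) >= max_depth:
            continue
        for rule in rules:
            for label, nxt in rule(state):
                k = key(nxt)
                if k not in seen:
                    seen.add(k)
                    frontier.append((nxt, path + [label]))
    return None


def reading_lost(state):
    """Unsafe pattern in the spirit of slide 15: nothing is in flight any more,
    yet fewer readings were stored than channels exist, e.g. stored(1,10) stored(2,12)."""
    kinds = [t[0] for t in state.elements()]
    return "sensor" not in kinds and "msg" not in kinds and kinds.count("stored") < len(CHANNELS)


def reading_duplicated(state):
    """Unsafe: the same reading was stored twice (double counting)."""
    return any(t[0] == "stored" and n >= 2 for t, n in state.items())


if __name__ == "__main__":
    print("system only, lost reading:  ", search(INITIAL, SYSTEM_RULES, reading_lost))
    print("with attacker, lost reading:", search(INITIAL, SYSTEM_RULES + ATTACKER_RULES, reading_lost))
    print("with attacker, duplicate:   ", search(INITIAL, SYSTEM_RULES + ATTACKER_RULES, reading_duplicated))
```

Each returned path is a counterexample trace in the sense of the slide: the labels name the system steps and the attacker actions, in order, that lead to the unsafe state, which is what the authors map back to concrete execution paths in the meter's code.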

Attack Example 1: Rebooting
(figure: the meter's cycle: start → receive new data → add to old data → send to server; a reboot can interrupt the cycle)

  S1 ⇒ S2 where data(s1) not sent & cycle = start

Attack Example 1: Rebooting
Vulnerability: the data file is opened in write mode, which truncates it on open; a reboot before the merged data is written back loses the stored data.

    function update_node_list()
      all_data = get_node_list()                    -- previously stored readings
      all_data = merge_table(current, all_data)     -- merge in the newly received data
      data_file = assert(io.open(dataFile, "w"))    -- "w" truncates the file immediately
      for key, value in pairs(all_data) do
        data_file:write(value)
      end
      assert(data_file:close())
    end
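
Added example (written for this page; not the SEGMeter code and not the authors' fix) that reproduces the truncate-then-write window from the slide and contrasts it with a write-to-temporary-file-then-rename update. The stored records, the merge helper and the SimulatedReboot exception are constructed for the demonstration; a reboot is modelled by raising the exception after the file has been opened but before anything is written.

```python
import os
import tempfile


class SimulatedReboot(Exception):
    """Stands in for the meter rebooting in the middle of an update (constructed)."""


def write_truncating(path, records, reboot_before_write=False):
    """The slide's pattern: opening with "w" truncates the file at once, so a
    reboot between the open and the writes leaves an empty data file."""
    with open(path, "w") as f:  # truncation happens here
        if reboot_before_write:
            raise SimulatedReboot
        for r in records:
            f.write(r + "\n")


def write_atomic(path, records, reboot_before_write=False):
    """Hardened form (an assumption here, not the project's fix): write the merged
    data to a temporary file in the same directory, flush and fsync it, then
    rename it over the old file. The rename is atomic on POSIX filesystems, so
    a reboot at any earlier point leaves the previous data file untouched."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        if reboot_before_write:
            raise SimulatedReboot
        for r in records:
            f.write(r + "\n")
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def read_records(path):
    with open(path) as f:
        return [line.rstrip("\n") for line in f]


def merge(old, new):
    """Mirror of merge_table: stored records plus any new ones not already present."""
    return old + [r for r in new if r not in old]


def simulate(writer, reboot):
    """Run one update cycle with `writer` on a constructed data file and
    return the records that survive the cycle."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "node_list.txt")
        with open(path, "w") as f:  # previously stored readings (constructed)
            f.write("node1=10\nnode2=12\n")
        try:
            writer(path, merge(read_records(path), ["node3=9"]), reboot_before_write=reboot)
        except SimulatedReboot:
            pass
        return read_records(path)


if __name__ == "__main__":
    print("truncating write, no reboot:", simulate(write_truncating, reboot=False))
    print("truncating write, reboot:   ", simulate(write_truncating, reboot=True))
    print("atomic write, reboot:       ", simulate(write_atomic, reboot=True))
```

The reboot action in the threat model needs no timing precision to be effective against the first pattern: the window is open for the whole duration of the loop, and on a resource-constrained meter that loop runs once per reporting cycle.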

Attack Example 2: Drop Messages

    function confirm_time_is_OK()
      while time_is_ok == false do
        ...
        time_is_ok = check_time()      -- queries the time server
        if (time_is_ok == true) then
          set_time()
          break
        end
      end
    end

Attack: with root access to a routing node, add an iptables rule (iptables -A INPUT -d ADDRESS -j DROP) that drops the messages to the time server. The meter gets stuck in the loop.
(figure: server and meter)
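
Added example (written for this page, not the SEGMeter code) showing the liveness failure in the loop above and a bounded alternative. The time server is replaced by a constructed stub whose first `drop_first` replies are lost (`None` loses every reply, which is the situation the attack creates); the unbounded loop keeps the slide's structure and only returns once a reply gets through, while the bounded variant, an assumption here rather than the project's fix, gives up after a fixed number of backed-off attempts and reports failure so the caller can keep metering on its last synchronised clock and flag the outage.

```python
import time


def make_time_server(drop_first):
    """Constructed stand-in for check_time(): replies to the first `drop_first`
    queries are lost (the call returns False); drop_first=None loses every reply.
    Returns the check function and a dict counting the queries made."""
    queries = {"n": 0}

    def check_time():
        queries["n"] += 1
        return drop_first is not None and queries["n"] > drop_first

    return check_time, queries


def confirm_time_unbounded(check_time, set_time):
    """Same loop structure as the slide's confirm_time_is_OK(): keeps asking the
    time server until it answers. With every reply dropped this never returns
    and the meter does nothing else. Returns the number of attempts made."""
    time_is_ok = False
    attempts = 0
    while not time_is_ok:
        attempts += 1
        time_is_ok = check_time()
        if time_is_ok:
            set_time()
            break
    return attempts


def confirm_time_bounded(check_time, set_time, max_attempts=5, base_delay=0.5, sleep=time.sleep):
    """Bounded variant (assumed hardening, not the project's fix): retry with
    exponential backoff, then return (False, attempts) instead of spinning.
    `sleep` is injectable so the behaviour can be exercised without waiting."""
    for attempt in range(1, max_attempts + 1):
        if check_time():
            set_time()
            return True, attempt
        sleep(base_delay * 2 ** (attempt - 1))
    return False, max_attempts


if __name__ == "__main__":
    no_wait = lambda seconds: None
    check, _ = make_time_server(3)
    print("unbounded, 3 replies lost:", confirm_time_unbounded(check, lambda: None), "attempts")
    check, _ = make_time_server(None)
    # confirm_time_unbounded(check, ...) would never return here; the bounded form does:
    print("bounded, all replies lost:", confirm_time_bounded(check, lambda: None, sleep=no_wait))
```

The unsafe state the model checker reports for this example is a loop with no exit that does not depend on the meter's own behaviour; the bound turns it into an error path that the rest of the firmware can handle and that a monitoring server can detect as a missed synchronisation.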

Attack Example 3: Spoofing
Normal behavior: the communication board sends a data request to the sensor board; the sensor board returns the data, which is then deleted from the sensor board.
Attack: replay the data request from a laptop.
● Use a USB to 6-pin serial connector from laptop to meter
● Find the serial communication configuration (a handful of common configs, a couple of hundred total configs)
● One of the common configs worked in our case

Conclusion
• IoT devices perform specific tasks
  ● Formalize their operations
  ● Formalize the attacker
  ● Perform automated analysis
  ● Find real vulnerabilities

"Formal Security Analysis of Smart Embedded Systems", Farid Molazem Tabrizi and Karthik Pattabiraman, Annual Computer Security Applications Conference (ACSAC), 2016
Videos of attacks found by our technique: http://www.ece.ubc.ca/~faridm/acsac.html