Securing Industrial IoT: Device Attestation, Software Updates, and Data Protection
Mauro Conti, University of Padua
Slides prepared with the support of Daniele Lain and Moreno Ambrosin
SCy-Phy Systems Week 2017, Panel IV: Defences, June 6, 2017, Singapore
Do we need a holistic approach for the design of secure IoT systems? Mauro Conti
Intro and Expertise
Insecure Things... Mirai
- Mirai: IP cameras hack in October/November
Insecure Things... WannaCry
- Targeting the most devices:
  - Now: PCs
  - Soon? IoT!
Outline
Securing Industrial IoT:
- Attestation
- Software Update
- Data Protection
System Security: Remote Attestation
Remote Attestation (RA) is an interactive protocol:
- A useful tool to detect software attacks
  - e.g., malware injected on a device, firmware replacement
- Allows a prover to compute a cryptographic proof of the status of its configuration (e.g., SW + data)
  - Called a measure, typically a hash of what you want to measure
  - Security is ensured by HW support on the prover
- A verifier collects this proof remotely and checks whether the collected measure is "valid" or not, i.e., is an expected one
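The one-verifier, one-prover exchange described on this slide, as an added example (not code from the slides, from SANA, or from any real attestation stack): the prover's measure is a hash of its firmware, the proof is keyed with an attestation key assumed to be hardware-protected, and the verifier's nonce binds each proof to one challenge so a captured proof cannot be replayed. The key, firmware bytes and "known good" set are constructed values.

```python
# Added example: minimal challenge-response remote attestation.
# DEVICE_KEY, GOOD_FIRMWARE and the known-good set are constructed for the demo.
import hashlib
import hmac
import os

# Assumed to live in hardware-protected storage on the prover, so malware that
# modifies the firmware cannot read it (the "HW support" the slide refers to).
DEVICE_KEY = b"\x11" * 32
GOOD_FIRMWARE = b"firmware-v1.0: read sensor; report value"


def measure(firmware: bytes) -> bytes:
    """The measure: a hash of the software state being attested."""
    return hashlib.sha256(firmware).digest()


class Prover:
    def __init__(self, key: bytes, firmware: bytes):
        self._key = key           # reachable only by the trusted attestation code
        self.firmware = firmware  # the part an attacker may tamper with

    def attest(self, nonce: bytes) -> bytes:
        # Bind the measure to the verifier's fresh nonce: a proof is only valid for
        # the challenge it answers, so old proofs cannot be replayed.
        return hmac.new(self._key, nonce + measure(self.firmware), hashlib.sha256).digest()


class Verifier:
    def __init__(self, key: bytes, known_good: set):
        self._key = key
        self._known_good = known_good  # expected measures; the verifier needs no firmware copy

    def fresh_nonce(self) -> bytes:
        return os.urandom(16)

    def check(self, nonce: bytes, proof: bytes) -> bool:
        for m in self._known_good:
            expected = hmac.new(self._key, nonce + m, hashlib.sha256).digest()
            if hmac.compare_digest(expected, proof):
                return True
        return False


def run_attestation(prover: Prover, verifier: Verifier) -> bool:
    nonce = verifier.fresh_nonce()  # verifier -> prover: challenge
    proof = prover.attest(nonce)    # prover -> verifier: proof over (nonce, measure)
    return verifier.check(nonce, proof)


def demo() -> dict:
    verifier = Verifier(DEVICE_KEY, {measure(GOOD_FIRMWARE)})
    healthy = Prover(DEVICE_KEY, GOOD_FIRMWARE)
    # Constructed: same device after firmware replacement / malware injection.
    infected = Prover(DEVICE_KEY, GOOD_FIRMWARE + b"; exfiltrate data")
    # Replay attempt: reuse a proof captured while the device was still healthy.
    old_nonce = verifier.fresh_nonce()
    old_proof = healthy.attest(old_nonce)
    new_nonce = verifier.fresh_nonce()
    return {
        "healthy": run_attestation(healthy, verifier),
        "infected": run_attestation(infected, verifier),
        "replayed_old_proof": verifier.check(new_nonce, old_proof),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier stores only expected measures, never the firmware, which is what lets one verifier serve many device models; the limitation the next slides address is that this exchange is repeated once per device.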
System Security: Remote Attestation
- In a 1-verifier, 1-prover setting, RA is a well-established research area
- Problem: how to verify the integrity of a network of devices?
  - More efficiently than individually!
System Security: Remote Attestation
We proposed SANA, a protocol for network attestation that:
- Improves scalability via in-network aggregation of proofs
- Is end-to-end secure
  - Security relies mainly on OAS (Optimistic Aggregate Signatures) unforgeability
  - Improved resiliency to hardware attacks
  - Detects attempts to modify attestation proofs from devices
- Has manageable overhead on the (low-end) devices
- Is publicly verifiable
- Verification is linear in the number of "bad provers"
  - Depends on the "strength" of the attacker
- If the network is OK, has constant verification overhead
  - Most frequent case in practice
System Security: Remote Attestation
We evaluated SANA [1]:
- Implementing it on a research platform
- Via simulation (for large-scale tests)
[1] M. Ambrosin, M. Conti, A. Ibrahim, G. Neven, A.-R. Sadeghi, M. Schunter. SANA: Secure and Scalable Aggregate Network Attestation. In ACM CCS 2016.
Update distribution architecture
- Management entity
  - Software updates
  - Device monitoring
  - Commands delivery
  - May be the deployment's owner
- Proprietary or third-party distribution network
  - CDN, NDN, Fog Layer, ...
  - Data caching & aggregation
- Deployment
  - Heterogeneous
  - Potentially large scale
Update adversary model
- Management entity: trusted
- Distribution network: can be controlled by an adversary
  - Cannot be trusted for integrity, authenticity, confidentiality
  - Guarantees availability
- Deployment: device integrity may be compromised
Update design requirements
1. Minimize windows of exposure [Bilge and Dumitras, ACM CCS '12]
   (Figure: timeline of the window of exposure. Vulnerability is introduced; exploit is created by the attacker; vulnerability is discovered by the vendor; vulnerability is publicly disclosed; patch is released; patch is delivered and installed.)
2. End-to-end security and scalability
   - #9 of OWASP IoT Top 10 Vulnerabilities (*)
3. Access control on the software
   - Software may be proprietary
(*) https://www.owasp.org/index.php/Top_IoT_Vulnerabilities
Updaticator
- Protocol for end-to-end update confidentiality and integrity
- Uses Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
  - To enforce access control based on device attributes
  - Allows linear complexity in the number of attributes
- Leverages untrusted caches to speed up distribution
- Evaluated on top of ICN/NDN
  - Novel networking paradigm providing caching at the network layer
  - Results showed improved scalability w.r.t. direct fetching
[1] M. Ambrosin, C. Busold, M. Conti, A.-R. Sadeghi, M. Schunter. Updaticator: Updating Billions of Devices by an Efficient, Scalable and Secure Software Update Distribution over Untrusted Cache-enabled Networks. In ESORICS 2014.
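An added example of the adversary model and requirements from the preceding slides: an update passes through a cache that guarantees availability but is trusted for neither integrity, authenticity nor confidentiality, and only devices holding the right attributes may read it. This is not the Updaticator protocol and not the authors' code: CP-ABE is replaced by a single per-group symmetric key, the management entity's signature by an HMAC under a key assumed to be shared only with devices (a constructed stand-in, weaker than a real signature because a compromised device could forge it), and the cipher is a toy SHA-256 keystream so the example runs with the standard library only. Keys, versions and the firmware image are constructed.

```python
# Added example: end-to-end protected update delivered through an untrusted cache.
# GROUP_KEY, AUTH_KEY, the toy cipher and the HMAC "signature" are stand-ins, not Updaticator.
import hashlib
import hmac
import json
import os

GROUP_KEY = hashlib.sha256(b"constructed group key: model=X, region=EU").digest()
AUTH_KEY = b"\x22" * 32  # stand-in for the management entity's signing key


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); symmetric, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _authenticate(manifest: dict) -> str:
    return hmac.new(AUTH_KEY, json.dumps(manifest, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def publish_update(version: int, image: bytes) -> dict:
    """Management entity: encrypt for the group, then authenticate version + ciphertext digest."""
    nonce = os.urandom(12)
    blob = xor_keystream(GROUP_KEY, nonce, image)
    manifest = {"version": version, "nonce": nonce.hex(),
                "digest": hashlib.sha256(blob).hexdigest()}
    return {"manifest": manifest, "tag": _authenticate(manifest), "blob": blob}


class Device:
    def __init__(self, installed_version: int, in_group: bool):
        self.installed_version = installed_version
        self.group_key = GROUP_KEY if in_group else None  # "attribute" check stand-in

    def install(self, pkg: dict) -> tuple:
        """Returns (accepted, reason-or-plaintext). Every check is end-to-end: the cache cannot help or hurt it."""
        m = pkg["manifest"]
        if not hmac.compare_digest(_authenticate(m), pkg["tag"]):
            return False, "manifest authentication failed"
        if m["version"] <= self.installed_version:
            return False, "rollback or replay rejected"
        if hashlib.sha256(pkg["blob"]).hexdigest() != m["digest"]:
            return False, "blob tampered by cache"
        if self.group_key is None:
            return False, "not authorized for this update"
        image = xor_keystream(self.group_key, bytes.fromhex(m["nonce"]), pkg["blob"])
        self.installed_version = m["version"]
        return True, image.decode()


def demo() -> dict:
    pkg = publish_update(2, b"firmware v2: fixed buffer overflow in parser")
    cache = dict(pkg)  # untrusted cache: serves whatever it stored
    flipped = cache["blob"][:-1] + bytes([cache["blob"][-1] ^ 1])
    return {
        "honest_cache": Device(1, True).install(cache)[0],
        "tampered_blob": Device(1, True).install(dict(cache, blob=flipped))[1],
        "rollback": Device(2, True).install(cache)[1],
        "outside_group": Device(1, False).install(cache)[1],
        "cache_sees_plaintext": b"buffer overflow" in cache["blob"],
    }


if __name__ == "__main__":
    print(demo())
```

The version field is inside the authenticated manifest, so a cache that keeps serving an older package cannot roll a device back; the ciphertext digest is authenticated too, so the blob itself can be fetched from any cache without trusting it.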
IoT permission models
- Existing IoT frameworks only have permission-based access control
  - Permissions control what data an app can access
  - Permissions do not control how apps use data, once they have access
- Did not work on mobile (see Android permissions) ... will not work on IoT!
Potential Abuses
(Figure: Source, the publisher of sensitive data, feeds the App, which feeds a Sink, the consumer app.)
- Example: unlock the door if a face is recognized; the home-owner can check activity from the Internet
- The app needs to compute on sensitive data to provide a useful service
- But it has the potential to leak data
FlowFence
- Label-based flow control
  - Component-level information tracking
  - Flow enforcement through label policies
- Language-based flow control
  - Restructure apps to obey flow rules
  - Developer declares flows
- FlowFence
  - Support of diverse publishers and consumers of data, with publisher and consumer flow policies
  - Allows use of existing languages, tools, and OSes
[1] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, A. Prakash. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In USENIX Security 2016.
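An added example of the flow-control idea on the last two slides, written here for illustration and not FlowFence's own code: sensitive data enters as a labelled value behind an opaque handle, app code may compute on it only inside a quarantined function whose output inherits the union of its inputs' labels, and a sink releases a value only if the publisher's policy for every label permits that sink and the app has declared that flow. The labels ("camera"), the sink names, the policies and the face-recognition stand-in are all constructed.

```python
# Added example: component-level taint labels with publisher and consumer flow policies.
# TrustedService, the "camera" label, the sinks and the policies are constructed for the demo.
from dataclasses import dataclass


class FlowViolation(Exception):
    """Raised when a value would flow to a sink its labels do not permit."""


@dataclass(frozen=True)
class Handle:
    """Opaque reference to data held inside the trusted service; app code cannot read it."""
    ref: int
    taint: frozenset  # labels of every publisher this value was derived from


class TrustedService:
    def __init__(self, publisher_policy: dict, declared_flows: set):
        self._store = {}
        self._next = 0
        self._publisher_policy = publisher_policy  # label -> sinks the publisher allows
        self._declared_flows = declared_flows      # (label, sink) pairs the app declares

    def _wrap(self, value, taint) -> Handle:
        ref, self._next = self._next, self._next + 1
        self._store[ref] = value
        return Handle(ref, frozenset(taint))

    def publish(self, label: str, value) -> Handle:
        """Publisher of sensitive data: the value enters tagged with its label."""
        return self._wrap(value, {label})

    def run_qm(self, fn, *handles: Handle) -> Handle:
        """Quarantined module: fn sees plaintext, but its result stays behind a handle
        carrying the union of the input taints, so derived values are tracked too."""
        args = [self._store[h.ref] for h in handles]
        taint = set().union(*(h.taint for h in handles))
        return self._wrap(fn(*args), taint)

    def sink(self, name: str, handle: Handle):
        """Release a value to a sink only if every label permits it and the app declared the flow."""
        for label in handle.taint:
            if name not in self._publisher_policy.get(label, set()):
                raise FlowViolation(f"publisher of '{label}' forbids flow to '{name}'")
            if (label, name) not in self._declared_flows:
                raise FlowViolation(f"app did not declare flow {label} -> {name}")
        return self._store[handle.ref]


def demo() -> dict:
    # Constructed policy: camera frames may reach the door lock and nothing else;
    # the app declares exactly that flow.
    svc = TrustedService(publisher_policy={"camera": {"door_lock"}},
                         declared_flows={("camera", "door_lock")})
    frame = svc.publish("camera", "constructed frame: owner's face")
    match = svc.run_qm(lambda img: "owner" in img, frame)  # stand-in for face recognition
    out = {"door_unlocked": svc.sink("door_lock", match), "taint": set(match.taint)}
    try:  # even the derived boolean is camera-tainted, so the Internet sink is refused
        svc.sink("internet", match)
        out["internet_blocked"] = False
    except FlowViolation:
        out["internet_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The permission model from the earlier slide would have stopped at "this app may read the camera"; here the same app keeps that access and still cannot forward the recognition result to the Internet, because enforcement happens at the sink on the data's labels rather than at the source on the app's identity.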
Thanks!
Mauro Conti, conti@math.unipd.it