Mitigating the IoT Threat Model - .NET Framework
Transcript of Mitigating the IoT Threat Model - .NET Framework
Event-driven scale
Sub-second billing
Abstraction of servers
Custom Cloud Gateway
Custom Cloud Gateway
Field Gateway
Device
VPN/ExpressRoute
OPC, HTTP, CoAP,…
Custom Protocols
Device SDK
IoT Edge
AMQP
Management app: Device registry / Management, Monitoring, Send commands
Service SDK
Management app: Device registry / Management, Monitoring, Send commands
Service SDK
Cloud protocol gateway sample
Cloud protocol gateway sample
AMQP, MQTT, HTTPS
Applications: companion apps, dashboards, controllers, …
CoAP, AllJoyn, OPC,…
Device
Device
CoAP, AllJoyn, OPC, …
Device
Device
Device
IoT Hub
Field Gateway
Device Zone
We can analyse it exactly as before
Azure Services Zone
public class PatronsController : Controller
{
//private readonly AppSettings _appSettings;
// Face API operations used by Post: current face-list id, detection, similarity search, add-to-list.
private readonly IFaceApiRepository _faceApiRepository;
// Persists the patron records built for each request.
private readonly IStoreRepository _storeRepository;
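/// <summary>
/// Creates the controller with the Face API and storage repositories it depends on.
/// </summary>
/// <param name="faceApiRepository">Face detection and face-list operations.</param>
/// <param name="storeRepository">Persistence for the patron records built per request.</param>
/// <exception cref="ArgumentNullException">Either dependency is <c>null</c>.</exception>
public PatronsController(IFaceApiRepository faceApiRepository, IStoreRepository storeRepository)
{
    // Fail fast at construction instead of with a NullReferenceException mid-request.
    if (faceApiRepository == null)
    {
        throw new ArgumentNullException(nameof(faceApiRepository));
    }
    if (storeRepository == null)
    {
        throw new ArgumentNullException(nameof(storeRepository));
    }
    _faceApiRepository = faceApiRepository;
    _storeRepository = storeRepository;
}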
[HttpPost]
public async Task<IActionResult> Post(string device = "Device not given", string exhibit = "Exhibit not given", bool returnFaceLandmarks = false, string returnFaceAttributes = "age,gender,headPose,smile,facialHair,glasses,emotion")
{
//read body of request into a byte array
byte[] bytes = ReadFileStream(Request.Body);
//setup patrons list
var patrons = new List<Patron>();
//get the current facelist id
var currentFaceListId = await _faceApiRepository.GetCurrentFaceListId();
//get faces
var faces = await _faceApiRepository.DetectFaces(bytes, returnFaceLandmarks, returnFaceAttributes);
foreach (var face in faces)
{
//get similar faces from the current face list
var similarPersistedFaces = await _faceApiRepository.FindSimilarFaces(currentFaceListId, face.faceId);
//get persisted face id and confidence by using the closest match or creating one.
var persistedFaceId = string.Empty;
var persistedFaceConfidence = 0.0;
if (similarPersistedFaces.Count() == 0)
{
//this is a new face, add to face list
persistedFaceId = await _faceApiRepository.AddFaceToFaceList(bytes, currentFaceListId, FaceRectangleToString(face.faceRectangle), string.Empty);
}
else {
//get the closest matching face
var sortedPersistedFaces = similarPersistedFaces.OrderByDescending(f => f.confidence);
persistedFaceId = sortedPersistedFaces.FirstOrDefault().persistedFaceId;
persistedFaceConfidence = sortedPersistedFaces.FirstOrDefault().confidence;
}
//create a patron
patrons.Add(new Patron()
{
FaceId = face.faceId,
PersistedFaceId = persistedFaceId,
FaceRectangle = face.faceRectangle,
FaceAttributes = face.faceAttributes,
FaceLandmarks = face.faceLandmarks,
PrimaryEmotion = (face.faceAttributes.emotion != null) ?
GetTopEmotion(face.faceAttributes.emotion) :
null,
Time = DateTime.UtcNow,
Device = device,
Exhibit = exhibit,
CurrentFaceListId = currentFaceListId,
IsInList = (similarPersistedFaces.Count() > 0),
FaceMatchConfidence = persistedFaceConfidence
});
}
//log patron data to storage
await _storeRepository.Store(patrons);
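/// <summary>
/// Blob-triggered function: runs face detection on an uploaded device image and
/// forwards the detection result to the originating device as a cloud-to-device message.
/// </summary>
/// <param name="myBlob">Content of the uploaded image blob.</param>
/// <param name="device">Device id taken from the <c>images/{device}/...</c> blob path segment; used as the message target.</param>
/// <param name="expo">Expo segment of the blob path (only logged here).</param>
/// <param name="id">Image id segment of the blob path (only logged here).</param>
/// <param name="log">Function trace writer.</param>
[FunctionName("DeviceImageProcess")]
public static async Task Run([BlobTrigger("images/{device}/{expo}/{id}", Connection = "BlobDevice")] Stream myBlob, string device, string expo, string id, TraceWriter log)
{
    // Call the Face API; faceServiceClient and faceAttributes are configured elsewhere in this class.
    Face[] faces = await faceServiceClient.DetectAsync(myBlob, faceAttributes);

    // NOTE(review): `device` is taken verbatim from the blob path and used as the
    // cloud-to-device target, so whoever can write under images/{device}/ chooses the
    // recipient — confirm the container is writable only by the trusted device/gateway identity.
    log.Info($"DeviceImageProcess: {(faces != null ? faces.Length : 0)} face(s) detected for device '{device}' (expo '{expo}', image '{id}')");

    // The full detection result is serialised and sent back to the device.
    var payload = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(faces));
    await serviceClient.SendAsync(device, new Message(payload));
}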
*Only available on Windows IoT Enterprise
Device Management
Device Recovery
Device-specific
repudiation
Trusted Platform Module
(TPM)
Windows Device Health
Attestation*
Secure Boot
BitLocker
Windows as a Service
Device Guard
Windows Firewall
Windows Defender*
X.509/TLS-Based Handshake
and Encryption
Encryption at Rest
Azure Active Directory
Key Vault
Policy-Based Access Control
IP- based blocking
Secure Device Registration
Standards-based best
practices
Response
Device protection
Threat resistance
Data protection in-motion
Cloud security
https://aka.ms/SecureDevelopment
https://aka.ms/IoTThreatModelling
[email protected]@microsoft.com
https://www.linkedin.com/in/jdonnelly/
https://aka.ms/gabriel
https://aka.ms/ThreatModellingBook
https://aka.ms/IoTSecurityWhitepaper
https://aka.ms/NCSCNCAReport