Securing Industrial IoT - MathUniPDconti/slides/20170606_PanelSingapore.pdf · 6/6/2017 · Do we...
1/#Mauro Conti
Do we need a holistic approach for the design of secure IoT systems?
Securing Industrial IoT
Device Attestation, Software Updates,
and Data Protection
Mauro Conti, University of Padua
Slides prepared with the support of Daniele Lain and Moreno Ambrosin
SCy-Phy Systems Week 2017
Panel IV: Defences
June 6, 2017, Singapore
2/#Mauro Conti
Intro and Expertise
3/#Mauro Conti
4/#Mauro Conti
Insecure Things… Mirai
Mirai: the IP camera hack of October/November
5/#Mauro Conti
Insecure Things… Wannacry
Targeting the most devices:
- Now: PCs
- Soon? IoT!
10/#Mauro Conti
Outline
Securing Industrial IoT:
- Attestation
- Software Update
- Data Protection
11/#Mauro Conti
System Security: Remote Attestation
● Remote Attestation (RA) is an interactive protocol
○ A useful tool to detect software attacks
○ e.g., malware injected on a device, firmware replacement
● Allows a prover to compute a cryptographic proof of the status of its configuration (e.g., SW + data)
○ Called a measure, typically a hash of what you want to measure
○ Security is ensured by HW support on the prover
● A verifier collects this proof remotely and checks whether the collected measure is “valid”, i.e., whether it is an expected one
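As an added illustration (not code from the slides or from SANA), the single-verifier/single-prover protocol above as a challenge-response over a software measure; it assumes the prover's DEVICE_KEY is held in hardware so that compromised firmware can neither read it nor forge a report, and the firmware images are constructed samples.

```python
# Added example: 1-verifier / 1-prover remote attestation as challenge-response.
# Assumption: DEVICE_KEY lives in prover hardware (here simply a constant), so
# compromised firmware cannot read it or forge a valid report.
import hashlib
import hmac
import os

# Constructed sample images standing in for the prover's flash contents.
GOOD_FIRMWARE = b"plc-ctrl v1.2"
TAMPERED_FIRMWARE = b"plc-ctrl v1.2 + injected code"
DEVICE_KEY = b"per-device key provisioned at manufacture (assumed)"


def measure(software):
    """The measure: a hash of what we want to attest (here, the SW image)."""
    return hashlib.sha256(software).digest()


def prover_attest(software, nonce, key=DEVICE_KEY):
    """Prover side (HW-protected routine): MAC the measure under the
    verifier's fresh nonce so that an old report cannot be replayed."""
    return hmac.new(key, nonce + measure(software), hashlib.sha256).digest()


def verifier_check(report, nonce, expected_measures, key=DEVICE_KEY):
    """Verifier side: the report is valid iff it matches one of the expected
    (known-good) measures for this nonce; anything else means the SW changed."""
    return any(
        hmac.compare_digest(report, hmac.new(key, nonce + m, hashlib.sha256).digest())
        for m in expected_measures)


def run_attestation(software):
    """One protocol round: verifier challenges, prover reports, verifier checks."""
    nonce = os.urandom(16)                    # challenge: fresh per round
    report = prover_attest(software, nonce)   # what travels over the network
    return verifier_check(report, nonce, {measure(GOOD_FIRMWARE)})
```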
12/#Mauro Conti
System Security: Remote Attestation
In the single-verifier, single-prover setting, RA is a well-established research area
Problem: how to verify the integrity of a whole network of devices?
○ More efficiently than attesting each device individually!
13/#Mauro Conti
System Security: Remote Attestation
We proposed SANA, a protocol for network attestation that:
● Improves scalability via in-network aggregation of proofs
● Is end-to-end secure
○ Security relies mainly on the unforgeability of OAS (Optimistic Aggregate Signatures)
○ Improved resiliency to hardware attacks
○ Detects attempts to modify the attestation proofs coming from devices
● Has manageable overhead on the (low-end) devices
● Is publicly verifiable
● Verification cost is linear in the number of “bad provers”
○ Depends on the “strength” of the attacker
● If the whole network is OK, verification overhead is constant
○ The most frequent case in practice
14/#Mauro Conti
System Security: Remote Attestation
We evaluated SANA [1]
● Implementing it on a research platform
● Via simulation (for large scale tests)
[1] M. Ambrosin, M. Conti, A. Ibrahim, G. Neven, A.-R. Sadeghi, M. Schunter. SANA: Secure and Scalable Aggregate Network Attestation. In ACM CCS 2016.
15/#Mauro Conti
Outline
Securing:
- Attestation
- Software Update
- Data Protection
16/#Mauro Conti
Update distribution architecture
Management entity
○ Software updates
○ Device monitoring
○ Commands delivery
May be the deployment’s owner
Proprietary or third-party distribution network
○ CDN, NDN, Fog Layer, ...
○ Data caching & aggregation
Deployment
◽ Heterogeneous
◽ Potentially large scale
17/#Mauro Conti
Update adversary model
● Management entity: trusted entity
● Deployment: device integrity may be compromised
● Distribution network:
○ Can be controlled by an adversary
○ Cannot be trusted for integrity, authenticity, or confidentiality
○ Guarantees availability
18/#Mauro Conti
Update design requirements
1. Minimize the window of exposure [Bilge and Dumitras, ACM CCS ‘12]
2. End-to-end security and scalability
3. Access control on the software
○ Software may be proprietary
(#9 of the OWASP IoT Top 10 Vulnerabilities(*))
(*) https://www.owasp.org/index.php/Top_IoT_Vulnerabilities
Window of exposure (vulnerability lifecycle timeline):
1. Vulnerability is introduced
2. Exploit is created by the attacker
3. Vulnerability is discovered by the vendor
4. Vulnerability is publicly disclosed
5. Patch is released
6. Patch is delivered and installed
19/#Mauro Conti
Updaticator
Protocol for end-to-end update confidentiality and integrity
Uses Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
○ To enforce access control based on device attributes
○ Allows linear complexity in the number of attributes
Leverages untrusted caches to speed up distribution
Evaluated on top of ICN/NDN
○ A novel networking paradigm providing caching at the network layer
○ Results showed improved scalability w.r.t. direct fetching
[1] M. Ambrosin, C. Busold, M. Conti, A.-R. Sadeghi, M. Schunter. Updaticator: Updating Billions of Devices by an Efficient, Scalable and Secure Software Update Distribution over Untrusted Cache-enabled Networks. In ESORICS 2014.
20/#Mauro Conti
Outline
Securing:
- Attestation
- Software Update
- Data Protection
21/#Mauro Conti
IoT permission models
Existing IoT frameworks only have permission-based access control
• Permissions control what data an app can access
• Permissions do not control how apps use the data once they have access
This did not work on mobile (see Android permissions)...
...and it will not work on IoT!
22/#Mauro Conti
Potential Abuses
Consumer app:
• Unlock door if face is recognized
• Home-owner can check activity from the Internet
• App needs to compute on sensitive data to provide a useful service
• But has the potential to leak data
(Figure: a publisher of sensitive data acts as the source; the app sits between the source and two sinks)
23/#Mauro Conti
FlowFence [1]
• Support of diverse publishers and consumers of data, with publisher and consumer flow policies
• Allows use of existing languages, tools, and OSes
Language-based flow control
• Restructure apps to obey flow rules
• Developer declares flows
Label-based flow control
• Component-level information tracking
• Flow enforcement through label policies
[1] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, A. Prakash. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In USENIX Security 2016.
24/#Mauro Conti
Thanks!
Mauro Conti
25/#Mauro Conti
Backup slides...