Securing Industrial IoT - MathUniPDconti/slides/20170606_PanelSingapore.pdf · 6/6/2017  · Do we...


Do we need a holistic approach for the design of secure IoT systems?

Securing Industrial IoT

Device Attestation, Software Updates, and Data Protection

Mauro Conti, University of Padua

Slides prepared with the support of Daniele Lain and Moreno Ambrosin

SCy-Phy Systems Week 2017

Panel IV: Defences

June 6, 2017, Singapore


Insecure Things… Mirai

Mirai: IP Cameras hack in October/November


Insecure Things… Wannacry

Targeting the most devices:

- Now: PCs

- Soon? IoT!


Outline

Securing Industrial IoT:

- Attestation

- Software Update

- Data Protection


System Security: Remote Attestation

● Remote Attestation (RA) is an interactive protocol

○ A useful tool to detect software attacks

○ e.g., malware injected on a device, firmware replacement

● Allows a prover to compute a cryptographic proof of the status of its configuration (e.g., SW+data)

○ Called a measure, typically a hash of what you want to measure

○ Security is ensured by HW support on the prover

● A verifier collects this proof remotely and checks whether the collected measure is “valid” or not, i.e., is an expected one
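The prover/verifier exchange described on this slide, as an added example that is not from the original slides or from SANA. It assumes a shared HMAC key standing in for the secret protected by hardware support on the prover; the firmware bytes and all names are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample firmware images (assumptions, not from the slides).
GOOD_FIRMWARE = b"\x7fFW v1.2 control-loop"
TAMPERED_FIRMWARE = b"\x7fFW v1.2 control-loop + implant"


def measure(firmware: bytes) -> bytes:
    """The measure: a hash of the software state being attested."""
    return hashlib.sha256(firmware).digest()


class Prover:
    """Device side. In a real device the key and this routine sit behind
    HW support, so injected code cannot forge or skip the measurement."""

    def __init__(self, device_key: bytes, firmware: bytes):
        self._key = device_key
        self.firmware = firmware

    def attest(self, nonce: bytes) -> tuple[bytes, bytes]:
        m = measure(self.firmware)
        # Binding the fresh nonce to the measure stops replay of an old proof.
        proof = hmac.new(self._key, nonce + m, hashlib.sha256).digest()
        return m, proof


class Verifier:
    def __init__(self, device_key: bytes, expected: set[bytes]):
        self._key = device_key
        self._expected = expected  # known-good measures

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, m: bytes, proof: bytes) -> bool:
        want = hmac.new(self._key, nonce + m, hashlib.sha256).digest()
        authentic = hmac.compare_digest(want, proof)
        return authentic and m in self._expected  # "valid" = an expected one


def run_attestation(firmware: bytes) -> bool:
    key = os.urandom(32)  # provisioned to both sides at enrolment (assumed)
    verifier = Verifier(key, {measure(GOOD_FIRMWARE)})
    prover = Prover(key, firmware)
    nonce = verifier.challenge()
    return verifier.verify(nonce, *prover.attest(nonce))
```
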


In a one-verifier, one-prover setting, RA is a well-established research area

Problem: How to verify the integrity of a network of devices?

○ More efficiently than individually!


We proposed SANA, a protocol for network attestation that:

● Improves scalability via in-network aggregation of proofs

● Is end-to-end secure

○ Security relies mainly on OAS unforgeability

○ Improved resiliency to hardware attacks

○ Detects attempts to modify attestation proofs from devices

● Has manageable overhead on the (low) end devices

● Is publicly verifiable

● Has verification cost linear in the number of “bad provers”

○ Depends on the “strength” of the attacker

● Has constant verification overhead if the network is OK

○ Most frequent case in practice


We evaluated SANA [1]

● Implementing it on a research platform

● Via simulation (for large scale tests)

[1] M Ambrosin, M Conti, A Ibrahim, G Neven, AR Sadeghi, M Schunter. SANA: Secure and Scalable Aggregate Network Attestation. In ACM CCS 2016


Update distribution architecture

Management entity

○ Software updates

○ Device monitoring

○ Commands delivery

May be deployment’s owner

Proprietary or third-party distribution network

○ CDN, NDN, Fog Layer, ...

Data Caching & Aggregation

Deployment

◽ Heterogeneous

◽ Potentially large scale


Update adversary model

Trusted entity

Device integrity may be compromised

Can be controlled by an adversary

Cannot be trusted for

○ Integrity

○ Authenticity

○ Confidentiality

Guarantees availability


Update design requirements

1. Minimize windows of exposure [Bilge and Dumitras, ACM CCS ‘12]

2. End-to-end security and scalability

3. Access control on the software

○ Software may be proprietary

#9 of OWASP IoT Top 10 Vulnerabilities (*)

(*) https://www.owasp.org/index.php/Top_IoT_Vulnerabilities

[Timeline figure: Vulnerability is introduced → Exploit is created by the attacker → Vulnerability is discovered by the vendor → Vulnerability is publicly disclosed → Patch is released → Patch is delivered and installed. Figure label: Window of exposure]


Updaticator

Protocol for end-to-end confidentiality and integrity of updates

Uses Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

○ To enforce access control based on device attributes

○ Allows linear complexity in the number of attributes

Leverages untrusted caches to speed up distribution

Evaluated on top of ICN/NDN

○ Novel networking paradigm providing cache at the network layer

○ Results showed improved scalability w.r.t. direct fetching

[1] M Ambrosin, C Busold, M Conti, AR Sadeghi, M Schunter. Updaticator: Updating billions of devices by an efficient, scalable and secure software update distribution over untrusted cache-enabled networks. In ESORICS 2014


IoT permission models

Existing IoT frameworks only have permission-based access control

• Permissions control what data an app can access

• Permissions do not control how apps use data, once they have access

Did not work on mobile (see Android permissions)

...will not work on IoT!


Potential Abuses

• Unlock door if face is recognized

• Home-owner can check activity from Internet

• App needs to compute on sensitive data to provide useful service

• But has the potential to leak data

[Diagram labels: Consumer App, Publisher of Sensitive Data, Source, Sink]


[1] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, A. Prakash. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In USENIX Security 2016

FlowFence

• Support of diverse publishers and consumers of data, with publisher and consumer flow policies

• Allows use of existing languages, tools, and OSes

Language-based flow control

• Restructure apps to obey flow rules

• Developer declares flows

Label-based flow control

• Component-level information tracking

• Flow enforcement through label policies
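A simplified model of label-based flow control applied to the door-unlock app from the previous slide, as an added example that is not FlowFence's own code or API. The label names, sink names, policy table and helper functions are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# Flow policy: taint label -> sinks that label may reach. Label and sink
# names are hypothetical, modelled on the door-unlock app in the slides.
POLICY = {
    "CAMERA": {"door_lock"},
    "DOOR_STATE": {"door_lock", "internet"},
}


@dataclass(frozen=True)
class Labeled:
    """A value plus the set of source labels that influenced it."""
    value: object
    labels: frozenset


def publish(value, label: str) -> Labeled:
    """A publisher of sensitive data attaches its label at the source."""
    return Labeled(value, frozenset({label}))


def compute(fn, *inputs: Labeled) -> Labeled:
    """Run app logic on labeled data; the result carries the union of labels."""
    labels = frozenset().union(*(i.labels for i in inputs))
    return Labeled(fn(*(i.value for i in inputs)), labels)


def write_sink(sink: str, data: Labeled) -> bool:
    """Allow the flow only if every label on the data may reach this sink."""
    return all(sink in POLICY.get(label, set()) for label in data.labels)


def demo() -> dict:
    frame = publish(b"<constructed camera frame>", "CAMERA")
    state = publish("locked", "DOOR_STATE")
    # Face recognition computes on the sensitive frame (stand-in logic).
    match = compute(lambda f: f.startswith(b"<constructed"), frame)
    report = compute(lambda s, m: f"{s}, face match={m}", state, match)
    return {
        "unlock door from face match": write_sink("door_lock", match),
        "upload raw frame": write_sink("internet", frame),
        "upload door state only": write_sink("internet", state),
        "upload state mixed with match": write_sink("internet", report),
    }
```

The last case is the one a permission model misses: the app legitimately holds camera data, and only label propagation stops a derived value from leaving through the Internet sink.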


Thanks!

Mauro Conti
