Securing the supply chain: A multi-pronged approach · Securing the supply chain: A multi-pronged...

Securing the supply chain: A multi-pronged approach

By Jason Jaskolka and John VillasenorStanford UniversityUniversity of California, Los Angeles

June 1, 2017

This presentation addresses two key issues

1. Supply chain security in relation to the integrated circuits (“chips”) that are at the core of every electronics system, including in US critical infrastructure (work done by John Villasenor at UCLA; pre-CIRI)

2. Supply chain security in relation to critical infrastructure networks (work done under CIRI by Jason Jaskolka and John Villasenor at Stanford)

© 2017 CIRI / A Homeland Security Center of Excellence 2

Intentionally compromised chips

Chips: A gaping cybersecurity exposure


• Chips are used to• make the internet work• manage antilock braking in cars• position flaps on modern airliners• control access to ATMs• manage financial transactions - big and small• run the stock market• run the electricity grid• run our communications systems• store and access information• run key aspects of every critical infrastructure sector

Chips: A gaping cybersecurity exposure


• The importance of chip supply chain integrity is well recognized, particularly with respect to counterfeits

• Yet the supply chain is almost completely unprotected against a threat that may turn out to be more significant in the long term:

• Chips could be intentionally compromised during the design process, before they are even manufactured

A chip-launched cyberattack could . . .


• Stop or impede the chip (and possibly the system containing it) from functioning

• Exfiltrate data while making the chip appear to function normally

• Corrupt data within the chip

• Some combination of the above

Creating a chip: A simplified view


Design Manufacture Test ShipSpecification




Much of the attention to hardwaretrust issues has been directed here




Much of the attention to hardwaretrust issues has been directed hereWe also need to

be looking here

Inside a chip: A (very!) simplified view


• Chips often contain a combination of outsourced and in-house designs

Design practices


• In the early days of ICs, the design was carried out in-house within a single company using small teams composed of people working towards a common purpose

• Many of the protocols developed in those days – for example that the various parts of a circuit will behave as expected – assumed all participants were trusted

• In those days, that was a reasonable assumption

• Analogy with internet: early assumptions of trust haven’t held true

Why testing for hardware attacks is hard


• Example: A block that adds 6

ADD6


© 2017 CIRI / A Homeland Security Center of Excellence


ADD620 26




ADD620 26

ADD6127 133




ADD620 26

ADD6127 133

Test100,000moreinputs...

Iftheanswerisalwayscorrect,concludethattheblockworks



• Example: A block that adds 6• But . . . Suppose there is one particular input leads to another result:

• It’s simply not possible to test every possible input

• Thus, the trigger, in this case consisting of the input 126,321,204, is likely to never be tested before deployment

ADD6126,321,204 Startattack

Addressing the problem


• Publication in IEEE Transactions on VLSI Systems



• Publication in IEEE Transactions on Reliability



• Publication in IEEE Transactions on VLSI Systems

Addressing the problem: Example approaches


• Secure bus system: Analyzes statistical patterns of system bus access by different functional blocks, flags aberrant behavior



• Memory gatekeeper: Ensures that functional blocks are able to access only authorized portions of memory; Helps to prevent corruption or exfiltration of data; Flags any attempts at unauthorized access



• Input/output monitor: Analyzes flow of data on and off the chip, compares with expected flows, flags aberrations



• Warning to other devices: A chip under attack can send a warning to other devices, allowing them to preemptively protect themselves against impending attacks.

Policy solutions


• Brookings Institution Paper

Securing networks from the supply chain

Goal


• To develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures

Overview


• Critical infrastructures consist of numerous components and even more interactions, some of which may be:

• Can indicate unforeseen design flaws allowing for these interactions• Intentional or accidental, malicious or innocuous

• Constitute linkages of which designers are generally unaware⇒ security vulnerability

• Can be exploited to mount cyber-attacks at a later time

• Unfamiliar, unplanned, or unexpected• Not visible or not immediately comprehensible ⇒ Implicit Interactions

Approach


1. Model critical infrastructure systems using a mathematical framework• Communicating Concurrent Kleene Algebra

2. Formulate and identify the existence of implicit interactions• Potential for Communication

3. Analyze the severity of identified implicit interactions• Measuring and Classifying Severity, Exploitability, and Impact

4. Mitigate the existence of and/or minimize the threat posed by identified implicit interactions• Preemptive and Reactive Solutions

Modelling critical infrastructure systems


Illustrative example: Maritime port terminal• Maritime ports consist of a number of physical

components and just as many, if not more, intangible software components distributed throughout the system in order to coordinate and control its overall functionality

• We can view the system as having the following classes of agents responsible for coordinating and controlling system components in order to safely and securely operate with efficiency and reliability:• Port Captain• Ship Managers• Stevedores

• Terminal Managers• Crane Managers• Carrier Coordinators

Aker American Shipping YardSource: Tmarinucci via Wikimedia Commons

Analyzing implicit interactions


Illustrative example: Maritime port terminal• For illustrative maritime port terminal with 8 agents, 21 basic events, and 25 basic behaviors:

• 3902 of the 4596 total interactions are implicit interactions

• Result of the potential for out-of-sequence/unexpected messages from system components• Caused by cyber-attack or failure

• After identifying that implicit interactions exist, we have (or are developing) approaches for:

• Measuring the severity of identified implicit interactions

• Measuring the exploitability of identified implicit interactions

• Studying impact of implicit interactions through simulation

Addressing supply chain challenges


• Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system

• Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component in composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities, and altered or interrupted information flows.

• Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses

• Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain

Impact and value to homeland security


• Our approach, backed by rigorous modelling and testing, can provide vital information that can drive decisions on where and how to spend valuable resources in mitigating the potential for such attacks on systems and/or disruption of supply chains

• Formal foundation upon which mitigation approaches can be developed

• Basis for developing policies and guidelines for designing and implementing critical infrastructure systems that are resilient to cyber-threats

• Community engagement can enable contributions to emerging challenges in critical infrastructure cybersecurity

Understanding and addressing network vulnerabilities: Contributions and publications


1. J. Jaskolka and J. Villasenor. Identifying implicit component interactions in distributed cyber-physical systems. In Proceedings of the 50th Hawaii International Conference on System Sciences, HICSS-50, pages 5988–5997, January 2017.

2. J. Jaskolka and J. Villasenor. An approach for identifying and analyzing implicit interactions in distributed systems. IEEE Transactions on Reliability, pages 1–18, March 2017.

3. J. Jaskolka and J. Villasenor. Securing Cyber-Dependent Maritime Ports and Operations. NMIO Technical Bulletin. (Forthcoming).

4. J. Jaskolka and J. Villasenor. Evaluating the exploitability of implicit interactions in distributed systems. ACM Transactions on Privacy and Security. (Under Review).

5. J. Jaskolka and J. Villasenor. Assessing the impact of implicit interactions through attack scenario simulation. (In Preparation).

Thank youJason Jaskolka

[email protected] Villasenor

[email protected]

OverviewOperational Need• Significant progress has been made in quality assurance for software and components

used to build critical infrastructure systems

• Much less attention and progress in making the supply chain robust against intentionally compromised hardware and/or software

• Specifically designed to remain undetected in tests formulated to detect accidental design flaws

• Often only visible, or known, after a system experiences some kind of compromiseor failure

• Cyber-attacks launched using built-in hardware and/or software vulnerabilities could have a devastating impact


Research Challenge and Goals


Research Challenge

• Develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures

Research Goals• Enable the critical infrastructure community to much more effectively:

1. Identify and analyze systemic supply chain-related vulnerabilities, such as implicit interactions

2. Preemptively mitigate at least some of those vulnerabilities3. Quickly and effectively respond to attacks that might exploit the subset of those

vulnerabilities that escape advanced mitigation

Identifying Implicit Interactions


Illustrative Example: Maritime Port Terminal• Each system agent coordinates it actions/behaviors by passing messages to each other or

writing to/reading from shared variables

• The design of the system can be represented as a (sequenced) message passing diagram• Provides a set of expected or intended interactions (𝑃"#$%#&%&)

• An implicit interaction exists in a system formed by a set 𝒜 of agents, if and only if for any two agents 𝐴, 𝐵 ∈ 𝒜 with 𝐴 ≠ 𝐵:

∃ 𝑝 𝑝 ⟹ 𝐴 →3 𝐵 :∀ 𝑞 𝑞 ∈ 𝑃"#$%#&%& ∶ ¬SubPath(𝑝, 𝑞))where:

𝐴 →3 𝐵 indicates that 𝐴 can influence the behavior of 𝐵 andSubPath(𝑝, 𝑞) indicates that 𝑝 is a subpath of 𝑞

Addressing Supply Chain Challenges


• Our approach indirectly addresses cybersecurity challenges faced by critical infrastructure supply chains ⇒ direct approach is intractable

• Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system

• Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component in composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities, and altered or interrupted information flows.

• Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses

• Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain

Securing the supply chain: A multi-pronged approach · Securing the supply chain: A multi-pronged...

Documents

Transcript of Securing the supply chain: A multi-pronged approach · Securing the supply chain: A multi-pronged...