Post on 19-Dec-2015
Information Security of Embedded Systems
2.12.2009: Foundations of Security II
Prof. Dr. Holger Schlingloff
Institut für Informatik und Fraunhofer FIRST
2.12.2009 Embedded Security © Prof. Dr. H. Schlingloff 2009
Structure
1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods
Security – Basic Terms
• System, computational system: ownership of information
• RAMS
• Safety vs. security
• Threats, attacks, security holes: modelling system, stakeholders, boundaries, intentions
• Example: Internet Thermostat
More Basic Terms
• Access (Zugriff): interaction between a subject (with intentions) and an object (a computational system)
  - If the access modifies the object, it is a write access, otherwise a read access
  - in embedded systems: read access to sensor values, write access to actuator values, read/write access to internal data
  - An access is authorized if the owner of the information appreciates it at the time it occurs (the access is in the intent of the owner)
• Security (Informationssicherheit): ability of a system to inhibit or restrict unauthorized access to the system (no threats from outside subjects for the system's information)
  - confidentiality (Vertraulichkeit): no unauthorized read access
  - integrity (Integrität): no unauthorized write access
Communication Threats
• e.g., TCP/IP protocol stack
• Example packet
Homework: Monitor your connections!
• e.g., Microsoft Network Monitor
Link layer attacks
• Security hole via physical access to a wired network (hardware monitoring devices)
• e.g. ARP masquerading: rerouting of information
  - send an unrequested ARP reply which associates one's own HW id with the IP address of the victim; the server "updates" its cache information
• WLAN, Bluetooth, ZigBee security?
  - embedded devices communicate wirelessly
  - security measures in increasing sophistication, cf. ch. 5.2
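As an added illustration of the ARP masquerading symptoms named above (example code, not from the lecture), a small passive monitor in Python that parses raw Ethernet/ARP frames and flags both an ARP reply nobody requested and an IP address whose hardware address suddenly changes; all addresses and frames are constructed test data.

```python
import socket
import struct
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
def mac_b(s): return bytes.fromhex(s.replace(":", ""))   # "02:00:..." -> 6 raw bytes

def build_arp(op, sha, spa, tha, tpa):
    """Build a raw Ethernet+ARP frame; used here only to construct sample traffic."""
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    return ETH.pack(mac_b(dst), mac_b(sha), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, mac_b(sha), socket.inet_aton(spa), mac_b(tha), socket.inet_aton(tpa))

def parse_arp(frame):
    """Return (op, sender MAC, sender IP, target IP), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpWatch:
    """Passive monitor: remembers IP -> MAC bindings and records suspicious replies."""
    def __init__(self):
        self.table, self.pending, self.alerts = {}, set(), []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add(tpa)              # a host legitimately asked who has tpa
        elif op == ARP_REPLY:
            if spa not in self.pending:        # nobody asked: the "unrequested reply" symptom
                self.alerts.append(f"unsolicited reply: {spa} is-at {sha}")
            self.pending.discard(spa)
            old = self.table.get(spa)
            if old and old != sha:             # a cache entry would be overwritten
                self.alerts.append(f"binding changed: {spa} {old} -> {sha}")
            self.table[spa] = sha

def demo():
    """Constructed traffic: a normal request/reply, then a third host claiming 10.0.0.2."""
    w = ArpWatch()
    w.observe(build_arp(ARP_REQUEST, "02:00:00:00:00:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"))
    w.observe(build_arp(ARP_REPLY, "02:00:00:00:00:02", "10.0.0.2", "02:00:00:00:00:01", "10.0.0.1"))
    w.observe(build_arp(ARP_REPLY, "02:00:00:00:00:66", "10.0.0.2", "02:00:00:00:00:01", "10.0.0.1"))
    return w.alerts
```

Fed from a real capture, the same two checks are what tools such as arpwatch raise alerts on; a static ARP entry for the gateway or server is the usual countermeasure on the host side.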
Network layer attacks (1)
• Address spoofing: attacker pretends to be somebody else (via manipulated IP headers)
• Flooding attacks
  - direct: SYN flooding
  - indirect: Smurf
Network layer attacks (2)
• Eavesdropping of IP packets (tcpdump)
  - IP provides unencrypted communication (no confidentiality, integrity, authenticity, ...)
  - routing nondeterministic
    - strict source routing attack
    - RIP (routing information protocol) and redirect attack
Transport layer attacks (1)
• Access via faked packets
  - TCP: sequence numbering / acknowledgement
  - upon receipt of a connection request, the server generates a new sequence number, sends it back, and waits for an acknowledgement
  - "guessing" of ack numbers allows write access
  - blocking of receipt at victim's site
Transport layer attacks (2)
•“session hijacking” eavesdrop communication kill client use false packets to continue communication,
e.g., install backdoor on server
Application Layer Threats (1)
• Web applications, e-mail: viruses, worms, trojans, ...
  - responsible for 90% of present-day security problems
  - mobile code, e.g. ActiveX, VB scripts
  - MIME threats: attachments, links, ...
  - no security guaranteed (esp. authenticity)
• ftp, telnet, rlogin, rsh
  - password encryption?
  - anonymous FTP: write access?
• NFS: false mounting of exported files
  - NFS masquerading: UID on untrusted hosts can be arbitrarily manipulated
  - faking of NFS file handles (replay attack)
  - similar problems with NetBIOS (workgroup or password-level access)
Application Layer Threats (2)
• NIS supplies password information to outside
  - password shadowing
• HTTP cookies: write access "permission assumed"
  - personal data, e.g., passwords, user profiles
  - disallow by default!
• CGI scripts: execution of arbitrary commands on server
  - errors in scripts can open security holes
  - minimal rights principle!
• DNS poisoning: attacker fudges IP number / name assignment
  - system access via .rhosts and rlogin
General Construction Principles
• Fail-safe defaults principle: access denied if not explicitly allowed
• Complete mediation principle: each access has to be supervised
• Need-to-know principle: each subject has exactly the rights needed for its tasks
• Open design principle: security does not depend on design knowledge ("no security by obscurity")
• Economy of mechanisms principle: measures must be efficient and easy to use
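As an added example (not from the lecture), the read/write access definitions from the "More Basic Terms" slide and the first three construction principles above, expressed as a small reference monitor in Python for the internet thermostat example; the subject names, object names and values are constructed.

```python
READ, WRITE = "read", "write"   # read: does not modify the object; write: modifies it

class ReferenceMonitor:
    """Mediates every access; nothing is allowed that the owner has not explicitly granted."""
    def __init__(self):
        self.granted = set()   # (subject, object, op) triples that are in the owner's intent
        self.log = []          # complete mediation: every decision, allowed or not, is recorded

    def grant(self, subject, obj, op):
        self.granted.add((subject, obj, op))

    def check(self, subject, obj, op):
        allowed = (subject, obj, op) in self.granted   # fail-safe default: no rule -> deny
        self.log.append((subject, obj, op, allowed))
        return allowed

class Thermostat:
    """Constructed model of the slides' internet thermostat: sensor, actuator, internal data."""
    def __init__(self, monitor):
        self.monitor = monitor
        self.state = {"temp_sensor": 21.5, "heater": False, "setpoint": 22.0}

    def read(self, subject, name):
        if not self.monitor.check(subject, name, READ):
            raise PermissionError(f"{subject}: read {name} denied")
        return self.state[name]

    def write(self, subject, name, value):
        if not self.monitor.check(subject, name, WRITE):
            raise PermissionError(f"{subject}: write {name} denied")
        self.state[name] = value

def demo():
    """Need-to-know: the display may only read the sensor; the controller reads and drives the heater."""
    rm = ReferenceMonitor()
    for rule in [("display", "temp_sensor", READ), ("controller", "temp_sensor", READ),
                 ("controller", "setpoint", READ), ("controller", "heater", WRITE)]:
        rm.grant(*rule)
    t = Thermostat(rm)
    shown = t.read("display", "temp_sensor")
    t.write("controller", "heater", t.read("controller", "temp_sensor") < t.read("controller", "setpoint"))
    try:                                      # an outside subject with no rule at all is denied
        t.read("internet_user", "temp_sensor")
        leaked = True
    except PermissionError:
        leaked = False
    return {"shown": shown, "heater": t.state["heater"], "leaked": leaked, "decisions": len(rm.log)}
```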
System Construction Phases (1)
"Design for security": respect security issues in each phase, enrich the life cycle by special (sub-) phases
1. System requirements analysis
   - system environment, functionality, use scenarios
   - necessary components, available resources
2. Threat and risk analysis
   - list vulnerabilities and possible attacks
   - estimate potential damage and occurrence probability
3. Security strategy and security model
   - derive and classify necessary security mechanisms (effort, cost, importance, ...)
   - build a model of the system and prove properties
System Construction Phases (2)
4. System architecture (coarse-grained design)
   - realisation of the model
   - interface definitions, services and protocols, module decomposition
5. Module definition (fine-grained design)
   - algorithms, data and control structures, ...
   - adaptation or extension of existing architectures and modules
6. Module and system implementation
   - coding and integration of components
System Construction Phases (3)
7. Validation, testing and evaluation
   - code inspection, module testing, integration testing (e.g., find logical time bombs, security holes, hidden channels)
   - testing of security measures
   - validation of the implementation of the security model
8. Security classification
   - according to different criteria catalogues (TCSEC, ITSEC, ...)
   - certification authorities, e.g., TÜV, BSI
9. Installation, maintenance
   - establishment of security infrastructure
   - assert that the security policy is being followed, fixing of known security holes etc.
Construction of Secure Systems
• Security engineering: "The effort to achieve and maintain optimal security and survivability of a system throughout its life cycle" [InfoSec 1999]
  - integration with the SW engineering process
  - new phases: threat and risk analysis, security strategy; security classification, infrastructure
• Lit.:
  - Ross Anderson, Security Engineering; Addison-Wesley, 2001 (Case Studies)
  - Nancy G. Leveson, Safeware; Addison-Wesley 1995 (Safety)
  - Ed Amoroso, Fundamentals of Computer Security Technology