Information Security of Embedded Systems 2.12.2009: Foundations of Security II Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST


Information Security of Embedded Systems

2.12.2009: Foundations of Security II

Prof. Dr. Holger Schlingloff
Institut für Informatik und Fraunhofer FIRST

2.12.2009Embedded Security © Prof. Dr. H. Schlingloff 2009 2

Structure

1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods


Security – Basic Terms

• System, computational system
  - ownership of information
• RAMS
• Safety vs. security
• Threats, attacks, security holes
  - modelling: system, stakeholders, boundaries, intentions
• Example: Internet Thermostat


More Basic Terms

• Access (Zugriff)
  - interaction between a subject (with intentions) and an object (a computational system)
  - if the access modifies the object, it is a write access, otherwise a read access
  - in embedded systems: read access to sensor values, write access to actuator values, read/write access to internal data
  - an access is authorized if the owner of the information appreciates it at the time it occurs (the access is in the intent of the owner)
• Security (Informationssicherheit)
  - ability of a system to inhibit or restrict unauthorized access to the system (no threats from outside subjects to the system’s information)
  - confidentiality (Vertraulichkeit): no unauthorized read access
  - integrity (Integrität): no unauthorized write access


Communication Threats

• e.g., TCP/IP protocol stack

• Example packet


Homework: Monitor your connections!

• e.g., Microsoft Network Monitor


Link layer attacks

• Security hole via physical access to a wired network (hardware monitoring devices)
• e.g. ARP masquerading: rerouting of information
  - send an unrequested ARP reply which associates the attacker’s own HW-id with the IP address of the victim server
  - the reply “updates” the cache information of the receiving hosts
• WLAN, Bluetooth, ZigBee security?
  - embedded devices communicate wirelessly
  - security measures in increasing sophistication, cf. ch. 5.2
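As an added example (not from the lecture slides), a small Python ARP-cache monitor that flags the two symptoms of the ARP masquerading described above, an unrequested reply and a changed IP-to-hardware-address binding, replayed over constructed reply records; the record fields and sample addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    t: float          # seconds since capture start (constructed value)
    ip: str           # protocol address the reply claims to own
    mac: str          # hardware address the reply binds to that IP
    solicited: bool   # True if this host had sent an ARP request for ip just before

def monitor_arp(replies):
    """Replay ARP replies against a cache that only learns from solicited replies.

    Returns (alerts, cache). Alerts are (kind, ip, old_mac, new_mac) tuples:
      'rebind'  : an unsolicited reply tries to change an existing binding,
                  which is exactly the cache "update" a masquerader relies on;
      'unbound' : an unsolicited reply for an address we never asked about;
      'changed' : a solicited reply returns a different hardware address than
                  cached (may be legitimate, e.g. a replaced NIC, but worth a look).
    """
    cache = {}
    alerts = []
    for r in replies:
        known = cache.get(r.ip)
        if not r.solicited:
            if known is not None and known != r.mac:
                alerts.append(("rebind", r.ip, known, r.mac))
            elif known is None:
                alerts.append(("unbound", r.ip, None, r.mac))
            continue  # never let an unrequested reply modify the cache
        if known is not None and known != r.mac:
            alerts.append(("changed", r.ip, known, r.mac))
        cache[r.ip] = r.mac
    return alerts, cache

# Constructed sample: two normal solicited replies, then an unrequested reply
# that tries to rebind the server's IP to another hardware address.
SAMPLE = [
    ArpReply(0.1, "10.0.0.1", "aa:aa:aa:aa:aa:01", True),
    ArpReply(0.2, "10.0.0.2", "aa:aa:aa:aa:aa:02", True),
    ArpReply(5.0, "10.0.0.1", "de:ad:be:ef:00:01", False),
    ArpReply(6.0, "10.0.0.9", "de:ad:be:ef:00:09", False),
    ArpReply(7.0, "10.0.0.2", "aa:aa:aa:aa:aa:02", True),
]

if __name__ == "__main__":
    alerts, cache = monitor_arp(SAMPLE)
    for a in alerts:
        print("ALERT", *a)
    print("cache:", cache)
```

A host whose cache behaves like this one keeps the original binding after the unrequested reply; the alert list is what a monitoring tool such as the one in the homework slide would surface.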


Network layer attacks (1)

• Address spoofing: attacker pretends to be somebody else (via manipulated IP headers)
• Flooding attacks
  - direct: SYN flooding
  - indirect: Smurf


Network layer attacks (2)

• Eavesdropping of IP packets (tcpdump)
  - IP provides unencrypted communication (no confidentiality, integrity, authenticity, ...)
• Routing is nondeterministic
  - strict source routing attack
  - RIP (routing information protocol) and redirect attack


Transport layer attacks (1)

• Access via faked packets
  - TCP: sequence numbering / acknowledgement
  - upon receipt of a connection request, the server generates a new sequence number, sends it back, and waits for an acknowledgement
  - “guessing” of ack numbers allows write access
  - blocking of receipt at the victim’s site


Transport layer attacks (2)

• “Session hijacking”
  - eavesdrop communication
  - kill client
  - use false packets to continue communication, e.g., install backdoor on server


Application Layer Threats (1)

• Web applications, e-mail: viruses, worms, trojans, …
  - responsible for 90% of present-day security problems
  - mobile code, e.g. ActiveX, VB Scripts
  - MIME threats: attachments, links, …
  - no security guaranteed (esp. authenticity)
• ftp, telnet, rlogin, rsh
  - password encryption?
  - anonymous FTP: write access?
• NFS: false mounting of exported files
  - NFS masquerading: UID on untrusted hosts can be arbitrarily manipulated
  - faking of NFS file handles (replay attack)
  - similar problems with NetBIOS (workgroup or password-level access)


Application Layer Threats (2)

• NIS supplies password information to the outside
  - password shadowing
• HTTP cookies: write access with “permission assumed”
  - personal data, e.g., passwords, user profiles
  - disallow by default!
• CGI scripts: execution of arbitrary commands on the server
  - errors in scripts can open security holes
  - minimal rights principle!
• DNS poisoning: attacker fudges the IP number / name assignment
  - system access via .rhosts and rlogin


General Construction Principles

• Fail-safe defaults principle: access is denied if not explicitly allowed
• Complete mediation principle: each access has to be supervised
• Need-to-know principle: each subject has exactly the rights needed for its tasks
• Open design principle: security does not depend on knowledge of the design (“no security by obscurity”)
• Economy of mechanisms principle: measures must be efficient and easy to use
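As an added example (not from the lecture slides), a minimal Python reference monitor for the Internet thermostat from the “Basic Terms” slide, using the subject / object / read-write access model defined there to show fail-safe defaults (deny unless listed), complete mediation (one audited choke point) and a need-to-know review (rights granted but never used); the subjects, objects and policy entries are constructed assumptions.

```python
READ, WRITE = "read", "write"

# Explicit allow-list of (subject, object, access) triples for the thermostat.
# Fail-safe default: any triple not listed here is denied.
POLICY = frozenset({
    ("controller", "sensor.temperature", READ),
    ("controller", "data.setpoint", READ),
    ("controller", "actuator.heater", WRITE),
    ("remote_ui", "sensor.temperature", READ),
    ("remote_ui", "data.setpoint", WRITE),
    ("logger", "sensor.temperature", READ),
})

class ReferenceMonitor:
    """Single choke point through which every access must pass (complete mediation)."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []         # every decision, allowed or denied, is recorded
        self.exercised = set()  # rights actually used, for the need-to-know review

    def mediate(self, subject, obj, access):
        allowed = (subject, obj, access) in self.policy
        self.audit.append((subject, obj, access, "ALLOW" if allowed else "DENY"))
        if allowed:
            self.exercised.add((subject, obj, access))
        return allowed

    def denials(self):
        return [entry for entry in self.audit if entry[3] == "DENY"]

    def unused_rights(self):
        """Need-to-know review: granted rights never exercised are removal candidates."""
        return sorted(self.policy - self.exercised)

def run_scenario():
    rm = ReferenceMonitor(POLICY)
    results = [
        rm.mediate("controller", "sensor.temperature", READ),   # allowed
        rm.mediate("controller", "actuator.heater", WRITE),     # allowed
        rm.mediate("logger", "actuator.heater", WRITE),         # denied: logger only reads
        rm.mediate("remote_ui", "actuator.heater", WRITE),      # denied: UI may only set the setpoint
        rm.mediate("guest", "sensor.temperature", READ),        # denied: unknown subject
        rm.mediate("controller", "sensor.temperature", "exec"), # denied: unknown access kind
    ]
    return rm, results

if __name__ == "__main__":
    rm, results = run_scenario()
    print(results, rm.denials(), rm.unused_rights(), sep="\n")
```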


System Construction Phases (1)

“Design for security”: respect security issues in each phase, enrich the life cycle by special (sub-)phases

1. System requirements analysis
   - system environment, functionality, use scenarios
   - necessary components, available resources
2. Threat and risk analysis
   - list vulnerabilities and possible attacks
   - estimate potential damage and occurrence probability
3. Security strategy and security model
   - derive and classify necessary security mechanisms (effort, cost, importance, ...)
   - build a model of the system and prove properties


System Construction Phases (2)

4. System architecture (coarse-grained design)
   - realisation of the model
   - interface definitions, services and protocols, module decomposition
5. Module definition (fine-grained design)
   - algorithms, data and control structures, ...
   - adaptation or extension of existing architectures and modules
6. Module and system implementation
   - coding and integration of components


System Construction Phases (3)

7. Validation, testing and evaluation
   - code inspection, module testing, integration testing (e.g., find logical time bombs, security holes, hidden channels)
   - testing of security measures
   - validation of the implementation of the security model
8. Security classification
   - according to different criteria catalogues (TCSEC, ITSEC, ...)
   - certification authorities, e.g., TÜV, BSI
9. Installation, maintenance
   - establishment of the security infrastructure
   - assert that the security policy is being followed, fixing of known security holes etc.


Construction of Secure Systems

• Security engineering: “The effort to achieve and maintain optimal security and survivability of a system throughout its life cycle” [InfoSec 1999]
  - integration with the SW-engineering process
  - new phases: threat and risk analysis, security strategy; security classification, infrastructure
• Lit.:
  - Ross Anderson, Security Engineering; Addison-Wesley, 2001 (Case Studies)
  - Nancy G. Leveson, Safeware; Addison-Wesley 1995 (Safety)
  - Ed Amoroso, Fundamentals of Computer Security Technology