the future of embedded and iot security: kaspersky operating system · 2019-07-26 · the internet...

THE FUTURE OF EMBEDDED AND IoT SECURITY: KASPERSKY OPERATING SYSTEM


Post on 29-Jan-2020


Page 1: THE FUTURE OF EMBEDDED AND IoT SECURITY: KASPERSKY OPERATING SYSTEM · 2019-07-26 · THE INTERNET OF THINGS AN EXPLOSION OF CONNECTED POSSIBILITIES 2 Kaspersky Lab | Future of embedded

THE FUTURE OF EMBEDDED AND IoT SECURITY: KASPERSKY OPERATING SYSTEM


THE INTERNET OF THINGS

AN EXPLOSION OF CONNECTED POSSIBILITIES

Kaspersky Lab | Future of embedded and IoT security: Kaspersky Operating System2

Chart: billions of devices (0 to 50) by year (1990 to 2020)

1992: 1,000,000
2003: 0.5 BILLION
2009: IoT INCEPTION
2012: 8.7 BILLION
2013: 11.2 BILLION
2014: 14.4 BILLION
2015: 18.2 BILLION
2016: 22.9 BILLION
2017: 28.4 BILLION
2018: 34.8 BILLION
2019: 42.1 BILLION
2020: 50.1 BILLION


RICH IoT DEVICES ARE THE MOST VULNERABLE

Diagram: Things (Sensor & Actuator, Processing, Communication); Local Network (Gateway(s); Wired/wireless, Power line; BAN, PAN, LAN); The Internet; Back-End Services (Remote Server, User access and control, Business Data Analysis)

IoT ATTACKS

MIRAI

Mirai was initially discovered in August and its name comes from the discovered binaries called “mirai.()”. It is an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running BusyBox, a common tool for IoT embedded devices.

BASHLITE

Infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks. In 2014 BASHLITE used the Shellshock software bug to exploit devices running BusyBox. In 2016 it was reported that one million devices had been infected with BASHLITE.

THE MAIN PROBLEM OF IoT FROM A CYBER SECURITY POINT OF VIEW

Human mistakes

Use of 3rd party software and libraries

Software Complexity (Number of lines of code increasing dramatically)

INSECURE DESIGN

VULNERABILITIES

Time to market pressure

INSECURITY OF CONVENTIONAL OPERATING SYSTEMS

WHY CONVENTIONAL OPERATING SYSTEMS ARE NON SECURE

Monolithic system where any module can call any other

By exploiting an arbitrary code execution vulnerability it is possible to call any other module, regardless of security settings

Uncontrolled use of 3rd party libraries

Adversaries can get control over a whole system with the help of only one vulnerability

Poor security settings due to various reasons (lack of expertise, laziness, lack of time…)

Big attack surface

Diagram: monolithic kernel. Interactive user; Libraries, Commands, Application Programs; OS System Call Interface; Trap Table; Monolithic Kernel Module (Process Management, Memory Management, File Management, Device Mgmt Infrastructure); Driver Interface; Device Drivers

HOW WE SECURE EMBEDDED SYSTEMS


HOW TO FIX THE PROBLEM

Make an environment that simply won't allow the program to perform undeclared functions and prevent the exploitation of vulnerabilities.

THE MAIN PRINCIPLES OF SECURE OS

Secure by design system

MILS with reference monitor approach

Microkernel based

Meets specific requirements for embedded systems


SPECIFIC REQUIREMENTS FOR EMBEDDED OPERATING SYSTEMS

SMALL SIZE AND MINIMUM RESOURCE USAGE

Most embedded systems use limited hardware resources (RAM, ROM, CPU)

OUT OF THE BOX SECURITY

Most embedded systems have (almost) unique security requirements. It is necessary to reduce time to market and reduce the effort that needs to be put into security settings

STABLE WORK EVEN UNDER ATTACK

One has to think about possible threats and threat vectors in advance

COMPLIANCE WITH INDUSTRY STANDARDS

A system has to be designed and developed in accordance with industrial safety and security standards.

KASPERSKYOS // OVERVIEW

Designed for embedded connected systems with specific requirements for cyber security

Based on the separation kernel, which guarantees the control of all internal system communications

The behavior of every module is described in advance via security policies

MILS architecture

Domain separation/isolation

Flexible internal communications control via Kaspersky Security System (KSS)

KASPERSKYOS // SPECIFICATIONS

Microkernel based OS from the in-house development team at Kaspersky Lab

Static security configuration

MILS architecture

Separate business applications from security (easier to develop and support, decrease time to market, increase security and safety)

Maximum level of control due to minimum security domains granularity (every single module/driver could be set as security domain)

POSIX API compatible (well 98% of the API)

Runs on Intel x86, x64 and ARM (v6, v7, v8)

KASPERSKYOS - TRUSTED. FLEXIBLE. SECURE.

KasperskyOS is the foundation from which to build a trusted platform – it will not allow untrusted/malicious/undocumented code to run, due to strict security policies

Set any type of security policy and combine different types of policies.

Use one OS for different appliances – saving time on education and implementation

Due to separation, functional code and security can be worked on in parallel. This saves time to market without sacrificing anything.

Improve safety because of strict security policies that describe the behaviour of a system

TRUSTED FLEXIBLE SECURE


BENEFITS OF KASPERSKYOS

INHERENT SECURITY

KasperskyOS is an operating system that is secure by design and we intend to keep it that way by using the best practices of software development

FLEXIBLE SECURITY CONFIGURATION

Well-designed configuration tools make it easy to create declarative rule definitions and combinations of rules to control interactions in the system

VERSATILE MODULAR ARCHITECTURE

Building the system based on loosely coupled modules helps to minimize the amount of trusted code and tailor each solution to the customer’s specific needs

SEPARATION OF APPLICATION FEATURES FROM SECURITY FUNCTIONS

The security architecture is designed to separate security functions from application business logic, making both configuring security policies and developing applications easier

KASPERSKYOS IMPLEMENTATIONS

Our technologies help developers and manufacturers of complex embedded systems to secure their future revenue by minimizing the risks associated with cyber incidents and malicious software.

We have developed a set of products that suit different client needs and follow the same security principles (separation and isolation of security domains and strict control of inter domain communications):

KasperskyOS

Kaspersky Secure Hypervisor

Kaspersky Security System for Linux

TECHNOLOGIES THAT ARE FIT FOR EVERY PURPOSE TO SECURE EMBEDDED SYSTEMS

Chart: Level of control versus Amount of extra work, positioning KasperskyOS, Kaspersky Secure Hypervisor and KSS for Linux

KASPERSKYOS

Most secure solution (all components are isolated and controlled)

Requires the rethinking and redevelopment of the architecture of every component

Requires (at least) the porting of applications or their complete rewrite

Limited support of hardware (embedded systems only)

SECURE HYPERVISOR

Good level of security (isolation of VMs and critical functions, limited control of communications)

Only requires the rethinking and redevelopment of application architecture

Requires re/development of some critical functions

Wide range of hardware supported (not only embedded systems)

KSS FOR LINUX

Good level of security (isolation of Linux containers, controls only inter container communications)

Only requires the rethinking and redevelopment of application architecture

Requires minimum re/development

Runs on virtually all Linux systems with container support

USE CASES

Telecoms and Network Equipment

IoT and Industrial IoT

Connected Cars

Endpoints

POS Terminals

Linux Systems Security Enhancement

USE CASES – TELECOM EQUIPMENT

Secure boot ensures integrity of OS and applications

Isolation of every single module

Minimize impact of vulnerabilities, malware protection

Protection of sensitive data (i.e. encryption keys)

KASPERSKYOS

Trusted platform

Secure by design: Network Routers & switches, Firewalls, VPN

Diagram: Internet; Security Domain 0 (Network Driver), Security Domain 1 (Network Stack), Security Domain 2 (Web server), Security Domain 3 (SSH), Security Domain 4 (Telnet), Security Domain 5 (Storage); KasperskyOS (uCore + KSS). Annotation: Request for security verdict to allow this domain to send datagram to another domain
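The verdict request in the diagram above, sketched as an added example (not code from the presentation or from KasperskyOS): a default-deny reference monitor that mediates every message between the six security domains. The allowed pairs, the size limits and the names `monitor_verdict` and `ipc_send` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Security domains, numbered as on the slide. */
enum domain { NET_DRIVER, NET_STACK, WEB_SERVER, SSH, TELNET, STORAGE, NDOMAINS };
enum verdict { DENY, ALLOW };

/* Constructed static policy (an assumption, not a real KSS configuration):
 * each row permits one sender -> receiver pair up to max_len bytes.
 * TELNET has no row at all, so it can neither send nor receive. */
struct rule { enum domain src, dst; size_t max_len; };
static const struct rule policy[] = {
    { NET_DRIVER, NET_STACK,  1500 }, { NET_STACK,  NET_DRIVER, 1500 },
    { NET_STACK,  WEB_SERVER, 1024 }, { WEB_SERVER, NET_STACK,  1024 },
    { NET_STACK,  SSH,        1024 }, { SSH,        NET_STACK,  1024 },
    { SSH,        STORAGE,     256 }, { STORAGE,    SSH,         256 },
};

/* Hypothetical verdict function: anything not declared is denied. */
enum verdict monitor_verdict(enum domain src, enum domain dst, size_t len)
{
    if ((unsigned)src >= NDOMAINS || (unsigned)dst >= NDOMAINS || src == dst)
        return DENY;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].src == src && policy[i].dst == dst)
            return len <= policy[i].max_len ? ALLOW : DENY;
    return DENY;                        /* undeclared pair */
}

/* One-slot mailbox per domain stands in for kernel message delivery. */
struct mailbox { enum domain from; size_t len; bool full; };
static struct mailbox inbox[NDOMAINS];
static unsigned denied_count;

/* The only send path: nothing reaches a mailbox without a verdict.
 * Returns 0 on delivery, -1 when the monitor denies the message. */
int ipc_send(enum domain src, enum domain dst, size_t len)
{
    if (monitor_verdict(src, dst, len) != ALLOW) {
        denied_count++;
        return -1;
    }
    inbox[dst] = (struct mailbox){ src, len, true };
    return 0;
}

int main(void)
{
    /* Constructed traffic: a request reaches the web server, which then
     * (as if compromised) tries to talk to storage directly. */
    printf("stack  -> web     : %d\n", ipc_send(NET_STACK, WEB_SERVER, 512));
    printf("web    -> storage : %d\n", ipc_send(WEB_SERVER, STORAGE, 64));
    printf("telnet -> stack   : %d\n", ipc_send(TELNET, NET_STACK, 10));
    printf("ssh    -> storage : %d\n", ipc_send(SSH, STORAGE, 256));
    printf("denied so far     : %u\n", denied_count);
    return 0;
}
```

Because the policy is a static table checked on the single send path, a flaw in the web server domain gives an attacker only the channels that domain was declared to have.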


USE CASES – IoT

Isolation of every single module

Minimize the impact of vulnerabilities

Protection of sensitive data (i.e. encryption keys, user’s data, secure storage)

Secure boot

Secure by design system (the only way to secure IoT devices)

EXAMPLE

Connected to the Internet and powerful enough (not MCU based) devices like:

1. Smart CCTV cameras (processes images on a device and sends processed data to a server)

2. Smart hubs (all sensors and end devices connect to these)

KASPERSKYOS

USE CASES – CONNECTED CARS

Isolation of infotainment from safety critical system (advanced driver assistance systems, AUTOSAR)

Minimize impact of vulnerabilities in every domain

Protection of sensitive data (i.e. encryption keys, logs, telematics data) from unauthorized access

Secure boot and protection against the unauthorized modification of firmware and software (i.e. malware infection, and unauthorized modifications)

Secure by design system

Can be used in central gateway, head unit or specific ECUs

KASPERSKY SECURE HYPERVISOR

USE CASES – ENDPOINTS

No or limited and controlled data exchange between VMs

Integrity checking of software

Trusted boot

Bootkit and rootkit protection

Control of access to external devices

Reduce TCO (need one PC instead of two)

Two virtual machines

First one with access to sensitive data (internal domain)

Second one with access to the Internet and access to public services (external domain)

Truth be told, this is not an ordinary PC. It has to have 2 network cards and 2 HDDs

Diagram: Trusted domain, Untrusted domain, Trusted domain; Administrative service, Application, SSL/TLS, Certificate storage, Access service; Request handshake; Give permissions; Kaspersky Secure Hypervisor

KASPERSKY SECURE HYPERVISOR

USE CASES – NETWORK EQUIPMENT

Secure storage for encryption keys (can be protected from the access of unauthorized software and hardware)

Separation of functional modules like web anti-virus, content filtering, mail anti-virus, cloud storage (can be sold separately with different licenses)

VPN appliances

UTMs

KASPERSKY SECURE HYPERVISOR

USE CASES – POS TERMINALS

Bring security sensitive functions to the Security Service, for example:

Dealing with credit cards (protection of CC data read from a card)

Bank communications

Secure storage (audit, securely sending trusted data to management or regulator)

Helps with PA-DSS compliance

POS software integrity checking

Diagram: Kaspersky Secure Hypervisor; Domain; Untrusted application; Trusted code; Sensitive data; Memory protection feature; labels "unable to modify" and "protect memory pages"

KASPERSKY SECURE HYPERVISOR

USE CASES – LINUX SECURITY ENHANCEMENT

Secure remote device updates & reconfiguration

Separation of duties between components and remote agents (like OEMs and consumers)

Sandboxing untrusted components

In-depth system hardening with enforced security properties on inter components communications

Use cases:

PLCs / Industrial IoT devices

IoT equipment

KASPERSKY SECURITY SYSTEM

QUESTIONS?

Kaspersky OS

Securing Embedded Communications