Formal Security Analysis of Smart Embedded Systems - PowerPoint PPT Presentation



SLIDE 1

Formal Security Analysis of Smart Embedded Systems

Farid Molazem Tabrizi, Karthik Pattabiraman
http://blogs.ubc.ca/karthik/
SLIDE 2

IoT Systems

SLIDE 3

Security Attacks against IoT

SLIDE 4

Challenge

  • No systematic technique to automatically find security vulnerabilities in IoT devices
  • Large attack surface
  • Attacker often has physical access
  • Devices are often resource constrained

SLIDE 5

Problem

Figure: an embedded device running its firmware (void foo() { … }, int bar() { … }) interacts with its environment and with an attacker who chooses actions. Goal: enumerate all possible attacks.

SLIDE 6

Security Analysis

  • Attack trees [Byres 04, Morais 09]
    • Predefined attack goals
    • Manual search
  • Attack graphs [Jha 02, Sheyner 02]
    • Need vulnerabilities of the hosts
  • Formal analysis [Delaune 10, Miculan 11]
    • Targets well-defined protocols

SLIDE 7

Our Approach: Idea

  • IoT devices perform specific tasks
  • Define the right abstraction
    • Not too low level, not too high level
  • Allows us to systematically find vulnerabilities

SLIDE 8

High-level picture

Figure: from the system specification, a security expert builds a formal model of the system and a formal model of the attacker; analysing the two models yields attacks (remaining figure labels: user, source code).

SLIDE 9

Abstraction

Pipeline: System Model + Attacker Model → Analysis → Attacks, built on Rewriting Logic

SLIDE 10

Abstraction: System Model

Rewriting logic:
  • Rewrite rules
  • Equations

State machine: start → Receive data → Store data

Rewrite rules for the sensor-data state:

    Start => sensorData(0, 0)
    sensorData(r, n) => sensorData(r, n) sensorData(r+1, 0)
    sensorData(r, n) => sensorData(r, n+1)

SLIDE 11

Abstraction: Attacker Model

Attacker action, e.g. access to the i-th sensor channel:

    sensorData(c1, v1) sensorData(c2, v2) sensorData(c3, v3) => sensorData(c1, v1) sensorData(c3, v3) if c2 = i

Explicit model checking: explore the state space for an unsafe state, e.g.

    Start => receive(c1, v1) where v1 < 0

SLIDE 12

Case study

  • SEGMeter: an open source smart meter
    • Sensor board: receives raw data
    • Communication board: talks to the server
  • Code base: Lua and C (~3000 LOC)
SLIDE 13

Threat model

  • Access
    • Read/write access to communication interfaces [McLaughlin et al. 2010]
    • Root access to a node in the grid network [Mo et al. 2012]
  • Actions
    • Drop messages
    • Replay messages
    • Reboot meter

SLIDE 14

Evaluation

Performance
  • Using Maude [Clavel 15]: http://maude.cs.illinois.edu/
  • 3.4 GHz CPU, 16GB RAM
  • Analysis time: from less than a second up to 2 hours
SLIDE 15

Evaluation

Practicality
  • Query for paths to unsafe states
  • Some map to the same execution path

    search sensor(N1, M1) sensor(N2, M2) sensor(N3, M3) => stored(N1, M1) stored(N2, M2)

SLIDE 16

Attack Example 1: Rebooting

Meter cycle: start → Receive new data → Add to old data → Send to server; attacker action: Reboot

Unsafe transition queried:

    S1 => S2 where data(S1) not sent & cycle = start

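The explicit-state search of slides 10, 11, 15 and 16, worked through in code. This is an added example, not the authors' Maude model: it encodes the meter's store-and-forward cycle (receive new data, open the data file for writing, write and close, send to the server) and the attacker's reboot action as rewrite rules over a small state, then breadth-first searches for a state in which a reading that was once persisted has been lost. The state layout, rule names, reading counter and the MAX_READINGS bound are assumptions made for this example.

```python
"""Explicit-state search over a rewrite-rule model of a smart meter's
store-and-forward cycle plus an attacker 'reboot' rule (added example; the
state layout, rule names and bounds are assumptions, not the authors' model)."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

MAX_READINGS = 2  # bound on the number of readings so the state space stays finite


@dataclass(frozen=True)
class Meter:
    cycle: str = "start"                   # start | received | writing | stored
    ram: frozenset = frozenset()           # readings held only in memory
    disk: frozenset = frozenset()          # readings in the on-disk data file
    sent: frozenset = frozenset()          # readings acknowledged by the server
    stored_ever: frozenset = frozenset()   # readings that were on disk at some point
    next_id: int = 0                       # id of the next reading (assumed counter)


Rule = Callable[[Meter], List[Meter]]


# --- system rules: one function per rewrite rule, returning the successor states
def receive(s: Meter) -> List[Meter]:
    """start => received: the sensor board delivers a new reading."""
    if s.cycle != "start" or s.next_id >= MAX_READINGS:
        return []
    return [replace(s, cycle="received", ram=s.ram | {s.next_id}, next_id=s.next_id + 1)]


def open_for_write(s: Meter) -> List[Meter]:
    """received => writing: old file merged into RAM, then io.open(f, "w") truncates the file."""
    if s.cycle != "received":
        return []
    return [replace(s, cycle="writing", ram=s.ram | s.disk, disk=frozenset())]


def write_and_close(s: Meter) -> List[Meter]:
    """writing => stored: the merged table is written and the file closed."""
    if s.cycle != "writing":
        return []
    return [replace(s, cycle="stored", disk=s.ram, stored_ever=s.stored_ever | s.ram)]


def send(s: Meter) -> List[Meter]:
    """stored => start: the file contents are uploaded and acknowledged."""
    if s.cycle != "stored":
        return []
    return [replace(s, cycle="start", sent=s.sent | s.disk, ram=frozenset())]


# --- attacker rule: applies in every state
def reboot(s: Meter) -> List[Meter]:
    """any => start: RAM is lost; the file keeps only what was written and closed."""
    return [replace(s, cycle="start", ram=frozenset())]


SYSTEM_RULES: Dict[str, Rule] = {
    "receive": receive, "open_for_write": open_for_write,
    "write_and_close": write_and_close, "send": send,
}
ATTACKER_RULES: Dict[str, Rule] = {"reboot": reboot}


def unsafe(s: Meter) -> bool:
    """A reading that was persisted is now on neither the disk nor the server."""
    return s.cycle == "start" and bool(s.stored_ever - s.disk - s.sent)


def search(rules: Dict[str, Rule], start: Meter = Meter(), max_depth: int = 16) -> Optional[List[str]]:
    """Bounded breadth-first search for start =>* unsafe; returns the rule names
    along the shortest such path, or None if no unsafe state is reachable."""
    parent: Dict[Meter, Tuple[Optional[Meter], Optional[str]]] = {start: (None, None)}
    frontier = deque([(start, 0)])
    while frontier:
        state, depth = frontier.popleft()
        if unsafe(state):
            path = []
            while parent[state][0] is not None:
                state, label = parent[state][0], parent[state][1]
                path.append(label)
            return path[::-1]
        if depth >= max_depth:
            continue
        for name, rule in rules.items():
            for nxt in rule(state):
                if nxt not in parent:
                    parent[nxt] = (state, name)
                    frontier.append((nxt, depth + 1))
    return None


if __name__ == "__main__":
    print("system alone:", search(SYSTEM_RULES))
    print("with reboot: ", search({**SYSTEM_RULES, **ATTACKER_RULES}))
```

Without the attacker rule the search exhausts the (bounded) state space and finds nothing; with `reboot` added it returns the shortest counterexample, which is exactly the slide's story: a reading is stored, the upload is interrupted by a reboot, the next cycle truncates the file while merging, and a second reboot inside that window loses the previously persisted reading. Different queries (different `unsafe` predicates) can map to the same execution path, which is the deduplication point made on slide 15.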
SLIDE 17

Attack Example 1: Rebooting

Opening the data file in write mode truncates it; between the open and the close there is a vulnerability window in which a reboot loses the data.

    function update_node_list()
      all_data = get_node_list()
      all_data = merge_table(current, all_data)
      data_file = assert(io.open(dataFile, "w"))  -- open file in write mode: vulnerability window, data lost if rebooted here
      for key, value in pairs(node_list) do
        data_file:write(data)
      end
      assert(data_file:close())
    end

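The truncate-then-write pattern of attack example 1 beside a crash-safe rewrite, with the reboot simulated in the vulnerability window. This is an added example, not SEGMeter's code: the file name, the JSON table format and the `Reboot` exception standing in for power loss are assumptions.

```python
"""Truncate-then-write (the pattern of attack example 1) beside a crash-safe
rewrite. Added example: the file name, the JSON table format and the simulated
reboot are assumptions, not SEGMeter's code."""
import json
import os
import tempfile


class Reboot(Exception):
    """Stands in for power loss or an attacker-triggered reboot."""


def write_naive(path: str, readings: dict, crash_after_open: bool = False) -> None:
    # open(path, "w") truncates the file immediately, like io.open(dataFile, "w"):
    # the previous contents are gone before any new byte is written.
    with open(path, "w") as f:
        if crash_after_open:
            raise Reboot("rebooted inside the vulnerability window")
        json.dump(readings, f)


def _fsync_dir(dir_name: str) -> None:
    """Persist the directory entry after a rename (no-op where unsupported)."""
    try:
        dfd = os.open(dir_name, os.O_RDONLY)
    except OSError:
        return
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)


def write_atomic(path: str, readings: dict, crash_after_open: bool = False) -> None:
    # Write the new table to a temporary file in the same directory, flush it to
    # stable storage, then rename it over the old file. A reboot at any point
    # leaves either the complete old file or the complete new one.
    dir_name = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dir_name, prefix=".data_file.")
    try:
        with os.fdopen(fd, "w") as f:
            if crash_after_open:
                raise Reboot("rebooted while the temporary file was open")
            json.dump(readings, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic replacement on the same file system
        tmp = None
        _fsync_dir(dir_name)
    finally:
        if tmp is not None and os.path.exists(tmp):
            os.unlink(tmp)  # tidy up the half-written temporary file


def load(path: str):
    """Return the stored table, or None if the file is missing or truncated."""
    try:
        with open(path) as f:
            return json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        return None


def simulate(writer):
    """Store a table from a completed cycle, then reboot while storing the
    merged table of the next cycle; return what the meter finds after restart."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data_file")
        writer(path, {"sensor-1": [3, 5]})  # constructed readings, previous cycle
        try:
            writer(path, {"sensor-1": [3, 5, 7]}, crash_after_open=True)
        except Reboot:
            pass
        return load(path)


if __name__ == "__main__":
    print("naive :", simulate(write_naive))   # None: the old readings are gone
    print("atomic:", simulate(write_atomic))  # the previous cycle's table survives
```

The rename is the point: the old file stays complete until the new one is fully on disk, so a reboot can only cost the cycle in flight, never the backlog. On a flash-backed embedded file system the `fsync` calls are what make the rename durable rather than merely ordered.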
SLIDE 18

Attack Example 2: Drop Messages

  • Attacker with root access to a routing node between the meter and the server
  • Adds an iptables rule that drops messages to the time server:

    iptables -A INPUT -d ADDRESS -j DROP

  (rule as shown on the slide; on a routing node, traffic passing through is matched by the FORWARD chain, while INPUT only matches traffic addressed to the node itself)

  • The meter's time check then never succeeds and gets stuck in the loop:

    function confirm_time_is_OK()
      while time_is_ok == false do
        ...
        time_is_ok = check_time()
        if (time_is_ok == true) then
          set_time()
          break
        end
      end
    end

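A bounded replacement for the confirm_time_is_OK loop of attack example 2, as an added example rather than the meter's own code. It assumes check_time() returns True once the time server has answered and the local clock is acceptable; the retry budget, deadline and exponential back-off are assumptions. The clock and sleep are injectable so the scenarios at the bottom run offline and deterministically.

```python
"""Bounded replacement for confirm_time_is_OK (attack example 2). Added example:
check_time() is assumed to return True once the time server has answered and the
local clock is acceptable; the retry budget and back-off are assumptions. The
clock and sleep are injectable so the scenarios below run offline."""
import time
from typing import Callable, List, Tuple


def confirm_time_is_ok(
    check_time: Callable[[], bool],
    set_time: Callable[[], None],
    *,
    max_attempts: int = 5,
    deadline_s: float = 60.0,
    base_delay_s: float = 1.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Try to synchronise the clock with bounded retries and a wall-clock deadline.
    Returns True on success, False if the time server stays unreachable; unlike
    `while time_is_ok == false do ... end`, it can never loop forever."""
    start = clock()
    for attempt in range(1, max_attempts + 1):
        if check_time():
            set_time()
            return True
        if attempt == max_attempts:
            break
        remaining = deadline_s - (clock() - start)
        if remaining <= 0:
            break
        sleep(min(base_delay_s * 2 ** (attempt - 1), remaining))  # exponential back-off
    return False  # caller keeps metering on the last known time and raises an alert


class FakeClock:
    """Deterministic stand-in for time.monotonic / time.sleep."""
    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def run_scenario(answers: List[bool], **kwargs) -> Tuple[bool, float, int, List[str]]:
    """Drive confirm_time_is_ok with scripted check_time results; once the
    script runs out the server is treated as unreachable (packets dropped)."""
    clk = FakeClock()
    script = iter(answers)
    calls = {"checks": 0}
    actions: List[str] = []

    def check_time() -> bool:
        calls["checks"] += 1
        return next(script, False)

    ok = confirm_time_is_ok(check_time, lambda: actions.append("set_time"),
                            clock=clk.monotonic, sleep=clk.sleep, **kwargs)
    return ok, clk.now, calls["checks"], actions


if __name__ == "__main__":
    print("time server blocked  :", run_scenario([]))                    # (False, 15.0, 5, [])
    print("answers on 3rd try   :", run_scenario([False, False, True]))  # (True, 3.0, 3, ['set_time'])
    print("5 s deadline, blocked:", run_scenario([], deadline_s=5.0))    # (False, 5.0, 4, [])
```

With messages to the time server dropped, the bounded version gives up after a known number of checks and a known elapsed time and returns False, so the rest of the meter's cycle can continue (with the time marked unsynchronised) instead of hanging. What the caller does with False is a policy decision: keep metering on the last good time and alert, or refuse to upload until the clock is trusted again.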
SLIDE 19

Attack Example 3: Spoofing

Normal behaviour: the communication board sends a data request to the sensor board, which replies with the data.

  • Find the serial communication configuration (a handful of common configs; a couple of hundred configs in total)
  • Use a USB to 6-pin serial connector from a laptop to the meter
  • Replay the data request
  • Receive the data on the laptop; the data is deleted from the sensor board
  • One of the common configs worked in our case

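The procedure of attack example 3 as one runnable piece: enumerate serial-port configurations most-common-first, replay the captured data request under each, and stop at the first intelligible answer. This is an added example, not the authors' tooling. The sensor board, the request bytes, the reply format and the "noise unless the settings match" behaviour are constructed here to stand in for the USB-to-serial link; against real hardware the same probe would push each configuration through the real port (for instance with pyserial) instead of the fake board.

```python
"""Serial configuration enumeration plus request replay for attack example 3.
Added example: the sensor board, the request bytes, the reply format and the
'noise unless the settings match' behaviour are constructed to stand in for the
USB-to-serial link."""
import itertools
import random
import string
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class SerialConfig:
    baud: int
    data_bits: int
    parity: str   # 'N', 'E' or 'O'
    stop_bits: int


# The handful of settings most embedded boards ship with, tried first.
COMMON: List[SerialConfig] = [
    SerialConfig(9600, 8, "N", 1), SerialConfig(115200, 8, "N", 1),
    SerialConfig(19200, 8, "N", 1), SerialConfig(38400, 8, "N", 1),
    SerialConfig(57600, 8, "N", 1),
]
BAUDS = [300, 1200, 2400, 4800, 9600, 14400, 19200, 38400, 57600, 115200, 230400]


def candidate_configs() -> Iterator[SerialConfig]:
    """Common settings first, then every baud/data/parity/stop combination
    (132 distinct configurations with the lists above)."""
    seen = set()
    everything = (SerialConfig(b, d, p, s)
                  for b in BAUDS for d in (8, 7) for p in "NEO" for s in (1, 2))
    for cfg in itertools.chain(COMMON, everything):
        if cfg not in seen:
            seen.add(cfg)
            yield cfg


CAPTURED_REQUEST = b"GET DATA\r\n"  # constructed stand-in for the request seen on the bus


def looks_like_data(reply: bytes) -> bool:
    """Mismatched settings show up as framing noise; a correct setting yields
    printable, line-terminated ASCII."""
    try:
        text = reply.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.endswith("\r\n") and all(ch in string.printable for ch in text)


def find_config_and_replay(exchange: Callable[[SerialConfig, bytes], bytes]
                           ) -> Optional[Tuple[SerialConfig, int, bytes]]:
    """Replay the captured request under each configuration until the board
    answers intelligibly; returns (config, attempts, reply) or None."""
    for attempts, cfg in enumerate(candidate_configs(), 1):
        reply = exchange(cfg, CAPTURED_REQUEST)
        if looks_like_data(reply):
            return cfg, attempts, reply
    return None


class FakeSensorBoard:
    """Constructed sensor board: answers only at its real settings and deletes
    the readings once handed over, as the slide describes."""
    def __init__(self, config: SerialConfig, readings: List[Tuple[str, int]], seed: int = 1):
        self.config = config
        self.readings = list(readings)
        self._rng = random.Random(seed)

    def exchange(self, config: SerialConfig, request: bytes) -> bytes:
        if config != self.config or request != CAPTURED_REQUEST:
            return bytes(self._rng.randrange(256) for _ in range(24))  # framing noise
        reply = "".join(f"{name}:{value}\r\n" for name, value in self.readings).encode("ascii")
        self.readings.clear()
        return reply


def demo(board_config: SerialConfig, readings: List[Tuple[str, int]]):
    """Run the probe against a constructed board; returns
    (attempts, reply, readings left on the board) or None."""
    board = FakeSensorBoard(board_config, readings)
    found = find_config_and_replay(board.exchange)
    if found is None:
        return None
    return found[1], found[2], board.readings


if __name__ == "__main__":
    print(demo(SerialConfig(9600, 8, "N", 1), [("sensor-1", 42), ("sensor-2", 17)]))
```

The ordering is what makes the step cheap in practice: a board on one of the common settings is found on the first try, and even an unusual setting is reached within the full enumeration. The replay itself is unauthenticated, which is why the laptop, not the communication board, ends up holding the readings and the sensor board has already deleted them.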
SLIDE 20

Conclusion

  • IoT devices perform specific tasks
  • Formalize their operations
  • Formalize the attacker
  • Perform automated analysis
  • Find real vulnerabilities
  • Videos of attacks found by our technique: http://www.ece.ubc.ca/~faridm/acsac.html

"Formal Security Analysis of Smart Embedded Systems", Farid Molazem Tabrizi and Karthik Pattabiraman, Annual Computer Security Applications Conference (ACSAC), 2016