Formal Security Analysis of Smart Embedded Systems



SLIDE 1

Formal Security Analysis of Smart Embedded Systems

Farid Molazem, Karthik Pattabiraman
Dependable Systems Lab
University of British Columbia

SLIDE 2

Internet of Things

SLIDE 3

Real attacks against IoT

  • [Koscher 2010, Zetter 2010]
SLIDE 4

Security Mechanisms

  • Hardware-based techniques [Schellekens 2008]
  • Remote Attestation [LeMay 2007, LeMay 2009]
  • Intrusion detection systems [Wenjie Hu 2003, Ahmed U 2009, Wagner 2001, Giffin 2004]

(Figure: an IDS watching the network; the traffic is labelled "Looks Legit!")

SLIDE 5

Security Analysis

  • Attack trees [Byres 04, Morais 09]
    • Predefined attack goals
    • Manual search
  • Attack graphs [Jha 02, Sheyner 02]
    • Need vulnerabilities of the hosts
  • Formal analysis [Delaune 10, Miculan 11]
    • Targets well-defined protocols
SLIDE 6

Idea

  • IoT devices perform specific tasks
  • Define the right abstraction
    • Not too low level, not too high level
  • Opens door to formal analysis

(Figure label: Abstraction)

SLIDE 7

High-level picture

(Figure: boxes labelled System specification, Security expert (Us), Formal model of the system, Formal model of attacker, User, Source code, Attacks)

SLIDE 8

Abstraction – step 1

(Figure: System Model, Attacker Model, Analysis, Attacks, Changes to the System Model; labels: Rewriting System Model, Rewriting Logic)

SLIDE 9

Abstraction – step 1

  Start → sensorData(0, 0)
  sensorData(r, n) → sensorData(r, n) sensorData(r+1, 0)
  sensorData(r, n) → sensorData(r, n+1)

(Figure: state machine with states start, Receive data, Store data)

Rewriting logic:

  • Rewrite rules
  • Equations
SLIDE 10

Abstraction – step 2

(Figure: Design Specifications mapped to one Formal model per component: Comp. 1, Comp. 2, Comp. 3) [Molazem 14]

SLIDE 11

Abstraction – step 3

  sensorData(c1, v1) sensorData(c2, v2) sensorData(c3, v3) → sensorData(c1, v1) sensorData(c3, v3) if c2 = i

Attacker action: e.g. access to the ith sensor channel

State space

  Start → receive(c1, v1) where v1 < 0

Explicit model checking

SLIDE 12

Abstraction – step 4

(Figure: Formal attack paths, Control Flow Graph, Source code)

SLIDE 13

Case study

SEGMeter: an open source smart meter
  • Sensor board: receive raw data
  • Communication board: talk to server
  • Code base: Lua and C (~3000 LOC)

SLIDE 14

Threat model

  • Access
    • Read/Write access to communication interfaces [McLaughlin et al. 2010]
    • Root access to a node in grid network [Mo et al. 2012]
  • Actions
    • Drop messages
    • Replay messages
    • Reboot meter

SLIDE 15

Evaluation

  • Q1: Performance
  • Q2: Practicality

SLIDE 16

Evaluation

Performance

  • Using Maude [Clavel 15]: http://maude.cs.illinois.edu/
  • 3.4 GHz CPU, 16GB RAM: reasonable time
  • Less than a second → up to 2 hours
SLIDE 17

Evaluation

Practicality

  • Query for paths to unsafe states
  • Some map to the same execution path

  search sensor(N1, M1) sensor(N2, M2) sensor(N3, M3) ⇒ stored(N1, M1) stored(N2, M2)

SLIDE 18

Attack example

(Figure: meter cycle with states start, Receive new data, Add to old data, Send to server, and a Reboot transition)

  S1 → S2 where data(s1) not sent & cycle=start

SLIDE 19

Attack example

    function update_node_list()
      all_data = get_node_list()
      all_data = merge_table(current, all_data)
      data_file = assert(io.open(dataFile, "w"))  -- open file in write mode: the existing data file is truncated here
      -- vulnerability window: until close() succeeds, a reboot loses the data
      for key, value in pairs(node_list) do
        data_file:write(data)
      end
      assert(data_file:close())
    end
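The reboot-inside-the-window attack above, together with the unsafe-state search query on slide 17, as an added example that is not part of the talk or of the SEGMeter code: a small Python model of the store step with the threat model's reboot action, searched explicitly for a path to an unsafe state the way the Maude search query is, then re-run with an assumed hardened variant (write a temporary file and rename it over the old one) that the talk does not describe. The readings, state layout and rule labels are constructed.

```python
from collections import deque

# Constructed finite abstraction (added example, not the authors' Maude model) of the
# SEGMeter store step: readings arrive, update_node_list() merges them with the data
# file, opens it in "w" mode (truncating it), writes and closes. Reboot can happen any time.
READINGS = (("ch0", 1), ("ch1", 2))      # constructed sample sensor readings
IDLE, WRITING = "idle", "writing"

def successors(state, atomic):
    """Rewrite rules. state = (received, disk, persisted, seen, phase)."""
    received, disk, persisted, seen, phase = state
    if phase == IDLE:
        for r in READINGS:               # receive: a reading arrives on a channel
            if r not in seen:
                yield f"receive({r[0]})", (received | {r}, disk, persisted, seen | {r}, phase)
        if received:                     # open: merge old data in memory, then open the file
            # vulnerable: io.open(dataFile, "w") empties the live file first;
            # assumed hardened variant: write a temp file, rename it over the old one on close
            new_disk = disk if atomic else frozenset()
            yield "open", (received | disk, new_disk, persisted, seen, WRITING)
    else:
        yield "close", (frozenset(), received, persisted | received, seen, IDLE)
        # attacker action from the threat model: reboot inside the window. In-memory data
        # is lost either way; only the truncating version also loses what was on disk.
        yield "reboot", (frozenset(), disk, persisted, seen, IDLE)

def unsafe(state):
    # unsafe: the meter is idle and a reading that was once persisted is gone from disk
    received, disk, persisted, seen, phase = state
    return phase == IDLE and not persisted <= disk

def search(atomic):
    """Breadth-first explicit-state search (cf. the Maude 'search' on slide 17):
    returns the rule labels of the shortest path to an unsafe state, or None."""
    start = (frozenset(), frozenset(), frozenset(), frozenset(), IDLE)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if unsafe(state):
            path = []
            while parent[state] is not None:
                label, state = parent[state]
                path.append(label)
            return path[::-1]
        for label, nxt in successors(state, atomic):
            if nxt not in parent:
                parent[nxt] = (label, state)
                queue.append(nxt)
    return None
```

search(atomic=False) returns the six-step path receive, open, close, receive, open, reboot, i.e. a second batch of data triggers a rewrite that truncates the file and the reboot discards the history; search(atomic=True) returns None because no unsafe state is reachable.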

SLIDE 20

Attack example (video)

SLIDE 21

Discussion

  • Applicability to other devices
    • Cars (AUTOSAR)
    • Medical devices
  • Model correctness
    • Refine the model
    • Abstraction level
  • The model is extensible
SLIDE 22

Conclusion

  • IoT devices perform specific tasks
  • Abstract out their operations
  • Formalize them
  • Formalize the attacker
  • Perform automated analysis
  • Find real vulnerabilities

www.ece.ubc.ca/~faridm faridm@ece.ubc.ca