Securing Industrial IoT Device Attestation, Software Updates, and - - PowerPoint PPT Presentation


Securing Industrial IoT: Device Attestation, Software Updates, and Data Protection. Mauro Conti, University of Padua. Slides prepared with the support of Daniele Lain and Moreno Ambrosin. SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017,


SLIDE 1

1/# Mauro Conti Do we need a holistic approach for the design of secure IoT systems?

Securing Industrial IoT

Device Attestation, Software Updates, and Data Protection

Mauro Conti, University of Padua

Slides prepared with the support of Daniele Lain and Moreno Ambrosin

SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017, Singapore

SLIDE 2

Intro and Expertise

SLIDE 4

Insecure Things… Mirai

Mirai: IP Cameras hack in October/November

SLIDE 5

Insecure Things… Wannacry

Targeting the most devices:

  • Now: PCs
  • Soon? IoT!

SLIDE 9

Outline

Securing Industrial IoT:

  • Attestation
  • Software Update
  • Data Protection

SLIDE 11

System Security

Remote Attestation

  • Remote Attestation (RA) is an interactive protocol
      ○ A useful tool to detect software attacks
      ○ e.g., malware injected on a device, firmware replacement
  • Allows a prover to compute a cryptographic proof of the status of its configuration (e.g., SW+data)
      ○ Called a measure, typically a hash of what you want to measure
      ○ Security is ensured by HW support on the prover
  • A verifier collects this proof remotely and checks whether the collected measure is “valid” or not, i.e., is an expected one
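
The single-prover exchange described on this slide, as an added example that is not part of the original slides and is not SANA. It assumes a symmetric key shared between prover and verifier and an HMAC over nonce and measure; the names `measure`, `Prover` and `Verifier` are illustrative.

```python
import hashlib
import hmac
import os

def measure(firmware: bytes, config: bytes) -> bytes:
    """The measure: a hash over what is attested (here SW + data)."""
    h = hashlib.sha256()
    for part in (firmware, config):
        # Length prefix keeps (b"ab", b"c") distinct from (b"a", b"bc").
        h.update(len(part).to_bytes(8, "big") + part)
    return h.digest()

class Prover:
    """Device side. `key` stands in for a secret that HW support keeps
    away from the (possibly compromised) software being measured."""
    def __init__(self, key: bytes, firmware: bytes, config: bytes):
        self._key, self.firmware, self.config = key, firmware, config

    def attest(self, nonce: bytes):
        m = measure(self.firmware, self.config)
        proof = hmac.new(self._key, nonce + m, hashlib.sha256).digest()
        return m, proof

class Verifier:
    def __init__(self, key: bytes, expected_measures):
        self._key = key
        self._expected = set(expected_measures)
        self._pending = set()          # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, m: bytes, proof: bytes) -> str:
        if nonce not in self._pending:
            return "rejected: unknown or reused nonce"
        self._pending.discard(nonce)   # each challenge is single use
        good = hmac.new(self._key, nonce + m, hashlib.sha256).digest()
        if not hmac.compare_digest(good, proof):
            return "rejected: bad proof"
        return "valid" if m in self._expected else "invalid: unexpected measure"
```

The fresh nonce is what stops a device from replaying a proof recorded while its software was still in the expected state.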

SLIDE 12

System Security

Remote Attestation

In a 1 verifier and 1 prover setting, RA is a well-established research area

Problem: How to verify the integrity of a network of devices?

  ○ More efficiently than individually!

SLIDE 13

System Security

Remote Attestation

We proposed SANA, a protocol for network attestation that:

  • Improves scalability via in-network aggregation of proofs
  • Is end-to-end secure
      ○ Security relies mainly on OAS unforgeability
      ○ Improved resiliency to hardware attacks
      ○ Detects attempts to modify attestation proofs from devices
  • Has manageable overhead on the (low) end devices
  • Is publicly verifiable
  • Verification is linear in the number of “bad provers”
      ○ Depends on the “strength” of the attacker
  • If the network is OK, has constant verification overhead
      ○ Most frequent case in practice

SLIDE 14

System Security

Remote Attestation

We evaluated SANA [1]

  • Implementing it on a research platform
  • Via simulation (for large scale tests)

[1] M Ambrosin, M Conti, A Ibrahim, G Neven, AR Sadeghi, M Schunter. SANA: Secure and Scalable Aggregate Network Attestation. In ACM CCS 2016

SLIDE 15

Outline

Securing:

  • Attestation
  • Software Update
  • Data Protection

SLIDE 16

Update distribution architecture

Management entity

  • Software updates
  • Device monitoring
  • Commands delivery
  • May be deployment’s owner

Proprietary or third-party distribution network

  • CDN, NDN, Fog Layer, ...
  • Data Caching & Aggregation

Deployment

  • Heterogeneous
  • Potentially large scale

SLIDE 17

Update adversary model

  • Trusted entity
  • Device integrity may be compromised
  • Can be controlled by an adversary
  • Cannot be trusted for
      ○ Integrity
      ○ Authenticity
      ○ Confidentiality
  • Guarantees availability

SLIDE 18

Update design requirements

  1. Minimize windows of exposure [Bilge and Dumitras, ACM CCS ‘12]
  2. End-to-end security and scalability
  3. Access control on the software
      ○ Software may be proprietary

#9 of OWASP IoT top 10 Vulnerabilities(*)

(*) https://www.owasp.org/index.php/Top_IoT_Vulnerabilities

[Figure: window of exposure timeline: Vulnerability is introduced → Exploit is created by the attacker → Vulnerability is discovered by the vendor → Vulnerability is publicly disclosed → Patch is released → Patch is delivered and installed]

SLIDE 19

Updaticator

  • Protocol for end-to-end updates confidentiality and integrity
  • Uses Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
      ○ To enforce access control based on device attributes
      ○ Allows linear complexity in the number of attributes
  • Leverages untrusted caches to speed up distribution
  • Evaluated on top of ICN/NDN
      ○ Novel networking paradigm providing cache at the network layer
      ○ Results showed improved scalability w.r.t. direct fetching

[1] M Ambrosin, C Busold, M Conti, AR Sadeghi, M Schunter. Updaticator: Updating billions of devices by an efficient, scalable and secure software update distribution over untrusted cache-enabled networks. In ESORICS 2014

SLIDE 20

Outline

Securing:

  • Attestation
  • Software Update
  • Data Protection

SLIDE 21

IoT permission models

Existing IoT frameworks only have permission based access control

  • Permissions control what data an app can access
  • Permissions do not control how apps use data, once they have access

Did not work on mobile (see Android permissions) ...will not work on IoT!

SLIDE 22

Potential Abuses

Consumer App

  • Unlock door if face is recognized
  • Home-owner can check activity from Internet
  • App needs to compute on sensitive data to provide useful service
  • But has the potential to leak data

[Figure labels: APP; Publisher of Sensitive Data; Sink; Source; Sink]

SLIDE 23

[1] E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, A. Prakash. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In USENIX Security 2016

FlowFence

  • Support of diverse publishers and consumers of data, with publisher and consumer flow policies
  • Allows use of existing languages, tools, and OSes

Language-based flow control

  • Restructure apps to obey flow rules
  • Developer declares flows

Label-based flow control

  • Component-level information tracking
  • Flow enforcement through label policies
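
A toy model of label-based flow control for the door-unlock app from the previous slide, as an added example that is not part of the original slides and is not FlowFence's API. The label names, sink names and `POLICY` table are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Labeled:
    """A value plus the set of source labels (taint) it was derived from."""
    value: object
    labels: frozenset = frozenset()

def publish(value, label):
    """Publisher side: sensitive data enters the system already labeled."""
    return Labeled(value, frozenset([label]))

def run_component(func, *inputs):
    """Component-level tracking: the output carries the union of the labels
    of every input the component saw, whatever the code inside computed."""
    labels = frozenset().union(*(i.labels for i in inputs))
    return Labeled(func(*(i.value for i in inputs)), labels)

class FlowDenied(Exception):
    pass

# Constructed label policy: which source labels may reach which sink.
POLICY = {
    "door_lock": {"camera"},
    "internet": set(),
}

def send_to_sink(sink, data, log):
    """Enforcement point: every label on the data must be allowed at the sink."""
    blocked = data.labels - POLICY.get(sink, set())
    if blocked:
        raise FlowDenied(f"{sorted(blocked)} -> {sink}")
    log.append((sink, data.value))

def demo():
    log = []
    frame = publish(b"<camera frame>", "camera")      # constructed sample data
    match = run_component(lambda f: f.startswith(b"<camera"), frame)
    send_to_sink("door_lock", match, log)             # allowed by policy
    try:
        send_to_sink("internet", match, log)          # derived data keeps its label
        leaked = True
    except FlowDenied:
        leaked = False
    return log, leaked
```

A permission check alone would have let the app send `match` anywhere once it had camera access; here the label travels with the derived value and the sink decides.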

SLIDE 24

Thanks!

Mauro Conti conti@math.unipd.it

SLIDE 25

Backup slides... ...Backup slides beyond this point...