Security - Institut für Informatik

Information Security of Embedded Systems
2.12.2009: Foundations of Security II
Prof. Dr. Holger Schlingloff
Institut für Informatik und Fraunhofer FIRST
Structure
1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods
Embedded Security © Prof. Dr. H. Schlingloff 2009
2.12.2009
2
Security – Basic Terms
• System, computational system
 ownership of information
• RAMS
• Safety vs. security
• Threats, attacks, security holes
 Modelling system, stakeholders, boundaries, intentions
• Example: Internet Thermostat
More Basic Terms
• Access (Zugriff)
 interaction between a subject (with intentions) and an object (a computational system)
 If the access modifies the object, it is a write access, otherwise a read access
 in embedded systems: read access to sensor values, write access to actuator values, read/write access to internal data
 An access is authorized if the owner of the information approves of it at the time it occurs (the access is in the intent of the owner)
• Security (Informationssicherheit)
 ability of a system to inhibit or restrict unauthorized access to the system (no threats to the system’s information from outside subjects)
 confidentiality (Vertraulichkeit): no unauthorized read access
 integrity (Integrität): no unauthorized write access
Communication Threats
• e.g., TCP/IP protocol stack
• Example packet
Homework: Monitor your connections!
• e.g., Microsoft Network Monitor
Link layer attacks
Security hole via physical access to a wired network (hardware monitoring devices)
• e.g. ARP masquerading: rerouting of information
 send unrequested ARP reply which associates own HW-id with IP-address of victim
 server “updates” cache information
• WLAN, Bluetooth, ZigBee security?
 embedded devices communicate wirelessly
 security measures in increasing sophistication
 cf. ch. 5.2
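A defender-side check for the ARP masquerading pattern just described, added here as an example and not code from the lecture: a monitor that keeps its own IP-to-MAC table and flags an unrequested reply that rebinds a known address. The packet trace and all addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_mac: str  # hardware address the sender claims
    sender_ip: str   # IP address the sender claims
    target_ip: str   # address being resolved (request) or the requester (reply)


class ArpMonitor:
    """Keeps its own IP -> MAC table instead of trusting each reply."""

    def __init__(self):
        self.bindings = {}        # ip -> mac learned from earlier traffic
        self.outstanding = set()  # IPs asked for by a request, not yet answered
        self.alerts = []

    def observe(self, pkt):
        if pkt.op == "request":
            self.outstanding.add(pkt.target_ip)
            return
        unsolicited = pkt.sender_ip not in self.outstanding
        self.outstanding.discard(pkt.sender_ip)
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac  # first sighting: learn it
        elif known != pkt.sender_mac:
            # a reply that would rewrite an existing binding is the poisoning
            # signature; the old binding is kept so repeats keep alerting
            kind = "unsolicited" if unsolicited else "solicited"
            self.alerts.append(
                f"{kind} ARP reply rebinds {pkt.sender_ip}: {known} -> {pkt.sender_mac}")


def run_demo():
    # constructed trace: host .5 resolves the gateway .1, then a third
    # station answers for .1 with its own hardware address
    trace = [
        ArpPacket("request", "02:00:00:00:00:05", "10.0.0.5", "10.0.0.1"),
        ArpPacket("reply", "02:00:00:00:00:01", "10.0.0.1", "10.0.0.5"),
        ArpPacket("reply", "02:00:00:00:00:66", "10.0.0.1", "10.0.0.5"),
    ]
    mon = ArpMonitor()
    for pkt in trace:
        mon.observe(pkt)
    return mon
```

A gratuitous ARP for an address never seen before is learned silently; only a change of an existing binding raises an alert.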
Network layer attacks (1)
• Address spoofing: Attacker pretends to be somebody else (via manipulated IP-headers)
 Flooding attacks
- direct: SYN-Flooding
- indirect: Smurf
Network layer attacks (2)
• Eavesdropping of IP-packets (tcpdump)
 IP provides unencrypted communication (no confidentiality, integrity, authenticity, ...)
 routing nondeterministic
- strict source routing attack
- RIP (routing information protocol) and redirect attack
Transport layer attacks (1)
• Access via faked packets
 TCP: sequence numbering / acknowledgement
 upon receipt of a connection request, the server generates a new sequence number, sends it back, and waits for an acknowledgement
 “guessing” of ack numbers allows write access
- blocking of receipt at victim’s site
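An audit of the sequence-number step described above, added here as an example and not code from the lecture: it measures how often the next ISN a server hands out can be guessed from the previous two, once for a constructed fixed-increment generator and once for a generator backed by a cryptographic RNG. Both generators, the step size and the sample count are assumptions made for the demonstration.

```python
import secrets

MOD = 1 << 32  # TCP sequence numbers are 32-bit


def legacy_isn_source(step=64000):
    """Constructed legacy-style generator: a fixed increment per connection."""
    isn = 12345
    while True:
        isn = (isn + step) % MOD
        yield isn


def random_isn_source():
    """Generator drawing each ISN from a cryptographic RNG."""
    while True:
        yield secrets.randbelow(MOD)


def guess_rate(source, samples=200):
    """Fraction of ISNs hit exactly by the simplest guess: continue the
    increment observed between the previous two ISNs (linear extrapolation).
    A rate near 1.0 means an observer who saw two connections of their own
    can name the ISN of a connection they cannot see."""
    prev, last = next(source), next(source)
    hits = 0
    for _ in range(samples):
        guess = (last + (last - prev)) % MOD  # modular arithmetic handles wraparound
        actual = next(source)
        hits += guess == actual
        prev, last = last, actual
    return hits / samples


def audit():
    """Returns the guess rate for both constructed generators."""
    return {
        "fixed-increment": guess_rate(legacy_isn_source()),
        "cryptographic-rng": guess_rate(random_isn_source()),
    }
```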
Transport layer attacks (2)
• “session hijacking”
 eavesdrop communication
 kill client
 use false packets to continue communication, e.g., install backdoor on server
Application Layer Threats (1)
• Web Applications, E-Mail: viruses, worms, trojans, …
 responsible for 90% of present-day security problems
 mobile code, e.g. ActiveX, VB Scripts
 MIME threats: attachments, links, …
 no security guaranteed (esp. authenticity)
• ftp, telnet, rlogin, rsh
 password encryption?
 anonymous FTP: write access?
• NFS: false mounting of exported files
 NFS masquerading: UID on untrusted hosts can be arbitrarily manipulated
 faking of NFS file handles (replay attack)
 similar problems with NetBIOS (workgroup or password-level access)
Application Layer Threats (2)
• NIS
 supplies password information to outside
 password shadowing
• HTTP Cookies: Write access
 “permission assumed”
 personal data, e.g., passwords, user profiles
 disallow by default!
• CGI-scripts
 execution of arbitrary commands on server
 errors in scripts can open security holes
 minimal rights principle!
• DNS poisoning: Attacker fudges IP number / name assignment
 system access via .rhosts and rlogin
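The CGI hazard above (execution of arbitrary commands on the server, opened by an error in the script) as a vulnerable handler beside its hardened form; an added example, not code from the lecture. The request parameter values are constructed, and echo stands in for a real lookup tool so the demo runs offline.

```python
import re
import subprocess

# allow-list of what a hostname may look like; anything else is rejected
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_hostname(param):
    return HOSTNAME_RE.fullmatch(param) is not None


def lookup_vulnerable(param):
    """Builds a shell command line by string concatenation: shell
    metacharacters in the parameter become part of the command, so the
    client, not the script, decides what runs on the server."""
    result = subprocess.run("echo " + param, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_hardened(param):
    """Fail-safe default: reject anything that is not a hostname, then pass
    the value as one argv element so no shell ever parses it. The script
    itself should also run under an account with only the rights the lookup
    needs (minimal rights principle)."""
    if not is_valid_hostname(param):
        raise ValueError("parameter is not a hostname")
    result = subprocess.run(["echo", param], capture_output=True, text=True)
    return result.stdout


# constructed request parameters
BENIGN = "sensor-gw.example"
HOSTILE = "sensor-gw.example; echo INJECTED"
```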
General Construction Principles
• Fail-safe defaults principle
 access denied if not explicitly allowed
• Complete mediation principle
 each access has to be supervised
• Need-to-know principle
 each subject has exactly the rights needed for its tasks
• Open design principle
 security does not depend on design knowledge
 “no security by obscurity”
• Economy of mechanisms principle
 measures must be efficient and easy to use
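A reference monitor for the internet thermostat of the lecture's introductory example that encodes the access definitions from "More Basic Terms" (read access to sensor values, write access to actuator values, authorized = in the intent of the owner) together with the fail-safe defaults, complete mediation and need-to-know principles above; an added example, not code from the lecture, with constructed subjects, values and policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    subject: str  # who acts: constructed names "owner", "display", "remote"
    obj: str      # "sensor" or "actuator"
    op: str       # "read" or "write"


class ReferenceMonitor:
    """Decides every access against the owner's explicit policy and records it."""

    def __init__(self, policy):
        self.policy = policy  # (subject, obj) -> ops the owner explicitly allows
        self.audit = []       # complete mediation: no access bypasses this log

    def check(self, access):
        # fail-safe default: anything not explicitly granted is denied
        allowed = access.op in self.policy.get((access.subject, access.obj), set())
        self.audit.append((access, allowed))
        return allowed


class Thermostat:
    """Sensor values are read and actuator values written only via the monitor."""

    def __init__(self, monitor):
        self.monitor = monitor
        self.temperature = 21.0  # sensor value (constructed)
        self.setpoint = 20.0     # actuator value (constructed)

    def read_temperature(self, subject):
        if not self.monitor.check(Access(subject, "sensor", "read")):
            raise PermissionError("confidentiality: unauthorized read access")
        return self.temperature

    def write_setpoint(self, subject, value):
        if not self.monitor.check(Access(subject, "actuator", "write")):
            raise PermissionError("integrity: unauthorized write access")
        self.setpoint = value


# need-to-know: the display shows the temperature and needs nothing else;
# "remote" appears in no entry, so every access from it falls to the default
POLICY = {
    ("owner", "sensor"): {"read"},
    ("owner", "actuator"): {"read", "write"},
    ("display", "sensor"): {"read"},
}


def build_thermostat():
    return Thermostat(ReferenceMonitor(POLICY))
```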
System Construction Phases (1)
“Design for security”: respect security issues in each phase, enrich life cycle by special (sub-) phases
1. System requirements analysis
 System environment, functionality, use scenarios
 necessary components, available resources
2. Threat and risk analysis
 list vulnerabilities and possible attacks
 estimate potential damage and occurrence probability
3. Security strategy and security model
 derive and classify necessary security mechanisms
- effort, cost, importance, ...
 build a model of the system and prove properties
System Construction Phases (2)
4. System architecture (coarse-grained design)
 Realisation of the model
 Interface definitions, services and protocols, module decomposition
5. Module definition (fine-grained design)
 algorithms, data and control structures, ...
 adaptation or extension of existing architectures and modules
6. Module and system implementation
 Coding and integration of components
System Construction Phases (3)
7. Validation, testing and evaluation
 code inspection, module testing, integration testing
- (e.g., find logical time bombs, security holes, hidden channels)
 testing of security measures
 validation of implementation of security model
8. Security classification
 according to different criteria catalogues (TCSEC, ITSEC, ...)
 certification authorities, e.g., TÜV, BSI
9. Installation, maintenance
 establishment of security infrastructure
 assert that security policy is being followed, fixing of known security holes etc.
Construction of Secure Systems
• Security engineering: “The effort to achieve and maintain optimal security and survivability of a system throughout its life cycle” [InfoSec 1999]
 Integration with the SW-engineering process
 New phases: Threat and risk analysis, security strategy; Security classification, infrastructure
• Lit.:
 Ross Anderson, Security Engineering; Addison-Wesley, 2001 (Case Studies)
 Nancy G. Leveson, Safeware; Addison-Wesley 1995 (Safety)
 Ed Amoroso, Fundamentals of Computer Security Technology