Post on 18-Dec-2015
Building Security into Embedded Systems:Validating Theoretical Designs using Experimental
Platforms
Yuan XueInstitute for Software Integrated Systems Vanderbilt University
A joint work withMatthew Eby, Janos Mathe, Jan Werner, Taojun Wu, Gabor Karsai, Sandeep Neema, Janos Sztipanovits, Akos Ledeczi
Outline
• Introduction• Challenge• Approach• Two Projects
– Experiment Platform for Model-based Secure Embedded System Design
– Application-Driven Testbed for Wireless Sensor Network Security Analysis and Design
Introduction
• Embedded systems – Low end: cellphones, PDAs, sensors, smartcards– High end: routers, home appliances
• They are– Interactive with physical world – Pervasive in our daily life– Essential for national critical infrastructure
• Currently embedded systems are migrating – From proprietary solutions to open standard– From standalone systems to networked
environments
Increasing concern of security threats in embedded systems
Challenge
• Security solutions developed in the context of desktop-based operating systems and networks– Cryptography, – Secure network protocol– Etc.
• Designing secure embedded systems faces unique challenges– Embedded system design is a systems-software co-design
problem needs to meet cross-cutting requirements in terms of performance and physical constraints
– Securing embedded systems involves more issues than what are addressed for desktop computing
• Resource constraint • Development model and environment
Applying existing security mechanisms as the additions of functional features is insufficient to secure embedded systems
Approach
• Our approach– security consideration as an integral part
throughout the design process, – security design to be validated over the
software and system platforms.
• This talk will present two experimental platforms– Plant control system– Wireless sensor network
Secure embedded system design needs to be validatedusing the experimental platforms
Experimental Platform for
Model-Based Secure Embedded System Design
Overview
• Model-based Approach to Embedded System Design
• Integrate Security into Model-based Approach
• Experiment Platform Architecture• Demonstration System
Model-based Approach
Models facilitate formal analysis, verification, validationand generation of embedded systems
Functional Models
ComponentModels
Componentized Model Platform
Model
Deployment Model
Generators(Interpreters)
Composition Platform(e.g.: AADL)
HW/SW Architecture(Windows, Linux)
Source Files(e.g.: SimuLink, Hand crafted code, etc.)
Integrate Security into Models
Generators(Interpreters)
Secure Composition Platform(e.g.: AADL security extension)
Hardware, OS service(e.g.: Kernel partition)
Source Files(e.g.: SimuLink, Hand crafted code, etc.)
Security Extension examples
• Role Based Access Control
• Secure Links• Fair Exchange
Functional Model
Component Model
Secure Componentized Model
PlatformModel
Deployment Model
Securityextension
Securityservice
Secure Component Structure Model
Securitypolicy
Advantages
• Advantages to integrate security into model-based embedded system development– Introducing security at design level– Verifying required security properties using
explicit security models– Consistent and automatic configuration of
security services offered by the operating system
– Investigating design tradeoffs between performance and security properties
An Example based on AADL
• AADL (Architectural Analysis and Design Language – SAE Aerospace Standard (AS5506)– provide a standard interface and
environment for system designers to model, analyze and generate embedded system code. AADL Components
AADL Metamodel
AADL Security Extension
An example security mechanism
Role-based Access Control
• Objects – subject to access control
• Operations – execution of some functions on objects
• Permissions – approval to perform operation on RBAC protected object
• Roles – job with assigned authority and responsibility
• Users – human being, machine, network or agent requesting operation on objects
Security Extension Metamodel
Platform Security Service Modeling
Security Service Providers• OS (ex: Linux, LynxOS, WinCE)• HW (ex: Space Partitioning,
Memory protection)• Services of different
applications• (ex: Web Browser Based
Authentication)• Partition in OS
Platform Security Models with sufficient detail enable Code Generators to access Platform Specific Security Services
Theoretical Security Concepts (Platform Independent)
Theoretical Security Concepts (Platform Independent)
SecurityRequirementsof a System
Existing Security Solutions Provided Different Platforms
Existing Security Solutions Provided Different Platforms
SecurityCapabilitiesof a Platform
Mapping between requirementsand underlying capabilities
( Ideally requirements are thesubset of the capabilities )
Platform Security Service Model-- Abstracts out security properties of the platform that are essential for the design flow
Software Architecture with Security Extension
Embedded Hardware Target
Real-TimeOperating System
AADL Runtime System
Application Software
Component
Application Software
Component
Application Software
Component
Embedded Hardware Target
Real-Time Operating System
OS Security Extension
App App App
AADLRuntimeSystem
Application Software
Component
AADLRuntimeSystem
Application Software
Component
AADLRuntimeSystem
Application Software
Component
API
API
AADL Execution Environment
AADL Extended AADL
Experimental Platform Architecture
10/100BASE-T or 802.11b
PlantSimulator
Data Acquisition Board (DAQ)
EmbeddedSystem Board
EmbeddedSystem Board
EmbeddedSystem Board
The Data Acquisition Board interfaces plant simulation with embedded system boards
The Plant Simulator acts as the physical environment in which the embedded system would run
The embedded system boards run distributed control algorithms
Implementing Systems on Platform
• The experimental platform facilitates “Hardware”-in-the-Loop testing of controllers.
• High fidelity plant simulations behave just as the actual physical environment would.
• Controllers can run on various operating systems with different security designs.
• Code for controllers is generated based on security models for the embedded system
Putting things Together!
10/100BASE-T or 802.11b
PlantSimulator
Data Acquisition Board (DAQ)
EmbeddedSystem Board
EmbeddedSystem Board
EmbeddedSystem Board
Automatic Code Generation and Deployment
Ref
eren
ce
Th
e p
rocess o
f A
AD
L c
od
e
gen
era
tion
Results
• Real-Time Simulation of Three Tank Fluid Transfer System
• With I/O register protection only the tank control process has permission to write to I/O channels
• Model-Based approach can map desired security properties to underlying platform services such as POSIX capabilities (e.g. CAP_SYS_RAWIO)
Application-Driven Testbed for
Secure Wireless Sensor Network Design
Dirty Bomb Detection & Localization
Stadium with Sensors Deployed
Google Earth Illustration of Localization System
Automatic Camera Feed
~12 Static XSM Motes (positions known )
Guard moves with an XSM Mote, tracked by RIPS technology
Architecture
Rad level servlet and camera glue code
Tracking service anduser interface
Nextel/Internet
Mote network
Camera controlnode (Linux)
Jumbotroncontroller
VGA to NTSCadapter
Rad detector, mobile phone
mote
Internet
System Vulnerabilities
Rad level servlet and camera glue
code
Tracking service and
user interface
Nextel/Internet
Mote network
Camera controlnode (Linux)
Jumbotroncontroller
VGA to NTSCadapter
Rad detector, mobile phone
mote
Internet
Mac/Link
Network
Application/Service
Physical• Jamming
• Bogus tracking results• Tracking commandSpoofing• Battery consumption attack
• MAC DoS• Eavesdropping
• Packet dropping• Mis-forwarding• ID spoofing• Forging routingInformation• Disclosing/modifying/replaying tracking results
Sensor network vulnerabilities
Traditional network/system vulnerabilities
• Denial of Service Attack• Information disclosing/modification/replaying• Address Spoofing• etc..
Security Issues in Sensor Networks
Security IssuesMechanisms
Jamming Physical
Mac/Link
Network
addressing
routing
forwarding
MAC DoS
Eavesdropping
Address spoofing
Forge routing information
Drop/forward to wrong neighbor
Release/modify contentMsg Auth Code
Application
/ServiceEncryption
Secure Routing
Source Authentication
Link Level Encryption
Attach Detection
User ID spoofingUser Authentication
Peer Authentication Scheme
• Objective– Provide efficient, effective, and flexible peer
sensor authentication
• Basic Idea – Symmetric-key based (SkipJack in TinySec)– Each sensor node has a different set of keys
through a pre-key distribution scheme– Multiple MACs are generated for each
message from a sensor node– MACs are verified at the receiver sensor
using its common keys with the sender
A Simple Example
A
D
B
C
1
4 2
3
A
D
B
C
D
C
B
C
C
I am C
You are not C, since you
don’t have key 3
You are not C, since you don’t
have key 2
I know you are not me.
Sensors A, B, C, D have different combination of overlapping keys:
A: 1, 4B: 1, 2C: 2, 3D: 3, 4
Sensor A pretends to be C, appends message authentication code (generated with key 1 & 4) to outgoing messages
Implementation and Results
• We implement the peer authentication scheme as a component (MultiMAC) under TinyOS (based on SkipJack in TinySec)
• Measurement Results– Computation time: 5.3 ms;– Verification time: < 0.1 ms, 1.3~1.4 ms or
2.5 ms, if receiver has 0, 1 or 2 keys in common with sender.
• Demonstration Video– Windows Media
Summary
• Security is an increasing concern in embedded system design
• Using a model-based approach, security can be considered as an integral part through design process
• Experiment platforms are critical to validate security designs
Thank you very much!
Questions?