Post on 28-May-2020
Towards a Secure Internet of Things
Philip Levis, Stanford University (representing many contributors)
http://iot.stanford.edu
Secure Internet of Things Project (SITP)
The Internet of Things (IoT)
A Security Disaster
• A 2014 HP security analysis of IoT devices [1] found
▶ 80% had privacy concerns
▶ 80% had poor passwords
▶ 70% lacked encryption
▶ 60% had vulnerabilities in UI
▶ 60% had insecure updates
[1] http://fortifyprotect.com/HP_IoT_Research_Study.pdf
Securing the Internet of Things
• Secure Internet of Things Project
▶ 5 year project (just started second year)
▶ 12 faculty collaborators
▶ 3 universities: Stanford, Berkeley, and Michigan
• Rethink IoT systems, software, and applications from the ground up
• Make a secure IoT application as easy as a modern web application
Team
• Philip Levis, Stanford, Faculty Director (Embedded Systems)
• Steve Eglash, Stanford, Executive Director
• Dawson Engler, Stanford, Software
• Mark Horowitz, Stanford, Hardware
• Christopher Ré, Stanford, Data Analytics
• Dan Boneh, Stanford, Cryptography
• Keith Winstein, Stanford, Networks
• Prabal Dutta, Berkeley/Michigan, Embedded Hardware
• David Mazières, Stanford, Security
• Björn Hartmann, Berkeley, Prototyping
• Raluca Ada Popa, Berkeley, Security
• David Culler, Berkeley, Low Power Systems
• Peter Bailis, Stanford, Database Systems
This Talk
• Technology trends: why today?
• Security: why is it so hard?
• Research: what we're doing
▶ Architectural principles
▶ Tock: a secure embedded OS
▶ TLS-RaR: network auditing
▶ Tethys: a sample application
(slide from the 15.iii.2005 Stanford Interview Talk)
The EmNets Vision
• "Information technology (IT) is on the verge of another revolution… The use of EmNets [embedded networks] throughout society could well dwarf previous milestones." [1]
• "The motes [EmNet nodes] preview a future pervaded by networks of wireless battery-powered sensors that monitor our environment, our machines, and even us." [2]
[1] National Research Council. Embedded, Everywhere, 2001.
[2] MIT Technology Review. 10 Technologies That Will Change the World, 2003.
Example Part: nRF51822
• Cortex-M0 with integrated 2.4GHz transceiver
▶ Supports Bluetooth Low Energy
▶ Two models: 32kB RAM/256kB flash or 16kB RAM/128kB flash
• DigiKey cost for 25,000: $1.99
This Talk
• Technology trends: why today?
• Security: why is it so hard?
• Research: what we're doing
▶ Architectural principles
▶ Tock: a secure embedded OS
▶ TLS-RaR: network auditing
▶ Macrobase: sifting through data
Internet(s) of Things
• Networked Devices
▶ Tens/person, uncontrolled environment, unlicensed spectrum, powered
▶ Driver: convenience
▶ WiFi/802.11, TCP/IP (IEEE/IETF)
• Personal Area Networks
▶ Tens/person, personal environment, unlicensed spectrum
▶ Driver: instrumentation; fashion vs. function
▶ Bluetooth, BLE, 3G/LTE (3GPP/IEEE)
• Home Area Networks
▶ Hundreds/person, uncontrolled environment, unlicensed spectrum
▶ Driver: convenience; consumer requirements
▶ ZigBee, Z-Wave, 6lowpan, RPL (IETF/ZigBee/private)
• Industrial Automation
▶ Thousands/person, controlled environment, high reliability
▶ Driver: control networks; industrial requirements
▶ WirelessHART, 802.15.4, 6tsch, RPL (IEEE/IIC/IETF)
IoT: MGC Architecture
• eMbedded devices → Gateways → Cloud → end application
▶ Devices to gateways: 6lowpan, ZigBee, Z-Wave, Bluetooth, WiFi, WirelessHART
▶ Gateways to cloud: 3G/4G, TCP/IP
• Languages and stacks across the tiers
▶ Devices: embedded C (ARM, avr, msp430); ZigBee, Z-Wave, Bluetooth, WiFi to the gateway
▶ Gateways and apps: Obj-C/C++, Java, Swift, Javascript/HTML; 3G/4G, TCP/IP to the cloud
▶ Cloud: Ruby/Rails, Python/Django, J2EE, PHP, Node.js
IoT Security is Hard
• Complex, distributed systems
▶ 10^3-10^6 differences in resources across tiers
▶ Many languages, OSes, and networks
▶ Specialized hardware
• Just developing applications is hard
• Securing them is even harder
▶ Enormous attack surface
▶ Reasoning across hardware, software, languages, devices, etc.
▶ What are the threats and attack models?
• Valuable data: personal, location, presence
• Rush to development + hard ➔ avoid, deal later
Architectural Principles
• Longevity: these systems will last for up to 20 years and their security must too.
• Transparency: we must be able to observe what our devices are saying about us.
• End-to-end: consider security holistically, from data generation to end-user display.
Tock Operating System
• Safe, multi-tasking operating system for memory-constrained devices
• Core kernel written in Rust, a safe systems language
▶ Small amount of trusted code (can do unsafe things)
- Rust bindings for memory-mapped I/O
- Core scheduler, context switches
• Core kernel can be extended with capsules
▶ Safe, written in Rust
▶ Run inside kernel
• Processes can be written in any language (asm, C)
▶ Leverage Cortex-M memory protection unit (MPU)
▶ User-level, traps to kernel with system calls
Tock: Secure Embedded OS (architecture diagram)
• Kernel (Rust)
▶ Core kernel (trusted): HAL, scheduler, config
▶ Capsules (untrusted): SPI, I2C, GPIO, Console, UART, Timer, …
• Processes (any language), each with its own memory
▶ Flash: text, data
▶ RAM: heap, stack, and a grant region used by the kernel
▶ Process-accessible memory is bounded by the MPU
Model Today
• Transport-layer security (TLS) between devices and cloud services
• Internet applications: we control one end point
▶ Can install new certificates, observe data
• IoT applications: we are a transit network
▶ Can't see or control what happens on either end
TLS-RaR: Rotate and Release(joint work with Keith Winstein and Dan Boneh)
Device to Cloud TLS (timeline)
• Begin TCP connection → TLS handshake → encrypted session (AES-GCM)
• Keys can be rotated mid-stream with a second handshake: TLS 1.2 renegotiate or resume, TLS 1.3 KeyUpdate. Each rotation starts a new epoch.
Device to Cloud TLS with a Twist (timeline)
• Handshake → Epoch 0 (AES-GCM) → rotate keys (reconnect, renegotiate, resume or KeyUpdate) → Epoch 1 (AES-GCM)
• Once the rotation is done, release the previous epoch (0) key; the current epoch's key is never released
Nice Properties
• Can audit IoT data streams
• Audit box's decryption yields the same stream of data as the endpoints' SSL_read() calls, but delayed
▶ Audit matches what was received
• Format of TLS on the wire is not changed
▶ Easy to reason about security of the protocol, easy to adopt
• For some existing servers no change is necessary
▶ Really easy to adopt
• Minimal change to OpenSSL on the device
▶ Easy to reason about security of the implementation
▶ Easy to adopt
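The rotate-and-release exchange from the preceding slides, as an added example written for this page; it is not code from the talk or from the TLS-RaR authors, and it simulates the record layer with Go's standard-library AES-GCM instead of touching OpenSSL. The names (Device, AuditBox, Scenario), the 16-byte keys, the counter nonce, the constructed shower readings and the convention that the epoch number is visible on the wire are all assumptions of the example. The point it makes concrete is the one the slides rely on: the audit box only ever holds keys of epochs that are already closed, so it can replay epoch 0 exactly but cannot read the live epoch, and the device structurally cannot leak the live key because the only way a key leaves it is by being rotated out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Record is one AES-GCM record as the audit box captures it on the wire.
type Record struct {
	Epoch uint32
	Nonce []byte
	Ct    []byte
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 16 bytes here: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Device models the IoT endpoint. It holds exactly one key: the live one.
type Device struct {
	epoch uint32
	key   []byte
	seq   uint64
}

func NewDevice() *Device { d := &Device{}; d.freshKey(); return d }
func (d *Device) freshKey() {
	d.key, d.seq = make([]byte, 16), 0
	if _, err := rand.Read(d.key); err != nil {
		panic(err)
	}
}

// Send seals one record under the live key; the wire format is plain AES-GCM.
func (d *Device) Send(plaintext string) Record {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], d.seq) // counter nonce, restarted per key
	d.seq++
	return Record{d.epoch, nonce, gcm(d.key).Seal(nil, nonce, []byte(plaintext), nil)}
}

// Rotate opens a new epoch (KeyUpdate, renegotiate, resume or reconnect in the
// real protocol) and returns the retired key. This is the only way a key ever
// leaves the device, so the live key can never be released.
func (d *Device) Rotate() (retiredEpoch uint32, retiredKey []byte) {
	retiredEpoch, retiredKey = d.epoch, d.key
	d.epoch++
	d.freshKey()
	return
}

// AuditBox captures ciphertext passively, per epoch, and can open an epoch
// only once its key has been released: it never reads the live stream.
type AuditBox struct {
	captured map[uint32][]Record
	keys     map[uint32][]byte
}

func NewAuditBox() *AuditBox { return &AuditBox{map[uint32][]Record{}, map[uint32][]byte{}} }
func (a *AuditBox) Observe(r Record)               { a.captured[r.Epoch] = append(a.captured[r.Epoch], r) }
func (a *AuditBox) Receive(epoch uint32, k []byte) { a.keys[epoch] = k }

// AuditEpoch replays one epoch in wire order: the same sequence the endpoint's
// SSL_read() returned, delayed until the key was released.
func (a *AuditBox) AuditEpoch(epoch uint32) ([]string, error) {
	key, ok := a.keys[epoch]
	if !ok {
		return nil, fmt.Errorf("epoch %d key not released yet", epoch)
	}
	var out []string
	for _, r := range a.captured[epoch] {
		pt, err := gcm(key).Open(nil, r.Nonce, r.Ct, nil)
		if err != nil {
			return nil, err // tampered record: the audit must not silently skip it
		}
		out = append(out, string(pt))
	}
	return out, nil
}

// Scenario runs one rotate-and-release exchange on constructed readings and
// reports what the auditor could read (epoch 0) and could not (before release; epoch 1).
func Scenario() (epoch0 []string, beforeRelease, epoch1 error) {
	dev, box := NewDevice(), NewAuditBox()
	box.Observe(dev.Send("shower 5: on"))
	box.Observe(dev.Send("shower 5: off"))
	_, beforeRelease = box.AuditEpoch(0)   // key still live: must fail
	box.Receive(dev.Rotate())              // epoch 0 retired and released; epoch 1 now live
	box.Observe(dev.Send("shower 3: on")) // epoch-1 traffic stays opaque to the auditor
	var err error
	if epoch0, err = box.AuditEpoch(0); err != nil {
		panic(err)
	}
	_, epoch1 = box.AuditEpoch(1)
	return epoch0, beforeRelease, epoch1
}

func main() { fmt.Println(Scenario()) }
```

Note that AuditEpoch fails closed: a record whose tag does not verify aborts the audit rather than being skipped, because an auditor that drops unverifiable records can be fed a stream that looks complete but is not. Releasing a key also means anyone who held the ciphertext can now read epoch 0, so the rotation interval bounds how much plaintext one release exposes.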
Water Use(joint work with Noah Diffenbaugh and Mark Horowitz)
Network Architecture (joint work with Noah Diffenbaugh and Mark Horowitz)
• Energy harvester → embedded sensor → iOS gateway / Android gateway (BLE/GATT) → cloud (HTTP/REST)
Security/Privacy
• Shower data has privacy implications
▶ Streaming data: shower 5 is being used right now!
▶ Data overall has IRB/privacy implications
• Gateways are untrusted
▶ Owned by students, other participants
▶ May download data, never forward to cloud
• Network encrypts all data end-to-end between sensors and cloud
▶ Gateways cannot see data
• Sensors do not clear their log until they receive an end-to-end acknowledgement from the cloud
▶ Cloud issues block acknowledgements to gateways
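The store-and-forward rule above, as an added example written for this page rather than Tethys's own firmware or cloud code. It runs in Go on the standard library and assumes a pre-shared sensor/cloud key pair (AES-128-GCM for readings, HMAC-SHA256 for acknowledgements), a per-reading sequence number, constructed shower readings, and the names Sensor, Cloud, Packet and Scenario; the talk does not say how Tethys provisions keys or encodes its block acknowledgements. One design choice goes beyond the slide and is worth stating: because the gateway is untrusted, the acknowledgement must be authenticated end to end too, otherwise a gateway that drops data could also forge the ack that tells the sensor to discard it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Pre-shared sensor/cloud keys, constructed for this example. The gateway never holds them.
var (
	dataKey = []byte("tethys-data-key!") // 16 bytes: AES-128-GCM over readings
	ackKey  = []byte("tethys-ack-key")   // HMAC-SHA256 over acknowledgements
)

// Packet is one sealed reading; its GCM nonce is derived from Seq, so replaying it under another Seq fails.
type Packet struct {
	Seq uint64
	Ct  []byte
}

func nonce(seq uint64) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), seq) }
func gcm() cipher.AEAD {
	block, _ := aes.NewCipher(dataKey) // fixed 16-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// ackMac authenticates "everything up to and including upTo" end to end.
func ackMac(upTo uint64) []byte {
	m := hmac.New(sha256.New, ackKey)
	m.Write(nonce(upTo))
	return m.Sum(nil)
}

// Sensor keeps each sealed reading in Log until the cloud acknowledges it.
type Sensor struct {
	next uint64
	Log  []Packet
}

func (s *Sensor) Record(reading string) {
	s.Log = append(s.Log, Packet{s.next, gcm().Seal(nil, nonce(s.next), []byte(reading), nil)})
	s.next++
}

// ApplyAck clears entries up to upTo, but only if the ack's MAC verifies.
func (s *Sensor) ApplyAck(upTo uint64, mac []byte) error {
	if !hmac.Equal(mac, ackMac(upTo)) {
		return fmt.Errorf("ack up to %d rejected: bad MAC", upTo)
	}
	kept := s.Log[:0]
	for _, p := range s.Log {
		if p.Seq > upTo {
			kept = append(kept, p)
		}
	}
	s.Log = kept
	return nil
}

// Cloud holds the readings it could open, by sequence number.
type Cloud map[uint64]string

// Deliver plays the untrusted gateway: it forwards ciphertext it cannot read.
// Packets that fail to open are never stored, so they are never acknowledged.
func (c Cloud) Deliver(pkts []Packet) {
	for _, p := range pkts {
		if pt, err := gcm().Open(nil, nonce(p.Seq), p.Ct, nil); err == nil {
			c[p.Seq] = string(pt)
		}
	}
}

// BlockAck acknowledges only the contiguous prefix received, so a gap left by a
// dropped packet keeps the sensor from discarding that entry.
func (c Cloud) BlockAck() (uint64, []byte, bool) {
	var n uint64
	for _, ok := c[n]; ok; _, ok = c[n] {
		n++
	}
	return n - 1, ackMac(n - 1), n > 0 // n == 0: nothing received yet, no ack
}

// Scenario: the gateway drops seq 1, so the cloud acks only seq 0; a forged ack is
// rejected; a retransmit lets the cloud ack the rest. Returns the log length after each step.
func Scenario() (afterAck, afterForgery, afterRetransmit int, forgedErr error) {
	s, c := &Sensor{}, Cloud{}
	ackRound := func() int {
		if u, m, ok := c.BlockAck(); ok {
			s.ApplyAck(u, m)
		}
		return len(s.Log)
	}
	for _, r := range []string{"shower 5: on", "shower 5: off", "shower 3: on"} { // constructed
		s.Record(r)
	}
	c.Deliver(s.Log[:1]) // the gateway loses seq 1 ...
	c.Deliver(s.Log[2:]) // ... and forwards seq 0 and seq 2
	afterAck = ackRound()
	forgedErr = s.ApplyAck(2, make([]byte, 32)) // gateway forgery: wrong MAC
	afterForgery = len(s.Log)
	c.Deliver(s.Log) // the sensor retransmits everything still pending
	afterRetransmit = ackRound()
	return
}

func main() { fmt.Println(Scenario()) }
```

After the first round the sensor still holds seq 1 and seq 2: seq 1 never arrived, and seq 2 sits beyond the gap, so the contiguous-prefix ack stops at seq 0. The forged ack clears nothing, and only the retransmit empties the log. A corrupted packet is never stored by the cloud and so never acknowledged, which is the other half of the same guarantee.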
Why Now?
• Technology has just reached the tipping point
▶ BLE, iBeacon
▶ Cortex M series
▶ Sensors, harvesting circuits
• We've been waiting
▶ Leaders in prototyping, cryptographic computation, IoT networking, secure systems, analytics, and hardware design
• But it's still early enough
▶ Most big applications haven't been thought of yet
▶ Let's not repeat the web (as good as it is for publications)
• Very interested in collaborating with industry, to help find and solve hard research problems
Thank you!