EECS 388: Embedded Systems - KU ITTCheechul/courses/eecs388/W11... · Remote Attack Surfaces...
EECS 388: Embedded Systems
11. Security
Heechul Yun
Agenda
• Embedded systems security
Internet of Things (IoT)
• IoT ~= Internet connected embedded systems
• “Internet is evil and wants to kill you”
Remote Attack on Jeep (2015)
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• Able to remotely (via cellular network) control steering, brake, and other critical functions via the car’s infotainment system
C. Miller and C. Valasek, “A Survey of Remote Automotive Attack Surfaces”
Remote Attack Surfaces
“…As cars move into the future, they are being more connected with features normally found in desktop computers like apps and even web browsers. The 2014 Jeep Cherokee even has a Wi-Fi hotspot with open ports (when not using encryption)…”
C. Miller and C. Valasek, “A Survey of Remote Automotive Attack Surfaces”
Ukraine Power Grid Attack (2016)
• Attack on the SCADA control network of a power grid in Ukraine, causing a blackout for 80K users.
https://www.antiy.net/p/comprehensive-analysis-report-on-ukraine-power-system-attacks/
Pacemaker Hack (2017, 2018)
https://www.wired.com/story/pacemaker-hack-malware-black-hat/
https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
Mirai Bot DDoS Attack (2016)
https://www.nytimes.com/2016/10/22/business/internet-problems-attack.html
The Mirai IoT Botnet
https://www.corero.com/resources/ddos-attack-types/mirai-botnet-ddos-attack
IoT WiFi Attacks (2019)
https://hackaday.com/2019/09/05/esp8266-and-esp32-wifi-hacked/
“… These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash-DOS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks, but we’d really like to see Espressif patch up this hole anyway.”
https://techcrunch.com/2019/11/07/amazon-ring-doorbells-wifi-hackers/
Agenda
• Security attributes
• Threat model
• Software security
• Information flow
• Encryption
• Digital signature and hashing
• SSL/TLS
Security
• What are the attributes of security?
Security Attributes
• Confidentiality
– Can secret data be leaked?
• Integrity
– Can the system be modified?
• Availability
– Can the system function when needed?
• Authenticity
– Am I interacting with the right person/thing?
System Security
• A system is secure if it is used and accessed as intended under all circumstances
– Unachievable
• A system’s security can be determined only in the context of a clear threat model
Threat Model
• Attacker’s capabilities
– What we assume the attacker can do
• Examples
– Has physical access to the system
– Has remote (network) access to the system
– Can reprogram the software
– Can eavesdrop on the communication
– …
Is Your Project Secure?
[Diagram: Self-Driving Car. Components shown: Raspberry Pi 4 (Linux), HiFive1 rev B Microcontroller, Lidar, Camera, Intelligent controller (vision-based steering using DNN), Safety controller (basic control + emergency braking)]
Can’t be answered until you define the threat model.
Threat Model (What Attacker Can Do)
• Have remote access to the same WiFi network?
• Have remote login capability to the Pi 4?
• Have physical access to the hardware?
Example Defenses
• Have remote access to the same WiFi network?
– Encrypt all communications over WiFi (e.g., ssh)
• Have remote login capability to the Pi 4?
– Don’t give sudo permission; patch bugs in the OS and software
• Have physical access to the hardware?
– Secure boot, remote attestation, encrypt serial communication, …
Memory Safety Vulnerabilities
• Stack overflow
• Heap overflow
• Use after free
• Double free
• Null pointer
• Uninitialized use
• …
Memory Safety Vulnerabilities
• Account for 70% of all Microsoft patches over the past 12 years
Image source: Matt Miller, Microsoft
https://www.youtube.com/watch?v=PjbGojjnBZQ
Stack/Buffer Overflow
• Overflow either the stack or memory buffers
• Failure to check bounds on inputs, arguments
Stack Overflow
Not this
Stack Frame Layout
[Figure: stack frame layout; label: Stack pointer]
Stack Overflow
return address
saved frame pointer
sensor_data[15]
…
sensor_data[1]
sensor_data[0]
What would happen when more than 16 bytes are received?
Buffer Overflow
What would happen when more than 16 bytes are received?
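An added example (not from the lecture slides) for the question asked on the Stack Overflow and Buffer Overflow slides: a constructed struct models the frame drawn above so the overwrite is observable without undefined behaviour, with an unchecked receive beside a bounded one. The names `frame_model`, `recv_unchecked`, `recv_checked` and `frame_intact` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SENSOR_BUF_LEN 16

/* Constructed model of the slide's frame, lowest address first. A struct
 * makes the overwrite observable without undefined behaviour; a real
 * frame is laid out by the compiler and ABI. */
struct frame_model {
    uint8_t   sensor_data[SENSOR_BUF_LEN];
    uintptr_t saved_frame_pointer;
    uintptr_t return_address;
};

/* Unchecked receive: trusts the sender's length. Bytes past
 * sensor_data[15] land on the saved frame pointer, then the return
 * address. The cap at sizeof *f only keeps the demo inside the model. */
void recv_unchecked(struct frame_model *f, const uint8_t *rx, size_t n)
{
    memcpy((uint8_t *)f, rx, n < sizeof *f ? n : sizeof *f);
}

/* Bounded receive: rejects any message larger than the buffer. */
int recv_checked(struct frame_model *f, const uint8_t *rx, size_t n)
{
    if (n > sizeof f->sensor_data)
        return -1;
    memcpy(f->sensor_data, rx, n);
    return (int)n;
}

/* 1 if the frame's control data still holds the expected values. */
int frame_intact(const struct frame_model *f, uintptr_t fp, uintptr_t ra)
{
    return f->saved_frame_pointer == fp && f->return_address == ra;
}

int main(void)
{
    uint8_t rx[32];                          /* constructed 32-byte message */
    struct frame_model f = { {0}, 0x1000, 0x2000 };
    memset(rx, 0x41, sizeof rx);
    printf("checked:   rc=%d intact=%d\n", recv_checked(&f, rx, sizeof rx),
           frame_intact(&f, 0x1000, 0x2000));
    recv_unchecked(&f, rx, sizeof rx);
    printf("unchecked: intact=%d\n", frame_intact(&f, 0x1000, 0x2000));
    return 0;
}
```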
Use after Free
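• Freed pointers that are not reset (dangling pointers) can be exploited

```c
#include <stdlib.h>
#include <stdio.h>

struct auth {
    char name[32];
    int priv;
};

int main(void) {
    struct auth *auth_ptr;
    char *service;

    auth_ptr = malloc(sizeof(struct auth));
    free(auth_ptr);        /* auth_ptr is now dangling: it still holds the old address */
    service = malloc(36);  /* similar-sized request: the allocator may return the freed chunk */
    printf("[auth = %p, service = %p]\n",
           (void *)auth_ptr, (void *)service);
    free(service);
    return 0;
}
```

```
$ ./use_after_free
[auth = 0x716010, service = 0x716010]
```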
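One way to keep a stale reference from aliasing a reused allocation, as in the output above where `auth` and `service` share an address. This is an added example, not code from the lecture, and it goes beyond the slide: a fixed pool with generation-checked handles replaces raw pointers; `auth_handle`, `auth_alloc`, `auth_get`, `auth_free` and `POOL_SLOTS` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define POOL_SLOTS 4
struct auth { char name[32]; int priv; };            /* as on the slide */
typedef struct { uint16_t slot, gen; } auth_handle;  /* slot + generation */
static struct { struct auth obj; uint16_t gen; int in_use; } pool[POOL_SLOTS];

/* Allocate a zeroed slot; 0 on success, -1 if the pool is full. */
int auth_alloc(auth_handle *out)
{
    for (uint16_t i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].in_use)
            continue;
        pool[i].in_use = 1;
        memset(&pool[i].obj, 0, sizeof pool[i].obj);
        *out = (auth_handle){ i, pool[i].gen };
        return 0;
    }
    return -1;
}

/* Resolve a handle; NULL if stale (freed, or slot reused since). */
struct auth *auth_get(auth_handle h)
{
    if (h.slot >= POOL_SLOTS || !pool[h.slot].in_use || pool[h.slot].gen != h.gen)
        return NULL;
    return &pool[h.slot].obj;
}

/* Free a slot and bump its generation so old handles stop resolving. */
void auth_free(auth_handle h)
{
    if (auth_get(h) == NULL)
        return;                       /* stale handle: double free ignored */
    pool[h.slot].in_use = 0;
    pool[h.slot].gen++;
}

int main(void)
{
    auth_handle a, b;
    auth_alloc(&a);
    auth_free(a);
    auth_alloc(&b);                   /* reuses the slot, as malloc reused the chunk */
    printf("same slot=%d, stale handle resolves=%d\n",
           a.slot == b.slot, auth_get(a) != NULL);
    return 0;
}
```

The 16-bit generation wraps after 65,536 reuses of one slot, so a handle held across that many reuses would resolve again; widen the counter if handles can live that long.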
Linux Kernel: Buffer Overflow
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
Linux Kernel: Use-after-free
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
Linus Torvalds: "Nothing better than C"
https://www.youtube.com/watch?v=CYvJPra7Ebk
Recall: C is popular but …
• Why popular?
– Fast, efficient, and portable
– Close to machine (assembly-like control)
– Pointer, minimal type checking
• Problems
– Pointer, minimal type checking
– Require manual control of dynamic memory
– Unsafe (memory leak, undefined behavior, ..)
– Difficult to write correct, safe, secure code
“C is assembly, Rust is future”
Intel and Rust: the Future of Systems Programming: Josh Triplett