Hack in the Box Conference April 10 -13, 2005, Bahrain 1 Toward Architectural Challenges of Secured...
-
Upload
abigail-jordan -
Category
Documents
-
view
212 -
download
0
Transcript of Hack in the Box Conference April 10 -13, 2005, Bahrain 1 Toward Architectural Challenges of Secured...
Hack in the Box Conference April 10 -13, 2005, Bahrain
1
Toward Architectural Challenges of Secured Mobile Devices
Manzur AshrafBRAC University, Bangladesh
Email: [email protected]
Hack in the Box Conference April 10 -13, 2005, Bahrain
2
Agenda / classification
Energy-efficient Mobile Device & Applications
Energy-efficient Security Protocols
Tamper Resistance
Flexibility
Designing (Modeling) & Verifying Security Protocols
Hack in the Box Conference April 10 -13, 2005, Bahrain
3
Energy-efficient Mobile Device & Applications
Device physics
Software-based approach
Hack in the Box Conference April 10 -13, 2005, Bahrain
4
Energy constraints dominate ‘Algorithm’ and ‘system-design trade-offs for small devices
Lithium batteries offer higher energy density with fewer memory effects but longer recharge times.
Rechargeable lithium
(1080 j/cm3 ) & non-re (2880 j/cm3 )
Device Physics
Hack in the Box Conference April 10 -13, 2005, Bahrain
5
Contd..
Zinc-based batteries have higher energy densities but possess high leakage, so are best for high usage over short duration.Recent polymer-based batteries have excellent energy densities (manufactured in a range of form factors) but expensive.
Hack in the Box Conference April 10 -13, 2005, Bahrain
6
Researchers have fabricated tiny, 1-mm3 lead-acid batteries. We can expect to package energy storage directly with logic.
Fuel cells (based on methanol, 8900 J/cm3)have 10 times the energy densities than batteries but additional volume of membrane, storage and housing lowers this by a factor of two to five.
Contd..
Hack in the Box Conference April 10 -13, 2005, Bahrain
7
Solar (outdoors midday): 15 mW/cm2
Solar (indoor office lightings): 10 uW/cm2
Vibrations (from microwave oven casing): 200 uW/cm3
Temperature gradient” 15 uW/cm3 (from 10 deg C temp grad)
With existing tech, a cubic mm of battery space has enough energy to perform roughly 1 billion 32-bit computations, take 100 million sensor samples or send and receive 10 million bits. (L. Doherty et.al, 2001)
Sample scavenging energy ratings
Hack in the Box Conference April 10 -13, 2005, Bahrain
8
Ideal battery properties
Depth of discharge
0% 100%
voltage
Charge capacity
Rate of load
Non-ideal case
Hack in the Box Conference April 10 -13, 2005, Bahrain
9
Non-ideal battery
In practice, the voltage and capacity both varies widely. The voltage drops over the course of a discharge.
The shape of voltage discharge curve depends on –
materials used to construct the battery
size of the load.
For example, NiCd batteries have a relatively FLAT discharge curve. Most types of Li-ion batteries has a SLOPPED discharge curve.
Two more pointers:
A) Loss of capacity with increasing load
B) Recovery: A reduction of the load for periods of time results in an increase in battery capacity. (Thomas et al 03)
Hack in the Box Conference April 10 -13, 2005, Bahrain
10
Better indicator of battery capacity?- Peak or Average power (Thomas et. Al. 2003)
Waveform modification
Peak power W/.Kg
Average powerW/Kg
Battery life form from simulation (min)
Est battery life using rated capacity of 151 Wh/Kg, min
Diff between simulation %
Est battery life using capacity at peak power, min
Diff between simulation %
NONE 300 120 51 76 +48 45 -12
A 180 96 83 94 +14 74 -11
B 300 96 67 94 +41 56 -16
C 300 96 68 94 +39 56 -17
NONE 200 80 87 113 +30 85 -2
A 120 64 132 142 +7 120 -9
B 200 64 117 142 +21 106 -9
C 200 64 117 142 +20 106 -10
NONE 100 40 202 227 +12 200 -1
A 60 32 268 283 +6 261 -3
B 100 32 253 283 +12 250 -1
C 100 32 268 283 +6 250 -7
Hack in the Box Conference April 10 -13, 2005, Bahrain
11
Non-ideal properties of Battery1. Battery capacity will vary with load power.
2. Peak power is a better indicator for battery capacity than average power.
3. Peak power should be reduced whenever possible, which means background operations should be performed serially than concurrently. Serial operation is better than concurrent operation when each consumes roughly the same energy.
4. Reducing active energy is more important than reducing idle energy.
5. Because of non-ideal battery behavior, reducing average power or energy per operation may not increase the amount of computation completed in a battery life.
Hack in the Box Conference April 10 -13, 2005, Bahrain
12
– Aims to collect ambient energy to help power systems, possibly storing energy when it is not required
Solar energy
Transducers that convert vibrating energy into electrical one- ( source: energy from floors,stairs & equipment housings)
Harvesting mechanical energy (such as energy produced by a person walking and an object’s movement- for example, self-winding watches, hybrid cars that transfer energy from engine to battery during braking)
Temperature & pressure gradient.
Energy harvesting (energy scavenging)
Hack in the Box Conference April 10 -13, 2005, Bahrain
13
Mostly Applicable: Demand for small amount of continuous power or short periods of high power usage.
Can supplement conventional energy source-
(To what extent?)
when a mobile device is in a low power sleep state or charging its battery; for instance, if a mobile user extensively uses the device for short periods, an energy harvesting system might be able to ensure that battery is always topped up during the standby period.
Why Needed? Due to significant manufacturing complexity sizing in VLSI circuitry is slow. It may benefits its ‘switching’ power at the cost of current leakage.
Hack in the Box Conference April 10 -13, 2005, Bahrain
14
Research in energy harvesting
Improving existing energy transducers with more efficient components or in searching for fundamentally new materials with improved energy conversion properties.
Example: Solar cells with greater than 20-30% efficiency can be achieved based non-silicon solution or a better piezoelectric material than commonly used PZT (lead zirconate titrate)
Better understanding of solid-state physics.
Hack in the Box Conference April 10 -13, 2005, Bahrain
15
Software-based approach
Energy Dependant Mobile Application Adaptation
Task Partitioning
Hack in the Box Conference April 10 -13, 2005, Bahrain
16
Applications can dynamically modify their behavior to conserve energy.
Hardware only Power management:
a) Powering down as many h/w components (disk in standby mode after 10 sec of inactivity).
b) Placing wireless network interface in standby mode except during RPC calls or bulk transfer.
c) Turning off display during speech recognition ,for example & disable bios-based power mgmt.
Hardware power mgmt 34% reduction in energy usage
Energy Dependant Mobile Application Adaptation
Hack in the Box Conference April 10 -13, 2005, Bahrain
17
Lowering data-fidelity (low resolution/color reduction/compression) yields significant energy savings.
Lowering fidelity can be combined with h/w power mgmt.
[ Ref: Jason et al, 1999]
Hack in the Box Conference April 10 -13, 2005, Bahrain
18
Hack in the Box Conference April 10 -13, 2005, Bahrain
19
1. There is a significant variation in the effectiveness of fidelity reduction
a) across data objects.
b) across applications.
2. Combining h/w power mgmt with lowered fidelity can sometimes reduce energy usage below the product of their individual reductions. Intuitively this is because reducing fidelity decreases h/w utilization, thereby decreasing h/w power mgmt.
Hack in the Box Conference April 10 -13, 2005, Bahrain
20
Task Partitioning
Cyber Foraging /Surrogate Computing Proxy-based task partitioning
Hack in the Box Conference April 10 -13, 2005, Bahrain
21
Cyber Foraging /Surrogate Computing
Challenges:
1) Develop mechanism whereby a potential surrogate can make some of its resources available to mobile devices.
2) Provide a means for surrogates to advertise their availability and clients to locate surrogates with appropriate available resources
3) Develop a mechanism whereby clients can transfer tasks to surrogate
4) Make the remote execution of surrogate tasks be largely transparent & easy to program
5) Develop security and trust management so that surrogates can be assured that they will not be abused.
Hack in the Box Conference April 10 -13, 2005, Bahrain
22
Features
Share a common file systemmiddleware (heavy-weight)different file system (surrogate connected to internet will locate
and download client applications)• Highly coupled client and surrogate will increase network
overhead and thus energy consumption. ( Messer 2002)• Application writers will partition application at dev. time in a
way (for example considering clients’ limited resource and IO interfaces) to mitigate above problem rather than automatic partition. (sachin et al 2004). It is useful for data mining, distillation proxies and home applications, etc.
Hack in the Box Conference April 10 -13, 2005, Bahrain
23
Proxy-based task partitioning
Proxy servers compression, trans-code videos in real-time, access/provide directory services, provide service on a rule base for specific devices.Mobile devices thus negotiate with proxy servers for security, QoS and content delivery. It may also create and send data through proxy servers to other mobile devices in the network. (Arun et al. 2004)
Hack in the Box Conference April 10 -13, 2005, Bahrain
24
Proxy-based partitioning of watermarking algorithm for reducing energy consumption
The mobile device (PDA) & proxy (intel cel 1.7 GHz) is connected (over 802.11 wireless LAN) using SSL connection. (Arun et al 2004)
Energy savings was 42J to a high of 236 J (for different watermarking & partitioning algorithm)
Hack in the Box Conference April 10 -13, 2005, Bahrain
25
Energy-efficient Security Protocols
Hack in the Box Conference April 10 -13, 2005, Bahrain
26
Analyzing the Energy Consumption of Security Protocols
Ref: Nachiketh et al. 2003
Hack in the Box Conference April 10 -13, 2005, Bahrain
27
Hack in the Box Conference April 10 -13, 2005, Bahrain
28
Hack in the Box Conference April 10 -13, 2005, Bahrain
29
Discussion
AES has the least energy cost and BLOWFISH has the greatestEnergy cost of IDEA for both encryption/decryption and key-setup compare well with those of AES,however the crypt analytical strength of AES is better than that of IDEA.SHA and SHA1 have better collision resistance (prob of two inputs mapped to same value) than MD4 & 5. This benefit comes as the cost of slightly higher energy cost.RSA performs signature verification efficiently, while ECDSA imposes smaller cost. (choose based on scenario/importance!)
Hack in the Box Conference April 10 -13, 2005, Bahrain
30
Energy analysis of SSL protocol
Step 1: HANDSHAKE1) Server authentication: client verifies digital sig. of trusted CA on the server cert. through public key of CA followed by integrity check.2) Client authentication: client generates digital sig. by hashing some data, concatenating digest & encrypting with private key.3) Key exchange: clients pre-master secret is encrypted using public key of server.Step 2: DATA TRANSMISSION
Hack in the Box Conference April 10 -13, 2005, Bahrain
31
Hack in the Box Conference April 10 -13, 2005, Bahrain
32
Hack in the Box Conference April 10 -13, 2005, Bahrain
33
Hack in the Box Conference April 10 -13, 2005, Bahrain
34
DiscussionWith respect to client energy cost,
RSA-based handshake is much more efficient than ECC-based handshake when there is no client authentication in the SSL handshake stage.
In the presence of client authentication in SSL handshake, ECC-based handshake consumes less energy than RSA-based handshake. Thus, depending on whether client authentication is performed or not, either RSA-based handshake or ECC-based handshake should be chosen by the client for optimizing its energy consumption.
ENERGY cost (highest to lowest) : 1st) Asymmetric algorithms (The energy cost of asymmetric
algorithms is very much dependent on the key size )2nd) Symmetric algorithms (The cost of the key set-up (key
expansion) and encryption/decryption cost)3rd) hash algorithms. .
Hack in the Box Conference April 10 -13, 2005, Bahrain
35
Impact of cipher suite choice on SSL
Hack in the Box Conference April 10 -13, 2005, Bahrain
36
Discussion
For data sizes smaller than 21 KB, ECC-3DES-SHA is more energy-efficient because ECC is simpler than RSA (and asymmetric energy consumption dominates that of small data transactions).
For transactions of bulk data (greater than 21 KB) to encrypt, RSA-RC5 SHA consumes less energy, because for large data transfers energy consumption of symmetric ciphers dominates the total energy spent, and RC5 is much simpler than 3DES.
This shows that a judicious choice of cryptographic algorithms can greatly reduce the amount of energy consumed.
Hack in the Box Conference April 10 -13, 2005, Bahrain
37
summary
The energy consumption of SSL protocol depends on: (i) use of client authentication in handshake, (ii) asymmetric algorithm used in handshake, (iii) key size of the asymmetric algorithm,(iv) symmetric algorithm used in the record stage, (v) hash algorithm used in the record stage, (vi) size of the data to be transmitted, etc.
The cost function can be used to decide the best performing amongpossible alternatives, depending on the input conditions. Such high-levelmacro-models are the subject of future work, and would allowstatic, as well as dynamic, optimization of the SSL protocol for energyefficiency.
Hack in the Box Conference April 10 -13, 2005, Bahrain
38
Tamper Resistance
Hack in the Box Conference April 10 -13, 2005, Bahrain
39
Overview
Brute Force & Factoring Attack( Mathematical) Easy-to-understand but futile attack Undesirable functionalityExample: A mobile network should prevent
unauthorized calls to placed (at handshaking). But an undocumented test-mode or buffer-flow may bypass functions and make calls??
Hack in the Box Conference April 10 -13, 2005, Bahrain
40
Case 1:Physical (invasive) & side-channel (non-invasive) attacks
Ref: Ravi et al 04, Quisquater et al 02Invasive attacks involve getting access to appliances, manipulate & interfere with system-internals. (Hard to deploy)
TYPES: a) Microprobing b) Design reverse engineering
Hack in the Box Conference April 10 -13, 2005, Bahrain
41
Microprobing
Hack in the Box Conference April 10 -13, 2005, Bahrain
42
Non-Invasive attack:A) Timing analysisB) Fault induction techniquesC) Power & electro-magnetic analysis based
attack
Hack in the Box Conference April 10 -13, 2005, Bahrain
43
Fault Induction
Hardware may fail to make correct computations security at stack!Example: RSA modulo-computationsTo deter this specific attack RSA implementations can check their answers by performing public key operation on the result and verifying it generates the original message (Boneh 01)
Hack in the Box Conference April 10 -13, 2005, Bahrain
44
Timing analysis
Keys could be determined by analyzing small variations in time required to perform cryptographic computations. [Statistical techniques to predict] (Paul 96)
Instruction execution time variations (divide/mult instructions take number of cycles based on data)
Hack in the Box Conference April 10 -13, 2005, Bahrain
45
Power analysis attack
Power consumption of h/w circuit is a function of switching activity (hence data).Key used in a crypt alg. can be inferred from power consumption statistics gathered over a wide range of input data.Simple power Analysis (SPA) determines crypto. alg. used, number of operations performed.
Brute-force search space for a DES implementation on 8 bit processor with 7 bytes of key data can be reduced to 240 keys from 256 keys by SPA (Messergers 02)
Hack in the Box Conference April 10 -13, 2005, Bahrain
46
Differential Power Analysis (DPA) uses difference between traces to overcome the measurement error & noise associated with SPA.It targeted to DES (Kocher 99 )but later used to break public keys ( Messerges 99 )
Hack in the Box Conference April 10 -13, 2005, Bahrain
47
Case 2: Logical Attack
Buffer overflowFailure to secure code update processUse of insecure cryptographic algorithmCryptographic protocol flawsKey management failuresRandom number generator defectsUse of debug modes that bypass securityImproper error handling, incorrect algorithmsUse of weak passwords
1. Complexity
(sec.vulnerabilities)
1. Extensibility
(dynamically loadable modules)
1. Connectivity
Hack in the Box Conference April 10 -13, 2005, Bahrain
48
Contd..
Improper reuse of keysPoor user interfaceOperator errorsPointer errorsOperating system weaknessesSequence counter overflowsSolving wrong problemsInability to reestablish security after compromises
Hack in the Box Conference April 10 -13, 2005, Bahrain
49
Countermeasures for logical attacks
Privacy & integrity of sensitive code & data at every stage of execution Use of dedicated hardware to protect sensitive memory locations (Discretix), secure bootstraping (Arbaugh et al 97), use of cryptographic file system (Goh et al 03), sandboxing (Kiriansky 02)Verification methods for finding security flaws in trusted s/w, security protocols are important. (Chess 02)
Hack in the Box Conference April 10 -13, 2005, Bahrain
50
Case 3:Biometric identification
Finger-print authentication is popular because fingerprint scanners can be produced inexpensively and require very little space.Fingerprint based sweep sensor (AT77C101B) is used at tablet Sharp Mebius Muramasa PC TN1-H1W.The sensor captures successive images while sweeping. Resolution: 500 dpi. Sweeping eradicates latent images left on sensor.
Hack in the Box Conference April 10 -13, 2005, Bahrain
51
Flexibility
Hack in the Box Conference April 10 -13, 2005, Bahrain
52
Concern
Need: Ability to interoperate in different environments. Devices thereby need to support distinct security protocols (of different network layers)Example: a single protocol standard support wide range of crypt. Alg. (like SSL)Another challenge: continuous evolution of secured protocol. (In June 02, TLS was revised to accommodate AES)
Hack in the Box Conference April 10 -13, 2005, Bahrain
53
Many of the security protocols used in wireless domain are adaptations of wired security protocols. E.g., WTLS matches closely to SSL/TLS std.Future Wireless Protocols: tailored from the scratch for wireless environment considering power, performance, unique states of wireless environment only, etc.
Hack in the Box Conference April 10 -13, 2005, Bahrain
54
Designing (Modeling) & Verifying Security Protocols
Hack in the Box Conference April 10 -13, 2005, Bahrain
55
Overview
Modeling is the process of abstracting the functional specifications a minimal working specimen (to understand and analyze the system more
closely.) Verification means process of examining this specification for the presence of various errors that could lead to improper system operation.
Hack in the Box Conference April 10 -13, 2005, Bahrain
56
Hack in the Box Conference April 10 -13, 2005, Bahrain
57
Correctness
Checking of ‘Safety’ comprises two things: (1) checking local process assertions and invariants (if any), and (2) checking proper termination points of progress (end state levels – if any).
Validating ‘liveness’ comprises (1) looking for acceptance cycles, (2) looking for non-progress cycles, (3) using never claims – which defines an observer process that executes synchronously with the system, and (4) trace assertions – to reason about valid or invalid sequences of send or receive statements.
Hack in the Box Conference April 10 -13, 2005, Bahrain
58
Related works
Adam D. Bradley Azer Bestavros Assaf J. Kfoury (2002)
Write Deadlock: C1.1 - S1.1Resembles a DoS attack
Hack in the Box Conference April 10 -13, 2005, Bahrain
59
Proxy-2616-fixed handles this correctly
Hack in the Box Conference April 10 -13, 2005, Bahrain
60
but
Problem:Imperfect knowledge beyond first hop
Hack in the Box Conference April 10 -13, 2005, Bahrain
61
Sample Linear Temporal Logic Claim
It represents whenever a message is sent by the ‘Responder’, it will eventually accepted by the ‘Requester’.
!([](p -> X(<>q)))Where p corresponds to
“to_rcvr?[request(1)]”q corresponds to “to_sndr?[response(1)] OR to_sndr?[err(1)]”.
Hack in the Box Conference April 10 -13, 2005, Bahrain
62
Simulation using –XSPIN tool
Hack in the Box Conference April 10 -13, 2005, Bahrain
63
Verification in SuperTrace/ BitState mode
Hack in the Box Conference April 10 -13, 2005, Bahrain
64
Questions