Secure Internet of Things Project
Philip Levis, Stanford
Computer Forum Internet of Things Workshop
April 14, 2016
Stanford University
Secure Internet of Things Project (SITP)
The Internet of Things (IoT)
A Security Disaster
• HP conducted a security analysis of IoT devices¹
  ▶ 80% had privacy concerns
  ▶ 80% had poor passwords
  ▶ 70% lacked encryption
  ▶ 60% had vulnerabilities in UI
  ▶ 60% had insecure updates
¹ http://fortifyprotect.com/HP_IoT_Research_Study.pdf
Securing the Internet of Things
• Secure Internet of Things Project
  ▶ 5 year project (just started second year)
  ▶ 12 faculty collaborators
  ▶ 3 universities: Stanford, Berkeley, and Michigan
• Rethink IoT systems, software, and applications from the ground up
• Make a secure IoT application as easy as a modern web application
This Talk
• Technology trends: why today?
• Security: why is it so hard?
• Research: what we’re doing
  ▶ Architectural principles
  ▶ A brief overview of talks today
The EmNets Vision
• “Information technology (IT) is on the verge of another revolution… The use of EmNets [embedded networks] throughout society could well dwarf previous milestones.”¹
• “The motes [EmNet nodes] preview a future pervaded by networks of wireless battery-powered sensors that monitor our environment, our machines, and even us.”²
¹ National Research Council. Embedded, Everywhere, 2001.
² MIT Technology Review. 10 Technologies That Will Change the World, 2003.
Two Game-Changers
• ARM Cortex M series
  ▶ First released 2004
  ▶ Ultra-low power 32-bit processor
  ▶ 8-96kB of RAM, 64-512kB code flash
  ▶ Sleep currents recently dropped <1µA
• Bluetooth Low Energy
  ▶ First released in 2006
  ▶ Send a 30 byte packet once per second, last for a year on a coin cell battery
  ▶ Support was weak until Apple incorporated it into iBeacon; now all major smartphones include it
Example Part: nRF51822
• Cortex M0+ with integrated 2.4GHz transceiver
  ▶ Supports Bluetooth Low Energy
  ▶ Two models: 32kB/256kB or 16kB/128kB
• DigiKey cost for 25,000: $1.99
IoT Security is Hard
• Complex, distributed systems
  ▶ 10³-10⁶ differences in resources across tiers
  ▶ Many languages, OSes, and networks
  ▶ Specialized hardware
• Just developing applications is hard
• Securing them is even harder
  ▶ Enormous attack surface
  ▶ Reasoning across hardware, software, languages, devices, etc.
  ▶ What are the threats and attack models?
• Valuable data: personal, location, presence
• Rush to development + hard ➔ avoid, deal later
[Figure: languages and networks across the tiers. Labels: Obj-C/C++, Java, Swift, Javascript/HTML; embedded C (ARM, avr, msp430); ZigBee, ZWave, Bluetooth, WiFi, 3G/4G, TCP/IP; Ruby/Rails, Python/Django, J2EE, PHP, Node.js]
Architectural Principles
• Longevity: these systems will last for up to 20 years and their security must too.
• Transparency: we must be able to observe what our devices are saying about us.
• End-to-end: consider security holistically, from data generation to end-user display.
1995: SSL 0.2
Flexible Crypto Hardware
• Devices need to be able to support ciphers that are used 20 years from now
• Add extensible cryptographic accelerator: silicon is cheap and BLE dominates the SoC
• Designing a 20-year crypto processor
  ▶ Symmetric crypto: S-boxes and vectors, an instruction set
  ▶ Public key crypto: several very different constructions
  ▶ What if quantum computers are real in 20 years?
• There is often unused microcontroller die area
CESEL
[Figure: CESEL block diagram. An MCU core (Cortex M) on a memory bus with accelerator blocks: vector arithmetic, S-boxes, polynomial mult., ECC co-processor, RNG/CTR, R-LWE processor, fast hash function. Labelled uses: symmetric ciphers, ECC public-key operations, post-quantum public key, RNG, atomic counter, SHA-2, SHA-3.]
11:20 - 11:40, Kevin Kiningham
Random Numbers
[Figure: the CESEL block diagram (MCU core, memory bus, accelerator blocks including RNG/CTR) shown on the Random Numbers slide.]
11:40 - 12:00, Ben Lampert
Tock: A Secure, Embedded OS
• Written in Rust, a type-safe systems language
  ▶ Microkernel design
  ▶ Kernel has small trusted base of unsafe code
  ▶ Applications can load safe kernel modules for drivers
• Applications can be written in any language
  ▶ System call interface requires applications allocate memory for kernel calls
  ▶ Kernel can grant direct register access (CortexM MPU operates at 32 byte granularity)
• Systems challenges
  ▶ Concurrency models
  ▶ Event-driven memory safety
[Figure: Tock memory layout, drawn from low address to high address. Labels: Code, Memory Mapped I/O, Second App Memory, Kernel Stack, First App Memory, App code, App specific kernel memory, TRNG.]
11:00 - 11:20, Amit Levy
Model Today
• Transport-layer security (TLS) between devices and cloud services
• Internet applications: we control one end point
  ▶ Can install new certificates, observe data
• IoT applications: we are a transit network
  ▶ Can’t see or control what happens on either end
Intrusion Detection
• How do we build an intrusion detection system for our smart home?
  ▶ Can’t see what data our devices are transmitting
  ▶ They could be compromised and we’ll never know
• Enterprises solve this by installing new certificates on endpoints, allowing an IDS to look inside TLS, filter trojan horses from email, etc.
  ▶ We don’t control these devices, can’t install new certificates
TLS - Rotate and Release
• Transport Layer Security - Rotate and Release
• A trusted auditor
  ▶ can decrypt all traffic
  ▶ but not forge traffic (hard part!)
• Four operating modes that together are compatible with all versions of TLS
10:00 - 10:20, Judson Wilson, Keith Winstein
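A toy model of the rotate-and-release idea named on this slide, added here as an illustration (it is not the TLS-RaR protocol and not the project's code): it assumes the endpoints switch to a fresh key before handing the retired key to the auditor, so the auditor can decrypt captured traffic but cannot get a record accepted. The `Channel` class, the record layout and the SHA-256 keystream are constructed stand-ins, not TLS.

```python
# Constructed toy model: a SHA-256 keystream and HMAC stand in for TLS records.
import hashlib, hmac, os

def _xor_stream(key, seq, data):
    ks = b"".join(hashlib.sha256(key + b"enc%d/%d" % (seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, epoch, seq, msg):
    ct = _xor_stream(key, seq, msg)
    tag = hmac.new(key, b"%d/%d|" % (epoch, seq) + ct, hashlib.sha256).digest()
    return (epoch, seq, ct, tag)

def unseal(key, record):
    epoch, seq, ct, tag = record
    expected = hmac.new(key, b"%d/%d|" % (epoch, seq) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    return _xor_stream(key, seq, ct)

class Channel:
    # Both endpoints of one session, collapsed into one object for brevity.
    def __init__(self):
        self.epoch, self.seq, self.key = 0, 0, os.urandom(32)
    def send(self, msg):
        self.seq += 1
        return seal(self.key, self.epoch, self.seq, msg)
    def receive(self, record):
        if record[0] != self.epoch:      # a retired epoch is never accepted
            raise ValueError("stale epoch")
        return unseal(self.key, record)
    def rotate_and_release(self):
        released = (self.epoch, self.key)    # handed to the auditor
        self.epoch, self.key = self.epoch + 1, os.urandom(32)
        return released

def audit(released, captured):
    epoch, key = released                    # auditor decrypts that epoch only
    return [unseal(key, r) for r in captured if r[0] == epoch]

def forgery_accepted(channel, released):
    old_epoch, old_key = released
    for epoch in (old_epoch, channel.epoch): # try both epoch labels
        try:
            channel.receive(seal(old_key, epoch, 99, b"forged reading"))
            return True
        except ValueError:
            pass
    return False
```

The ordering inside `rotate_and_release` is the point: releasing the key before the endpoints stop accepting it would let the auditor forge records for that epoch.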
Applications!
• Applications drive and inform all this research
• Water conservation in a Stanford dorm
  ▶ Holly Chiang, 2:30 - 2:50
• Wearable, smart technology in everyday objects
  ▶ Joanne Lo, 2:50 - 3:10
• Personal telepresence in the home
  ▶ Meghan Clark, 3:10 - 3:30
Ravel Framework
• Write a distributed model view controller pipeline
  ▶ Models, views, controllers, transforms, and spaces
1:55 - 2:15, Laurynas Riliskis
Device Generation
• Applications involve software and hardware
  ▶ Embedded devices are application specific
• Hardware/software boundary is difficult
  ▶ Refining a design is easier than writing from scratch
• Idea: generate a prototype device from software specification, allow a programmer to tweak
• Two problems
  ▶ How does one compile the embedded device?
  ▶ Compiler must have a library of components to use: where does it come from?
1:15 - 1:35, Rohit Ramesh
1:35 - 1:55, Luke Hsiao
Securing Middleboxes
• All networks today depend on middleboxes
  ▶ Firewalls, optimizers, NATs, intrusion detection
  ▶ The IoT will be no different
• Outsourcing this functionality into the cloud has many advantages
  ▶ Simplicity, management, aggregation: network as a service
• Is it possible to securely outsource this functionality (perform it on encrypted data)?
10:20 - 10:40, Chang Lan
Day’s Schedule
8:30am - 9:30am welcome and check-in
9:30am - 9:40am Introductions: The IoT Revolution and Our Research in IoT
9:40am - 10:00am Secure Internet of Things Project
10:00am - 10:20am Auditing IoT Communications with TLS-RaR
10:20am - 10:40am Embark: Securely Outsourcing Middleboxes to the Cloud
10:40am - 11:00am break
11:00am - 11:20am Tock, a Secure Embedded Operating System
11:20am - 11:40am Hardware Support for Long-Term Cryptographic Flexibility
11:40am - Noon A Fast, Cheap, High-Entropy Source for IoT Devices
Noon - 1:15pm lunch
1:15pm - 1:35pm Embedded Device Generation: Turning Software into Hardware
1:35pm - 1:55pm Automatically Building a Component Library from Datasheets
1:55pm - 2:15pm Programming IoT Applications with Ravel
2:15pm - 2:30pm break
2:30pm - 2:50pm An Energy-Harvesting and Reliable Water Flow Sensor
2:50pm - 3:10pm Incognito Wearables: Seamlessly Incorporating Fashion and Function
3:10pm - 3:30pm The Haunted House: Virtual Shared Living over a Home-to-Home Network
3:30pm - 3:45pm break
3:45pm - 4:15pm Innovation in a Post Moore's Law World: Another View of IoT
4:15pm - 6:00pm reception
Session labels: overview, networks, systems, programs, applications, looking forward
Why Now?
• Technology has just reached the tipping point
  ▶ BLE, iBeacon
  ▶ Cortex M series
  ▶ Sensors
  ▶ Harvesting circuits
• We've been waiting
  ▶ Leaders in prototyping, cryptographic computation, IoT networking, secure systems, analytics, and hardware design
  ▶ What are the threats? Application attackers?
• But it's still early enough
  ▶ Most big applications haven't been thought of yet
  ▶ Let's not repeat the web (as good as it is for publications)
Thank you!
SystemX Alliance
State Farm