class: title, smokescreen, shelf, bottom, no-footer background-image: url(images/cortextrustzone.png) # 181U Spring 2020 ## Security Solutions <style> h1 { border-bottom: 8px solid rgb(32,67,143); border-radius: 2px; width: 90%; } .smokescreen h1 { border-bottom: none; } .small.remark-slide-content.compact {font-size:1.4rem} .smaller.remark-slide-content.compact {font-size:1.1rem} .small {font-size: 80%} .smaller {font-size: 70%} .small-code.remark-slide-content.compact code {font-size:1.0rem} .very-small-code.remark-slide-content.compact code {font-size:0.9rem} .line-numbers{ /* Set "line-numbers-counter" to 0 */ counter-reset: line-numbers-counter; } .line-numbers .remark-code-line::before { /* Increment "line-numbers-counter" by 1 */ counter-increment: line-numbers-counter; content: counter(line-numbers-counter); text-align: right; width: 20px; border-right: 1px solid #aaa; display: inline-block; margin-right: 10px; padding: 0 5px; } </style> --- layout: true .footer[ - 181U - See acknowledgements ] --- class: compact # Agenda <audio controls> <source src="audio/solutions_2.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * Overcoming Insecure Design Patterns * Crypto building blocks * Key exchange, Certificates * Tokens * TLS/DTLS * Hardware level protections --- class: compact # Insecure Design Patterns <audio controls> <source src="audio/solutions_3.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * Doing too much * Coding blunders * Authentication and authorization blunders * Cryptography blunders --- class: compact # Doing too much <audio controls> <source src="audio/solutions_4.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * A standard source of insecurity is system interfaces that provide more functionalility than they are supposed to - failure of input validation: interfaces often assume inputs are properly validated and accept invalid inputs which provides an attack vector - classic instance is *buffer overflow attack* - sql attacks - devious URLs * Excess power - Giving more power than necessary - running a full linux kernel (e.g. does it need to support NFS) - extra established components provides more attacks - "every IoT device will eventually run full linux 'because it can'" --- class: compact # Coding Blunders <audio controls> <source src="audio/solutions_5.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * We've grown to expect that desktops and servers depend upon "penetrate and patch" - But, IoT devices may not be updated leading to "forever days" * IoT devices shipped with malware installed * Debug code left in product Coding blunders in IoT have greater long-term consequences ! --- class: compact # Authentication Blunders <audio controls> <source src="audio/solutions_6.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * It is important that a system verify who is claiming to send it an update or confiuration change * A service may require *no authentication* whatsoever * A service may have a *permanent credential* that is never changeable * A service may fail to allow for *revocation* of a credential or privilege * A service may fail to allow for *delegation* of a privilege to another legitimate party (thus engendering workarounds) --- class: compact # Authentication Blunders (None) <audio controls> <source src="audio/solutions_7.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * The controller area bus (CAN) in modern cars - this is the central IT system in a car - components listen for messages, but can't determine the sender -- for example, the engine control unit is *supposed* to tell the brakes to engage, but anything can - Stefan Savage showed how to use the CD player to inject malware * Some devices permit updating firmware with no authentication - Progressive insurance's "snapshot" device * "Hello Barbie" would accept anything with the name "Barbie" * School application systems that use URLs to select students - 2/4/19 -- "An official IU GPA calculator allowed students, faculty and staff to access the grades of at least 100,000 current and former students in apparent violation of federal privacy law" --- class: compact # Authentication Blunders (Default credentials) <audio controls> <source src="audio/solutions_8.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * Design challenge -- what should a system do when it first comes out of the box - common approach is to ship with a default password - often default passwords are never changed * Default SSH backdoors have been found in Cisco security products * Two high-school students hacked Bank of Montreal ATMs using a default administrator password --- class: compact # Permanent Credentials <audio controls> <source src="audio/solutions_9.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> An authentication credential is an electronic embodiment of the right of an entity to invoke some service * A binding between an entity and right * A binding between an entity and credential * A binding between credential and right Errors: * Right permanently bound to an entity - a hardcoded password - An entity posses a right but loses it in the future, but the right is not *revoked* - Suppose you have a smart thermostat and sell the house, is the right to control the thermostat revoked ? - What about the right to track a car's location ? --- class: compact # Easy exposure <audio controls> <source src="audio/solutions_10.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * websites that require user ID and password, but collect them over a plain-text channel * storing credentials in easily hacked form --- class: compact # Cryptography Blunders <audio controls> <source src="audio/solutions_11.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * Bad randomness -- key generation depends upon "good" random numbers - A study of TLS and SSH found a large number of internet-facing machines with the same key-pairs or sharing a large prime factor * Common keys -- LIFX internet-connected lightbulbs all used the same common key * Bad public key encryption * Aging of cryptography and protocols --- class: compact # Mitigating forever-days <audio controls> <source src="audio/solutions_12.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * Make sure vulnerabilities can be discovered and patches created * Make sure patches can be pushed * Make sure someone exists to push patches * Make sure systems automatically die off if they are not patched --- class: compact # Secret-key encryption and decryption <audio controls> <source src="audio/solutions_13.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>   --- class: compact # Public-key encryption <audio controls> <source src="audio/solutions_14.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>   --- class: compact # Key Distribution <audio controls> <source src="audio/solutions_15.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * predistributed keys (long-lived) - public keys distributed "out of band" - used to bootstrap - * session keys (short-lived) - each session uses a new session key, generated when the session is created * Diffie-Hellman key exchange -- works without using predistributed keys * Certificates and tree of cerificate authorities (CA) used to help build trust. --- class: compact,small # Tokens <audio controls> <source src="audio/solutions_16.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * Flespi, AWS and others use "security tokens" to grant access privileges. For flespi/azure they must be "pre-distributed" AWS has a distribution protocol   --- class: compact # TLS Overview <audio controls> <source src="audio/solutions_17.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * SSL = Secure Sockets Layer. - Developed by Netscape * TLS = Transport Layer Security. - IETF-standardised version of SSL. - TLS 1.0=SSLv3 with minor tweaks, RFC 2246 (1999). – TLS 1.1=TLS 1.0 + tweaks, RFC 4346 (2006). - TLS 1.2=TLS 1.1 + more tweaks, RFC 5246 (2008). - TLS 1.3= simplification/optimization of TLS 1.2 plus removal of obsolete security * SSL/TLS provides security ‘at TCP layer’. - Runs over TCP, using TCP to provide reliable, end-to-end transport. - Widely deployed in Web browsers and servers to support ‘secure e-commerce’ over HTTP. --- class: compact # TLS Protocol Architecture <audio controls> <source src="audio/solutions_18.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>   --- class: compact # TLS Record Protocol <audio controls> <source src="audio/solutions_19.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * TLS Record Protocol provides: - Data origin authentication and integrity using a MAC. - Confidentiality using a symmetric encryption algorithm. - Anti-replay using sequence numbers protected by the MAC. * Keys for the algorithms are supplied by the TLS Handshake Protocol. - agree on crypto method to use - generate session keys --- class: compact # TLS Record Protocol: MAC-Encode-Encrypt <audio controls> <source src="audio/solutions_20.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>   --- class: compact # TLS Record Processing <audio controls> <source src="audio/solutions_21.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> 1. Decrypt; 2. Remove padding; 3. Check MAC on header data, sequence number and plaintext. * Each of these steps can fail. * Additional sanity checking may be needed. * Any failure results in an error message being sent and immediate termination of the TLS connection. * Great care is needed in implementations to avoid attacks based on analyzing error conditions. --- class: compact,small # DTLS Overview <audio controls> <source src="audio/solutions_22.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> * DTLS = Datagram Transport Layer Security. - A tweak to TLS. - Runs over UDP, using UDP to provide end-to-end transport. – Becoming more widely used, e.g. Cisco VPN products. * Some modifications to TLS are needed to handle unreliable nature of UDP. - Allow for retransmission of handshake messages. - Allow out-of-order arrival of messages. * Use explicit sequence numbers rather than implicit sequence numbers and keep a sliding window of received messages. - Tolerance of errors during decryption, but no error messages and no session termination. * Versions: - DTLS 1.0, based on TLS 1.1, RFC 4347 (2006). - DTLS 1.2, based on TLS 1.2, RFC 6347 (2012). - DTLS 1.3 in draft form --- class: compact # DTLS Protocol Architecture <audio controls> <source src="audio/solutions_23.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>   --- class: compact # Attacks on IoT Devices  <audio controls> <source src="audio/solutions_24.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> --- class: compact # Attacking the hardware directly # Attacks on IoT Devices <audio controls> <source src="audio/solutions_25.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>  * JTAG Interface (a simplified version called SWD is used on ARM processors) - All embedded devices have a serial interface based upon JTAG that is used in manufacturing for - programming the device - testing the hardware - By attaching to this interface it *may* be possible to - download the processor code - reprogram the device --- class: compact,small # JTAG <audio controls> <source src="audio/solutions_26.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>  A Netgear DG632 ADSL Modem with JTAG header at location 5. * Ways to mitigate attacks - disable flash erase - lock flash read - disable jtag (swd) port * But - For ARM parts it is still possible to connect "under reset" which enables the flash port - For STM32 parts, it's easy to work around -- "Shedding too much Light on a Microcontroller’s Firmware Protection", Obermaier and Tatschner --- class: compact # Crypto support in STM32 processors <audio controls> <source src="audio/solutions_27.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio>  * Some STM32 processors have hardware accelerators for cryptographic protocols * Recent STM32 processors have a random number generator based upon a "noisy source". --- class: compact # Embedded hardware security features are evolving rapidly [STM32 Security Protections](https://www.st.com/content/ccc/resource/technical/document/application_note/group1/9f/0b/e4/b6/75/15/4f/e2/DM00493651/files/DM00493651.pdf/jcr:content/translations/en.DM00493651.pdf)  <audio controls> <source src="audio/solutions_28.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> --- class: compact # Even "smaller" processors are getting security hardware  <audio controls> <source src="audio/solutions_29.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> --- class: compact # Summary * cover image -- [ARM](https://community.arm.com/resized-image/__size/640x480/__key/communityserver-discussions-components-files/430/1803.M23-with-dialog-boxes.png) * Material drawn from "The Internet of Risky Things" by Sean Smith * Material drawn from " TLS and DTLS: A Tale of Two Protocols Kenny Paterson" * Material drawn from "Computer Networks: A Systems Approach"