Improving Security in Embedded Systems
Felix Baum, Product Line Manager
Business Imperatives
“I need to keep my production expenses as low as possible.”
“My products operate in a number of different environments and verticals.”
“My devices require network connectivity for M2M communication.”
Security Imperatives
“How do I provide adequate security with limited resources?”
“How do I protect my devices from Internet-based attacks?”
“How do I meet regulatory requirements specific to my industry?”
| © 2012 Wind River. All Rights Reserved. 3
The Challenge with Embedded Security
PREPA: A House of Pain
Puerto Rico Electric Power Authority (PREPA)
Fiscal Year 2011 Financial Information: Assets $9.9B; Revenue $4.4B; Net income $706M; Fitch bond rating BBB+
Bad Guys: “Individuals with only a moderate level of computer knowledge”
Tools Used: “$400 tools and software readily available on the Internet”
Attack Vectors: Weak authentication credentials; magnetic interference
Financial Incentive: $300–$3,000/meter for hackers; lower utility bills for customers
Affected Devices: ~10% of smart meters in Puerto Rico
Source: 2010 FBI Cyber-Intelligence Bulletin
Start with a Bottom-up Approach
RTOS Threats: Mitigation Strategies
§ Boot-time threats
  – Trust
  – Authentication
§ Run-time attacks
  – Kernel
  – User space
  – Networking
Boot-Time Protection Strategy: Trust
§ Enable features offered by best-of-class silicon vendors, per specifications defined by Trusted Computing Group, to provide layered security from the moment power is applied.
Boot-Time Protection Strategy: Authentication
§ Trusted boot ROM will not help if the OS that it loads has not been signed and authenticated.
[Diagram: the boot ROM loads an unsigned VxWorks kernel image straight into memory, with nothing to check]
Boot-Time Protection Strategy: Authentication
§ To authenticate the binary OS image we need to ask two questions.
[Diagram: the boot ROM loads the VxWorks kernel image into memory. The two questions: Did the image come from OEM Inc.? Is the image untampered?]
Boot-Time Protection Strategy: Authentication
§ Public/private key pair
[Diagram: OEM Inc. holds a key pair. The private key is the company secret; the public key can be distributed.]
Boot-Time Protection Strategy: Authentication
§ Binary signature
[Diagram: signing. The unsigned VxWorks kernel image is hashed (hash value 10110011). OEM Inc. encrypts the hash with its private key to produce the signature. Anyone holding the public key can decrypt the signature and recover the same hash, 10110011.]
Boot-Time Protection Strategy: Authentication
§ Signed binary
[Diagram: the signature is appended to the unsigned VxWorks kernel image to form the signed VxWorks kernel image. The OEM public key is placed in the boot ROM, giving a boot ROM with key.]
Boot-Time Protection Strategy: Authentication
§ Signed binary loading
[Diagram: loading. The boot ROM with key loads the signed VxWorks kernel image into memory. It decrypts the signature with the public key (yielding 10110011) and independently hashes the image (yielding 10110011). Match? Only if the two values are equal is the image both from OEM Inc. and untampered.]
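The hash, sign and verify steps in the slides above, written out as an added example; this is not code from the deck, from VxWorks, or from Wind River's boot ROM. It uses Go's standard crypto/rsa with SHA-256 and PKCS#1 v1.5 signatures because that scheme maps one-to-one onto the deck's "encrypt the hash with the private key / decrypt the signature with the public key" picture. The key pair, the SignedImage layout, the BootROMLoad function and the kernel image bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is the on-flash layout the deck describes: the unsigned
// kernel image with the OEM's signature appended. (Constructed layout.)
type SignedImage struct {
	Image     []byte
	Signature []byte
}

// GenerateOEMKey stands in for "OEM Inc." creating its key pair. The private
// half stays in the OEM's signing infrastructure; only the public half is
// burned into the boot ROM.
func GenerateOEMKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignImage is the build-side step: hash the image, then sign the hash with
// the private key (the deck's "Encrypt hash with Private").
func SignImage(priv *rsa.PrivateKey, image []byte) (*SignedImage, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedImage{Image: image, Signature: sig}, nil
}

// ErrUntrustedImage is returned when either of the deck's two questions
// ("did it come from OEM Inc.?", "is it untampered?") is answered no.
var ErrUntrustedImage = errors.New("boot ROM: kernel image failed signature check")

// BootROMLoad models the boot ROM that holds the OEM public key. It hashes
// the image it was given, checks the signature against that hash (the deck's
// "Decrypt signature with Public ... Match?") and only then returns a copy
// of the image as the contents that may be placed in memory and executed.
func BootROMLoad(romPub *rsa.PublicKey, si *SignedImage) ([]byte, error) {
	digest := sha256.Sum256(si.Image)
	if err := rsa.VerifyPKCS1v15(romPub, crypto.SHA256, digest[:], si.Signature); err != nil {
		return nil, ErrUntrustedImage
	}
	memory := make([]byte, len(si.Image))
	copy(memory, si.Image)
	return memory, nil
}

func main() {
	priv, err := GenerateOEMKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a VxWorks kernel image.
	image := []byte("vxWorks kernel image (constructed sample)")
	signed, err := SignImage(priv, image)
	if err != nil {
		panic(err)
	}

	// Genuine image: both questions answered yes, so it loads.
	loaded, err := BootROMLoad(&priv.PublicKey, signed)
	fmt.Println("genuine image loads:", err == nil && bytes.Equal(loaded, image))

	// Tampered image: one flipped byte changes the hash, so no match.
	tampered := &SignedImage{Image: append([]byte{}, signed.Image...), Signature: signed.Signature}
	tampered.Image[0] ^= 0xFF
	_, err = BootROMLoad(&priv.PublicKey, tampered)
	fmt.Println("tampered image rejected:", err == ErrUntrustedImage)

	// Image signed by someone other than OEM Inc.: correct hash, wrong key.
	other, _ := GenerateOEMKey()
	foreign, _ := SignImage(other, image)
	_, err = BootROMLoad(&priv.PublicKey, foreign)
	fmt.Println("foreign-signed image rejected:", err == ErrUntrustedImage)
}
```

Two points the picture leaves implicit and that a real boot ROM has to get right: the check covers every byte that will execute (header and all), and it runs on the copy that is actually about to be jumped to, not on a flash copy that could change after verification. The public key, or a hash of it, also has to sit in storage the attacker cannot rewrite, which is why the deck puts it in the boot ROM rather than alongside the image. For a new design, RSA-PSS or an elliptic-curve scheme such as ECDSA or Ed25519 is the usual choice; the verification flow is the same.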
Run-Time Protection Strategy: Kernel Hardening
§ ISR/task stack overrun detection
§ Heap usage tracking and leakage detection
§ Persistent storage of error records
§ Code corruption detection
§ Null pointer usage detection
§ Heap block overrun detection
Run-Time Protection Strategy: User Space
§ User space RTPs (Real-Time Processes) are containers for
  – Code (text and data), stack, heap
  – Tasks owned by this RTP
  – Objects created by this RTP
§ They offer
  – Memory protection for
    • Text
    • Data
    • Stack
  – Kernel isolation
Run-Time Protection Strategy: Networking
§ Source code quality
  ‒ Coverity
  ‒ Unit test
  ‒ Diagnostics
§ Denial of service testing
  ‒ Nessus
  ‒ Satan
§ Protocol validation
  ‒ ANVL
§ Performance testing
§ Interoperability testing
  ‒ VPNC, IPv6 Forum Gold Logo host, router, IPsec
  ‒ OpenSSL FIPS 140-2 run-time module
§ Network robustness and cyber-attack testing
  ‒ Wurldtech Achilles certified
Run-Time Protection Strategy: Networking
Wurldtech conducts a variety of cyber attacks at the Ethernet, TCP/IP and Vnet/IP protocol levels.
Monitoring
§ Active monitoring of key lists for vulnerabilities applicable to supported products
Assessment/Prioritization
§ Assessment and prioritization of vulnerabilities and response with an initial acknowledgement within one day of receipt (for external source)
§ Prioritization at High, Medium, Low, or Not Susceptible
Notification
§ Proactive notifications for VxWorks vulnerabilities that do apply at Online Support (OLS) and external party (if applicable)
§ Regular consolidated alerts for vulnerabilities that do not affect VxWorks at OLS and external party (if applicable)
§ Certain public disclosure restrictions for some vulnerabilities (e.g., CERT)
Remediation
§ Posting and notification of patch; resolution on OLS and external party (if applicable)
Security Response Flow
[Diagram: reports arrive from CERT, from customers, and from external reporters via security-alert@windriver.com, and go to the VxWorks Security Response Team (SRT), made up of each relevant engineering group and customer support. If the issue does not affect VxWorks, a consolidated OLS notification is issued. If it is applicable to VxWorks, a defect is filed, a proactive OLS notification goes out, and a security patch with OLS notification follows.]
Then take a step back to look at the big picture.
Holistic Approach to Security
[Diagram: the product life cycle phases: Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal]
Vulnerability Landscape
[Diagram: the vulnerability landscape across the product life cycle (Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal), framed by Customer Requirements on one side and Wind River Domain Expertise on the other]
Security in the Design Phase
§ Questions to Ask
  – What are your product security requirements?
  – Does your product have flaws that can be exploited?
  – What specifications are applicable to your end customer’s market segment?
  – What coding standards should you implement?
Security in the Production Phase
§ Questions to Ask
  – Has malicious code been injected during your production process?
  – Has your product been tested against known attacks?
  – Can your testing show robustness against unknown attacks?
  – Does your code contain security holes?
Security in the Deployment Phase
§ Questions to Ask
  – Did your code boot into a trusted state?
  – Is a newly loaded application authorized to operate on your system?
  – Is your product protected against reverse engineering?
  – Is the “right thing” loaded on your product?
Security in the Operation and Maintenance Phase
§ Questions to Ask
  – Did your software update operation inject malicious code?
  – Are your network transmissions authentic and protected from unauthorized disclosure?
  – Is the private information in your product safe and secure?
  – Are users authenticated and provided the correct authorization to access your systems?
Security in the Disposal Phase
§ Questions to Ask
  – Is your business-sensitive information properly disposed of?
  – Are your products remaining out of service after their end of life?
  – Are critical security parameters being unenrolled after expiration?
Security Tools Throughout Life Cycle
Security Built into Every Step of the Product Life Cycle
Design: Secure Design Life Cycle Training; Architectural Studies; Industry-Specific Regulations and Certifications
Production: Static Analysis Testing; Custom OS Configurations; Third-Party Integration; Wurldtech Achilles™ Certification
Deployment: Anti-tamper Design/Solution; Secure Boot and Run-Time Application Signing; Address Space Layout Randomization
Operation and Maintenance: Network Robustness/Fuzz Testing; Secure Upgrade Process; Secure Network Connectivity; Built-in Firewall Services
Destruction/Disposal: Zeroization Procedures; Sanitation Procedures; Remote Wipe Capabilities
Comprehensive Approach
Secure Embedded System
Partner Ecosystem
§ Third-party certification partners
§ Endpoint protection services
§ Development process and tools
§ Comprehensive hardware vendor support
Security Expertise and Analysis
§ Regulatory requirements
§ Threat assessments
§ Design services
§ White hat services
Development Process and Tools
§ Mentoring and best practices
§ Testing, test management, code analytics, monitoring, and simulation
Secure Run-Times
§ Hypervisor and security appliance platform
§ Android
§ Security policy virtualization/OS/stack capability
§ Security certification support