Secure Software Updates via Integrity Protection
Marcellus Buchheit, President and CEO
[email protected]
IoT Show North America, Chicago IL, April 16, 2015
Wibu-Systems USA presentation for IoT Show North America - Chicago IL - April 16, 2015 Page 2/35

Agenda
Security Challenge: Internet Connection
Security Challenge: Open System Architecture
Some Cryptographic Basics
Solution: Code Integrity
Technical Implementation Details
Summary

Security Challenge: Internet Connection

Embedded Systems: Situation Today
┐ Most embedded systems are still “stand alone”
┐ Most used interfaces (if any): USB and LAN Ethernet
    Comparable with desktop PCs before Netscape
    Comparable with cell phones before iPhone
┐ Some remote access using land line phone and/or radio wireless
This will all change with Internet Of Things

Security Challenge “Internet Connection”
┐ Embedded system can be directly accessed/attacked via internet
    Principle protection: Firewalls etc.
┐ Execution code updates can be polluted
    Redirected code source: Hacker’s malicious code looks like new code update
    Execution code modified during download process
    Firewalls can protect but are difficult to manage by operation people
┐ Weakness in code can be used to infiltrate malicious code
    Example: Weak internet access parameter validation
    Buffer Overruns

Security Challenge: Open System Architecture

Embedded Systems Today: Many are “closed”
┐ Many systems have simple software logic
    All the software is in-house developed
    Closed architecture, information outside of manufacturer difficult to get
        • Seems as black box for users, administrators and hackers
        • A successful hack typically needs a physical access to the system
        • Reverse-engineering of architecture required before hack is possible
┐ But such simple systems will disappear sooner or later
    IoT requires complex interaction with a complex outside world

Embedded Systems Tomorrow: Most will be “open”
┐ Prediction: Embedded systems will go the way of PCs and cell phones
┐ Reason: Much more complex software than today:
    Graphical user interface
    Complex memory management
    Multithreading and multiprocessing
    Remote access for administration
    Access to complex control devices and/or sensors
    Internet access
    Complex internet protocols: HTTPS, SOAP, JSON etc.

Embedded Systems Tomorrow: Most will be “open” (II)
┐ Result: Not even large companies will develop everything “in-house”
┐ More components will be used (similar to PCs and smart phone):
    An open operating system for a specific purpose
        • Linux, Windows Industry, VxWorks, QNX, RIO and many highly-specialized still coming
    Open source libraries, static-link libraries, dynamic-link libraries, applets, applications, device drivers
    Access to cloud/big-data: Code will be provided from service provider
┐ All these components need standardized interfaces on a standardized platform
Summary: Only open/standardized systems can fulfill the future demands

Security Challenge “Open Systems”
┐ Hacker has same information available as developer
┐ Hacker can use powerful development/analysis tools
    Debugger, Disassembler, Source-Reverser etc.
┐ Hacker knows execution code binary structure
    Direct modification on the executable file: Static attack
┐ Hacker knows memory and process architecture
    Inserting of malicious code into the process space: Dynamic attack

Some “Real Life” Hacks…

Credit Card Hack: Attack an ATM machine
┐ ATM with Windows XP
┐ Drill hole in case, attach USB stick
┐ Reboot ATM (by power off/power on)
┐ Boot from USB stick, install malware
┐ Remove USB stick, reboot ATM
┐ Malware activated by secret keypad input
    Two-key authentication via cell phone guaranteed controlled access
┐ Special keypad input instantly withdraws bills without trace
http://www.securityweek.com/skillful-hackers-drained-atms-using-malware-laden-usb-drives

Target Credit Card Hack: Attack the POS systems
┐ Between Thanksgiving and Christmas 2013
    Busiest retail shopping time of the year
┐ Remote access through internet at POS to install malware
    Used weak access security of Target partner company
┐ Malware at POS tracked all swiped credit card information
    Uploaded to Target server at hidden location
    Downloaded by hackers overnight at slow speed
    Target’s problem: FireFly server security software was disabled
┐ Result: 40 million credit cards and 70 million addresses/personal information stolen
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Stuxnet: Attack Programmable Logic Controllers (PLC)
┐ Windows computer worm
┐ Attacked Siemens Step 7 software to program PLCs
    Modified files created by interactive software before they are copied to USB drive
    Modified PLC control software on USB drive was uploaded into Siemens PLC
┐ Was only effective in Iran at PLCs to control centrifuges to enrich nuclear material
┐ Result: destroyed about 20% of the centrifuges
https://en.wikipedia.org/wiki/Stuxnet and the book by Kim Zetter: “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”

Some Cryptographic Basics
Symmetric Encryption/Decryption
Asymmetric Encryption/Decryption
Hash Function
Signature and Authentication
Certificate

Symmetric Encryption / Decryption
┐ Shared secret key
    Same key for encryption and decryption
┐ Faster than asymmetric cryptography
┐ Examples: DES, Triple DES, Blowfish, AES
┐ Challenges:
    Key exchange: needs secret path
    Key storage: vulnerable for hacks
    Authentication not possible

Asymmetric Cryptography
┐ Private/public key pair
    Private Key
    Public Key
┐ Examples: RSA, elliptic curve
┐ Asymmetric encryption
    Sender uses receiver’s public key for encryption
    Receiver uses his private key for decryption
┐ Signatures
    Sender uses private key to sign plain text data
    Receiver uses sender’s public key to verify the plain text data signature

Hash Functions and Signatures
┐ Hash generates fingerprint of data
┐ Large amount of data reduced to small fingerprints
    Example: SHA-256 with 32 bytes
    Difference to checksum, CRC-32 etc: no reverse-calculation possible
┐ Often used in combination with signatures
    Create hash value
    Authenticate hash value (sign) with private key
    Verify hash value with public key

Certificates
┐ A certificate is a standardized public key (X.509 format)
┐ Challenge:
    Public key must be authentic (not forged)
┐ Solution:
    Trusted party: Certificate Authority (CA)
    CA signs public key plus credential data
        • Optional use of certificate chain
    Public key of CA (root key) is used to verify certificate
    After verification: Public key of certificate can be used
    Credentials can be used after verified by public key of certificate

Solution: Code Integrity

Code Integrity: The Principle
[Diagram. Labels on the Development side: Application x, Encrypt Code, License Key, Private Key, Code Signature. Labels on the Embedded System side: Application x (encrypted), Public Key, Certificate, License Key, Decrypt Code, Code Signature, Verify Code, Grant Code Execution (yes/no).]

Code Integrity: The Results
┐ Execution Code is authenticated:
    Can only be created by developer, no other source possible
    Cannot be modified during delivery or on embedded system
┐ Execution Code is encrypted:
    Cannot be easily reverse engineered by hacker, competitor etc.

Code Integrity: New Challenges
┐ Who verifies the Verifier?
    Hacker could remove the Code Verifier and force Code Execution Grant
    Hacker can then start his own malicious code
[Diagram. Labels: Embedded System, Application x (encrypted), Certificate, Decrypt Code, License Key, Code Signature, Verify Code, Grant Code Execution (yes/no).]
┐ Solution: Code Verifier in the loader must be verified as well
┐ Finally the whole boot process including OS must be verified

Technical Implementation Details

ExProtector: Automatic Protection Process
[Diagram. Labels: Original Executable / Library (Header, Original Code); ExProtector (Keys for Encryption, Keys for Code Signing); Protected Executable / Library (Header, Encrypted Code, Credentials (Hash, Signature, …)).]
Typically no source modification necessary

ExProtector: Keys and Credentials
[Diagram. Labels: Original Executable / Library (Header, Original Code); ExProtector (Keys for Encryption, Keys for Code Signing); Protected Executable / Library (Header, Encrypted Code, Credentials (Hash, Signature, …)). Additional labels, in the order extracted: AES Key (FSB); ECC Private Key; Certificate(s); Encrypted Random AES Key; Firm Code and Product Code; Hash; Signature; Certificate(s).]

ExProtector: During Runtime - Load of Executable
[Diagram. Labels: Protected Executable / Library (Header, Credentials (Hash, Signature, …), Encrypted Code); ExEngine (Public Root Key, License with Firm Code and Product Code); Memory of Embedded Device (Header, Decrypted Code (“Original Code”), Credentials (Hash, Signature, …)).]
Additional Security: Watchdog against Memory modification

ExProtector: Integration into Loader
[Diagram. Labels: Operating System (for ExProtector); ExEngine (ExProtector Runtime); CodeMeter Embedded Driver; Operating System (without modification); Engineering; Original Loader; Root Public Key; Modified Loader.]

Forward and Backward Check
[Diagram. Labels: Loader with Credentials (Hash, Signature, …) and Loader Certificate; Protected Application with Credentials (Hash, Signature, …) and Application Certificate; steps along the Time axis: Load, Check, Check, Start.]

Secure Boot: Cascaded Security Chain
[Diagram. Layers from top to bottom: Application / Driver etc.; Operating System (VxWorks, …); Boot Loader (UEFI, …); Hardware / Pre-Boot Loader. Between each pair of adjacent layers: Check, Load, Start.]
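
The hash-then-sign check from the "Hash Functions and Signatures" slide and the check/load/start cascade of this slide, as an added example that is not code from the presentation or from CodeMeter. The toy RSA key, the stage names and the sample images are constructed assumptions chosen so that it runs with the Python standard library only.

```python
import hashlib

# Constructed toy RSA key (assumption for this example only): two Mersenne
# primes keep it standard-library-only. Unpadded RSA with such primes is NOT
# secure; a real loader would use ECDSA or RSA-PSS from a vetted library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # with E: the root public key pinned on the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays with the developer


def digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(image: bytes) -> dict:
    """Development side: build the credentials (hash, signature) for one image."""
    h = digest(image)
    return {"hash": h, "signature": pow(h, D, N)}


def check(image: bytes, creds: dict) -> bool:
    """Device side: recompute the hash, then verify the signature with the public key."""
    h = digest(image)
    return h == creds["hash"] and pow(creds["signature"], E, N) == h


def boot(stages: list) -> list:
    """Check each stage before it is loaded and started; stop at the first failure."""
    started = []
    for name, image, creds in stages:
        if not check(image, creds):
            break                      # nothing above an unverified stage runs
        started.append(name)
    return started


def build_chain() -> list:
    # Constructed sample images standing in for real binaries.
    images = [("boot loader", b"BOOT v1"), ("operating system", b"OS v1"),
              ("application", b"APP v1")]
    return [(name, img, sign(img)) for name, img in images]


def tamper(stages: list, index: int, new_image: bytes) -> list:
    """Replace one image but keep its old credentials, as a modified update would."""
    name, _, creds = stages[index]
    return stages[:index] + [(name, new_image, creds)] + stages[index + 1:]
```

Replacing the stored hash as well does not help a modified image, because the signature still covers the original hash and cannot be recreated without the private key.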

Practical Implementation
┐ Integrity Protection provided by CodeMeter Embedded
┐ Available today for:
    WindRiver VxWorks version 7
    Some Linux variants
        • Demonstration for Raspberry Pi available (https://www.raspberrypi.org)
    Adaptation to other embedded systems platforms available in future
        • Ask for demand/availability
    Security credentials can be stored as files or in external security hardware
        • CodeMeter CmDongle security storage

Summary

Summary: Code Integrity
┐ Embedded Systems in the internet (“Internet of Things”) is a serious security threat
┐ Using open platform designs will simplify malicious attacks
    Hacker has easily detailed information available
┐ Market will force Internet of Things and Open Platform designs
┐ Code Integrity guarantees authenticated, encrypted code
┐ Code Encryption prevents reverse engineering of code

More Information
Company
┐ Wibu-Systems USA Inc. www.wibuusa.com
┐ US subsidiary of Wibu-Systems AG in Germany www.wibu.com
Speaker
┐ Marcellus Buchheit, President and CEO
┐ [email protected]
┐ www.linkedin.com/in/mabuus