Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study
Karthik Pattabiraman, Farid Molazem Tabrizi, Maryam Raiyat, Abraham Chan, Ivan Beschastnikh
University of British Columbia (UBC)
Slides: blogs.ubc.ca/karthik/files/2016/10/MSR-2016-presentation.pdf


My Research
• Building fault-tolerant and secure software systems
  • Application-level fault and attack tolerance
  • Software resilience techniques [SC’16][DSN’16][DSN’15][DSN’14A][DSN’14B]
  • Web applications’ reliability [ICSE’16][ICSE’15][ICSE’14A][ICSE’14B]
  • IoT Security [ACSAC’16][EDCC’15][HASE’14]
• This talk
  • IoT Security and Reliability: Smart Meter Case Study

IoT Systems are Everywhere

IoT Security and Reliability

IoT Security and Reliability: Challenges
• IoT devices are resource constrained
  • Low memory and computing capacity
  • Sometimes energy constrained
• Large scale of deployment
  • Worms can spread quickly in the network
  • Need scalable solutions with low false positives
• Autonomous operation
  • Need for human intervention should be minimal or none
  • Must be capable of operating continuously for a long time

IoT Example: Smart Meters
(Figure: a smart home with a thermostat, TV, fridge, light control, lock control, and a smart meter)

Smart Meter
(Figure: energy flows through sensors into the smart meter, which reports over powerline/wireless to the utility server via cellular or Internet)

Global Status of Smart Meters
(Figure: world map with per-region deployment counts: 21,500,000; 312,000; 95,000,000; 120,000; 600,000; 1,275,000)
2009: 76 million   2010: 118 million   2012: 1 billion

Smart Meter Security
• Smart meter attacks
  • No need for physical presence
  • Hard to detect by inspection or testing
  • Attacks can be large-scale
(Figure: analog meter vs. smart meter)
Smart meter security is a concern

Outline
• Motivation and Goals
• Host-based Intrusion Detection System (IDS) for smart meters [EDCC’15 – Distinguished Paper Award][HASE’14]
• Model checking to find design vulnerabilities in smart meters [ACSAC’16]
• Ongoing Work and Conclusions

IDS: Goal
• Goal: Make IoT embedded devices secure
  • Build a host-based intrusion detection system
• Important constraints
  • Small embedded devices => Low memory capacity
  • Large scale => No false positives
  • Low cost => Automated, no special hardware etc.

IDS Challenge: False Positives
(Figure: a central monitoring center connected to many deployed devices)

IDS Challenge: Memory Constraints

{
    a = receive();
    if (a > 0) foo(a);
    else bar(a);
}

void foo(int a) {
    if (a % 2 == 0) even(a);
    else odd(a);
}

void bar(int a) {
    if (a == -1) error1();
    else if (a == -2) error2();
}

(Figure: branch tree of the program above: a>0 | a<=0; under foo: a%2==0 | a%2==1; under bar: a==-1 | a==-2)

IDS: Existing Solutions
(Figure: existing IDS approaches plotted by false positives vs. memory consumption: program analysis techniques [Wagner][Giffin], statistical techniques [Moradi][Warrender], and our goal)

IDS: Threat model
• Adversary: Wants to change the execution of the software (in subtle ways) to avoid detection. Do not consider privacy or confidentiality.
(Figure: normal flow: Read consumption data → Send consumption data to the server. Tampered flow: Read consumption data → Multiply consumption by 0.01 → Write modified data to memory)

IDS: Main Idea
• Quantify security to detect only the most critical attacks, subject to memory constraints

IDS Approach: Overview
(Figure: Software Design Documents (SDD), Code, and a Coverage function are the inputs to our work, which produces Invariants; the IDS monitors the software trace against them)

IDS Approach: Details
Inputs: Software Design Documents (SDD), Code, Coverage function
1- Study Software Design Document
2- Generating abstract invariants
3- Static analysis
4- Generating concrete invariants
5- Select optimized invariants

IDS Approach: Steps 1-2
• Storage/Retrieval integrity
  Receive sensor data → Store on flash memory
  Sensor data must eventually be stored on flash memory:
  □(gettingSensorData ⟹ ◊ storeOnFlash)

IDS Approach: Steps 3-4
Abstract invariants → Concrete invariants (contain system calls)

Abstract invariant:
  □(gettingSensorData(data) ⟹ ◊ storeOnFlash(data))
Concrete invariant:
  □(receive(d) ⟹ ◊ write(d))

Code locations found by static analysis:
  { … data = socket.receive(); … }
  { … write(f, data); … }

System call trace observed at runtime:
  … recv(4, 0x47cf68, 8192, 0) … write(1, 0x47cf68, 4) = 4 …
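The following is an added example (not code from the UBC IDS) of how a concrete invariant such as □(receive(d) ⟹ ◊ write(d)) can be checked against a system-call trace like the one on the slide. It assumes strace-style lines and matches a recv to a later write by the buffer address in the second argument; the trace lines are constructed. A recv that fails (return ≤ 0) opens no obligation, and a failed write discharges none.

```python
"""Check the concrete invariant  []( recv(d) -> <> write(d) )  on a finite syscall trace.

Added example, not code from the talk. Assumes strace-like lines
('recv(4,0x47cf68,8192,0)' ... 'write(1,0x47cf68,4)=4') and pairs a recv with a
later write by buffer address (2nd argument), which is an assumption of this example.
"""
import re
from collections import OrderedDict

# name(args)=retval, with the '=retval' part optional (the slide's recv line has none)
SYSCALL_RE = re.compile(r"^(\w+)\((.*)\)\s*(?:=\s*(-?\d+))?\s*$")


def parse_syscall(line):
    """Return (name, [args], retval or None) for one trace line, or None if unparsable."""
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    name, args, ret = m.groups()
    argv = [a.strip() for a in args.split(",")] if args.strip() else []
    return name, argv, (int(ret) if ret is not None else None)


def check_recv_write(trace):
    """Return [(buffer, recv_line_index)] for buffers received but never written.

    An 'eventually' obligation that is still open when the finite trace ends is
    reported as a violation.
    """
    pending = OrderedDict()  # buffer address -> index of the recv that opened it
    for idx, line in enumerate(trace):
        parsed = parse_syscall(line)
        if parsed is None:
            continue
        name, argv, ret = parsed
        if name in ("recv", "read") and len(argv) >= 2:
            if ret is not None and ret <= 0:
                continue                       # failed/empty receive: nothing to store
            pending[argv[1]] = idx             # obligation opened
        elif name == "write" and len(argv) >= 2:
            if ret is None or ret > 0:
                pending.pop(argv[1], None)     # obligation discharged
    return list(pending.items())


# Constructed traces: the normal path writes the received buffer; the tampered one never does.
NORMAL_TRACE = [
    "socket(2,1,0)=4",
    "recv(4,0x47cf68,8192,0)=4",
    "write(1,0x47cf68,4)=4",
    "close(4)=0",
]
TAMPERED_TRACE = [
    "socket(2,1,0)=4",
    "recv(4,0x47cf68,8192,0)=4",
    "close(4)=0",
]

if __name__ == "__main__":
    print("normal:", check_recv_write(NORMAL_TRACE))
    print("tampered:", check_recv_write(TAMPERED_TRACE))
```

Matching by buffer address is only a stand-in for the static-analysis step that ties the abstract operations to concrete call sites; the talk's IDS monitors the selected invariants as a Büchi automaton over the trace rather than with ad hoc bookkeeping like this.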

IDS Approach: Step 5
5- Select optimized invariants, subject to memory capacity

IDS Approach: Building the IDS
1- Study Software Design Document
2- Generating abstract invariants
3- Static analysis
4- Generating concrete invariants
5- Generating IDS (subject to memory capacity)
Formulate building the IDS as an optimization problem, where we maximize coverage subject to cost constraints

IDS Coverage: MaxMin Coverage
(Figure: bipartite graph of invariants v1 … v6 and security properties p1 … p4; an edge marks that an invariant covers a property)
MaxMin Coverage IDS: Maximize minimum coverage, i.e., distribute coverage among all properties

IDS Coverage: MaxProperty IDS
(Figure: the same invariants/properties graph)
MaxProperty IDS: Maximize security properties that are fully covered

IDS: Building the IDS
• Select the invariants from the graph according to the coverage function
• Automatically convert it to a Büchi automaton
• Monitor the invariants at runtime
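To make the two objectives concrete, here is an added example (not the talk's optimizer) that selects invariants from a small invariant/property graph under a memory budget, once with the MaxMin objective and once with the MaxProperty objective. The graph, the per-invariant memory costs (in KB), the budget, and the coverage definition (fraction of a property's invariants that are selected) are all constructed assumptions; the slides only state the two objectives.

```python
"""MaxMin vs. MaxProperty selection of invariants under a memory budget.

Added example, not the UBC IDS's optimizer. Graph, costs, budget and the coverage
definition are constructed assumptions for illustration.
"""
from itertools import combinations

# Constructed bipartite graph: invariant -> properties it covers, and its memory cost (KB)
INVARIANTS = {
    "v1": {"props": {"p1"},       "cost": 300},
    "v2": {"props": {"p1", "p2"}, "cost": 500},
    "v3": {"props": {"p2"},       "cost": 200},
    "v4": {"props": {"p3"},       "cost": 400},
    "v5": {"props": {"p3", "p4"}, "cost": 600},
    "v6": {"props": {"p4"},       "cost": 250},
}
PROPERTIES = ("p1", "p2", "p3", "p4")


def coverage(selected, invariants=INVARIANTS, properties=PROPERTIES):
    """Per-property coverage: fraction of the invariants covering p that were selected."""
    cov = {}
    for p in properties:
        covering = [v for v, info in invariants.items() if p in info["props"]]
        chosen = [v for v in covering if v in selected]
        cov[p] = len(chosen) / len(covering) if covering else 0.0
    return cov


def maxmin_score(selected):
    """MaxMin objective: the worst-covered property's coverage."""
    return min(coverage(selected).values())


def maxproperty_score(selected):
    """MaxProperty objective: number of properties covered completely."""
    return sum(1 for c in coverage(selected).values() if c == 1.0)


def select(budget, score, invariants=INVARIANTS):
    """Exhaustive search (fine for a handful of invariants): best-scoring subset within
    budget; ties go to the cheaper subset, then to the first one enumerated."""
    names = sorted(invariants)
    best, best_key = frozenset(), None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(invariants[v]["cost"] for v in subset)
            if cost > budget:
                continue
            key = (score(frozenset(subset)), -cost)
            if best_key is None or key > best_key:
                best, best_key = frozenset(subset), key
    return best


if __name__ == "__main__":
    budget = 1200  # constructed budget in KB
    for name, score in (("MaxMin", maxmin_score), ("MaxProperty", maxproperty_score)):
        chosen = select(budget, score)
        print(name, sorted(chosen), coverage(chosen))
```

With this graph and a 1200 KB budget the two objectives pick different invariants: MaxMin chooses {v2, v5} and gives every property 50% coverage, while MaxProperty chooses {v1, v2, v3}, fully covering p1 and p2 and leaving p3 and p4 unmonitored. That is the trade-off the two result slides below measure.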

IDS Evaluation: Testbed
• Testbed: Smart Meter
  • Meter:
    • Arduino board
    • ATMEGA32x series microcontroller
    • Sensors
  • Gateway board
    • Broadcom BCM3302 240 MHz CPU
    • 16 MB RAM
    • 4 MB available for IDS
    • OpenWRT Linux
• IDS runs on the Gateway board

IDS Evaluation: Fault injection
• Flipping branches (surreptitiously)

Original code:
    if (data_file ~= nil) then
        big_string = data_file:read("*all")
        …
    end

Injected fault (branch flipped):
    if (data_file == nil) then
        big_string = data_file:read("*all")
        …
    end

IDS Results (MaxMin IDS: 2 MB memory)
• How good is the coverage of the IDS (left)?
• How well is the graph-based optimization reflected at run-time (right)?
(Figure: result plots)

IDS Results (MaxProperty IDS: 2 MB memory)
• How good is the coverage of the IDS (left)?
• How well is the graph-based optimization reflected at run-time (right)?
(Figure: result plots)


Model Checking: Problem
(Figure: an embedded device running code such as "void foo() {…} int bar() {…}" within its environment, with an attacker performing actions on it)
Enumerate all possible attacks

Model Checking: Challenge
• Formal analysis requires well-defined properties (e.g. TCP/IP)
  • Unclear in IoT devices
• The state space may be very large
  • Require the right level of abstraction
    • High-level enough to avoid state space explosion
    • Low-level enough to be translatable to device code

Model Checking: Our approach
• Key Idea: Each class of embedded devices performs similar operations
  • We can abstract the operations
  • Create an abstract model
• Formalize the model (using Maude)
• Formalize attacker actions
• Define unsafe states
• Run model checking to find attacker actions leading to unsafe states
(Figure: state space with a path of attacker actions reaching an unsafe state)

Model Checking: Formal model

SENSOR-STATES
    mod SENSOR-STATES is
      op getSensorDataList : -> SensorDataList .
      var dataList : SensorDataList .
      vars r n : Nat .
      rl  [r1] : getSensorDataList => sensorDataElement(0,0) .
      crl [r2] : sensorDataElement(r,n) => sensorDataElement(r,n) sensorDataElement(r+1,0) if r < maxSensorNumber .
      crl [r3] : sensorDataElement(r,n) => sensorDataElement(r,n+1) if n < maxSensorData .
    endm

• Defines the operation of receiving data from sensors. SensorDataList is a list of tuples, each called sensorDataElement.
• Defines the necessary variables for defining the operations.
• Rule r1 is the base of the recursion.
• Rules r2 and r3 recursively extend one sensorDataElement, to up to maxSensorNumber elements. Each tuple is: [value, sensor channel number].
(Figure: sensors → gateway board; Data: (s1,v1) (s2,v2), …)

Model Checking: Threat model
• Actions
  • Drop messages
  • Replay messages
  • Reboot meter
• Read/Write access to communication interfaces [McLaughlin et al. 2010]
• Root access to a node in grid network [Mo et al. 2012]

Model Checking: Results
• For each attacker action: query for paths to unsafe states, e.g.,
  • search sensor(N1,M1) sensor(N2,M2) sensor(N3,M3) ⇒ sensor(N1,M1) sensor(N2,M2)
  • Checks if any data may be lost via dropping messages
• Found many attacks: Many map to the same execution path
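The search query above asks whether a drop action can turn three sensor data elements into two, i.e. lose data. The following added example (not the talk's Maude model) re-expresses that idea as a bounded explicit-state search in Python: the sensor rules of SENSOR-STATES are mirrored by a bounded "sense" rule, a constructed message model moves elements from the sensor board over a channel to the gateway, the attacker may drop anything in transit, and the unsafe state is "a generated element exists nowhere any more". Two constructed designs are compared: one where the sensor deletes an element as soon as it is sent, and one where it keeps the element until the gateway has received it.

```python
"""Bounded explicit-state search for attacker actions reaching an unsafe state.

Added example, not the Maude model from the talk. MAX_SENSOR_NUMBER / MAX_SENSOR_DATA
stand in for maxSensorNumber / maxSensorData; the channel, the two designs and the
unsafe-state predicate are constructed for this illustration.
"""
from collections import deque

MAX_SENSOR_NUMBER = 2   # sensor channels 0..1
MAX_SENSOR_DATA = 1     # readings per channel


def successors(state, design):
    """Yield (rule_name, next_state) for the system rules and the attacker's drop action.

    state = (sensor, channel, stored, generated); each component is a frozenset of
    (r, n) elements, as in sensorDataElement(r, n).
    """
    sensor, channel, stored, generated = state
    # r2/r3 analog: the sensor produces a new, bounded reading
    for r in range(MAX_SENSOR_NUMBER):
        for n in range(MAX_SENSOR_DATA):
            e = (r, n)
            if e not in generated:
                yield f"sense{e}", (sensor | {e}, channel, stored, generated | {e})
    # send: the sensor puts an element on the channel (once per element in transit)
    for e in sensor:
        if e not in channel and e not in stored:
            kept = sensor - {e} if design == "delete_on_send" else sensor
            yield f"send{e}", (kept, channel | {e}, stored, generated)
    # recv: the gateway stores the element; the sensor drops its copy (acknowledged)
    for e in channel:
        yield f"recv{e}", (sensor - {e}, channel - {e}, stored | {e}, generated)
    # attacker action from the threat model: drop a message in transit
    for e in channel:
        yield f"drop{e}", (sensor, channel - {e}, stored, generated)


def unsafe(state):
    """Data loss: some generated element is neither at the sensor, in transit, nor stored."""
    sensor, channel, stored, generated = state
    return bool(generated - (sensor | channel | stored))


def search(design, max_depth=8):
    """BFS from the empty state; return the shortest rule path to an unsafe state, or None."""
    empty = frozenset()
    init = (empty, empty, empty, empty)
    seen = {init}
    queue = deque([(init, [])])
    while queue:
        state, path = queue.popleft()
        if unsafe(state):
            return path
        if len(path) >= max_depth:
            continue
        for rule, nxt in successors(state, design):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [rule]))
    return None


if __name__ == "__main__":
    for design in ("delete_on_send", "delete_on_ack"):
        print(design, "->", search(design))
```

For the delete-on-send design the search returns the counterexample sense → send → drop, the same shape as the lost-data query on the slide; for the keep-until-received design it exhausts the (small) state space without finding an unsafe state. Maude's `search` command performs this exploration directly on the rewriting-logic model; the Python version only shows the mechanics.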

38

Model Checking: Attacks example 1
(Figure: meter ↔ routing node ↔ server)
• Root access to a routing node
• Add IPTables rule: drop messages to time server
    iptables -A INPUT -d ADDRESS -j DROP

    function confirm_time_is_OK()
        while time_is_ok == false do
            ...
            time_is_ok = check_time()
            if (time_is_ok == true) then
                set_time()
                break
            end
        end
    end

Gets stuck in the loop

Model Checking: Attack example 2
(Figure: sensor board and communication board exchanging "Request Data": normal behavior)
• Find serial communication configuration (a handful of common configs, a couple of hundred total configs)
• Use USB to 6-pin serial connector from laptop to meter
• Replay data request
• Receive data on the laptop – data deleted from sensor board
• One of the common configs worked in our case

Model Checking: Attack example 3
(Figure: meter, electricity, network)
• Meter operations follow specific timing rules
• Profile timing behavior
• Vulnerable code: open file in write mode
• Vulnerability window
• Program solid state timer to reboot meter at vulnerability window
• Will lose data if reboot

Model Checking: Performance

Attacker action    Time (hrs)   Attacks found
Dropping packets   0.002        12
Replay             0.005        845
System reboot      1.9          6452


Invariants: ARTINALI
• A Real-Time-specific Invariant iNference ALgorIthm
• Mining independent properties
• Finding temporal relationship of independent properties
• Incorporating time properties into data invariants

Invariants: ARTINALI vs. previous work
(Table: which of the dimensions Data, Event, Time each tool's invariants cover)
  Daikon [IEEE’01]
  Dysy [ICSE’08]
  Quarry [ICSE’15]
  Gk-tail [ICSE’08]
  Perfume [ASE’14]
  ARTINALI (D|T Miner)
  ARTINALI (D|E Miner)
  ARTINALI (T|E Miner)

Invariants: Synchronization Tampering Attack
Detection: violation in time-per-event invariant: send(T0+K*15) → send(T0+(K+1)*15)

(Figure: timeline at T0, T0+15, T0+30, T0+45 with send/recv events.
Normal execution: each send carries Get-seg-data=true, Command=all-nodes, Partial=nil and each recv carries Get-seg-data=false, Command=nil, Partial=DATA; all checks pass (√).
Synchronization tampering attack: the same events arrive off the 15-unit schedule, so the time-per-event checks fail (×).)
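As an added example (not ARTINALI's code), the checker below evaluates the time-per-event invariant from the slide, send(T0+K*15) → send(T0+(K+1)*15), together with the per-event data invariants, over constructed event logs. The log format (time, event name, data fields), the zero jitter tolerance, and the sample timelines are assumptions of this example; the 15-unit period and the data values mirror the slide.

```python
"""Time-per-event and data invariants checked over an event log (ARTINALI-style).

Added example, not ARTINALI's code. Log format, tolerance and sample logs are
constructed; the period (15) and the data invariants follow the slide.
"""

PERIOD = 15        # send period from the slide
TOLERANCE = 0      # allowed jitter in time units (assumed)

# Data invariants per event, mirroring the slide's annotations (nil -> None)
DATA_INVARIANTS = {
    "send": {"Get-seg-data": True, "Command": "all-nodes", "Partial": None},
    "recv": {"Get-seg-data": False, "Command": None, "Partial": "DATA"},
}


def check_data_invariants(events):
    """Return (event_index, field) pairs whose value violates the data invariant."""
    violations = []
    for i, (_, name, data) in enumerate(events):
        for field, expected in DATA_INVARIANTS.get(name, {}).items():
            if data.get(field) != expected:
                violations.append((i, field))
    return violations


def check_time_per_event(events, event="send", period=PERIOD, tol=TOLERANCE):
    """Return indices of `event` occurrences not one period after the previous one.

    This is the invariant send(T0+K*15) -> send(T0+(K+1)*15): consecutive sends
    must be spaced by exactly one period (within tol).
    """
    times = [(i, t) for i, (t, name, _) in enumerate(events) if name == event]
    return [i for (_, prev_t), (i, t) in zip(times, times[1:])
            if abs((t - prev_t) - period) > tol]


def detect(events):
    """Combined verdict: which events violate the time invariant and which the data invariants."""
    return {"time": check_time_per_event(events), "data": check_data_invariants(events)}


def _send(t):
    return (t, "send", {"Get-seg-data": True, "Command": "all-nodes", "Partial": None})


def _recv(t):
    return (t, "recv", {"Get-seg-data": False, "Command": None, "Partial": "DATA"})


# Constructed logs: sends every 15 units with a reply 3 units later; in the attacked
# log the last send arrives at T0+38 instead of T0+45.
NORMAL_LOG = [_send(0), _recv(3), _send(15), _recv(18), _send(30), _recv(33), _send(45), _recv(48)]
ATTACK_LOG = [_send(0), _recv(3), _send(15), _recv(18), _send(30), _recv(33), _send(38), _recv(41)]

if __name__ == "__main__":
    print("normal:", detect(NORMAL_LOG))
    print("attack:", detect(ATTACK_LOG))
```

The point the slide makes is visible in the output: in the attacked log every event still satisfies its data invariant, so a data-only checker such as the earlier tools in the comparison table sees nothing, while the time-per-event invariant flags the off-schedule send.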

Diversity: Motivation
• One compromised device will not lead to attacks on other similar devices
(Figure: program variants p1, p2, p3, …, pn)

Diversity: Code Reuse Attacks
(Figure: code injection attack vs. code reuse attack)

Diversity: Functional Correctness vs Security?
(Figure: classes of generated variants: compilable variants; variants that break tests; semantic non-preserving variants that pass tests; semantic preserving variants)

Conclusions
• IoT Security and Reliability are important
  • Challenging due to memory and resource constraints
  • Physical access to the device is possible
• Smart Meters: Important class of IoT device
  • Host-Based IDS to detect intrusions
  • Model checking to find design defects
• Ongoing Work
  • Extracting invariants for runtime monitoring (ARTINALI)
  • Enhancing diversity among deployed variants (NVerD)
