EECS 388: Embedded Systems
11. Safety and Security
Heechul Yun
Agenda
• Safety and security challenges
• Safety and fault tolerance
• Security basics
Safety
• Many CPS are safety-critical systems
– Can harm people or things
Remote Attack on Jeep (2015)
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• Able to remotely (via cellular network) control steering, brake, and other critical functions via the car’s infotainment system
C. Miller and C. Valasek, “A Survey of Remote Automotive Attack Surfaces”
Remote Attack Surfaces
“…As cars move into the future, they are being more connected with features normally found in desktop computers like apps and even web browsers. The 2014 Jeep Cherokee even has a Wi-Fi hotspot with open ports (when not using encryption)…”
C. Miller and C. Valasek, “A Survey of Remote Automotive Attack Surfaces”
Ukraine Power Grid Attack (2016)
• Attack on the SCADA control network of a power grid in Ukraine, causing a blackout for 80K users.
https://www.antiy.net/p/comprehensive-analysis-report-on-ukraine-power-system-attacks/
Pacemaker Hack (2017, 2018)
https://www.wired.com/story/pacemaker-hack-malware-black-hat/
https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
Internet of Things (IoT)
• IoT ~= Internet connected embedded systems
• “Internet is evil and wants to kill you”
Mirai Bot DDoS Attack (2016)
https://www.nytimes.com/2016/10/22/business/internet-problems-attack.html
The Mirai IoT Botnet
https://www.corero.com/resources/ddos-attack-types/mirai-botnet-ddos-attack
IoT WiFi Attacks (2019)
https://hackaday.com/2019/09/05/esp8266-and-esp32-wifi-hacked/
“… These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash-DOS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks, but we’d really like to see Espressif patch up this hole anyway.”
https://techcrunch.com/2019/11/07/amazon-ring-doorbells-wifi-hackers/
Challenges
• Predictability
• Complexity
• Reliability
• Security
Real-Time Predictability
Michael G. Bechtel and Heechul Yun. “Denial-of-Service Attacks on Shared Cache in Multicore: Analysis and Prevention.” In RTAS, 2019 (Outstanding Paper Award)
[Figure: Core1, Core2, Core3 and Core4 sharing the LLC; labels: victim, attackers]
• Observed worst-case: >300X (times) slowdown
– On simple in-order multicores (Raspberry Pi3, Odroid C2)
Difficult to guarantee predictable timing
Complexity
• Software complexity increases
More bugs, unintended side-effects
Ibe et al., “Scaling Effects on Neutron-Induced Soft Error in SRAMs Down to 22nm Process” (Hitachi)
Reliability
• Transient hardware faults (soft errors)
– Due to environment factors (ex: alpha particle, cosmic radiation)
– Manifested as software failures
– Bigger problem in advanced CPU
• Increased density → higher soft error rate (SER) per chip
http://www.cotsjournalonline.com/articles/view/102279
Hardware can fail
Security
• Insecure software in CPS → safety hazards
• Stuxnet: first reported cyber warfare, targeted at Iranian nuclear plants (destroying centrifuges)
• Vermont power grid hack by Russia
• Remote hack into cars (Jeep)
• Police drone hacking
CPS software can be attacked
How to Improve Safety of CPS?
• Correct by design
– Model based design, verification and validation
• Deal with failures
– Run-time monitoring
– Redundancy
Redundancy
• Triple Modular Redundancy (TMR)
[Figure: Module #1, Module #2 and Module #3 feed a voting stage, which outputs the majority outcome]
Automotive Industry Approaches
• Hardware redundancy is needed
– A well known solution: 2oo3 (2 out of three with voting, a.k.a. TMR)
• But the automotive industry is cost sensitive
– 2oo3 is too expensive (3 redundant ECUs)
• Alternative approach
– 1oo2d: Dual redundancy with diagnostics
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D Approach
• Runtime diagnostics system detects node failures
• Continue to operate while disabling the failed node
• What to do after one node failed?
[Figure: input data goes to ECU #1 and ECU #2; each ECU has a Diagnostics block driving an enable signal on its path to the output data]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D with Reconfiguration
[Figure: normal operation across ECU #1, ECU #2 and ECU #3. Diagnostics, Func1, Func2 and Func3 appear twice (redundant pair); Func4, Func5, Func6 and Func7 appear once]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D with Reconfiguration
[Figure: 1 node failed. Same layout across ECU #1, ECU #2 and ECU #3: Diagnostics, Func1, Func2 and Func3 twice; Func4, Func5, Func6 and Func7 once]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
1oo2D with Reconfiguration
• ECU#3 is not necessarily identical to ECU#1 and #2
• Some (non critical) functions in ECU#3 may be disabled
[Figure: critical functions are migrated to a different node. Across ECU #1, ECU #2 and ECU #3: Diagnostics, Func1, Func2 and Func3 twice; Func4, Func5, Func6 and Func7 once; Func2 and Func1 shown again on the node they migrate to]
Robert Leibinger, “Software Architectures for Advanced Driver Assistance Systems (ADAS)”, OSPERT 2015
Tesla FSD Chip
• Dual redundant architecture (1oo2D)
https://www.youtube.com/watch?time_continue=4988&v=Ucp0TTmvqOE
Simplex Architecture
• Protect an untrusted complex controller with a trusted backup controller
– General architectural principle (*)
– Called Run-Time Assurance (RTA) in Airforce (**)
(*) L. Sha, Using Simplicity to Control Complexity, IEEE Software, 2001
(**) M. Clark et al., A study on run time assurance for complex cyber physical systems, Airforce Research Lab, 2013
[Figure: Safety Controller and Performance Controller both feed the Decision Logic, which drives the Plant]
UAV Simplex Architecture
• Idea: use two hardware/software platforms with distinct performance and reliability characteristics to realize Simplex
[Figure: the High Assurance (HA) platform (Arduino) hosts the safety controller and the decision logic; the High Performance (HP) platform (Tegra TK1) hosts the performance controller on a rich OS (Linux) with middleware (ROS). Sensor labels: GPS, IMU; Radar, Camera. The decision logic drives the UAV plant]
Prasanth Vivekanandan, Gonzalo Garcia, Heechul Yun, Shawn Keshmiri. A Simplex Architecture for Intelligent and Safe Unmanned Aerial Vehicles. IEEE RTCSA, IEEE, 2016. (Best Student Paper Nominee)
Two Platforms
• High Assurance (HA) Platform
– Simple hardware and software for verification and reliability
– Hardware: low frequency and density to reduce SEUs
– Software: certifiable, simple, low SLOC
• High Performance (HP) Platform
– Complex hardware and software for performance
– Hardware: performance oriented multicore, multi-GHz, GPU
– Software: productivity oriented software framework, millions SLOC
Performance Controller
• HW: Nvidia Tegra TK1, 4 x Cortex-A15 @ 2.3GHz, 192 core GPU
• SW: Use Linux (Ubuntu), Robot Operating System (ROS)
ROS node/topic architecture
Safety Controller
• HW: Arduino Due, a single ARM Cortex-M3 @ 80MHz
• SW: Matlab Simulink coder + Arduino sketch, no OS
Safety controller (Simulink model)
Decision Logic
• Assumption
– HA (safety controller, decision logic) is trusted
– HP is not trusted
• Fault detection and recovery
– Detect crash, connection failure, timing violation, invalid outputs (e.g., NaN)
– Recovery: reboot the HP platform
– Limitation: Currently don’t know “unsafe” states
Detectable faults
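One way to write the decision logic described on this slide, as an added example that is not code from the course or the cited paper. The command layout, the 50 ms deadline, the value ranges and the three-command re-engage rule are assumptions; like the slide's version, it cannot tell whether an in-range command is actually safe.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical command sent by the untrusted HP platform each control cycle. */
typedef struct {
    uint32_t rx_time_ms; /* HA-side clock value when the command arrived */
    float    steering;   /* assumed valid range [-1, 1] */
    float    throttle;   /* assumed valid range [0, 1] */
} hp_cmd_t;

typedef enum { FAULT_NONE, FAULT_TIMING, FAULT_INVALID } fault_t;
typedef enum { USE_SAFETY, USE_HP } source_t;

typedef struct {
    source_t active;      /* controller currently driving the actuators */
    unsigned good_streak; /* consecutive valid HP commands since last fault */
    unsigned reboots;     /* HP reboot requests issued so far */
} simplex_t;

#define HP_DEADLINE_MS 50u /* assumed: maximum age of an HP command */
#define REENGAGE_AFTER 3u  /* assumed: valid commands needed to trust HP again */

static bool in_range(float v, float lo, float hi)
{
    /* isfinite() rejects NaN and +/-infinity before the range test. */
    return isfinite(v) && v >= lo && v <= hi;
}

fault_t check_hp(const hp_cmd_t *cmd, uint32_t now_ms)
{
    /* A crashed or disconnected HP stops sending, so its last command ages
       out. Unsigned subtraction stays correct across timer wrap-around. */
    if ((uint32_t)(now_ms - cmd->rx_time_ms) > HP_DEADLINE_MS)
        return FAULT_TIMING;
    if (!in_range(cmd->steering, -1.0f, 1.0f) ||
        !in_range(cmd->throttle, 0.0f, 1.0f))
        return FAULT_INVALID;
    return FAULT_NONE;
}

/* One HA control cycle: pick the controller and count reboot requests. */
source_t simplex_step(simplex_t *s, const hp_cmd_t *cmd, uint32_t now_ms)
{
    if (check_hp(cmd, now_ms) != FAULT_NONE) {
        if (s->active == USE_HP)
            s->reboots++; /* recovery named on the slide: reboot the HP platform */
        s->active = USE_SAFETY;
        s->good_streak = 0;
    } else if (s->active == USE_SAFETY && ++s->good_streak >= REENGAGE_AFTER) {
        s->active = USE_HP;
        s->good_streak = 0;
    }
    return s->active;
}

int main(void)
{
    simplex_t s = { USE_HP, 0, 0 };
    hp_cmd_t bad = { 1000u, NAN, 0.5f }; /* constructed sample: NaN steering */
    return simplex_step(&s, &bad, 1010u) == USE_SAFETY ? 0 : 1;
}
```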
Execution Flow
[Figure: execution flow between the HA platform (Arduino) and the HP platform (Tegra TK1)]
Prototype Avionics #1
• HA: Arduino based custom DAQ
– Basic sensors: IMU, GPS
• HP: Nvidia Tegra TK1
– 4 x ARM cores + 192 GPU cores
12-15 knots wind and 18 knots gust
Prototype Avionics #2
Avionics: Pixhawk (HA) + Odroid XU4 (HP)
Airplane: Skyhunter
Your Project
[Figure: self-driving car built from a Raspberry Pi 4 (Linux) and a HiFive1 rev B microcontroller, with Lidar and camera; intelligent controller (vision-based steering using DNN) and safety controller (basic control + emergency braking)]
Limitations of Simplex
• Assume HA is trusted.
– Both software and hardware of HA must be trusted
– HA is a single point of failure
• Doesn’t deal with physical system faults
– Faults on sensors, actuators
– Damaged fuselage, wings, ..
• Doesn’t deal with security issues
– What if an attacker re-programs the HA controller?
Agenda
• Security attributes
• Threat model
• Encryption
• Digital signature and hashing
• SSL/TLS
Security
• What are the attributes of security?
Security Attributes
• Confidentiality
– Can secret data be leaked?
• Integrity
– Can the system be modified?
• Availability
– Can the system function when needed?
• Authenticity
– Am I interacting with the right person/thing?
System Security
• A system is secure if it is used and accessed as intended under all circumstances
– Unachievable
• A system’s security can be determined only in the context of a clear threat model
Threat Model
• Attacker’s capabilities
– What we assume the attacker can do
• Examples
– Has physical access to the system
– Has remote (network) access to the system
– Can reprogram the software
– Can eavesdrop on the communication
– …
Example: Pacemaker Security Analysis
Halperin et al. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” IEEE S&P, 2008
https://www.secure-medicine.org/hubfs/public/publications/icd-study.pdf
Example: Pacemaker Security Analysis
• Threat model: 3 classes of attackers
– Attacker possessing an ICD programmer.
– Attacker who simply eavesdrops on communications between an ICD and the programmer, using commodity software-defined radio.
– Attacker who eavesdrops as well as generates arbitrary RF traffic to the ICD, possibly spoofing an ICD programmer.
• Demonstrated successful attacks on all cases
Basic Cryptography
• Symmetric (shared key) crypto
– XOR encryption (one-time pad)
– DES (56-bit key)
– AES (up to 256-bit key)
• Asymmetric (public-key) crypto
– RSA
• Digital signature and secure hashing
– SHA-256
XOR
INPUT      OUTPUT
A   B      A XOR B
0   0      0
0   1      1
1   0      1
1   1      0
XOR Encryption
Slide source: Edward A. Lee and Prabal Dutta (UCB)
XOR Encryption
Slide source: Edward A. Lee and Prabal Dutta (UCB)
Example
• Encryption
     01010111 01101001 01101011 01101001   M: message (“Wiki”)
XOR  11110011 11110011 11110011 11110011   K: repeat key (11110011)
-------------------------------------------
=    10100100 10011010 10011000 10011010   C: encrypted message
• Decryption
     10100100 10011010 10011000 10011010   C: encrypted message
XOR  11110011 11110011 11110011 11110011   K: repeat key
-------------------------------------------
=    01010111 01101001 01101011 01101001   M: message (“Wiki”)
https://en.wikipedia.org/wiki/XOR_cipher
XOR Encryption
How?
Slide source: Edward A. Lee and Prabal Dutta (UCB)
Example
• Recovering the key from M and C
     01010111 01101001 01101011 01101001   M: message (“Wiki”)
XOR  10100100 10011010 10011000 10011010   C: encrypted message
-------------------------------------------
=    11110011 11110011 11110011 11110011   K: repeat key (11110011)
• Pros and Cons of XOR Encryption
– Inexpensive
– Insecure when key is used repeatedly and/or part of the message is known
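The slide's “Wiki” computation carried through in C, as an added example that is not from the original slides. It goes one step beyond the slide: the key recovered from a known four-byte header is used to decrypt the rest of a longer message. The function names and the sample message are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XOR with a repeating key. The same call encrypts and decrypts. */
void xor_crypt(const uint8_t *in, uint8_t *out, size_t len,
               const uint8_t *key, size_t key_len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key[i % key_len];
}

/* Known-plaintext analysis: K = M XOR C at every position where the
   plaintext is known. Writes the keystream to ks[] and returns its shortest
   repeating period, i.e. the length of the repeated key. */
size_t recover_key(const uint8_t *known_m, const uint8_t *c, size_t len,
                   uint8_t *ks)
{
    for (size_t i = 0; i < len; i++)
        ks[i] = known_m[i] ^ c[i];
    for (size_t p = 1; p < len; p++) {
        size_t i = p;
        while (i < len && ks[i] == ks[i - p])
            i++;
        if (i == len)
            return p;
    }
    return len;
}

/* Constructed scenario: the message starts with the known header "Wiki".
   Recover the key from the header alone, then decrypt the whole message.
   Returns 1 when the recovered plaintext equals the original. */
int header_attack_succeeds(const uint8_t *key, size_t key_len)
{
    const char *msg = "Wiki: sensor log 42"; /* constructed sample message */
    size_t len = strlen(msg);
    uint8_t c[64], ks[4], out[64];

    xor_crypt((const uint8_t *)msg, c, len, key, key_len);
    size_t klen = recover_key((const uint8_t *)"Wiki", c, 4, ks);
    xor_crypt(c, out, len, ks, klen);
    return memcmp(out, msg, len) == 0;
}

int main(void)
{
    const uint8_t key[] = { 0xF3 }; /* 11110011, as on the slide */
    uint8_t c[4];

    xor_crypt((const uint8_t *)"Wiki", c, 4, key, 1);
    printf("C = %02X %02X %02X %02X\n", c[0], c[1], c[2], c[3]);
    printf("known header: %s\n",
           header_attack_succeeds(key, 1) ? "plaintext recovered" : "not recovered");
    return 0;
}
```

With a key longer than the known header the recovery fails, which is why a one-time pad needs a key as long as the message and never reused.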
Symmetric (Shared Key) Cryptography
• Block cipher uses more elaborate algorithms so that key size and message size don’t need to be the same.
• Data Encryption Standard (DES) – mid 1970s.
• Advanced Encryption Standard (AES) – 2001. Based on a cryptographic scheme called Rijndael, proposed by Joan Daemen and Vincent Rijmen, two researchers from Belgium. AES uses a message block length of 128 bits and three different key lengths of 128, 192, and 256 bits.
Asymmetric (Public Key) Cryptography
• Each participant has two keys, a public and a private one.
• A message is encrypted with the public key.
• The message can only be decrypted with the private key.
• Public and private keys match via clever algorithms.
• Relies on a one-way function, easy to compute, hard to reverse without knowing a (private) key.
Widely Used Asymmetric Cryptography: SSL/TLS
• Secure Socket Layer/Transport Layer Security
– Widely used for web servers on the Internet
– Provides:
• Authentication
• Confidentiality and integrity of communication
HTTPS = HTTP over SSL/TLS
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
[Figure: the browser (client) sends ID/password and “make wire transfer” requests to your bank (server), which returns the account balance, across the Internet where an eavesdropper listens. Message encryption needs a shared secret: a cryptographic key for encryption]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
• Public key cryptography (e.g., RSA)
[Figure: the browser (client) encrypts the secret to be shared with the bank's public key; your bank (server) decrypts it with the bank's private key]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
• However, even with public key cryptography…
[Figure: Malory, the "man in the middle", sits between the browser (client) and your bank (server). The network address is spoofed to redirect the client to a fake website (e.g. DNS cache poisoning: www.bankofamerica.com => Malory's IP address) that presents Malory's public key. The client's message is encrypted with Malory's public key, decrypted with Malory's private key, then encrypted with the bank's public key and forwarded to the bank]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Signing a Message
• Each participant has two keys, a public and a private one.
• A message is encrypted with the private key and both the message and its encryption are sent.
• The encrypted part can be decrypted with the public key. If it matches the plaintext message, the signature is valid.
Intro to SSL/TLS Based on Certificates
A (Digital) Certificate (Proof of Public Key's Authenticity)
• www.bankofamerica.com
• Additional Information: validity period, etc.
• Bank's public key
• Name of certificate authority (CA)
• Digital Signature
– Signed (encrypted)* with issuer (CA)'s private key
– Can only be decrypted (verified) with issuer (CA)'s matching public key!
* Actually the hash of data is encrypted (signed), and the result of decryption is also a hash
Slide source: Hokeun Kim and E. A. Lee (UCB)
Intro to SSL/TLS Based on Certificates
[Figure: the CA issues a certificate for the bank. The browser (client), which has CA certificates embedded, connects to www.bankofamerica.com, receives the bank's certificate issued by the CA and verifies it with the CA's certificate. Malory's (invalid) certificate insisting ownership of the domain can't be verified]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Issues with Using SSL/TLS for IoT
• Overhead for resource-constrained devices
– Energy/computation overhead for public key crypto, communication bandwidth, memory, etc.
• Limited support for one-to-many communication
– Connections are 1-to-1 (server/client model)
[Figure: devices, each holding certificates: thermostat, sensors, HVAC, garage door, vehicle, fridge, microwave, washing machine, Roomba, mobile phone, remote door control]
Slide source: Hokeun Kim and E. A. Lee (UCB)
Issues with Using SSL/TLS for IoT
• Company Validation: “… First, we will verify that the company requesting a certificate is in good standing …”
• Domain Validation: “… can include emails or phone calls to the contact listed in a domain's whois record …”
• Management overhead of certificates
– If you use commercial certificate authorities (CAs)
– Alternative: free & automated CA
• Overhead for managing domains to get certificates
Quotes from www.digicert.com
Slide source: Hokeun Kim and E. A. Lee (UCB)
Is Your Project Secure?
Can’t be answered until you define the threat model.
Threat Model (What Attacker Can Do)
• Have remote access to the same WiFi network?
• Have remote login capability to the Pi 4?
• Have physical access to the hardware?
Design Your Defenses
• Have remote access to the same WiFi network?
• Have remote login capability to the Pi 4?
• Have physical access to the hardware?
Example Defenses
• Have remote access to the same WiFi network?
– Encrypt all communications over WiFi (e.g., ssh)
• Have remote login capability to the Pi 4?
– Don’t give the sudo permission, patch OS, …
• Have physical access to the hardware?
– Secure boot, remote attestation, encrypt serial communication, …
Agenda
• Software security
• Information flow
Memory Safety Vulnerabilities
• Stack overflow
• Heap overflow
• Use after free
• Double free
• Null pointer
• Uninitialized use
• …
Memory Safety Vulnerabilities
• Account for 70% of all Microsoft patches over the past 12 years
Image source: Matt Miller, Microsoft
https://www.youtube.com/watch?v=PjbGojjnBZQ
Stack/Buffer Overflow
• Overflow either the stack or memory buffers
• Failure to check bounds on inputs, arguments
Stack Overflow
Not this
Stack Overflow
Stack Frame Layout
Stack pointer
Stack Overflow
return address
saved frame pointer
sensor_data[15]
…
sensor_data[1]
sensor_data[0]
What would happen when more than 16 bytes are received?
Buffer Overflow
What would happen when more than 16 bytes are received?
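The question above, answered in code: an added example, not the code from the original slides (which did not survive extraction). The stream type, the newline framing and the function names are assumptions. The frame is modeled as one flat 32-byte array so that the out-of-bounds write of the unchecked receiver lands in memory the program owns and its effect can be observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SENSOR_BUF_LEN 16 /* sensor_data[0..15], as on the slide */
#define FRAME_LEN      32 /* buffer + 16 bytes standing in for saved FP and return address */

/* Constructed stand-in for a serial port: a byte stream with a cursor. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;

static int stream_getc(stream_t *s) { return s->pos < s->len ? s->data[s->pos++] : -1; }

/* Vulnerable pattern: the sender decides how many bytes get written. */
size_t recv_unchecked(stream_t *s, uint8_t *buf)
{
    size_t n = 0;
    int c;
    while ((c = stream_getc(s)) >= 0 && c != '\n')
        buf[n++] = (uint8_t)c;
    return n;
}

/* Hardened: never writes past cap, drains the oversized frame so the next
   one starts clean, and reports the error so the caller can drop the frame. */
int recv_bounded(stream_t *s, uint8_t *buf, size_t cap, size_t *out_len)
{
    size_t n = 0;
    int c, truncated = 0;
    while ((c = stream_getc(s)) >= 0 && c != '\n') {
        if (n < cap)
            buf[n++] = (uint8_t)c;
        else
            truncated = 1;
    }
    *out_len = n;
    return truncated ? -1 : 0;
}

/* Returns 1 if the bytes above sensor_data were modified. For the unchecked
   path the input must be at most FRAME_LEN bytes so the demo stays in bounds. */
int control_data_clobbered(int hardened, const uint8_t *input, size_t len)
{
    uint8_t frame[FRAME_LEN]; /* frame[0..15] plays the role of sensor_data */
    stream_t s = { input, len, 0 };
    size_t n;
    memset(frame, 0xAA, sizeof frame);
    if (hardened)
        (void)recv_bounded(&s, frame, SENSOR_BUF_LEN, &n);
    else
        (void)recv_unchecked(&s, frame);
    for (size_t i = SENSOR_BUF_LEN; i < FRAME_LEN; i++)
        if (frame[i] != 0xAA) return 1;
    return 0;
}

int main(void)
{
    uint8_t in[25];
    memset(in, 'A', 24); /* constructed 24-byte frame, 8 bytes too long */
    in[24] = '\n';
    return control_data_clobbered(1, in, sizeof in); /* 0: data above buffer intact */
}
```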
Use after Free
• Freed pointers that are not reset (dangling pointers) can be exploited

#include <stdlib.h>
#include <stdio.h>

struct auth {
    char name[32];
    int priv;
};

int main() {
    struct auth *auth_ptr;
    char *service;

    auth_ptr = malloc(sizeof(struct auth));
    free(auth_ptr);        /* auth_ptr is now dangling */
    service = malloc(36);  /* similar size: the allocator may hand back the same chunk */
    printf("[auth = %p, service = %p]\n",
           (void *)auth_ptr, (void *)service);
    free(service);
    return 0;
}

$ ./use_after_free
[auth = 0x716010, service = 0x716010]
Linux Kernel: Buffer Overflow
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
Linux Kernel: Use-after-free
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
Linux Kernel: Use-after-free
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html
Linus Torvalds: "Nothing better than C"
https://www.youtube.com/watch?v=CYvJPra7Ebk
Recall: C is popular but …
• Why popular?
– Fast, efficient, and portable
– Close to machine (assembly-like control)
– Pointer, minimal type checking
• Problems
– Pointer, minimal type checking
– Require manual control of dynamic memory
– Unsafe (memory leak, undefined behavior, ..)
– Difficult to write correct, safe, secure code
“C is assembly, Rust is future”
Intel and Rust: the Future of Systems Programming: Josh Triplett
Information Flow
• Many security properties concern the FLOW of information between different principals in a system.
– Confidentiality: preventing secret → attacker
– Integrity: preventing attacker → system
• Information flow security is the study of how such flows affect the security and privacy properties of a system.
Example 1: Illegal Information Flow?
Example 2: Illegal Information Flow?
Example 3: Illegal Information Flow?
The fact that you failed to log in leaks some information about your password
Limiting Password Attempts
• To limit information leakage, most of today’s devices disable further attempts after a few failed attempts.
Invasive Attack
What if the attacker is capable of directly reading from the memory?
Secure Storage and Hashing
patient_pwd_hash = read_from_secure_storage(…)
(hash(input_pwd) == patient_pwd_hash)
Invasive Attack
What if the attacker is capable of directly reading from the memory?
Summary
• Security used to be an afterthought (if any)
• In networked embedded systems (a.k.a. IoT) security is a first-class concern
• Embedded systems security is even harder than desktop/server security because of:
– Diversity (no standard OS, hardware, runtime, …)
– Resource constraints (performance, energy, memory space, …)
– The prevalent use of C (insecure language)
• Read chapter 17, take security courses…
Acknowledgements
• Security slides draw heavily on materials developed by
– Edward A. Lee and Prabal Dutta (UCB) for EECS149/249A