Securing the supply chain: A multi-pronged approach

Transcription

1 Securing the supply chain: A multi-pronged approach By Jason Jaskolka and John Villasenor Stanford University University of California, Los Angeles June 1, 2017

2 This presentation addresses two key issues 1. Supply chain security in relation to the integrated circuits ( chips ) that are at the core of every electronics system, including in US critical infrastructure (work done by John Villasenor at UCLA; pre-ciri) 2. Supply chain security in relation to critical infrastructure networks (work done under CIRI by Jason Jaskolka and John Villasenor at Stanford) 2017 CIRI / A Homeland Security Center of Excellence 2

3 Intentionally compromised chips

4 Chips: A gaping cybersecurity exposure Chips are used to make the internet work manage antilock braking in cars position flaps on modern airliners control access to ATMs manage financial transactions - big and small run the stock market run the electricity grid run our communications systems store and access information run key aspects of every critical infrastructure sector 2017 CIRI / A Homeland Security Center of Excellence 4

5 Chips: A gaping cybersecurity exposure The importance of chip supply chain integrity is well recognized, particularly with respect to counterfeits Yet the supply chain is almost completely unprotected against a threat that may turn out to be more significant in the long term: Chips could be intentionally compromised during the design process, before they are even manufactured 2017 CIRI / A Homeland Security Center of Excellence 5

6 A chip-launched cyberattack could... Stop or impede the chip (and possibly the system containing it) from functioning Exfiltrate data while making the chip appear to function normally Corrupt data within the chip Some combination of the above 2017 CIRI / A Homeland Security Center of Excellence 6

7 Creating a chip: A simplified view Specification Design Manufacture Test Ship 2017 CIRI / A Homeland Security Center of Excellence 7

8 Creating a chip: A simplified view Specification Design Manufacture Test Ship Much of the attention to hardware trust issues has been directed here 2017 CIRI / A Homeland Security Center of Excellence 8

9 Creating a chip: A simplified view Specification Design Manufacture Test Ship We also need to be looking here Much of the attention to hardware trust issues has been directed here 2017 CIRI / A Homeland Security Center of Excellence 9

10 Inside a chip: A (very!) simplified view Chips often contain a combination of outsourced and in-house designs 2017 CIRI / A Homeland Security Center of Excellence 10

11 Design practices In the early days of ICs, the design was carried out in-house within a single company using small teams composed of people working towards a common purpose Many of the protocols developed in those days for example that the various parts of a circuit will behave as expected assumed all participants were trusted In those days, that was a reasonable assumption Analogy with internet: early assumptions of trust haven t held true 2017 CIRI / A Homeland Security Center of Excellence 11

12 Why testing for hardware attacks is hard Example: A block that adds 6 ADD CIRI / A Homeland Security Center of Excellence 12

13 Why testing for hardware attacks is hard Example: A block that adds 6 20 ADD CIRI / A Homeland Security Center of Excellence

14 Why testing for hardware attacks is hard Example: A block that adds 6 20 ADD ADD CIRI / A Homeland Security Center of Excellence

15 Why testing for hardware attacks is hard Example: A block that adds 6 20 ADD ADD Test 100,000 more inputs... If the answer is always correct, conclude that the block works 2017 CIRI / A Homeland Security Center of Excellence

16 Why testing for hardware attacks is hard Example: A block that adds 6 But... Suppose there is one particular input leads to another result: 126,321,204 ADD 6 Start attack It s simply not possible to test every possible input Thus, the trigger, in this case consisting of the input 126,321,204, is likely to never be tested before deployment 2017 CIRI / A Homeland Security Center of Excellence

17 Addressing the problem Publication in IEEE Transactions on VLSI Systems 2017 CIRI / A Homeland Security Center of Excellence

18 Addressing the problem Publication in IEEE Transactions on Reliability 2017 CIRI / A Homeland Security Center of Excellence

19 Addressing the problem Publication in IEEE Transactions on VLSI Systems 2017 CIRI / A Homeland Security Center of Excellence

20 Addressing the problem: Example approaches Secure bus system: Analyzes statistical patterns of system bus access by different functional blocks, flags aberrant behavior 2017 CIRI / A Homeland Security Center of Excellence

21 Addressing the problem: Example approaches Memory gatekeeper: Ensures that functional blocks are able to access only authorized portions of memory; Helps to prevent corruption or exfiltration of data; Flags any attempts at unauthorized access 2017 CIRI / A Homeland Security Center of Excellence

22 Addressing the problem: Example approaches Input/output monitor: Analyzes flow of data on and off the chip, compares with expected flows, flags aberrations 2017 CIRI / A Homeland Security Center of Excellence

23 Addressing the problem: Example approaches Warning to other devices: A chip under attack can send a warning to other devices, allowing them to preemptively protect themselves against impending attacks CIRI / A Homeland Security Center of Excellence

24 Policy solutions Brookings Institution Paper 2017 CIRI / A Homeland Security Center of Excellence

25 Securing networks from the supply chain

26 Goal To develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures 2017 CIRI / A Homeland Security Center of Excellence 26

27 Overview Critical infrastructures consist of numerous components and even more interactions, some of which may be: Unfamiliar, unplanned, or unexpected Not visible or not immediately comprehensible Implicit Interactions Can indicate unforeseen design flaws allowing for these interactions Intentional or accidental, malicious or innocuous Constitute linkages of which designers are generally unaware security vulnerability Can be exploited to mount cyber-attacks at a later time 2017 CIRI / A Homeland Security Center of Excellence 27

28 Approach 1. Model critical infrastructure systems using a mathematical framework Communicating Concurrent Kleene Algebra 2. Formulate and identify the existence of implicit interactions Potential for Communication 3. Analyze the severity of identified implicit interactions Measuring and Classifying Severity, Exploitability, and Impact 4. Mitigate the existence of and/or minimize the threat posed by identified implicit interactions Preemptive and Reactive Solutions 2017 CIRI / A Homeland Security Center of Excellence 28

29 Modelling critical infrastructure systems Illustrative example: Maritime port terminal Maritime ports consist of a number of physical components and just as many, if not more, intangible software components distributed throughout the system in order to coordinate and control its overall functionality We can view the system as having the following classes of agents responsible for coordinating and controlling system components in order to safely and securely operate with efficiency and reliability: Aker American Shipping Yard Port Captain Ship Managers Terminal Managers Crane Managers Source: Tmarinucci via Wikimedia Commons Stevedores Carrier Coordinators 2017 CIRI / A Homeland Security Center of Excellence 29

30 Analyzing implicit interactions Illustrative example: Maritime port terminal For illustrative maritime port terminal with 8 agents, 21 basic events, and 25 basic behaviors: 3902 of the 4596 total interactions are implicit interactions Result of the potential for out-of-sequence/unexpected messages from system components Caused by cyber-attack or failure After identifying that implicit interactions exist, we have (or are developing) approaches for: Measuring the severity of identified implicit interactions Measuring the exploitability of identified implicit interactions Studying impact of implicit interactions through simulation 2017 CIRI / A Homeland Security Center of Excellence 30

31 Addressing supply chain challenges Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component in composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities, and altered or interrupted information flows. Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain 2017 CIRI / A Homeland Security Center of Excellence 31

32 Impact and value to homeland security Our approach, backed by rigorous modelling and testing, can provide vital information that can drive decisions on where and how to spend valuable resources in mitigating the potential for such attacks on systems and/or disruption of supply chains Formal foundation upon which mitigation approaches can be developed Basis for developing policies and guidelines for designing and implementing critical infrastructure systems that are resilient to cyber-threats Community engagement can enable contributions to emerging challenges in critical infrastructure cybersecurity 2017 CIRI / A Homeland Security Center of Excellence 32

33 Understanding and addressing network vulnerabilities: Contributions and publications 1. J. Jaskolka and J. Villasenor. Identifying implicit component interactions in distributed cyberphysical systems. In Proceedings of the 50th Hawaii International Conference on System Sciences, HICSS-50, pages , January J. Jaskolka and J. Villasenor. An approach for identifying and analyzing implicit interactions in distributed systems. IEEE Transactions on Reliability, pages 1 18, March J. Jaskolka and J. Villasenor. Securing Cyber-Dependent Maritime Ports and Operations. NMIO Technical Bulletin. (Forthcoming). 4. J. Jaskolka and J. Villasenor. Evaluating the exploitability of implicit interactions in distributed systems. ACM Transactions on Privacy and Security. (Under Review). 5. J. Jaskolka and J. Villasenor. Assessing the impact of implicit interactions through attack scenario simulation. (In Preparation) CIRI / A Homeland Security Center of Excellence 33

34 Thank you Jason Jaskolka John Villasenor

35 Overview Operational Need Significant progress has been made in quality assurance for software and components used to build critical infrastructure systems Much less attention and progress in making the supply chain robust against intentionally compromised hardware and/or software Specifically designed to remain undetected in tests formulated to detect accidental design flaws Often only visible, or known, after a system experiences some kind of compromise or failure Cyber-attacks launched using built-in hardware and/or software vulnerabilities could have a devastating impact 2017 CIRI / A Homeland Security Center of Excellence 35

36 Research Challenge and Goals Research Challenge Develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures Research Goals Enable the critical infrastructure community to much more effectively: 1. Identify and analyze systemic supply chain-related vulnerabilities, such as implicit interactions 2. Preemptively mitigate at least some of those vulnerabilities 3. Quickly and effectively respond to attacks that might exploit the subset of those vulnerabilities that escape advanced mitigation 2017 CIRI / A Homeland Security Center of Excellence 36

37 Identifying Implicit Interactions Illustrative Example: Maritime Port Terminal Each system agent coordinates it actions/behaviors by passing messages to each other or writing to/reading from shared variables The design of the system can be represented as a (sequenced) message passing diagram Provides a set of expected or intended interactions (P "#$%#&%& ) An implicit interaction exists in a system formed by a set A of agents, if and only if for any two agents A, B A with A B: p p A 3 B : q q P "#$%#&%& SubPath(p, q)) where: A 3 B indicates that A can influence the behavior of B and SubPath(p, q) indicates that p is a subpath of q 2017 CIRI / A Homeland Security Center of Excellence 37

38 Addressing Supply Chain Challenges Our approach indirectly addresses cybersecurity challenges faced by critical infrastructure supply chains direct approach is intractable Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component in composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities, and altered or interrupted information flows. Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain 2017 CIRI / A Homeland Security Center of Excellence 38