LUCON. Data Flow Control for Message-Based IoT Systems. Julian Schütte, Gerd Brost. Fraunhofer AISEC, Germany

Transcription

1 LUCON Data Flow Control for Message-Based IoT Systems Julian Schütte, Gerd Brost Fraunhofer AISEC, Germany TrustCom 2018, New York, 1st of August, 2018

2 Outline 1 Message-based IoT Architectures 2 Approach Message Routes as a Control Flow Graph Usage Control as a Taint Analysis Problem Compliance Checking as Reachability Problem The LUCON Policy Language 3 Evaluation & Conclusions 1 11

3 Message-based IoT Architectures

4 A Typical IoT System Data Processing Pre-Processing Services Message Broker Edge Device Message Broker Message Queuing Sensors On-Premise Cloud Storage Sensitive data is collected from sensors Pre-processing at the edge, main processing/aggregation in the backend Communication over messages queues, orchestration by message routers 2 11

5 Usage Control in Distributed Systems Usage Control instead of Access Control Access Control only regulates if data may be used. Usage Control is about how data may be used continuous control of data processing "Flow-sensitive" Usage Control Existing work on information flow control implements specific info flow models e.g. secrecy/integrity in cloud computing (e.g., FlowK, CamFlow) only runtime enforcement of information flows Our Goal Policies over any kind of data flow Runtime enforcement & provenance of data flows Design-time compliance verification of message routes against data flow policies 3 11

6 Usage Control in Distributed Systems Usage Control instead of Access Control Access Control only regulates if data may be used. Usage Control is about how data may be used continuous control of data processing "Flow-sensitive" Usage Control Existing work on information flow control implements specific info flow models e.g. secrecy/integrity in cloud computing (e.g., FlowK, CamFlow) only runtime enforcement of information flows Our Goal Policies over any kind of data flow Runtime enforcement & provenance of data flows Design-time compliance verification of message routes against data flow policies 3 11

7 Usage Control in Distributed Systems Usage Control instead of Access Control Access Control only regulates if data may be used. Usage Control is about how data may be used continuous control of data processing "Flow-sensitive" Usage Control Existing work on information flow control implements specific info flow models e.g. secrecy/integrity in cloud computing (e.g., FlowK, CamFlow) only runtime enforcement of information flows Our Goal Policies over any kind of data flow Runtime enforcement & provenance of data flows Design-time compliance verification of message routes against data flow policies 3 11

8 Approach

9 Approach We treat information flow control as a program analysis problem. Usage Control Message Routes Runtime Enforcement Compliance Checking Program Analysis Control Flow Graph (CFG) Dynamic Taint Analysis Reachability Problem Note: Typical attacker model of dist. usage control is less strict than of program analysis Program analysis: Control flow (the program) is public. Observation of control flows at runtime is trivial (ptrace) Usage Control: Control flow (a message route) is non-public. Typically, attacker can observe only parts of control flow, esp. not termination 4 11

10 Message Routes as a Control Flow Graph <route id = " Sensor_Messaging " > <from uri = " timer: // everysecond? period=1000 " /> <to uri = "ahc://localhost:9292/temp" /> <to uri = "hdfs://a.example.com/store" /> <aggregate outbatchsize = " 10 " /> <to uri = "ahc: /> </ route > LUCON compiles Apache Camel routes into a CFG representation in Prolog. Message m Lm = {raw, temperature} Policy = {publish raw} m Service A (Database) L = L + = Lm = {raw, temperature} P = {persist(hdfs2://...)} Service B (Merges Data) m m L = {raw} L + = {merge(10)} Lm = {temperature, merge(10)} P = Service C (Publisher) L = L + = Lm = {temperature, merge(10)} P = {publish( 5 11

11 Usage Control as Taint Analysis We apply the technique of taint analysis from software analysis to information flows Labels are attached to messages Labels may change whenever a message is processed by a service (transformation functions L and L + ). Rules declare what happens when message with label X enters service Y. Block message Execute an action ( obligation ) 6 11

12 Compliance Checking as Reachability Problem Reminder: We compile Camel message routes into a CFG representation in Prolog We also compile LUCON policies into data flow constraints over the CFG Prolog We can now turn the problem of compliance checking into a reachability problem verify that there is no path through the CFG that violates the constraints of the policy Route Sensor_Messaging i s invalid because s e r v i c e may receive label ( s ) [ raw ]. This i s forbidden by rule dontpublishraw Example flows v i o l a t i n g p o l i c y follow : sensor creates message labeled [ raw ] storage receives message labeled [ raw ] aggregator receives message labeled [ raw ] receives message labeled [ raw, aggregated ] fail!. Compliance violation reported by Prolog 7 11

13 The LUCON Policy Language LUCON is a DSL created in Eclipse XText ( generates IDE w/ syntax highlighter & autocomplete) Declares transformation functions and flow rules Rules are compiled into Prolog Evaluation of rules is a Prolog query Simple example: Do not publish data labeled as raw 8 11

14 Evaluation & Conclusions

15 Implementation & Evaluation Enforcement of data flow rules is sound & complete, assuming that the compilation from Camel to Prolog is, too. LUCON implementation Domain specific language with Eclipse XText Compliance checking & enforcement with tuprolog Performance of tuprolog as an enforcement engine? 9 11

16 Runtime Performance & Memory Consumption 200 Evaluation time (ms) ,000 2,000 3,000 4,000 5,000 Red=No. of labels. Blue=No. of applicable rules Memory consumption (MB) ,000 2,000 3,000 4,000 5,000 Red=No. of labels. Blue=No. of applicable rules 10 11

17 Conclusions LUCON is a policy language that controls data flows in message-based systems Implemented as a Prolog-based interceptor for Apache Camel approx. 20 ms + 20 MB runtime impact for realistic size of policies (uncached) Generalization of classic access control and information flow policies. Prevents any policy violation at runtime Compliance checking: Proofs that your message route will never violate any policy 11 / 11