Improving Security in Embedded Systems Felix Baum, Product Line Manager

Transcription

1

2 Improving Security in Embedded Systems Felix Baum, Product Line Manager

3 The Challenge with Embedded Security Business Imperatives Security Imperatives I need to keep my production expenses as low as possible. My devices require network connectivity for M2M communication. My products operate in a number of different environments and verticals. How do I provide adequate security with limited resources? How do I protect my devices from Internet-based attacks? How do I meet regulatory requirements specific to my industry? 3

4 PREPA: A House of Pain 2010 FBI Cyber-Intelligence Bulletin Puerto Rico Electric Power Authority (PREPA) Bad Guys Tools Used Attack Vectors Financial Incentive Affected Devices Individuals with only a moderate level of computer knowledge $400 tools and software readily available on the Internet Weak authentication credentials; magnetic interference $300 $3,000/meter for hackers; lower utility bills for customers ~10% of smart meters in Puerto Rico Fiscal Year 2011 Financial Information Assets: $9.9B Revenue: $4.4B Net income: $706M Fitch bond rating: BBB+ 4

5 Start with a Bottom-up Approach 5

6 RTOS Threats: Mitigation Strategies Boot-time threats Trust Authentication Run-time attacks Kernel User space Networking 6

7 Boot-Time Protection Strategy: Trust Enable features offered by best-of-class silicon vendors, per specifications defined by Trusted Computing Group, to provide layered security from the moment power is applied. 7

8 Boot-Time Protection Strategy: Authentication Trusted boot ROM will not help if the OS that it loads has not been signed and authenticated. LOAD Unsigned VxWorks Kernel Image Boot ROM Memory 8

9 Boot-Time Protection Strategy: Authentication Trusted boot ROM will not help if the OS that it loads has not been signed and authenticated. LOAD Unsigned VxWorks Kernel Image Boot ROM Memory 9

10 Boot-Time Protection Strategy: Authentication To authenticate the binary OS image we need to ask two questions. LOAD Did come from? Is untampered? OEM Inc. VxWorks Kernel Image Boot ROM Memory 10

11 Boot-Time Protection Strategy: Authentication Public/private key pair Private Company Secret OEM Inc. Public 11

12 Boot-Time Protection Strategy: Authentication Binary signature OEM Inc. Private Hash Encrypt Private Signature Unsigned VxWorks Kernel Image Signature Decrypt Public

13 Boot-Time Protection Strategy: Authentication Signed binary Signature Public Unsigned VxWorks Kernel Image Boot ROM Signature Signed VxWorks Kernel Image Public Boot ROM with Key 13

14 Boot-Time Protection Strategy: Authentication Signed binary loading Decrypt Signature Public Signature Signed VxWorks Kernel Image LOAD Hash Match? Boot ROM with Key Memory 14

15 Run-Time Protection Strategy: Kernel Hardening ISR/task stack overrun detection Heap usage tracking and leakage detection Persistent storage of error records Code corruption detection Null pointer usage detection Heap block overrun detection 15

16 Run-Time Protection Strategy: User Space User space RTPs are containers for Code (text and data), stack, heap Tasks owned by this RTP Objects created by this RTP They offer Memory protection for Text Data Stack Kernel isolation 16

17 Run-Time Protection Strategy: Networking Network robustness and cyber-attack testing Wurldtech Achilles certified Interoperability testing VPNC, IPv6 Forum Gold Logo host, router, IPsec OpenSSL FIPS run-time module Source code quality Coverity Unit test Diagnostics Denial of service testing Nessus Satan Protocol validation ANVL Performance testing 17

18 Run-Time Protection Strategy: Networking Wurldtech conducts a variety of Ethernet and TCP/IPlevel and Vnet/IP protocol level cyber attacks 18

19 Security Response Flow Monitoring Active monitoring of key lists for vulnerabilities applicable to supported products Assessment/Prioritization Assessment and prioritization of vulnerabilities and response with an initial acknowledgement within one day of receipt (for external source) Prioritization at High, Medium, Low, or Not Susceptible Notification Proactive notifications for VxWorks vulnerabilities that do apply at Online Support (OLS) and external party (if applicable) Regular consolidated alerts for vulnerabilities that do not affect VxWorks at OLS and external party (if applicable) Certain public disclosure restrictions for some vulnerabilities (e.g., cert) Remediation Posting and notification of patch; resolution on OLS and external party (if applicable) Cert Customers VxWorks Security Response Team (SRT) (each relevant engg group, customer support) Does Not Affect VxWorks Consolidated OLS Notification External windriver.com Applicable to VxWorks Proactive OLS Notification Defect Filed Security Patch and OLS Notification 19

20 Then take a step back to look at the big picture. 20

21 DESIGN DESTRUCTION / DISPOSAL Vulnerability Landscape OPERATION AND MAINTENANCE 21 PRODUCTION DEPLOYMENT Wind River Domain Expertise Customer Requirements Holistic Approach to Security

22 Security in the Design Phase Questions to Ask What are your product security requirements? Does your product have flaws that can be exploited? What specifications are applicable to your end customer s market segment? What coding standards should you implement? DESTRUCTION / DISPOSAL OPERATION AND MAINTENANCE DESIGN Vulnerability Landscape PRODUCTION DEPLOYMENT 22

23 Security in the Production Phase Questions to Ask Has malicious code been injected during your production process? Has your product been tested against known attacks? Can your testing show robustness against unknown attacks? Does your code contain security holes? DESTRUCTION / DISPOSAL OPERATION AND MAINTENANCE DESIGN Vulnerability Landscape PRODUCTION DEPLOYMENT 23

24 Security in the Deployment Phase Questions to Ask Did your code boot into a trusted state? Is a newly loaded application authorized to operate on your system? Is your product protected against reverse engineering? Is the right thing loaded on your product? DESTRUCTION / DISPOSAL OPERATION AND MAINTENANCE DESIGN Vulnerability Landscape PRODUCTION DEPLOYMENT 24

25 Security in the Operation and Maintenance Phase Questions to Ask Did your software update operation inject malicious code? Are your network transmissions authentic and protected from unauthorized disclosure? Is the private information in your product safe and secure? Are users authenticated and provided the correct authorization to access your systems? DESTRUCTION / DISPOSAL OPERATION AND MAINTENANCE DESIGN Vulnerability Landscape PRODUCTION DEPLOYMENT 25

26 Security in the Disposal Phase Questions to Ask Is your business-sensitive information properly disposed of? Are your products remaining out of service after their end of life? Are critical security parameters being unenrolled after expiration? DESTRUCTION / DISPOSAL OPERATION AND MAINTENANCE DESIGN Vulnerability Landscape PRODUCTION DEPLOYMENT 26

27 Security Tools Throughout Life Cycle Design Production Deployment Operation and Maintenance Destruction/ Disposal Secure Design Life Cycle Training Architectural Studies Industry-Specific Regulations and Certifications Static Analysis Testing Custom OS Configurations Third-Party Integration Wurldtech Achilles Certification Anti-tamper Design/Solution Secure Boot and Run-Time Application Signing Address Space Layout Randomization Network Robustness/ Fuzz Testing Secure Upgrade Process Secure Network Connectivity Built-in Firewall Services Zeroization Procedures Sanitation Procedures Remote Wipe Capabilities Security Built into Every Step of the Product Life Cycle 27

28 Comprehensive Approach Security Expertise and Analysis Development Process and Tools Regulatory requirements Threat assessments Design services White hat services Partner Ecosystem Secure Embedded System Mentoring and best practices Testing, test management, code analytics, monitoring, and simulation Secure Run-Times Third-party certification partners Endpoint protection services Development process and tools Comprehensive hardware vendor support Hypervisor and security appliance platform Android Security policy virtualization/ OS/stack capability Security certification support 28

29