Towards a Secure Internet of Things. Stanford University Philip Levis (representing many contributors)

Size: px

Start display at page:

Download "Towards a Secure Internet of Things. Stanford University Philip Levis (representing many contributors)"

Francis Stokes
5 years ago
Views:

1 Towards a Secure Internet of Things University Philip Levis (representing many contributors) 1

2 The Internet of Things (IoT) 2

3 A Security Disaster A 2014 HP security analysis of IoT devices 1 found 80% had privacy concerns 80% had poor passwords 70% lacked encryption 60% had vulnerabilities in UI 60% had insecure updates 1 3

4 Securing the Internet of Things Secure Internet of Things Project 5 year project (just started second year) 12 faculty collaborators 3 universities:, Berkeley, and Michigan Rethink IoT systems, software, and applications from the ground up Make a secure IoT application as easy as a modern web application 4

5 Team Philip Levis Embedded Systems Mark Horowitz Hardware Christopher Ré Data Analytics Dan Boneh Cryptography Dawson Engler Software Keith Winstein Networks Peter Bailis Database Systems David Mazières Security Björn Hartmann Berkeley Prototyping Raluca Ada Popa Berkeley Security Prabal Dutta Berkeley/Michigan Embedded Hardware David Culler Berkeley Low Power Systems Steve Eglash Executive Director Philip Levis Faculty Director 5

6 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles Tock: a secure embedded OS TLS-RaR: network auditing Tethys: a sample application 6

The EmNets Vision Information technology (IT) is on the verge of another revolution The use of EmNets [embedded networks] throughout society could well dwarf previous milestones.

7 The EmNets Vision Information technology (IT) is on the verge of another revolution The use of EmNets [embedded networks] throughout society could well dwarf previous milestones. 1 The motes [EmNet nodes] preview a future pervaded by networks of wireless batterypowered sensors that monitor our environment, our machines, and even us. 2 1 National Research Council. Embedded, Everywhere, MIT Technology Review. 10 Technologies That Will Change the World, iii.2005 Interview Talk 2 7

8 Example Part: nrf51822 Cortex M0+ with integrated 2.4GHz transceiver Supports Bluetooth Low Energy Two models: 32kB/256kB or 16kB/128kB DigiKey cost for 25,000: $1.99 8

9 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles Tock: a secure embedded OS TLS-RaR: network auditing Macrobase: sifting through data 9

Internet(s) of Things Industrial Automation Home Area Networks Personal Area Networks Networked Devices

Hundreds/person Uncontrolled Environment Unlicensed spectrum Convenience Consumer requirements

function Tens/person Uncontrolled Environment Unlicensed spectrum Convenience Powered WirelessHART, 802.

10 Internet(s) of Things Industrial Automation Home Area Networks Personal Area Networks Networked Devices Thousands/person Controlled Environment High reliability Control networks Industrial requirements Hundreds/person Uncontrolled Environment Unlicensed spectrum Convenience Consumer requirements Tens/person Personal environment Unlicensed spectrum Instrumentation Fashion vs. function Tens/person Uncontrolled Environment Unlicensed spectrum Convenience Powered WirelessHART, tsch, RPL IEEE/IIC/IETF ZigBee, Z-Wave 6lowpan, RPL IETF/ZigBee/private Bluetooth, BLE 3G/LTE 3GPP/IEEE WiFi/ TCP/IP IEEE/IETF 10

11 IoT: MGC Architecture embedded devices 6lowpan, ZigBee, ZWave, Bluetooth, WiFi, WirelessHART Gateways Cloud 3G/4G, TCP/IP End application 11

IoT Security is Hard Complex, distributed systems 103-10 6 differences in resources across tiers Many languages, OSes, and networks Specialized hardware Just developing applications is hard Securing

12 IoT Security is Hard Complex, distributed systems differences in resources across tiers Many languages, OSes, and networks Specialized hardware Just developing applications is hard Securing them is even harder Enormous attack surface embedded C (ARM, avr, msp430) ZigBee, ZWave, Bluetooth, WiFi 3G/4G, TCP/IP Ruby/Rails, Python/Django, J2EE, PHP, Node.js Obj-C/C++, Java, Swift, Javascript/HTML Secure Internet of Things 23 Reasoning across hardware, software, languages, devices, etc. What are the threats and attack models? Valuable data: personal, location, presence Rush to development + hard avoid, deal later 12

13 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles Tock: a secure embedded OS TLS-RaR: network auditing Tethys: a sample application 13

14 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 14

15 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 15

16 16

17 Tock Operating System Safe, multi-tasking operating system for memoryconstrained devices Core kernel written in Rust, a safe systems language Small amount of trusted code (can do unsafe things) - Rust bindings for memory-mapped I/O - Core scheduler, context switches Core kernel can be extended with capsules Safe, written in Rust Run inside kernel Processes can be written in any language (asm, C) Leverage Cortex-M memory protection unit (MPU) User-level, traps to kernel with system calls 17

18 Tock: Secure Embedded OS grant grant Processes (Any language) heap stack data RAM heap stack data Process Accessible Memory text Flash text Kernel (Rust) SPI I2C UART Console GPIO Timer HAL Scheduler Config Capsules (Untrusted) Core kernel (Trusted) 18

19 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 19

Can install new certificates, observe data IoT applications: we

20 Model Today Transport-layer security (TLS) between devices and cloud services Internet applications: we control one end point Can install new certificates, observe data IoT applications: we are a transit network Can t see or control what happens on either end 20

21 TLS-RaR: Rotate and Release (joint work with Keith Winstein and Dan Boneh) 21

22 Device to Cloud TLS Time Handshake AES-GCM Encrypted Session Begin TCP Connection Enter TLS Session 22

23 Device to Cloud TLS Time Handshake AES-GCM Handshake AES-GCM Begin TCP Connection Enter TLS Session TLS 1.2: Renegotiate or Resume TLS 1.3: KeyUpdate 23

24 Device to Cloud TLS With a Twist Time Handshake AES-GCM Rotate Keys Reconnect, Renegotiate, Resume or KeyUpdate AES-GCM Epoch 0 Epoch 1 24

25 Device to Cloud TLS With a Twist Time Handshake AES-GCM Rotate Keys Reconnect, Renegotiate, Resume or KeyUpdate AES-GCM Epoch 0 Epoch 1 Release Previous Epoch (0) Key 25

26 Nice Properties Can audit IoT data streams Audit box's decryption yields the same stream of data as endpoints' SSL_read() calls, but delayed Audit matches what was received Format of TLS on the wire is not changed Easy to reason about security of the protocol, easy to adopt For some existing servers no change is necessary Really easy to adopt Minimal change to OpenSSL on the device Easy to reason about security of the implementation Easy to adopt 26

27 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 27

28 28

29 Water Use (joint work with Noah Diffenbaugh and Mark Horowitz) 29

30 Network Architecture (joint work with Noah Diffenbaugh and Mark Horowitz) ios gateway cloud embedded BLE/GATT Android gateway HTTP/REST 30 Energy harvester

31 Security/Privacy Shower data has privacy implications Streaming data: shower 5 is being used right now! Data overall has IRB/privacy implications Gateways are untrusted Owned by students, other participants May download data, never forward to cloud Network encrypts all data end-to-end between sensors and cloud Gateways cannot see data Sensors do not clean log until receiving end-to-end acknowledgement from cloud Cloud issues block acknowledgements to gateways 31

32 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles Tock: a secure embedded OS TLS-RaR: network auditing Tethys: a sample application 32

33 Why Now? Technology has just reached the tipping point BLE, ibeacon Cortex M series Sensors, harvesting circuits We've been waiting Leaders in prototyping, cryptographic computation, IoT networking, secure systems, analytics, and hardware design But it's still early enough Most big applications haven't been thought of yet Let's not repeat the web (as good as it is for publications) Very interested in collaborating with industry, to help find and solve hard research problems 33

34 Securing the Internet of Things Secure Internet of Things Project 5 year project (just started second year) 12 faculty collaborators 3 universities:, Berkeley, and Michigan Rethink IoT systems, software, and applications from the ground up Make a secure IoT application as easy as a modern web application 34

35 Thank you! Philip Levis Embedded Systems Mark Horowitz Hardware Christopher Ré Data Analytics Dan Boneh Cryptography Dawson Engler Software Keith Winstein Networks Peter Bailis Database Systems David Mazières Security Björn Hartmann Berkeley Prototyping Raluca Ada Popa Berkeley Security Prabal Dutta Berkeley/Michigan Embedded Hardware David Culler Berkeley Low Power Systems Steve Eglash Executive Director Philip Levis Faculty Director 35

Towards a Secure Internet of Things

Towards a Secure Internet of Things Philip Levis Stanford University Keynote Talk IEEE International Conference on Pervasive Computing and Communication March 20, 2018 1 The Internet of Things (IoT) 2