Secure Internet of Things Project

Transcription

1 Secure Internet of Things Project Philip Levis, Stanford Computer Forum Internet of Things Workshop April 14, 2016 Stanford University 1

2 The Internet of Things (IoT) 2

3 A Security Disaster HP conducted a security analysis of IoT devices 1 80% had privacy concerns 80% had poor passwords 70% lacked encryption 60% had vulnerabilities in UI 60% had insecure updates 1 3

4 Securing the Internet of Things Secure Internet of Things Project 5 year project (just started second year) 12 faculty collaborators 3 universities: Stanford, Berkeley, and Michigan Rethink IoT systems, software, and applications from the ground up Make a secure IoT application as easy as a modern web application 4

5 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles A brief overview of talks today 5

6 The EmNets Vision Information technology (IT) is on the verge of another revolution The use of EmNets [embedded networks] throughout society could well dwarf previous milestones. 1 The motes [EmNet nodes] preview a future pervaded by networks of wireless batterypowered sensors that monitor our environment, our machines, and even us. 2 1 National Research Council. Embedded, Everywhere, MIT Technology Review. 10 Technologies That Will Change the World, iii.2005 Stanford Interview Talk 2 6

7 Two Game-Changers ARM Cortex M series First released 2004 Ultra-low power 32-bit processor 8-96kB of RAM, kB code flash Sleep currents recently dropped <1µA Bluetooth Low Energy First released in 2006 Send a 30 byte packet once per second, last for a year on a coin cell battery Support was weak until Apple incorporated into ibeacon, now all major smartphones include it 7

8 Example Part: nrf51822 Cortex M0+ with integrated 2.4GHz transceiver Supports Bluetooth Low Energy Two models: 32kB/256kB or 16kB/128kB DigiKey cost for 25,000: $1.99 8

9 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles A brief overview of talks today 9

10 IoT Security is Hard Complex, distributed systems differences in resources across tiers Many languages, OSes, and networks Specialized hardware embedded C (ARM, avr, msp430) ZigBee, ZWave, Bluetooth, WiFi Just developing applications is hard Securing them is even harder 3G/4G, TCP/IP Enormous attack surface Reasoning across hardware, software, languages, devices, etc. What are the threats and attack models? Secure Internet of Things Valuable data: personal, location, presence Rush to development + hard avoid, deal later Ruby/Rails, Python/Django, J2EE, PHP, Node.js Obj-C/C++, Java, Swift, Javascript/HTML 23 10

11 This Talk Technology trends: why today? Security: why is it so hard? Research: what we re doing Architectural principles A brief overview of talks today 11

12 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 12

13 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 13

14 14

15 1995: SSL

16 Flexible Crypto Hardware Devices need to be able to support ciphers that are used 20 years from now Add extensible cryptographic accelerator: silicon is cheap and BLE dominates the SoC Designing a 20-year crypto processor Symmetric crypto: S-boxes and vectors, an instruction set Public key crypto: several very different constructions What if quantum computers are real in 20 years? There is often unused micro controller die area 16

17 11:20-11:40, Kevin Kiningham CESEL Symmetric ciphers Vector arithmetic ECC public-key operations MCU Core (Cortex M) S-Boxes Polynomial mult. Post-quantum public key ECC co-processor RNG, atomic counter RNG/CTR Memory bus R-LWE Processor SHA-2, SHA-3 Fast hash function 17

18 11:40-12:00, Ben Lampert Random Numbers Symmetric ciphers Vector arithmetic ECC public-key operations MCU Core (Cortex M) S-Boxes Polynomial mult. Post-quantum public key ECC co-processor RNG, atomic counter RNG/CTR Memory bus R-LWE Processor SHA-2, SHA-3 Fast hash function 18

19 11:00-11:20, Amit Levy Tock: A Secure, Embedded OS Written in Rust, a type-safe systems language Microkernel design Kernel has small trusted base of unsafe code Applications can load safe kernel modules for drivers Applications can be written in any language System call interface requires applications allocate memory for kernel calls Kernel can grant direct register access (CortexM MPU operates at 32 byte granularity) Systems challenges Concurrency models Event-driven memory safety high address App specific Kernel memory low address Memory Mapped I/O Kernel Stack Second App Memory First App Memory Code TRNG App code 19

20 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 20

21 Model Today Transport-layer security (TLS) between devices and cloud services Internet applications: we control one end point Can install new certificates, observe data IoT applications: we are a transit network Can t see or control what happens on either end 21

22 Intrusion Detection How do we build an intrusion detection system for our smart home? Can t see what data our devices are transmitting They could be compromised and we ll never know Enterprises solve this by installing new certificates on endpoints, allow IDS to look inside TLS, filter trojan horses from , etc. We don t control these devices, can t install new certificates 22

23 10:00-10:20, Judson Wilson Keith Winstein TLS - Rotate and Release auditor Transport Layer Security - Rotate and Release A trusted auditor can decrypt all traffic but not forge traffic (hard part!) Four operating modes that together are compatible with all versions of TLS 23

24 Architectural Principles Longevity: these systems will last for up to 20 years and their security must too. Transparency: we must be able to observe what our devices are saying about us. End-to-end: consider security holistically, from data generation to end-user display. 24

25 2:30-2:50, Holly Chiang 2:50-3:10, Joanne Lo 3:10-3:30, Meghan Clark Applications! Applications drive and inform all this research Water conservation in a Stanford dorm Holly Chiang, 2:30-2:50 Wearable, smart technology in everyday objects Joanne Lo, 2:50-3:10 Personal telepresence in the home Meghan Clark, 3:10-3:30 25

26 1:55-2:15, Laurynas Riliskis Ravel Framework Write a distributed model view controller pipeline Models, views, controllers. transforms. and spaces 26

27 1:15-1:35, Rohit Ramesh 1:35-1:55, Luke Hsiao Device Generation Applications involve software and hardware Embedded devices are application specific Hardware/software boundary is difficult Refining a design is easier than writing from scratch Idea: generate a prototype device from software specification, allow a programmer to tweak Two problems How does one compile the embedded device? Compiler must have a library of components to use: where does it come from? 27

28 10:20-10:40, Chang Lan Securing Middleboxes All networks today depend on middleboxes Firewalls, optimizers, NATs, intrusion detection The IoT will be no different Outsourcing this functionality into the cloud has many advantages Simplicity, management, aggregation: network as a service Is it possible to securely outsource this functionality (perform it on encrypted data)? 28

29 Day s Schedule 8:30am - 9:30am 9:30am - 9:40am 9:40am - 10:00am 10:00am - 10:20am 10:20am - 10:40am 10:40am - 11:00am 11:00am - 11:20am 11:20am - 11:40am 11:40am - Noon Noon - 1:15pm 1:15pm - 1:35pm 1:35pm - 1:55pm 1:55pm - 2:15pm welcome and check-in Introductions:The IoT Revolution and Our Research in IoT Secure Internet of Things Project Auditing IoT Communications with TLS-RaR Embark: Securely Outsourcing Middleboxes to the Cloud break Tock, a Secure Embedded Operating System Hardware Support for Long-Term Cryptographic Flexibility A Fast, Cheap, High-Entropy Source for IoT Devices lunch Embedded Device Generation: Turning Software into Hardware Automatically Building a Component Library from Datasheets Programming IoT Applications with Ravel 2:15pm - 2:30pm break 2:30pm - 2:50pm An Energy-Harvesting and Reliable Water Flow Sensor 2:50pm - 3:10pm Incognito Wearables: Seamlessly Incorporating Fashion and Function 3:10pm ; 3:30pm The Haunted House: Virtual Shared Living over a Home-to-Home 3:30pm - 3:45pm Network, break 3:45pm - 4:15pm Innovation in a Post Moore's Law World: Another View of IoT 4:15pm - 6:00pm reception overview networks systems programs applications looking forward 29

30 Why Now? Technology has just reached the tipping point BLE, ibeacon Cortex M series Sensors Harvesting circuits We've been waiting Leaders in prototyping, cryptographic computation, IoT networking, secure systems, analytics, and hardware design What are the threats? Application attackers? But it's still early enough Most big applications haven't been thought of yet Let's not repeat the web (as good as it is for publications) 30

31 Thank you! State Farm SystemX Alliance 31