Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems Farid Molazem, Karthik Pattabiraman University of British Columbia
2 Embedded Systems
3 Attacks spreading
Attacks spreading Need an Intrusion Detection System Intrusion Alarm 4
Existing solutions Statistical Techniques Neural networks [Moradi et. al.] Hidden Markov Models [Warrender et. al.] Support Vector Machines [Wenjie et. al.] Static analysis Call-graph, NDPDA [Wagner et. al.] Dyck [Giffin et. al.] 5
Challenge False positives device device device Center device device device device 6
Challenge Memory { a = receive(); if (a > 0) foo(a); else bar(a); } void foo(int a) { if (a % 2 == 0) even(a); else odd(a); } void bar(int a) { if (a == -1) error1(); else if (a == -2) error2(); } a > 0 a <= 0 a % 2 == 0 a % 2 == 1 a == -1 a == -2 7
Idea Can t fit everything in memory Quantify security Optimize security for the memory we have 8
Overview Coverage function Documents (SDD) Our work Code Monitoring trace IDS 9
What we do Coverage function Coverage function Documents (SDD) Documents (SDD) 1- Study Document Our work 2-Generating abstract Code 3-Static Analysis 4- Generating concrete 5- Select optimized Code 10
Steps 1-2 1- Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Storage/Retrieval integrity Sensor data must eventually be stored on flash memory (getting sensordata ( store on flash)) Receive sensor data Temporal Logic : Something eventually happens : Something always happens : Something happens the next time Store on flash memory 11
Steps 3-4 Coverage function Documents (SDD) 1- Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Code 12 Abstract Concrete (contain system calls)
Steps 3-4 1- Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized { }. data = socket.receive();. { }. write(f, data);. recv(4, 0x47cf68, 8192, 0) write(1, 0x47cf68, 4) = 4 (getting sensordata(data) ( store on flash(data))) 13 (receive(d) ( write(d)))
Step 5 Coverage function Documents (SDD) 1- Study Document 2-Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Code 14
Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Define a coverage function on the graph and maximize it v 1 v 2 v 3 Security Properties p 1 p 2 p 3 v 4 p 4 15 v 5 v 6
Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Define a coverage function on the graph and maximize it Security Properties p 1 p 2 p 3 p 4 v 1 16 v 2 v 3 v 4 v 5 v 6
Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized MaxMin Coverage IDS: Intuition: Make the weakest coverage as strong as possible Security Properties 1/2 2/3 1/2 0/1 p 1 p 2 p 3 p 4 17 v 1 v 2 v 3 v 4 v 5 v 6
Coverage, Example 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized MaxMin Coverage IDS: Intuition: Make the weakest coverage as strong as possible Security Properties 2/2 2/3 1/2 1/1 p 1 p 2 p 3 p 4 18 v 1 v 2 v 3 v 4 v 5 v 6
Building the IDS Select the from the graph Automatically convert it to Buchi Automaton Iterative process, optimize for memory. 19
Building the IDS (a -> F b) && (a -> F s) && (b -> F c) && (e -> F c) && (t -> F (a && X b)) && (v -> F (e && X d)) && (s -> F d) && (s -> F e) && (s -> F w) 20
Building the IDS (a -> F b) && (a -> F s) && (b -> F c) && (e -> F c) && (t -> F (a && X b)) 21
Building the IDS (a -> F b) && (a -> F s) 22
Evaluation SegMeter: Smart meter, an important device used in smart homes Meter: Arduino board ATMEGA 32x series microcontroller Sensors Gateway board Broadcom BCM 3302 240MHz CPU 16 MB RAM 4 MB available for IDS OpenWRT Linux IDS runs on the Gateway board No attack database available => We use fault injection to simulate attacks 23
Fault injection Flipping branches if (data_file ~= nil) then big_string = data_file:read("*all") end if (data_file == nil) then big_string = data_file:read("*all") end 24
Research questions How close is the estimated coverage at design time to the coverage at run-time? Shows whether the theoretical optimization is useful What is the performance overhead Shows whether it is practical to implement and use 25
Results (MaxMin IDS) How good is the coverage of the IDS? How good the graph-based optimization is reflected at run-time? detection(%)= number of detected attacks/total umber of injected attac 26
27 Performance overhead
Discussions Quantifiable coverage provides flexibility How to pick a coverage function? Having a complete software engineering life cycle can help producing automated security solutions 28
Conclusions Traditional solutions don t work We can quantify security We can use different security measurement functions Coverage function Documents (SDD) 1- Study Document 2- Generating abstract 3-Static Analysis 4- Generating concrete 5- Select optimized Code 29 faridm@ece.ubc.ca
Coverage, Example 2 MaxProperty IDS: Maxmize security properties that are fully covered v 1 v 2 v 3 v 4 v 5 v 6 Security Properties p 1 p 2 p 3 p 4 30
Results (MaxProperty IDS) How good is the coverage of the IDS? How good the graph-based optimization is reflected at run-time? 31