Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security of Embedded Systems

Published byTristan Matson Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security of Embedded Systems"— Presentation transcript:

1 Information Security of Embedded Systems 11. 11
Information Security of Embedded Systems : Foundations of Security Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST

2 Structure Introductory example Embedded systems engineering
definitions and terms design principles Foundations of security threats, attacks, measures construction of safe systems Design of secure systems design challenges safety modelling and assessment cryptographic algorithms Communication of embedded systems remote access sensor networks Algorithms and measures digital signatures key management authentification authorization Formal methods for security protocol verification logics and proof methods Embedded Security © Prof. Dr. H. Schlingloff 2009

3 Security – Basic Terms RAMS: the pillars of trustability (Verlässlichkeit) Reliabiliy (Zuverlässigkeit) mean time between failure, inverse failure rate Availability (Verfügbarkeit) limit of uptime/time Maintainability (Betriebsfähigkeit) probability that an item will be operational within a given period of time Safety (Sicherheit, Ausfallsicherheit) probability of absence of critical failures Security (Schutz, Informationssicherheit) degree of protection against attacks R=mtbf=1/failure rate; A=P(ok)=d/dt uptime/time; M=probability that an item will be operational within a given period of time; S=probability of absence of critical failures S=degree of protection against attacks Embedded Security © Prof. Dr. H. Schlingloff 2009

4 Safety vs. Security Safety (frz. sauf, exception)
protection against unintended accidents/incidents threats from the system’s inside (malfunctioning) “nothing bad ever happens” Security (lat. sine cura, carefree) protection against malevolent (intended) attacks, degree of resistance to harm threats from the outside Boundaries sometimes not clear Intention, purpose, aim, will, wish, faith … Embedded Security © Prof. Dr. H. Schlingloff 2009

5 Threats and Attacks Analysis of threats and possible attacks Hints
model the system with all stakeholders who possesses, who owns which information? know your system interfaces and boundaries in particular, which potential harm it could do assess your enemy’s intentions assume he/she has total control of the system: full access to all sensor information, controlling all actuators Hints Refrain from categories such as “good” and “bad” Remember Murphy’s law “anything which can go wrong, will go wrong” every lock can be broken, every line overheard… Embedded Security © Prof. Dr. H. Schlingloff 2009

6 Main Reasons for Security Problems
Faulty design implementation bugs missing checks of parameters, possibility of avoidance of checks, missing / unimplemented security checks wrong rights in design, e.g. unlimited access Faulty operation (missing awareness, administrative sloppyness, convenience instead of security) passwords pinned to the screen, easy-to-guess passwords, account without password, default settings for devices exceptions in firewall no reactions to known gaps Embedded Security © Prof. Dr. H. Schlingloff 2009

7 What are the Attacks? Accessing confidential information
intellectual damage e.g. monetary transactions, IPR spoiled reputation, lost identity gaining access to other systems Unauthorized control of the system physical property damage causing system malfunctions causing accidents through the system potentially even injury, death Embedded Security © Prof. Dr. H. Schlingloff 2009

8 Who are the Attackers? Hacker, cracker Criminal organizations
“sport”, avoiding license fees Criminal organizations Mass-mailing farms, bots Industrial espionage underbidding, know-how transfer Government agencies infamous “Bundestrojaner” Personal enemies Insiders More than 50% of all known attacks are from insiders! reasons: frustration, monetary, revenge Embedded Security © Prof. Dr. H. Schlingloff 2009

9 What are the Reactions? Owners Suppliers Competitors Government
don’t care complain Suppliers don’t publish security issues; blame the customer Competitors demand and advertise software multi-culture Government criminal laws against trespassers Software-industry better/more virus protection software Science discuss in the open, research security improvements, social engineering Embedded Security © Prof. Dr. H. Schlingloff 2009

10 Example: Internet Thermostat
Control of household heating and cooling Embedded control for automatic adjustment summer/winter, day/night, presence/absence, … Connectivity for remote control e.g. via SMS for noticing imminent arrival Attacks false “coming home” messages waste energy subject the house to extreme heat and cold turn off the system, freezing pipes, dying pets… Philip Koopman, Embedded System Security, Carnegie Mellon University Embedded Security © Prof. Dr. H. Schlingloff 2009

11 Example: Internet Thermostat (2)
Connectivity to utility companies possibility of suggesting or demanding changes in thermostat operation during periods of peak demand radio commands to disable or reduce the duty cycle of air conditioning units during peak loads change all thermostat’s set point a few degrees to ease power requirements during peak loads financial compensation Attacks practical jokes such as “nightly home sauna” increase power demand by modifying set points, inflate utility bills coordinate power consumption among many homes, causing power grid failure, esp. if feature is calculated with Embedded Security © Prof. Dr. H. Schlingloff 2009

12 Example: Internet Thermostat (3)
Power supply wireless thermostat (no wires, no transformer, increased safety) each communication costs battery power attack: drain battery by repeated queries Systems are particularly vulnerable if battery is low low-voltage detection circuit, energy management, … Privacy monitor thermostat setting to detect absence or habits monitor traffic for inbound packets talking to the thermostat to detect absence “Big Brother” monitoring whether temperature is properly set monitor household temperature for taxes, dragnet investigations, … compare meter reading and temperature for suspicious differences Leo: Rasterfahndung = computer-aided search for wanted persons whereby the data of a large number of people are checked against existing data in a database Embedded Security © Prof. Dr. H. Schlingloff 2009

13 Homework: Car Guidance System
Automotive navigational systems are nowadays standard Internet connectivity is imminent Dynamic route calculation and guidance will soon be available broadly (partially, it already exists) What are the threats? Embedded Security © Prof. Dr. H. Schlingloff 2009

Download ppt "Information Security of Embedded Systems"

Similar presentations

Information Security of Embedded Systems 9.1.2010: Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Information Security of Embedded Systems 4.11.2009: Embedded Systems Design Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Embedded Systems Design Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
VSE Corporation Proprietary Information

VSE Corporation Proprietary Information
Home Area Networks …Expect More Mohan Wanchoo Jasmine Systems, Inc.

Home Area Networks …Expect More Mohan Wanchoo Jasmine Systems, Inc.
Information Security of Embedded Systems 6.1.2010: Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
STOP.THINK.CONNECT™ NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION.

STOP.THINK.CONNECT™ NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Information Security of Embedded Systems 2.12.2009: Foundations of Security II Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Foundations of Security II Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Information Security of Embedded Systems 9.1.2010: Public Key Cryptosystems, Communication Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Public Key Cryptosystems, Communication Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
Information Security of Embedded Systems 27.1.2010: remote access, wireless networks Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : remote access, wireless networks Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
Information Security of Embedded Systems 3.2.2010: Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Improving Security. Networking Terms Node –Any device on a network Protocol –Communication standards Host –A node on a network Workstation 1.A PC 2.A.

Improving Security. Networking Terms Node –Any device on a network Protocol –Communication standards Host –A node on a network Workstation 1.A PC 2.A.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Similar presentations

Ads by Google