Trusted Computing Technologies for Embedded Systems and Sensor Networks Adrian Perrig Carnegie Mellon University.

Slides:



Advertisements
Similar presentations
Chris Karlof and David Wagner
Advertisements

Message Integrity in Wireless Senor Networks CSCI 5235 Instructor: Dr. T. Andrew Yang Presented by: Steven Turner Abstract.
Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.
BIND: A F INE - GRAINED ATTESTATION S ERVICE FOR S ECURE D ISTRIBUTED S YSTEMS Presented by: Maryam Alipour-Aghdam University of Guelph.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
A Survey of Secure Wireless Ad Hoc Routing
Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment.
Software Certification and Attestation Rajat Moona Director General, C-DAC.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Raphael Frank 20 October 2007 Authentication & Intrusion Prevention for Multi-Link Wireless Networks.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
Software-based Code Attestation for Wireless Sensors.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
VIPER: Verifying the Integrity of PERipherals’ Firmware Yanlin Li, Jonathan M. McCune, and Adrian Perrig Carnegie Mellon University.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
INSENS: Intrusion-Tolerant Routing For Wireless Sensor Networks By: Jing Deng, Richard Han, Shivakant Mishra Presented by: Daryl Lonnon.
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Security Risks for Ad Hoc Networks and how they can be alleviated By: Jones Olaiya Ogunduyilemi Supervisor: Jens Christian Godskesen © Dec
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
Towards Application Security On Untrusted OS
1 Pioneer: Dynamic Root of Trust for Measurement and Verifiable Executable Invocation Arvind Seshadri, Mark Luk, Elaine Shi, Adrian Perrig (CMU), Leendert.
The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song, Adrian Perrig Presenter: Yi Xian.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Seeing-Is-Believing: using camera phones for human-verifiable authentication Jonathan M. McCune, Adrian Perrig and Michael K. Reiter Int. J. Security and.
On-Chip Control Flow Integrity Check for Real Time Embedded Systems Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Bootstrapping Trust in Commodity Computers Bryan Parno, Jonathan McCune, Adrian Perrig 1 Carnegie Mellon University.
Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, Department of Computer.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.
On the Difficulty of Software-Based Attestation of Embedded Devices Claude Castelluccia Aurélien Francillon Daniele Perito INRIA Rhône-Alpes
10. Key Management. Contents Key Management  Public-key distribution  Secret-key distribution via public-key cryptography.
Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures Chris Karlof and David Wagner (modified by Sarjana Singh)
Digital Signatures, Message Digest and Authentication Week-9.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Security Architecture and Design Chapter 4 Part 1 Pages 297 to 319.
Focus On Bluetooth Security Presented by Kanij Fatema Sharme.
Wireless and Mobile Security
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
1 An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Networks Sencun Zhu, Sanjeev Setia, Sushil Jajodia, Peng.
1 Routing security against Threat models CSCI 5931 Wireless & Sensor Networks CSCI 5931 Wireless & Sensor Networks Darshan Chipade.
Pioneer (and a few digressions) CMU CyLab Your Humble Presenter: Anthony Cozzie.
International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.
Security Review Q&A Session May 1. Outline  Class 1 Security Overview  Class 2 Security Introduction  Class 3 Advanced Security Constructions  Class.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
Software Security Seminar - 1 Chapter 2. Protocol Building Blocks 발표자 : 최두호 Applied Cryptography.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
chownIoT Secure Handling of Smart Home IoT Devices Ownership Change
Hardware-rooted Trust for Secure Key Management & Transient Trust
SPINS: Security Protocols for Sensor Networks
AEGIS: Secure Processor for Certified Execution
Path key establishment using multiple secured paths in wireless sensor networks CoNEXT’05 Guanfeng Li  University of Pittsburgh, Pittsburgh, PA Hui Ling.
SPINS: Security Protocols for Sensor Networks
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Kriti shreshtha.
Shielding applications from an untrusted cloud with Haven
Outline A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001 Sensor.
Presentation transcript:

Trusted Computing Technologies for Embedded Systems and Sensor Networks Adrian Perrig Carnegie Mellon University

Motivation  Embedded processors closely integrated into the fabric of everyday life Anything with a powerplug is likely to already be equipped with an embedded processor Additional battery-operated embedded devices are emerging (e.g., thermometers)  Embedded processors enable new features Unfortunately, features increase complexity  Steady increase in complexity results in bugs, which require software updates to fix  Trend: embedded systems become networked Network access enables many features Scary: Embedded systems with network access and code update features

Example: Vehicular Embedded Networks  Technology trends Steady increase in number and complexity of processing units GPS, in-car entertainment, safety systems Car communication systems DSRC, cellular technologies, BlueTooth, USB  Security challenges: Vehicular malware!

Challenges  Ensure integrity of code executing on embedded device Ensure result obtained was created by correct code  Secure code updates  Recovery after attack Re-establish code integrity Re-establish secret and authentic keys

How can we trust our devices?  How do we securely use (potentially) compromised devices or devices we don’t trust? Cell phone, PDA, or car computer

Attacker Model  Attacker controls software on embedded system Complete control over OS, memory Injection of malicious code  No hardware modifications, verifier knows HW spec Hardware attacks are much harder to perform, requires physical presence Very challenging to defend against  In this talk, assume verifier controls network, such that verified device cannot contact external helpers

Approaches to Ensure Code Integrity  Hardware-based Fixed ROM-based code Cannot support code updates TCG Requires extra hardware, potentially high unit cost  Software-based Software-based attestation Need to guard against proxy attack

Software-based Attestation Overview  External, trusted verifier knows expected memory content of device  Verifier sends challenge to untrusted device Assumption: attacker has full control over device’s memory before check  Device returns memory checksum, assures verifier of memory correctness Checksum function External Verifier Embedded device Challenge Checksum of memory Device memory Expected device memory contents

ICE: Indisputable Code Execution  Add chksum function execution state to checksum Include program counter (PC) and data pointer  In memory copy attack, one or both will differ from original value  Attempts to forge PC and/or data pointer increases attacker’s execution time Code Unused memory Checksum Code Malicious Code PC

ICE Assembler Code Generate random number using T-Function mov r15, &0x130 mov r15, &0x138 bis #0x5, &0x13A add &0x13A, r15 Load byte from memory add r0, r6 r6 Incorporate byte into checksum add r14, r6 xor r5, r6 add r15, r6 xor r13, r6 add r4, r6 rla r4 adc r4 T-Func Address Generation Memory Read Compute Checksum Seed from verifier

ICE Protocol Wireless link t 1 : nonce, input t 2 : cksum Node Base station output Successful verification if: t 2 – t 1 < expected time and cksum == exp. cksum Verf. Func. Target Code nonce cksum input output

Target Code  Implemented as self-checksumming code Computes checksum over its own instructions  Set up untampered execution environment CPU state for atomic execution E.g., turn off interrupts  Compute checksum Using memory contents and CPU state  Checksum verifies integrity and correct set-up of execution environment ICE Verification Function Verification Function

ICE Properties  Given target code T, verifier obtains property that sensor node S correctly executes T, untampered by any other (malicious) code potentially present on S  By incorporating node ID into checksum computation, we can authenticate response

Key Establishment  How to establish a shared secret? Attacker may know entire memory contents of a newly shipped node After a node has been compromised, attacker may have altered authentic public keys or knows secret keys Without authentication Diffie-Hellman protocol is vulnerable to man-in-the-middle attack: A  B: g a mod p B  A: g b mod p

Problem Formulation  Given nodes in a sensor network, how can any pair of nodes establish a shared secret without any prior authentic or secret information?  In theory, this is impossible … because of active MitM attack  Assumptions Attacker cannot compute faster than sensor node Each node has a unique, public, unchangeable identity stored at a fixed memory address Secure source of random numbers

ICE Key Establishment  Intuition: leverage ICE to compute checksum faster than any other node, and use that checksum as a short-lived shared secret  Challenge: how to use short-lived shared secret to bootstrap long-lived secret? Authenticate Diffie-Hellman public key

First Attempt Pick random aPick random b Compute g a mod pCompute g b mod p t 0 : g a mod p g a mod p = challenge Compute cksum c t 1 : g b mod p, MAC(c, g b mod p) AB

Second Attempt Pick random a Compute g a mod p t 0 : g a mod p g a mod p = challenge Compute cksum c Pick random b Compute g b mod p t 1 : g b mod p, MAC(c, g b mod p) AB

Guy Fawkes Goal: A and B can authenticate each other’s messages Pick random v 2 Pick random w2 v 1 = H(v 2 ), v 0 = H(v 1 )w 1 =H(w 2 ), w 0 =H(w 1 ) one-way chain: v 0  v 1  v 2 w 0  w 1  w 2 Assume: A knows authentic w 0 B knows authentic v 0 v 1, M a, MAC( v 2, M a ) w 1, M b, MAC( w 2, M b ) v2v2 w2w2 AB

ICE Key Establishment Pick random a, g a = g a mod p Compute g’ a = H(g a ), g’’ a = H(g’ a ), g’’ a  g’ a  g a t 0 : g’’ a g’’ a = challenge Compute cksum c w 0  w 1  w 2 t 1 : w 0 MAC( c, w 0 ) random b, g b mod p g’ a w 1, g b mod p, MAC(w 2, g b mod p) gaga w2w2 A B

Summary: ICE Key Re-Establishment  Protocol can prevent man-in-the-middle attacks without authentic information or shared secret  Attacker can know entire memory content of both parties before protocol runs  Forces attacker to introduce more powerful node into network, prevents remote attacks  Future work: relax strong assumption that attacker cannot compute faster

Summary  Software-based attestation provides interesting properties, but many challenges remain Defeat proxy attacks in wireless environments Extend properties to general computation Build systems with perfect detection of code integrity attacks Recover from malicious code infection Provide human-verifiable guarantees  Study use of hardware-based support Determine minimal hardware requirements to provide embedded systems security

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.