Upload File

tizen, security and the internet of...

  • Home
  • Documents
  • Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security
23
1 Tizen, Security and The Internet of Things Casey Schaufler

Upload: others

Post on 20-Jul-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

1

Tizen, Security and

The Internet of Things

Casey Schaufler

Page 2: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

2

Casey Schaufler

• Security Dinosaur

• Smack Linux Security Module

• Manager Tizen and Linux Kernel Security

Page 3: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

3

Tizen

• Linux based operating system

• Project of the Linux Foundation

• Lead by Samsung and Intel

Page 4: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

4

Security

• Does what it’s supposed to

• Doesn’t do anything else

• Know the difference

Page 5: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

5

Internet of Things

• Collection of computing devices

• Heterogeneous

• Autonomous

Page 6: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

6

Things

• Just want to perform their function

• Not primarily computers

Page 7: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

7

Things need to communicate

• Willing to talk to anyone

• Wide variety of “networks”

• Free from traditional administration

Page 8: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

8

Device Views of the Internet of Things•

Page 9: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

9

Security By Proximity

Only connect with things nearby

Page 10: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

10

Security by Obscurity

No one could possibly guess!

Page 11: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

11

Security By Pairing

Ask human permission

Requires a user interface

Page 12: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

12

Security by Wire

1970’s Smart House

Page 13: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

13

OPEN INTERCONNECT CONSORTIUM

Page 14: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

14

Back To Tizen

• Linux distribution for devices

• Collection of profiles

• Common security base

Page 15: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

15

Tizen Security Basics

Smack

CapabilitiesUser Based

Controls

Systemd Cynara dbus Buxton Connman

CrosswalkWeston

X11tz-launcherBluetoothOfono

HTML5

Application

Native

Application

Kernel

Services

Page 16: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

16

Write

Read

Additional

restrictions

may apply

Tizen Three Domain Security

Floor (“_”)

System

User

HTML5 Application Native Application

Page 17: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

17

Tizen Application Privileges

Linux Kernel Services

Cynara

Service

HTML5 Application Native Application

Service

Page 18: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

18

Security Perimeter

18

Internet

4G

Body

Area

Network

BluetoothApplication

Page 19: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

19

Application Privilege Attributes

• Name of the privilege

• http://tizen.org/privilege/vibrator

• Smack label of requester

• RaunchyRhinos

• UID of requestor

• 5001

• Access permitted

• r, rw, …

Page 20: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

20

Native Application Woes

• Use kernel interfaces directly

• Avoid service based controls

Page 21: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

21

System Object Attributes

• Smack label

• UID

• GID

• Mode bits

• Smack access rules

Page 22: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

22

Running Applications

• Unique Smack label per application

• Unique UID per user account

• Application launcher

Page 23: Tizen, Security and The Internet of Thingsdownload.tizen.org/misc/media/tds2014/slides/Security-IOT_CaseySc… · 10 Security by Obscurity No one could possibly guess! 11 Security

Thank You


Lecture 16: Security · (In-) Security Through Obscurity Security through obscurity Attempting to gain security by hiding implementation details Claim: A secure system should be secure

the web service security threat - CentraleSupélec Metz · Services are standardized, there is little “security through obscurity.” There is very little proprietary about Web

General Security Conceptscourseware.deadcodersociety.org/csis3381-info_assurance_and_sec… · Layered security 6. Defense in depth 7. Security through obscurity 8. Keep it simple

Types of Obscurity in Thomas Hardy's Jude the Obscure and ... · PDF fileTypes of Obscurity in Thomas Hardy's Jude the Obscure and Maurice Blanchot's 114 Obscurity: The Concept and

Sexton.the Obscurity of Black Suffering

Legic Prime: Obscurity in Depth - CCC

SANS Institute Information Security Reading Roomrepository.root-me.org/Réseau/EN - Port Knocking... · Is it simply another means of security through obscurity? This paper will not

Security Through Obscurity - Troopers IT-Security Conference...Security Through Obscurity... powered by HTTPS! Peter Frühwirt, SBA Research Sebastian Schrittwieser, FH St. Pölten

Security in theSecurity in the ‘cloud’ Tables/2012/2… · Security of the cloud “The biggest issue for me when it comes to cloud computing is obscurity. It is not exactlyyy,

Department of Defense Improves Website Protection | Case ... · improve the federal government’s most critical services. Recognizing that security through obscurity is not realistic

The Obscurity of the Equimultiples - University of Pittsburghpap7/The Obscurity of the Equimultiples.pdf · The Obscurity of the Equimultiples 557 couraged Galileo to seek a totally

ANONYMITY, OBSCURITY, AND TECHNOLOGY: RECONSIDERING

Lecture #21 Other I/O, Humans & Securitykoopman/lectures/ece348/... · Misconception #1: Security Through Obscurity It’s so complicated that we don’t need security! • It took

OBSCURITY BY DESIGNcyberlaw.stanford.edu/files/publication/files/ssrn-id2284583.pdf · security through encryption, data minimization techniques, anonymity, and structural protection

(last) ( rst) - ICSI Networking and Security Group · Computer Security Midterm 1 Print your name: , (last) ( rst) ... Don’t rely on security through obscurity. ... In the network

Security by obscurity. Greek “Concealed Writing” Steganography – the science of hiding a message so that only the recipient and sender are aware that

Web stories - The end of obscurity

Steganography - Universitetet i oslofolk.uio.no/infmkt/mkt10c-steg.pdfSteganography Security through obscurity stegano graphy covered writing The art of hiding information in ways

Industrial Automation and Controls Systems Security · • “Security through obscurity” • Inaccurate or non-existing inventory • Unpatched or unsupported (operating) systems

KMC Product Overview€¦ · By using best security practices, we choose not to use “security through obscurity.” Open Device Protocols KMC Commander communicates over these common

Moving Hardware from “Security through Obscurity” to ...Moving Hardware from “Security through Obscurity” to “Secure by Design” Professor Ryan Kastner Dept. of Computer

Globalization and the new obscurity

GRAND OBSCURITY

Basics of ICT securitylioy/01krq/basics_en_2x.pdfBasics of ICT security (basics - nov'09) © Antonio Lioy - Politecnico di Torino (2009) 3 Security through obscurity (STO) Security

Releasing Culture of Mutuality from Obscurity

Writing IRC Bots - Obscurity Systems

Preface - University of Pennsylvanialee/03cse380/lectures/ln22-security-v3.4pp.pdf · Preface q Early (unix systems) security ß Security by obscurity ß Those that know enough to

SYDO - Secure Your Data by Obscurity

Sunera Security Services - ISACA South Floridaisacasfl.org/.../02/...Security-Management-Best-Practices-Part-II.pdf · –Don‟t rely on security through obscurity to protect resources

Nietzsche, And the Obscurity of Light

Prepare your water & wastewater operations for the …y Outdated security principals, like “security through obscurity”, are not effective y Aging software and infrastructure makes

Why open source firmware is important · - Security from obscurity - A bajillion features, extremely complex. Ring -3: Management Engine Management Engine ... - Intel proprietary

Security without obscurity

Software Security Security Principleserikpoll/teaching/SoftwareSecurity2007/SecurityPrinciples.pdfIt’s hard to keep secrets • Don’t rely on security by obscurity [Kerckhoffs

AMWA/EBU Joint Security Efforts - IP Showcase · 9/15/2018  · • Security through obscurity? ... • Default simple password ... SECURITY - EBU R 148. From IP Showcase Theatre