Towards a Secure Internet of Things

Stanford University
Philip Levis (representing many contributors)

http://iot.stanford.edu


Post on 28-May-2020


Secure Internet of Things Project (SITP)

The Internet of Things (IoT)


A Security Disaster

• A 2014 HP security analysis of IoT devices [1] found
  ▶ 80% had privacy concerns
  ▶ 80% had poor passwords
  ▶ 70% lacked encryption
  ▶ 60% had vulnerabilities in UI
  ▶ 60% had insecure updates

[1] http://fortifyprotect.com/HP_IoT_Research_Study.pdf


Securing the Internet of Things

• Secure Internet of Things Project
  ▶ 5 year project (just started second year)
  ▶ 12 faculty collaborators
  ▶ 3 universities: Stanford, Berkeley, and Michigan

• Rethink IoT systems, software, and applications from the ground up

• Make a secure IoT application as easy as a modern web application


Team

• Dawson Engler (Stanford): Software
• Philip Levis (Stanford): Embedded Systems
• Mark Horowitz (Stanford): Hardware
• Christopher Ré (Stanford): Data Analytics
• Dan Boneh (Stanford): Cryptography
• Keith Winstein (Stanford): Networks
• Prabal Dutta (Berkeley/Michigan): Embedded Hardware
• David Mazières (Stanford): Security
• Björn Hartmann (Berkeley): Prototyping
• Raluca Ada Popa (Berkeley): Security
• David Culler (Berkeley): Low Power Systems
• Peter Bailis (Stanford): Database Systems
• Steve Eglash (Stanford): Executive Director
• Philip Levis (Stanford): Faculty Director


This Talk

• Technology trends: why today?
• Security: why is it so hard?
• Research: what we’re doing
  ▶ Architectural principles
  ▶ Tock: a secure embedded OS
  ▶ TLS-RaR: network auditing
  ▶ Tethys: a sample application


The EmNets Vision

• “Information technology (IT) is on the verge of another revolution… The use of EmNets [embedded networks] throughout society could well dwarf previous milestones.” [1]

• “The motes [EmNet nodes] preview a future pervaded by networks of wireless battery-powered sensors that monitor our environment, our machines, and even us.” [2]

[1] National Research Council. Embedded, Everywhere, 2001.
[2] MIT Technology Review. 10 Technologies That Will Change the World, 2003.

(Slide footer: 15.iii.2005 Stanford Interview Talk)


Example Part: nRF51822

• Cortex M0+ with integrated 2.4GHz transceiver
  ▶ Supports Bluetooth Low Energy
  ▶ Two models: 32kB/256kB or 16kB/128kB

• DigiKey cost for 25,000: $1.99


This Talk

• Technology trends: why today?
• Security: why is it so hard?
• Research: what we’re doing
  ▶ Architectural principles
  ▶ Tock: a secure embedded OS
  ▶ TLS-RaR: network auditing
  ▶ Macrobase: sifting through data


Internet(s) of Things

• Networked Devices
  ▶ Tens/person
  ▶ Uncontrolled Environment
  ▶ Unlicensed spectrum
  ▶ Convenience
  ▶ Powered
  ▶ WiFi/802.11, TCP/IP
  ▶ IEEE/IETF

• Personal Area Networks
  ▶ Tens/person
  ▶ Personal environment
  ▶ Unlicensed spectrum
  ▶ Instrumentation
  ▶ Fashion vs. function
  ▶ Bluetooth, BLE, 3G/LTE
  ▶ 3GPP/IEEE

• Home Area Networks
  ▶ Hundreds/person
  ▶ Uncontrolled Environment
  ▶ Unlicensed spectrum
  ▶ Convenience
  ▶ Consumer requirements
  ▶ ZigBee, Z-Wave, 6lowpan, RPL
  ▶ IETF/ZigBee/private

• Industrial Automation
  ▶ Thousands/person
  ▶ Controlled Environment
  ▶ High reliability
  ▶ Control networks
  ▶ Industrial requirements
  ▶ WirelessHART, 802.15.4, 6tsch, RPL
  ▶ IEEE/IIC/IETF


IoT: MGC Architecture

[Figure: eMbedded devices, Gateways, Cloud, End application. Link labels: 6lowpan, ZigBee, ZWave, Bluetooth, WiFi, WirelessHART; 3G/4G, TCP/IP.]


IoT Security is Hard

[Figure labels: embedded C (ARM, avr, msp430); ZigBee, ZWave, Bluetooth, WiFi; Obj-C/C++, Java, Swift, Javascript/HTML; 3G/4G, TCP/IP; Ruby/Rails, Python/Django, J2EE, PHP, Node.js.]

• Complex, distributed systems
  ▶ 10^3-10^6 differences in resources across tiers
  ▶ Many languages, OSes, and networks
  ▶ Specialized hardware

• Just developing applications is hard
• Securing them is even harder
  ▶ Enormous attack surface
  ▶ Reasoning across hardware, software, languages, devices, etc.
  ▶ What are the threats and attack models?

• Valuable data: personal, location, presence

• Rush to development + hard ➔ avoid, deal later


Architectural Principles

• Longevity: these systems will last for up to 20 years and their security must too.

• Transparency: we must be able to observe what our devices are saying about us.

• End-to-end: consider security holistically, from data generation to end-user display.


Tock Operating System

• Safe, multi-tasking operating system for memory-constrained devices
• Core kernel written in Rust, a safe systems language
  ▶ Small amount of trusted code (can do unsafe things)
    - Rust bindings for memory-mapped I/O
    - Core scheduler, context switches

• Core kernel can be extended with capsules
  ▶ Safe, written in Rust
  ▶ Run inside kernel

• Processes can be written in any language (asm, C)
  ▶ Leverage Cortex-M memory protection unit (MPU)
  ▶ User-level, traps to kernel with system calls


Tock: Secure Embedded OS

[Figure: Tock architecture. Labels: Processes (Any language); Kernel (Rust), made up of Core kernel (Trusted) and Capsules (Untrusted); components HAL, Scheduler, Config, SPI, I2C, GPIO, Console, UART, Timer; Process Accessible Memory with per-process heap, stack, text, data and grant regions across RAM and Flash.]


Model Today

• Transport-layer security (TLS) between devices and cloud services

• Internet applications: we control one end point
  ▶ Can install new certificates, observe data

• IoT applications: we are a transit network
  ▶ Can’t see or control what happens on either end


TLS-RaR: Rotate and Release
(joint work with Keith Winstein and Dan Boneh)


Device to Cloud TLS

[Figure: timeline. Begin TCP Connection, Handshake, Enter TLS Session, Encrypted Session (AES-GCM).]


Device to Cloud TLS

[Figure: timeline. Begin TCP Connection, Handshake, Enter TLS Session, AES-GCM, Handshake, AES-GCM. Label on the second handshake: TLS 1.2: Renegotiate or Resume; TLS 1.3: KeyUpdate.]


Device to Cloud TLS With a Twist

[Figure: timeline. Handshake, AES-GCM (Epoch 0), Rotate Keys (Reconnect, Renegotiate, Resume or KeyUpdate), AES-GCM (Epoch 1).]


Device to Cloud TLS With a Twist

[Figure: timeline. Handshake, AES-GCM (Epoch 0), Rotate Keys (Reconnect, Renegotiate, Resume or KeyUpdate), AES-GCM (Epoch 1), Release Previous Epoch (0) Key.]


Nice Properties

• Can audit IoT data streams
• Audit box's decryption yields the same stream of data as endpoints' SSL_read() calls, but delayed
  ▶ Audit matches what was received

• Format of TLS on the wire is not changed
  ▶ Easy to reason about security of the protocol, easy to adopt

• For some existing servers no change is necessary
  ▶ Really easy to adopt

• Minimal change to OpenSSL on the device
  ▶ Easy to reason about security of the implementation
  ▶ Easy to adopt
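
The rotate-and-release sequence from the slides above, as an added Python sketch (not part of the talk and not the project's code): an audit box records ciphertext and can decrypt an epoch only after the device has rotated away from that epoch's key and released it. Assumptions: `seal`/`open_` are a constructed HMAC-SHA256 stand-in for AES-GCM, fresh random keys stand in for the handshake or KeyUpdate, and `Device`, `audit` and `demo` are hypothetical names.

```python
# Added sketch of rotate-and-release. Not TLS and not the project's code:
# seal/open_ are a constructed HMAC-SHA256 stand-in for AES-GCM.
import hashlib, hmac, os

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, seq, plaintext):
    nonce = seq.to_bytes(8, "big")
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def open_(key, record):
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("record does not authenticate under this key")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

class Device:
    """Endpoint: seals under the live epoch key; only retired keys are released."""
    def __init__(self):
        self.epoch, self.seq, self.key = 0, 0, os.urandom(32)
        self.released = {}  # epoch -> retired key, handed to the audit box

    def send(self, data):
        self.seq += 1
        return self.epoch, seal(self.key, self.seq, data)

    def rotate(self):
        # Stands in for reconnect, renegotiate, resume or KeyUpdate: the new
        # key is fresh, so publishing the old one says nothing about it.
        self.released[self.epoch] = self.key
        self.epoch, self.seq, self.key = self.epoch + 1, 0, os.urandom(32)

def audit(captured, released):
    """Audit box: decrypt every captured record whose epoch key is released."""
    return [open_(released[e], rec) for e, rec in captured if e in released]

def demo():
    dev, captured = Device(), []
    captured += [dev.send(b"temp=21.5"), dev.send(b"door=open")]  # epoch 0
    before = audit(captured, dev.released)  # live key not released: nothing
    dev.rotate()
    captured.append(dev.send(b"temp=21.7"))  # epoch 1 stays opaque
    return before, audit(captured, dev.released), captured, dev
```

Because the epoch 0 key is released only after the endpoints stopped accepting it, the audit box sees the plaintext late but cannot use the key to forge traffic in the live epoch.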


Water Use
(joint work with Noah Diffenbaugh and Mark Horowitz)


Network Architecture
(joint work with Noah Diffenbaugh and Mark Horowitz)

[Figure: Energy harvester, embedded, iOS gateway, Android gateway, cloud. Link labels: BLE/GATT, HTTP/REST.]


Security/Privacy

• Shower data has privacy implications
  ▶ Streaming data: shower 5 is being used right now!
  ▶ Data overall has IRB/privacy implications

• Gateways are untrusted
  ▶ Owned by students, other participants
  ▶ May download data, never forward to cloud

• Network encrypts all data end-to-end between sensors and cloud
  ▶ Gateways cannot see data

• Sensors do not clean log until receiving end-to-end acknowledgement from cloud
  ▶ Cloud issues block acknowledgements to gateways
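
The log-retention rule on this slide, as an added Python sketch (not part of the talk and not the project's code): a sensor frees log entries only when a block acknowledgement verifies as coming from the cloud, so a gateway that keeps the data cannot make the sensor discard it. Assumptions: the slide only says acknowledgements are end-to-end, so the HMAC-SHA256 tag, the shared `ACK_KEY`, and the `Sensor`, `Cloud` and `demo` names are hypothetical.

```python
# Added sketch of the retention rule; not the project's code. Assumed: sensor
# and cloud share ACK_KEY, and each block ack carries an HMAC-SHA256 tag.
import hashlib, hmac

ACK_KEY = b"constructed-demo-key"  # placeholder shared secret

def ack_tag(key, first, last):
    msg = b"ack" + first.to_bytes(4, "big") + last.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Cloud:
    def __init__(self, key):
        self.key, self.stored = key, {}

    def upload(self, batch):
        """Store a contiguous batch of (seq, ciphertext); return a block ack."""
        self.stored.update(batch)
        first, last = batch[0][0], batch[-1][0]
        return first, last, ack_tag(self.key, first, last)

class Sensor:
    def __init__(self, key):
        self.key, self.log, self.seq = key, {}, 0

    def record(self, ciphertext):
        self.log[self.seq] = ciphertext  # already encrypted for the cloud
        self.seq += 1

    def pending(self):
        return sorted(self.log.items())

    def on_ack(self, first, last, tag):
        # Only an ack that verifies under the sensor-cloud key frees log space.
        if not hmac.compare_digest(tag, ack_tag(self.key, first, last)):
            return False
        for seq in range(first, last + 1):
            self.log.pop(seq, None)
        return True

def demo():
    cloud, sensor = Cloud(ACK_KEY), Sensor(ACK_KEY)
    for ct in (b"<ct0>", b"<ct1>", b"<ct2>"):  # constructed ciphertexts
        sensor.record(ct)
    # Gateway A keeps the batch and fabricates an ack: the sensor rejects it.
    forged = sensor.on_ack(0, 2, bytes(32))
    kept = len(sensor.log)
    # Gateway B forwards faithfully and relays the cloud's block ack.
    genuine = sensor.on_ack(*cloud.upload(sensor.pending()))
    return forged, kept, genuine, len(sensor.log), len(cloud.stored)
```

Sequence numbers are never reused, so replaying an old acknowledgement only names entries that are already gone.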


Why Now?

• Technology has just reached the tipping point
  ▶ BLE, iBeacon
  ▶ Cortex M series
  ▶ Sensors, harvesting circuits

• We've been waiting
  ▶ Leaders in prototyping, cryptographic computation, IoT networking, secure systems, analytics, and hardware design

• But it's still early enough
  ▶ Most big applications haven't been thought of yet
  ▶ Let's not repeat the web (as good as it is for publications)

• Very interested in collaborating with industry, to help find and solve hard research problems


Thank you!
