6. Need for security in devices
Devices are getting integrated into personal and commercial networks
Consumer devices are ubiquitous
Pervasive use of wireless communication
Portable devices communicate under changing network conditions
Gadgets can get stolen, making them physically accessible to an attacker
12. Threats in a device
Theft of data, keys and private information
Loss of data consistency
Altering device firmware
Copying of digital content
Breaking access control
13. Embedded devices have different challenges compared to their desktop counterparts.
14. Design challenges
Devices are constrained in their resources and capabilities
Defense mechanisms should not alter the response time of the device's key function
Physical accessibility of devices calls for solutions different from those applied to traditional systems
15. Design challenges
Security concerns cannot be solved in a single abstraction layer of software
Software on devices is becoming complex
Quick time to market and cost pressure need simple yet robust solutions
17. Security requirements - Example
All passwords and user data should be encrypted using 128-bit AES
User and device should be authenticated before a streaming session is allowed
Device should use HTTPS for all transactions with the server
XXX 128-bit encryption should be used for content security
ATSC channels need not be protected
18. What are the weak links intruders are looking for?
19. Areas prone to attack
Logical threats aiming to modify device firmware
Threats due to weaknesses in design and implementation
Unhandled system errors
26. Core problems with 'C' language
The language has no built-in consideration for security
There are library functions that are easily used in an insecure way
Dynamic memory allocation needs careful handling
27. Core problems with 'C' language

Vulnerable function   | Safe version
strcpy()              | strncpy() plus explicit null termination
strcat()              | strncat() with a count of (destination size - 1 - current length)
sprintf()             | snprintf()
scanf() family        | scanf() with a maximum field width specified (e.g. "%9s" for a 10-byte buffer)
getc() / getchar()    | No drop-in replacement; these are vulnerable when used in a loop that fills a buffer without a bound
28. Insecure program

    int func(char *input)
    {
        char local[10];
        int i = 0;
        while (*input != '\0')        /* runs until the terminator, however far away it is */
        {
            local[i++] = *input++;    /* writes past local[9] once input exceeds 10 bytes */
        }
        return 0;
    }

NO "NULL" CHECK: input is dereferenced without checking that it is a valid pointer
NO "Length of input" CHECK: nothing bounds i to the 10-byte buffer
29. Secure programming
A more appropriate program would be:

    int func(char *input)
    {
        char local[10];

        /* Check the pointer itself (not the first character it points to), and
         * make sure the string plus its terminator fits in the buffer. */
        if ((input != NULL) && (strlen(input) < sizeof local))
        {
            ……
            …………….
            return 0;
        }
        return -1;    /* Return appropriately based on error */
    }

Return appropriately based on error
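The replacements in the table on slide 27 each carry a trap of their own (strncpy() does not terminate when the source fills the destination, strncat()'s count is the free space rather than the buffer size, snprintf() reports truncation through its return value). The following is an added example, not code from the original slides, that shows a hardened version of func() from slides 28 and 29 alongside correct use of those three functions. The function names, the 10-byte buffer and the sample strings are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_SIZE 10              /* same buffer size as the slide's local[10] */
static char g_buf[LOCAL_SIZE];     /* scratch buffer used by the checks below */

/* Length of s, but never scanning more than max bytes: an unterminated input
 * cannot make us read off the end of whatever it lives in. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened func(): copies input into out. Returns 0 on success, -1 if the
 * pointer is missing or the string (plus terminator) does not fit in out. */
int func_safe(const char *input, char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0)
        return -1;                              /* the missing NULL check */
    size_t n = bounded_len(input, out_size);
    if (n >= out_size)
        return -1;                              /* the missing length check */
    memcpy(out, input, n + 1);                  /* n bytes plus the '\0' */
    return 0;
}

/* strncpy() leaves dst unterminated when src is too long: terminate explicitly.
 * Returns the resulting string length. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* strncat()'s count is the space left after the existing contents, not the
 * buffer size. Returns the resulting string length. */
size_t append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used < dst_size - 1)
        strncat(dst, src, dst_size - 1 - used);
    return strlen(dst);
}

/* snprintf() never overflows, but silently truncates: its return value is the
 * length it wanted, so a value >= dst_size means the output was cut. */
int format_bounded(char *dst, size_t dst_size, unsigned value)
{
    int n = snprintf(dst, dst_size, "id=%u", value);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;                              /* truncated: treat as an error */
    return 0;
}
```

A 9-character string is the longest func_safe() accepts for the 10-byte buffer; a 10-character string is rejected rather than overflowing by one byte as the slide's `<= 10` check would allow.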
30. Reducing the attack surface at the entry point is as important as getting the code right.
31. Input parameter validation
Perform validation at all inputs across modules
Assume all inputs are malicious
Reject data when in doubt
Parse the characters, commands and escape sequences before acting on them
35. Memory management
Always free() dynamically allocated memory once it is no longer needed
Set the freed pointer to NULL so it cannot be used or freed again
Failure to release memory is especially problematic on embedded devices with limited memory
Attackers can use memory vulnerabilities to damage the operation of the device
36. Error handling principles
Every error should be handled gracefully
At the lowest level (e.g. drivers) try to recover from the error
Internal errors should not be reported to users
Disable core dumps, stack traces and diagnostic information in production builds
37. Safe initialization
Initialize variables and file descriptors before using them
Initialize and limit the use of environment variables
Avoid passing data using environment variables
Avoid executing programs at high privilege
38. Safe initialization

    int vuln_fn(int a) {
        unsigned int result;          /* uninitialized: holds whatever was on the stack */
        if (a > 0) {
            result = 256 % result;    /* reads result before anything was assigned to it */
        }
        return result;                /* for a <= 0 the garbage value is returned as-is */
    }

Potential security bugs can creep in through uninitialized variable usage; the fix is to initialize result at its declaration.
39. Compiler warnings
Warnings are the first level of defense against security flaws
Compiler warnings are effective at detecting programming flaws
They can catch bugs that are hard to find during testing
Compile with the highest warning level and treat warnings as errors
40. Flag setting for compilers
GNU C compiler:
-Wall : enable the common set of compiler warnings (despite the name, not all of them; -Wextra adds more)
-Werror : treat compiler warnings as errors
ARM Developer Suite C compiler:
-E+c : enable all implicit cast errors
-E+l : errors on linkage disagreements
-fv : reports unused declarations
…
Green Hills embedded MIPS compiler:
-check=all : enable all compile-time errors and warnings
-strict : enables the strictest level of error checking
42. Basics of cryptography
Encryption is used to encode a message so that only the group communicating can understand it
Encryption: move each letter one step up the alphabet
Decryption: move each letter one step down
"A SECRET MESSAGE" is encrypted as "B TFDSFU NFTTBHF"
43. Keyed encryption algorithm
KEY value = number of steps to rotate, given by the key letter's position in the English alphabet counted from A = 0 (so C = 2)
Encryption: move up the alphabet by that many steps
Encrypt: "A SECRET MESSAGE"
Key: "C"
Encrypted message: "C UGETGV OGUUCIG"
Cryptographic strength is measured by the time and resources it would take to recover the plain content
44. Advantages of a keyed algorithm
Instead of communicating the algorithm, share only the key in secret
With larger key sizes the encryption gets stronger (minimum 80 bits)
45. Public key cryptography
Asymmetric scheme using a pair of keys for encryption:
The public key is used to encrypt data
The private key is used for decryption
The public key is published to the world
The private and public keys are mathematically related, but deriving the private key from the public key is computationally infeasible
46. Other crypto mechanisms
Hash functions
  o Validate integrity of data by sending a digest alongside it
Digital signature
  o Checks authentication of origin
  o Non-repudiation

Service | Mechanism  | Algorithm
SSL     | Signature  | RSA, DSA
        | Encryption | DES
        | Hashing    | MD5, SHA1

DES, MD5 and SHA1 are the algorithms the slide lists; all three are now considered broken and should not be chosen for new designs.
47. Protect data stored in the device
Encrypt private and confidential data such as passwords, the address book and databases
Do not store such data in one contiguous location
In your design, identify critical and non-critical memory areas based on the data stored there
48. Securing network transactions
• SSL (Secure Sockets Layer) is a global standard for transferring data; its successor is TLS
• It creates an encrypted link between the server and the web browser
The secure communication goals are privacy, message integrity and authentication
49. Security within the device
Architecture of a secure processor

Secure SoC:
    Secure ROM (internal), holding the secure bootloader
    RAM (internal)
    Processor
Outside the SoC:
    External RAM
    Signed firmware (external ROM / Flash / HDD)
50. Signed firmware binary

Secure boot loader (inside the device):
    Boot functionality
    Signature verification
    Public key
Signed firmware (in external storage):
    App code + data
    Signature, produced with the manufacturer's private key

The keys are generated by the device manufacturer; the private key stays with the manufacturer and only the public key is placed in the device.
Firmware not signed by the manufacturer will not run.
51. Secure boot
The secure boot loader contains the critical code that configures the hardware for limited access
Secret keys are loaded into internal RAM only
The secure boot loader checks the validity of the firmware code by verifying its signature
Loading of the device firmware is aborted if signature verification fails
53. Security audit
Periodic audits will uncover security loopholes
Review the code for security violations
Review the system architecture
Look for unintended firmware installations
Check network and storage security
54. Example audit report

Module             | Audit step                                | List              | Action required
Kernel modules     | List and check if all modules are needed  | x.ko, y.ko        | Remove modules not needed
Kernel debug       | Is kernel debug enabled?                  | Yes               | Disable debug
Installed software | Is there any installed default software?  | rpc, pop3, telnet | Remove this installed software
Field debug        | Check logging protocol                    | Clear             | Encrypt the logging mechanism
55. Example audit report (contd.)

Module             | Audit step                                               | List            | Action required
Network ports      | Check which ports are available for connection using nmap |                 | Close ports not required
Stored data        | Check stored data                                        | Clear in file   | Use encryption
Media transmission | Check security of transmission                           | tiny encryption | Weak; use stronger encryption
Services           | Any unintended services running?                         | httpd, telnet   | Remove the services
57. Tools
Some of the tools that uncover security issues:
In-depth software analysis
Profiling and debugging tool
Port scanning tool
Database server application scanner
http://www.securecoding.org/companion/tools.php
Your Bluetooth may be on without security, making it accessible to a stranger sniffing for devices in a market place.
The total cost of Internet-related fraud complaints from consumers rose from $206 million in 2003 to $336 million in 2005, according to the U.S. Federal Trade Commission. Internet-related complaints accounted for 46 percent of all fraud complaints to the agency.
With products ranging from security cameras, medical devices and mobiles to dishwashers, an off-the-shelf software program cannot be used to protect devices. The devices have varied platforms with varying security needs. Processor limitations, memory constraints, battery life and a host of other idiosyncrasies make security a non-trivial thing.
Another burning issue is the identity theft of web applications. According to [JAV06], the amount
lost to fraud over a one-year period for online applications (banking, shopping, etc.) is estimated at
$54.4 billion in 2005 in the U.S. alone.
Unlike traditional systems, they have less memory and processing power and hence cannot add sophisticated algorithms, which makes them more prone to attack.
On a PC it is acceptable to run virus scans, SSL checks etc. in the background at the cost of foreground tasks. Mobile phones or TVs need minimum latency for their primary function.
Security protocols are computationally intensive, and deploying them on resource-constrained embedded systems without appreciably degrading their performance is a challenging task.
Security cannot be an afterthought. Product managers should define security requirements right at the beginning of product conceptualization.
The C programming language was engineered for speed and portability. At the time it was developed, no consideration was given to security. As a result, many of the functions in the C library do not properly limit user input, which leads to problems like buffer overflows. There are other classes of security problems as well, which can lead to logic bugs and exploitable security bugs. Examples include integer wrapping, signed/unsigned issues, type casting problems, format string bugs, and race conditions.
Some functions have no secure replacement in the standard library, and an external library may be required.
What are the various problems in this piece of code?
Do not validate in just some modules and leave the rest vulnerable. When you have to choose, the first priority should be to check user inputs, data transactions over the network, and any other source external to your module.
Deny access until specifically granted, not grant access until denied.
Validate the JPEG SOI marker 0xFFD8 before parsing the file.
Beware of length arithmetic: the 32-bit addition 0x103 + 0xFFFFFFFC = 0x1000000FF overflows, so the result wraps to 0xFF and a "sum fits" check passes. Check the individual lengths as well, not only their sum.
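The two notes above (validate the marker, and do not trust a length sum that can wrap) in working code, as an added example that is not part of the original slides: the wrap of 0x103 + 0xFFFFFFFC is reproduced, a length check is written so that it can never overflow, and a small walker checks JPEG marker segments against the bytes actually present. The walker handles only marker segments with a length field (no entropy-coded scan data), which is a simplification of the real format, and the sample buffers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: SOI, one APP0 segment (length 4 = 2 length bytes +
 * 2 payload bytes), then EOI. The second copy claims a 0xFFFF-byte segment. */
static const uint8_t good_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 'J', 'F', 0xFF, 0xD9 };
static const uint8_t bad_len_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0xFF, 0xFF, 'J', 'F', 0xFF, 0xD9 };
static const uint8_t no_soi[] = { 0x00, 0xD8, 0xFF, 0xD9 };

/* The sum a naive parser computes: modular, exactly like the hardware add. */
uint32_t naive_total(uint32_t a, uint32_t b)
{
    return (uint32_t)((uint64_t)a + b);
}

/* Overflow-safe "a + b <= limit": each length is checked on its own first (as
 * the note recommends), then the sum is tested by subtraction, which cannot wrap. */
bool lengths_fit(uint32_t a, uint32_t b, uint32_t limit)
{
    if (a > limit || b > limit)
        return false;
    return b <= limit - a;
}

/* Walk the marker segments after SOI. Every declared length is compared with
 * the bytes that remain instead of being added to the position first.
 * Returns the number of well-formed segments before EOI, or -1 on any defect. */
int check_jpeg_segments(const uint8_t *buf, size_t n)
{
    if (buf == NULL || n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                                  /* missing SOI marker 0xFFD8 */
    size_t pos = 2;
    int segments = 0;
    while (pos + 2 <= n) {
        if (buf[pos] != 0xFF)
            return -1;                              /* not at a marker */
        if (buf[pos + 1] == 0xD9)
            return segments;                        /* EOI: clean end */
        if (pos + 4 > n)
            return -1;                              /* length field truncated */
        size_t len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];   /* includes itself */
        if (len < 2)
            return -1;                              /* cannot even hold the length bytes */
        if (len > n - (pos + 2))
            return -1;                              /* segment runs past the buffer */
        pos += 2 + len;                             /* safe: bounded by the check above */
        segments++;
    }
    return -1;                                      /* ran off the end without EOI */
}
```

naive_total(0x103, 0xFFFFFFFC) yields 0xFF, which would pass any "total < buffer size" test; lengths_fit() rejects the same pair against any limit below 0xFFFFFFFC, and the segment walker rejects the constructed file whose APP0 length exceeds the bytes remaining.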
Basic principles of memory management.
Any error generated by internal components, such as a failed system call, a database error or an internal error, should not be exposed to the user.
Attackers can take control of the system through environment variables, even remotely, for example via CGI scripts that trust them.
This is a simple example where anyone can enter unvalidated input that can lead to a system crash.
These fixed algorithms are easily predictable.
New algorithms have to be created if the secrecy of the algorithm is compromised.
Fixed algorithms cannot be revealed to anyone but the intended set of recipients.
Taking a simple example to associate the algorithm with a key.
The algorithm may be known. The effectiveness lies in keeping the key secret and complex.
This is symmetric key cryptography.
Alice wants to buy a book from Bob's online bookstore. In order to complete the process she'll need to transmit sensitive personal information, such as her credit card number. Alice wants to make sure that the information she sends to Bob is kept confidential (privacy), and cannot be altered along the way (message integrity). She also wants to make sure that she's really sending the information to Bob and not an imposter (authentication).
Alice wants to send Bob private information, so Bob says, "Here Alice, use this public key to encrypt your message before sending it to me. When I receive your encrypted message I will use my private key to decrypt your message." It's okay for anyone to have a copy of the public key, but only Bob should have a copy of his private key
Spread data across multiple files and memory locations. In case of loss of the storage device, such data should not be easily retrievable.
The security of the device depends on the secrecy of the keys.
Tools help to bring out many security issues without manual intervention.
Scatter the pins; do not connect them directly to the processor.
Attacks can alter or erase the flash firmware or gain access to SIM locks, IMEI etc.
Removing the external power source will halt the clock and may corrupt memory.