
Trusted Computing in Embedded Systems Challenges

November 9, 2010

2010 Carnegie Mellon University

Motivating Premise
Provide end-to-end security in networked environments
  Network connectivity is central to mission accomplishment
  Network connectivity enables remote attacks
Design and build systems composed of embedded components with well understood levels of security, safety, privacy, reliability, predictability, and dependability
Fortress model of computing is inadequate
  We operate in a malicious environment
  Security implies the ability to isolate systems from malice
An understanding of the science of security that will enable verifiable creation of systems that are sufficiently trustworthy to fulfill their missions even though the systems include untrusted components

Trusted Computing in Embedded Systems Workshop November 2010



Motivating Premises
Embedded systems are networked
  Critical applications included: Smart grid, applications on the Global Information Grid
Isolation | fortress | perimeter protections are insufficient
  Operation is in a malicious environment
  End-to-end security is insufficient
Realtime operations, continuity of operations, and quality of service are critical
  Traditional availability solutions (denial of service, DoS and DDoS, protection) are insufficient
  E.g., cyclic operations must be addressed




Attack Sophistication vs. Intruder Technical Knowledge

[Figure: timeline chart, 1990 to 2010. Vertical axis: Attack Sophistication (Low to High); second series: Average Intruder Knowledge. Attack labels along the timeline include: packet spoofing; automated probes/scans; Internet social engineering attacks; hijacking sessions; GUI intruder tools; automated widespread attacks; Windows-based remote controllable Trojans (Back Orifice); techniques to analyze code for vulnerabilities without source code; widespread denial-of-service attacks; distributed attack tools; increase in wide-scale Trojan horse distribution; widespread attacks on web applications; home users targeted; anti-forensic techniques; massive botnets; DDoS attacks; widespread attacks on client-side software; increase in targeted phishing and vishing; coordinated cyber-physical attacks; executable code attacks (against browsers); widespread attacks on DNS infrastructure; supply chain compromises; adaptive, high-impact, targeted attacks on critical infrastructures; malicious counterfeit hardware; increase in worms; widespread attacks using NNTP to distribute attacks; targeted command and control; sophisticated control systems; stealth/advanced scanning techniques; persistent surveillance; email propagation of malicious code; persistent malware infiltration.]

Today's Environment
Appetite for engineered systems monitored and controlled by computer and communication networks drives the steep upward growth curve in system complexity
It is possible to connect virtually every computing device to a network. In fact, even critical infrastructures are connected to the Internet.
Being isolated from a network does not necessarily isolate a computing device from malicious code
Autonomous embedded systems are being built and deployed
Trusted computing technology is currently in the building block stage, i.e., fundamental advantageous capabilities exist but are not yet well integrated




Spanair Flight 5022

Preliminary accident investigation (August 2010)
  Flight cleared for takeoff at 13:00 but returned to parking for an abnormally high temperature on the Ram Air Temperature probe. Maintenance performed and plane redispatched at 14:08
  Cleared for takeoff at 14:28, became briefly airborne before descending and impacting; 148 passengers and 6 crew perished
  Takeoff was attempted while in an inappropriate configuration since the flaps and slats were fully retracted. The system outfitted on the airplane to warn of an inadequate takeoff configuration failed to activate

Embedded System: A combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function.

Spanish daily El Pais reports that malware which had infected the airline's central computer system resulted in a failure to raise an alarm over multiple problems with the plane.




Technical Challenges
Characteristics that enable access controls and security monitoring of complex systems (large-scale system homogeneity, static configuration, and software monoculture) make it easier for cyber attacks to access, tamper with and destroy information
Current methods are inadequate to anticipate all possible failure and attack modes and guarantee safe, predictable, efficient operation
Characteristics of embedded systems*:
  Small CPUs, little memory, short network messages, no built-in security
  Harsh operating environment with high consequence for failure
  Real-time control of the physical world
  Vulnerable to real-time operation attacks: only a slight overload might cause real-time schedule problems
  No roll-back in case of failure
  5 to 50 year life cycle
  Often do NOT run on Ethernet or any 802.x network
  System administration / updates / upgrades often unavailable
  Cost is always an issue
* Thanks to Philip Koopman

Core Underlying Problems Not Yet Solved

How to protect a networked embedded system operating within a malicious environment
How to build and manage high-assurance (trusted) systems built on networked embedded components
How to maintain trust in a complex systems environment with autonomous components
How to build, validate and verify a model of trust for embedded components
How to protect the embedded system from owner compromise
How to cooperatively detect and manage potential failures and avoid such emergent effects as cascading failures




Core Needs/Challenges
New cross-domain design principles are needed
  Old principles are insufficient
  One size cannot fit all
Evolving systems security
Domain-specific defense-in-depth
Expertise in multiple areas required to collaborate on practical solutions




Opportunities from Workshop

Embedded systems researchers better understand the relevance of recent advances in trusted computing
Trusted computing researchers better appreciate the defining characteristics and limitations of embedded systems
Researchers and practitioners from both areas explore elements of trusted computing applicable to embedded systems
Identify and describe the hard problems that must be overcome to enable trust in embedded systems


