Attack Trees Describing Security in Distributed Internet-Enabled Metrology


Jeanne H. Espedalen

Attack Trees Describing Security in Distributed Internet-Enabled Metrology

Contents:

• Background, attack trees
• Background, metrology and calibration
• The basic ideas of the thesis work
• Performing the task – a case study
• Some results
• Conclusion

Author

• Background in metrology and calibration
• Electronics Engineer
• Worked at Justervesenet from 1994
• Part time student at GUC from 2002

Background, Attack Trees

[Figure: example attack tree for the goal “Open door” / “Open locked door”. Nodes shown on the slide: Dismantle door; Burst door open; Open lock; Destroy lock; Open lock with a key; Open lock without key; Pick lock; Get hold of a key; Find a key; Steal key; Know which door the key belongs to (AND-gate); Get someone with a key to open; Find a person with a key; Convince someone to open (AND-gate); Bribe, Threaten, Dupe; Get a key to open lock.]

• Introduced by Bruce Schneier in 1999
• Semi-formal method
• Root – main goal, sub-goals and Boolean calculation of possible attacks
• Could include attributes, indicating cost, skills etc.
• Used to find vulnerabilities, analyze security threats
• Not very well known, or much used as methodology
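The slide lists the two things an attack tree is evaluated for: the Boolean calculation of which leaf combinations reach the root goal, and attribute propagation (cost, required skills) up the tree. The following is an added example, not code from the thesis or the presentation, that does both for the door tree on the previous slide. The AND/OR structure chosen for the door tree, the cost values and the "needs special skill" flags are assumptions made for illustration; a countermeasure is modelled by blocking a node and re-evaluating.

```python
"""Added example (not from the presentation): a small attack-tree evaluator in the
style the slides describe. The door tree's edges and the cost/skill attributes on
its leaves are assumptions made for illustration, not the thesis's own figures."""

from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Tuple


@dataclass
class Node:
    label: str
    gate: str = "LEAF"                 # "OR", "AND" or "LEAF"
    cost: int = 0                      # attribute on leaves (constructed values)
    needs_special_skill: bool = False  # attribute on leaves
    children: List["Node"] = field(default_factory=list)
    blocked: bool = False              # True once a countermeasure removes this node


def door_tree() -> Node:
    """Door example from the slides; gate structure assumed for this example."""
    return Node("Open locked door", "OR", children=[
        Node("Dismantle door", cost=150),
        Node("Burst door open", cost=100),
        Node("Open lock", "OR", children=[
            Node("Destroy lock", cost=80),
            Node("Pick lock", cost=40, needs_special_skill=True),
            Node("Open lock with a key", "OR", children=[
                Node("Get hold of a key", "AND", children=[
                    Node("Steal key", cost=30),
                    Node("Know which door the key belongs to", cost=10),
                ]),
                Node("Get someone with a key to open", "AND", children=[
                    Node("Find a person with a key", cost=10),
                    Node("Convince someone to open", "OR", children=[
                        Node("Bribe", cost=50),
                        Node("Threaten", cost=20),
                        Node("Dupe", cost=25),
                    ]),
                ]),
            ]),
        ]),
    ])


def attack_scenarios(node: Node) -> List[List[str]]:
    """Boolean evaluation: every set of leaves that satisfies the root goal.
    OR = union of the children's scenarios, AND = one leaf set per combination."""
    if node.blocked:
        return []
    if node.gate == "LEAF":
        return [[node.label]]
    per_child = [attack_scenarios(c) for c in node.children]
    if node.gate == "OR":
        return [s for scenarios in per_child for s in scenarios]
    if any(not s for s in per_child):
        return []                      # an AND with an impossible child is impossible
    return [[leaf for part in combo for leaf in part] for combo in product(*per_child)]


def cheapest(node: Node, attacker_skilled: bool) -> Optional[Tuple[int, List[str]]]:
    """Attribute propagation: cheapest feasible attack for a given attacker profile.
    OR takes the minimum over children, AND sums all children; None = not feasible."""
    if node.blocked:
        return None
    if node.gate == "LEAF":
        if node.needs_special_skill and not attacker_skilled:
            return None
        return node.cost, [node.label]
    results = [cheapest(c, attacker_skilled) for c in node.children]
    if node.gate == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if any(r is None for r in results):
        return None
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]


def apply_countermeasure(node: Node, label: str) -> bool:
    """Model a countermeasure by blocking the named node; returns whether it was found."""
    if node.label == label:
        node.blocked = True
        return True
    return any(apply_countermeasure(c, label) for c in node.children)


if __name__ == "__main__":
    tree = door_tree()
    print(len(attack_scenarios(tree)), "possible attacks")
    print("cheapest, unskilled attacker:", cheapest(tree, attacker_skilled=False))
    print("cheapest, skilled attacker:  ", cheapest(tree, attacker_skilled=True))
    apply_countermeasure(tree, "Convince someone to open")   # e.g. staff awareness training
    print("after countermeasure, unskilled:", cheapest(tree, attacker_skilled=False))
```

With the constructed attributes the cheapest route for either attacker profile is the social one (find a key holder, threaten), and blocking “Convince someone to open” raises the cheapest attack to 40 and drops the scenario count from 8 to 5. This re-evaluation after a change is the part of the method the later “Countermeasures” slide relies on.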

Background, Metrology and Calibration

Metrology (BIPM) – “The science of measurement”

Calibration (International Vocabulary of Basic and General Terms in Metrology) – “set of operations that establish, under specified conditions, the relationship between values of quantities indicated by a measuring instrument or measuring system...”

Background, Traditional Calibration

[Figure: the unit under test (UUT) travels from the customer to Justervesenet, where it is calibrated against high-precision devices at the calibration location; the two sites have different environmental conditions (T1, P1, H1 and T2, P2, H2).]

• Long downtime for unit under test (UUT) (~weeks)
• Less control over the transport uncertainty introduced in the calibration result
• The UUT is calibrated in an environment different from its normal working conditions
• The customer is not part of the calibration process

[Figure: calibration with a transfer standard: the transfer standard travels from Justervesenet to the customer, and the UUT is calibrated at the customer's calibration location; the two sites again have different environmental conditions (T1, P1, H1 and T2, P2, H2) and are connected over the Internet (www).]

• Justervesenet investigates effects of transport and environmental conditions for the transfer standard and has more control
• The UUT is calibrated in its normal working environment
• Short downtime for the UUT (~hours)
• The customer is part of the calibration process

Background, Internet-Enabled Calibration

iMet, a System for the Future

[Figure: iMet architecture. Justervesenet side: transport standard and server behind a firewall; customer side: device under test (DUT) behind a firewall; measurement software and measurement data appear on both sides; the sites are connected over the Internet (www) through their firewalls.]

• Firewall-friendly, bidirectional HTTPS channel
• Updated measurement procedures and instrument drivers in database server
• Measurement procedures automatically downloaded to customer, compiled and run
• Measurement data returned
• Security?

The Basic Goals of the Project

• Investigation of the attack tree method, evaluate usability of this
• Security analysis of the iMet system, a case study

A Case Study

The case study was performed in a process of several steps:

• Identification of critical assets
• Attack trees
• Vulnerabilities
• Threats
• Risk level
• Countermeasures

Identifying Critical Assets

• Metrology specific:
  – Correct measurement results
  – Instruments in setup
• System application
  – IT systems
  – Application components, SW and HW

Implementing Attack Tree Method

• High level analysis, attacks on critical asset:
  – Correct measurement results

[Figure: high-level attack tree with the root goal “Incorrect calibration results”. Nodes shown on the slide: Incorrect calibration values in calibration certificate; Manipulated calibration results; Faulty cal. result in DB; Faulty data transfer from cal. result DB to cal. cert.; Faulty data transfer between customer / JV; Error in calculations; Incorrect calculation routine; Bug in calculation routine; Wrong version of calculation routine; Incorrect calibrator standard data; Error in data input to calculations; Error in data collection; Incorrect values from data collections; Faulty data collection at customer; Error in data collection at customer; Manipulated data collection at customer; Pretend to be customer; Perform as customer; Steal cal. standard in transport (AND-gate); Simulate instrument setup at customer; Use instr. with incorrect ID; Change ID in instrument; Manipulate cal. values before they are returned; Wrong version of program (appears under several sub-goals). Caption: Selection based on critical asset.]

[Figure: the same high-level tree repeated, with the “Wrong version of program” nodes highlighted. Caption: Selection of goal for refinement.]

Attack Trees

• Refinement and ‘digging’ into the critical or interesting parts of the trees:
  – Goal: Wrong version of program

[Figure: refined attack tree for the goal “Wrong version of program”, with two branches. Obsolete version used: Obsolete version used at customer (Obsolete version available at customer; Obsolete version possible to load at customer; No/faulty version control) and Obsolete version loaded from DB (Obsolete version available in DB; Obsolete version in DB; Lack of or insufficient routine for deleting and/or removing obsolete version; No/faulty version control). Manipulated version used: Manipulated during upload/download (Man-in-the-middle attack AND Sign code with valid key; Access to valid key through authorized or unauthorized access), Manipulate program in DB (Valid, manipulated version in DB; Access to DB through authorized or unauthorized access; Required skills to perform change) and Manipulated program at customer (Access to source code through authorized or unauthorized access; Required skills to perform change). Several of these sub-goals are AND-gates over their listed conditions. Caption: Selected goal for refinement.]

[Figure: the same refined tree repeated, with the branch “Manipulated version used” / “Manipulated program at customer” highlighted. Caption: Selection of branch/goal for example.]

• Program could be manipulated and used at customer’s
  – A skilled customer could manipulate the downloaded source code, and e.g. simulate measurements
  – Source code is signed in database, and this signature is checked at download. But customer could run another version, and integrity of the returned measurement data is thereby not secured by this signature.

Identifying Vulnerabilities, an Example

• Customer could want to simulate or manipulate measurements or instrument ID
  – Save time (instrument should be used in production most of the time)
  – Fabricate good results

Threats to the System, Example

• “Program could be manipulated and used at customer”
  – High criticality (integrity of measurement data)
  – Low/medium threat (we know our customers..)

Assessment of Risk Level, Example

• Risk level MEDIUM

Countermeasures, Example

• Technical: Implement code obfuscator
  – Make the code harder to understand, and thereby manipulate
• Administrative: Signing of contract between customer and authority
  – Define responsibilities, judicial liability
• For the future: Build authentication and signing mechanisms into the instruments
  – Secure integrity of measurement data
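The example branch above makes a point that is easy to miss: the signature on the procedure is verified when the customer downloads it, but nothing ties the measurement data that comes back to that signed program or to the instrument, so a report assembled by another version of the program is indistinguishable from a genuine one. The block below is an added example, not code from the presentation or from the iMet project, that shows the download-time check, the acceptance rule it leaves the server with, and the “for the future” countermeasure of having the instrument authenticate its own record. HMAC over constructed shared keys stands in for the signatures (a deployment would use asymmetric signatures), and the key names, report fields and instrument IDs are assumptions.

```python
"""Added example (not from the presentation or the iMet project): why a signature
checked at download does not protect the returned measurement data, and how a
per-instrument signing mechanism closes that gap. HMAC over constructed keys
stands in for the signatures; key names, report layout and IDs are assumptions."""

import hashlib
import hmac
import json
from typing import Dict, List

# Constructed keys. Assumption: the server signs procedures, and each instrument
# holds a key provisioned to it (the "for the future" countermeasure).
SERVER_KEY = b"constructed-server-procedure-signing-key"
INSTRUMENT_KEYS: Dict[str, bytes] = {"INSTR-001": b"constructed-key-held-by-instrument-001"}
REPORT_FIELDS = ("instrument_id", "procedure_sha256", "values")


def _tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_procedure(source: str) -> dict:
    """Server side: what is stored in the DB and fetched by the customer."""
    return {"source": source,
            "sha256": hashlib.sha256(source.encode()).hexdigest(),
            "sig": _tag(SERVER_KEY, source.encode())}


def verify_procedure(bundle: dict) -> bool:
    """The check the slides describe: signature verified at download."""
    return hmac.compare_digest(_tag(SERVER_KEY, bundle["source"].encode()), bundle["sig"])


def build_report(bundle: dict, instrument_id: str, values: List[float]) -> dict:
    """Customer side: whatever program runs there assembles the report."""
    return {"instrument_id": instrument_id, "procedure_sha256": bundle["sha256"], "values": values}


def instrument_sign(report: dict, instrument_key: bytes) -> dict:
    """Countermeasure: the instrument authenticates the record it produced,
    binding its identity, the procedure and the values together."""
    body = {k: report[k] for k in REPORT_FIELDS}
    return dict(body, instr_sig=_tag(instrument_key, _canonical(body)))


def accept_report_v1(report: dict, known_procedures: set) -> bool:
    """Server acceptance as in the case study: only the procedure identity is checked,
    so nothing ties the values to the instrument or to the signed program."""
    return report.get("procedure_sha256") in known_procedures


def accept_report_v2(report: dict, known_procedures: set) -> bool:
    """Server acceptance with instrument signing: unknown instrument IDs, unknown
    procedures, and any change to the signed fields are rejected."""
    key = INSTRUMENT_KEYS.get(report.get("instrument_id"))
    if key is None or report.get("procedure_sha256") not in known_procedures:
        return False
    try:
        body = {k: report[k] for k in REPORT_FIELDS}
    except KeyError:
        return False
    return hmac.compare_digest(_tag(key, _canonical(body)), str(report.get("instr_sig", "")))


def scenario() -> Dict[str, bool]:
    """Walk through the cases from the slides; returns one verdict per case."""
    bundle = sign_procedure("measure voltage 10 times; return mean and stddev")  # constructed
    known = {bundle["sha256"]}
    tampered = dict(bundle, source=bundle["source"] + " # altered")

    genuine = instrument_sign(build_report(bundle, "INSTR-001", [1.0002, 0.9998]),
                              INSTRUMENT_KEYS["INSTR-001"])
    # Report assembled by a modified program at the customer: no instrument involved
    simulated = build_report(bundle, "INSTR-001", [1.0000, 1.0000])
    # Genuine record whose values were edited after the instrument signed it
    edited = dict(genuine, values=[1.0000, 1.0000])
    # Record claiming another instrument's ID (see "Use instr. with incorrect ID")
    wrong_id = instrument_sign(build_report(bundle, "INSTR-999", [1.0002, 0.9998]),
                               INSTRUMENT_KEYS["INSTR-001"])
    return {
        "download_check_passes": verify_procedure(bundle),
        "download_check_rejects_tampered_source": not verify_procedure(tampered),
        "v1_accepts_simulated": accept_report_v1(simulated, known),   # the gap
        "v2_accepts_genuine": accept_report_v2(genuine, known),
        "v2_rejects_simulated": not accept_report_v2(simulated, known),
        "v2_rejects_edited": not accept_report_v2(edited, known),
        "v2_rejects_wrong_id": not accept_report_v2(wrong_id, known),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:40s} {verdict}")
```

The v1 rule accepts the simulated report because the only thing it can check is that the procedure hash names a program the server knows; the v2 rule rejects it, along with the edited values and the borrowed instrument ID, because the tag has to have been produced with the key held by the instrument named in the record. The code obfuscator from the first countermeasure raises the effort of the manipulation; only the instrument-side signing removes the server's dependence on what ran at the customer.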

Some Results: Usability of Method

• (Semi-)Formalized method:
  – A guide through analysis
• Flexibility
  – Depth of analysis, maturity of system, interpretation of the trees
• Presentation of results from analysis
  – Should adapt to recipients

Some Results: The iMet System

• We have identified 14 vulnerabilities
• We have suggested mitigation strategies for these, based on risk assessment. Most of them easily achievable

Conclusion

We have performed:

• Evaluation of usability of the attack tree method
  – General usability
  – For this system (and similar)
• A case study of the iMet system
  – Security analysis
  – Countermeasures