five ways to secure a real-time distributed system without compromising performance
TRANSCRIPT
Your systems. Working as one.
Five Ways to Secure a Real-Time Distributed System Without Compromising Performance
Heidi Schubert, Ph.D.Director of Research, RTIJune 26, 2012
The Threat
Threats• Denial of service• Information access• Gaining control of the
system
Vulnerabilities• Belief in security by
obscurity• Dependence on physical
network isolation• Lack of operator ability to
detect a cyber attack• Malware accidently installed
through operator or supply chain
The Challenge
• Many proven security solutions for IT systems
• How to adapt these solutions for real-time?
Five Ways to Secure Real-Time Systems
1. Create a Secure Channel between Real-Time Systems
2. Secure UDP 3. Selective Encryption4. Secure Platforms5. Passive Monitoring
Communication Framework for Real-Time Systems
• Data Distribution Service (DDS)– Publish/subscribe
• Plug and play flexibility– Add new nodes at
anytime• Peer-to-peer
performance– Low latency
• Scalable• Reliable
RTI DataBus™
ConnextDDS
App 1
ConnextDDS
App 2
Peer-to-Peer
• DDS sends data directly to peer
• Anonymous publish subscribe
• Data strongly typed• Discovery process
to find which peers to send to
Real-Time Middleware
• Designed for– Performance – peer-to-peer, no brokers,
middleware tuned for low latency, data push– Availability – no single point of failure, can have
multiple publishers of the same data– Scalability – multicast data delivery, push data only
to interested subscribers• Security?
– Want to use proven security technologies without compromising real-time capabilities
Secure Data Transfer
1. Authenticate– Verify your identity
2. Securely exchange cryptographic keys3. Use keys to:
– Encrypt data– Add a message authentication code
App 1 App 2
Transport Layer Security (TLS)
• Provides– Authentication and key exchange– Encryption with symmetric keys– Message authentication
• Proven and widely used– Web browsing, email, IM, VoIP– Client-server– Primarily used over TCP
TLS/TCP for Real-Time Systems
• DDS typically runs over UDP/IP– Runs in best-effort mode for sensor data– Reliable mode – tuned for real-time
• Performance challenges with TCP– Latency – more jitter for sensor data, generally
higher– Throughput
Secure Solutions for DDS
• Use Case:– Connect separate real-time systems– Provide a secure connection into a real-time
system– Connect LANs over an non-secured WAN
1. Secure Channel between Systems
System 1Routing Service
Gateway acts as security point
System 2Routing Service
TLS
15
Secure Channel with Firewall
System 1Routing Service System 2Routing
ServiceTLS
Can use firewall as added protection
DDS Routing Service with Secure Asymmetric TCP
• WAN clients access DDS data within LAN– Clients communicate with participants in LAN not between each other– Clients behind fire-walls– Only one public address required. Only one firewall configured
• Example: Exposing a service to end-user clients
Remote App
System 1Routing Service
Remote App
Remote App
Secure UDP Transport
• DTLS– Datagram version of the TLS protocol
• Provides– Authentication, encryption, and/or integrity
• Requires:– A Certificate Authority (CA)– An application must be configured with an identifying certificate assigned by
the CA– An application must have a private key associated with the public key in the
certificate• Standard protocol
– The protocol is highly scrutinized– Unicast only
• open source: OpenSSL
Secure DDS Transport
DDS
DTLS
DDS Discovery TrafficDDS User Traffic
Application 1
DDS
DTLS
Application 2
DTLS handshaking Encrypted RTPS
DTLS trafficApp 1
DTLS handshaking
App 2
DDS discovery
DDS user data
Performance
• Latency test– Two Linux x86 2.4 GHz machine– Send 1024 bytes packets
• DDS - one-to-one best effort average latency– UDP: 77 us– DTLS/UDP: 132 us– TLS/TCP: 291 us
3. Selective Encryption
• Use Case– Secure some data
• Secure commands, but not sensor data• Secure sensitive sensor data, but not all sensor data
– Secure discovery or meta data, but not real-time streaming data
Pluggable Transport Framework
Standard IP network
IP
UDP
• Allows for simultaneous use of multiple transports
• Allows for Secure Transports (e.g. DTLS or TLS/TCP)
DTLS / UDP
RTI Connext DDS
Real-time applications
Encrypt Discovery Traffic only
• Can configure DDS to use only certain transports for discovery:– discovery.enabled_transports QoS
• Use case: – protects meta data such as information on the
data types.– protects against an unauthorized application
joining a DDS domain
Encrypt Selected Topics
• Can configure DDS to use only certain transports for specific Writers/Readers– transport_selection QoS
W
W
R
R
R
W
W
Insecure Writer
Secure Writer
UDP
UDPDTLS/UDP
4. Secure Platforms
• A secure platform can provide security with minimal impact on run-time performance
• Secure platforms– SE Linux– Separation Kernels
Key aspects of SE Linux security
• Subjects of access control decisions enforced on Processes– So applications running on a single process cannot
be differentially secured by the kernel– E.g. All components running in an app server are
indistinguishable to the Linux kernel• Objects protected by SE Linux are:
– files, directories, inter-process communication mechanisms, ports, devices, etc.
Using SE Linux to Secure DDS Applications
• SE Linux Type Enforcements can be used to restrict access to domains– DDS maps domains to ports and SE Linux can
restrict access which processes can open a given port number
• SE Linux can also be used to restrict access to specific data– Data samples are defined by Topics in DDS– Each Topic can use a separate port
RTI DDS in a MILS Partitioning OS
• MILS separation kernel guarantees separation between processes– Time partitioning– Space partitioning– Pre-configured data flow
• Designed to keep data at different security levels separate• MILS kernel evaluated to prove it provides separation• RTI Connext DDS supports VxWorks MILS
Active Monitoring
• Intrusion Prevention Systems– Network appliance– Identify and block malware and malicious activity
5. Passive Monitoring
• Passive Monitoring on the Device– Application Protocol based IDS
• Dynamic protocol behavior monitoring• Application fingerprinting
– Host based IDS• Monitors behavior of the host• E.g. Verisys, Tripwire
• Passive Monitoring on the Network– Network IDS and anomaly detection
Conclusions
• Don’t blindly use IT security technologies on your real-time system
• Instead, use one or more of these approaches1. Create a Secure Channel between Real-Time
Systems2. Secure UDP 3. Selective Encryption4. Secure Platforms5. Passive Monitoring
Additional Resources
• Get started in less than an hour– Download a FREE trial of RTI Connext™ Messaging:
www.rti.com/downloads/connext.html
• RTI Supporting Resources– RTI website: www.rti.com– RTI security:
http://www.rti.com/products/dds/security.html – Additional RTI webinars: www.rti.com/mk/webinars.html – Follow RTI on Twitter: twitter.com/RealTimeInnov