IoT Security in Industry 4.0
https://ccs.korea.ac.kr https://iotcube.net https://labrador.iotcube.com
Prof. Heejo Lee ([email protected])
Center for Software Security and Assurance (CSSA)
Korea University
Oct. 21, 2019
Korea University College of Informatics
About speaker
• Experience
  § Director, CSSA (2015-current)
  § CEO, IoTcube Inc. (CSSA spin-off since 2018)
  § Professor, Dept. of Computer Science and Eng., Korea Univ. (2004-current)
  § Visiting Professor, CyLab / Carnegie Mellon Univ. (2010-2011)
  § CTO, AhnLab Inc. (2001-2003)
• Professional Activities
  § Presidential Committee on the 4th Industrial Revolution (2017-2018)
  § Advisory Committee for the Consultation of Cybersecurity in numerous Asian economies and Costa Rica
  § Advisory Committee of Supreme Prosecutor's Office, Nat'l Police Agency, Korea Internet & Security Agency (KISA) and others
• Education
  § Postdoc researcher, CERIAS at Purdue University (2000-2001)
  § BS, MS, PhD from POSTECH, Korea (1989-2000)
▲ 2016 ISC2 ISLA award of community service star
Prof. Heejo Lee
Contents
I. Introduction to IoT Security
II. IoT Security Threats
III. IoTcube: an Automated Security Vulnerability Analysis Platform (https://iotcube.net)
IV. Securing IoT Devices for Smart Factory and Cities
V. Potential Collaborations
I. Introduction to IoT Security
The Internet of Things (IoT)
• The Internet of Things (IoT)
  • Inter-networking of physical things such as devices, vehicles, buildings, and other items embedded with sensors and actuators
  • Providing smart services such as intelligent robots, drones, autonomous vehicles, smart factories, precision bioscience, education, and many others
• Growth of IoT devices and services
  • Increase to 125 billion devices by 2030 (IHS Markit '17)
  • IoT security problems affect not only the device itself but also service providers and human users
Security and Safety of IoT Devices
• Internet of Computers (IOC)
  • Problems have an impact on the digital world of computers
• Cyber-physical systems (CPS)
  • A CPS with connected sensors and actuators may not be connected to the Internet
• IoT security = Cyber security + CPS security
  • IoT can have a direct impact on the physical world, such as unlocking doors, altering heating systems, affecting the braking of a vehicle, and killing the host of an implanted medical device
Why Cross-Industry Collaboration is Vital
• Cross-discipline security engineering
  • Most engineering disciplines rarely address security engineering (though some address safety)
  • Many security engineers are ignorant of core engineering disciplines (mechanical, chemical, electrical), including fault-tolerant safety design
• Relationship of safety and security, Boehm '13
  • Safety: the system must not harm the world
  • Security: the world must not harm the system
Industry 4.0: Smart Factory in Korea
• Manufacturing is the foundation of the Korean economy
  • Accounting for 30% of total production and 85% of exports (2018)
  • The 5th ranked manufacturing country in the world
• Smart factory as a nationwide innovation strategy
  • Productivity and safety enhancement result in more job positions
  • 30,000 smart factories and 100,000 professionals by 2022
  • Korea University established a new master course for computer security in smart factory
II. IoT Security Threats
Encryption ≠ Security
• Lots of vulnerabilities found and the need for better security practices
  • Most devices implemented encryption; bypassing encryption is possible via misconfigured network services, lack of proper key management, or stealing authentication tokens
  • Multiple vendors sell the same device under different brand names
IEEE Security & Privacy Magazine, September 2019
Open Source Software (OSS) and Code Reuse
• Growing popularity of open source projects
  • GitHub hosted 10M projects in 2013, 100M projects in 2019
  • Development of AI, IoT, blockchains are based on open source software
  • Many global companies are transitioning to open source IT systems

Rank  Name of a Project               Forks  Area
1     Tensorflow                      72K    AI
2     Tensorflow (model and example)  30K
3     Linux                           25K    IoT
4     OpenCV                          23K    AI
5     Bitcoin                         22K    Blockchain
6     Caffe                           16K    AI
7     Git                             15K    OSS
8     Redis                           13K    DB
9     Electron                        9K     Web
10    ProtoBuf (Google)               9K     Protocols
* C/C++ Project Forks Ranking in GitHub, CSSA, Mar. 2019
Vulnerability Discovery by Security Testing during Development
• Pacemaker recall due to security vulnerabilities, Aug. 2017
  • 500,000 patients are susceptible
  • Two vulnerabilities
    • Crash attacks: becoming unresponsive after some amount of radio traffic
    • Battery drain attacks: draining its onboard battery faster than usual
• The above vulnerabilities could have been found by fuzz testing
  • Penetration testing after development has limitations in finding vulnerabilities and fixing security problems before release and deployment
III.IoTcube:anAutomatedSecurityAnalysisPlatform
Center for Software Security and Assurance (CSSA)
Automation
Easy-to-Use
Scalability
Vulnerable Functions (97,501)
Total Users (11,846)
Detected Vulnerable Clones (773,028)
Analyzed Lines of Code (34,777,413,267), updated 2019-9-6
On April 19, 2016, IoTcube, an automated analysis platform for security vulnerabilities, opened to the public! (https://iotcube.net)
It provides security analysis even for non-security experts, so that vulnerabilities can be managed professionally.
IoTcube: Security experts are always with you!
Whitebox Testing: IoTcube "hmark" CVE Scanner
• Analysis of Android 20M LoC for detecting CVE vulnerabilities within 1 second
• Why they selected hmark? (IEEE S&P'17, ComSec'18)
  ① Speed: 2x faster preprocessing and 1,000x faster detection speed
  ② Scalability: 20 million lines of smartphone software are processed in less than 1.3 seconds
  ③ Pin-point detection: detects exact vulnerable functions, so developers can fix them with ease
• IoTcube hmark has no false positives, while static analysis tools usually produce too many false alarms
[Figure: clone detectors plotted by scalability vs. accuracy, grouped by matching granularity (token-level, graph/tree, bag-of-tokens, line-level, file-level): CCFinder (TSE'02), DECKARD (ICSE'07), SourcererCC (ICSE'15), ReDeBug (S&P'12), FCFinder (MSR'10), VUDDY (S&P'17); IoTcube/VUDDY marked "x1,000"]
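As an added example (not hmark's own code or its hidx format), a minimal function-level vulnerable-clone check in the style the slide describes: each C function is extracted, normalized so comments and whitespace no longer matter, hashed, and looked up in an index built the same way from known-vulnerable functions. The sample sources, helper names and the CVE label are constructed placeholders.

```python
import hashlib
import re

# Constructed samples: VULN_FUNC is the pre-patch body from a placeholder CVE fix;
# TARGET_SOURCE vendors a reformatted copy of it beside an unrelated function.
VULN_FUNC = """int read_record(char *dst, const char *src, unsigned len)
{
    /* copies without checking len */
    memcpy(dst, src, len);
    return 0;
}"""
TARGET_SOURCE = """int read_record(char *dst, const char *src, unsigned len) {
  memcpy(dst, src, len);   // TODO bounds
  return 0;
}
int safe_read(char *dst, const char *src, unsigned len) {
  if (len > MAX) return -1;
  return read_record(dst, src, len);
}"""

def extract_functions(src: str) -> dict[str, str]:
    """Tiny C splitter: 'name(...) {' plus its balanced brace body (braces in comments/strings not handled)."""
    funcs = {}
    for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\([^;{}]*\)\s*\{", src):
        depth, i = 0, m.end() - 1
        while i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            if depth == 0:
                break
            i += 1
        funcs[m.group(1)] = src[m.start():i + 1]
    return funcs

def normalize(code: str) -> str:
    """Drop comments and all whitespace, then lowercase: pure reformatting no longer changes the hash."""
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)
    code = re.sub(r"//[^\n]*", "", code)
    return re.sub(r"\s+", "", code).lower()

def fingerprint(code: str) -> str:
    """SHA-256 of the normalized function (the hash choice is this example's, not hmark's)."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()

def scan(source: str, index: dict[str, str]) -> list[tuple[str, str]]:
    """Pin-point report: (function name, identifier) for every function cloned from the index."""
    return [(name, index[fingerprint(body)])
            for name, body in extract_functions(source).items()
            if fingerprint(body) in index]

VULN_INDEX = {fingerprint(b): "CVE-0000-0000 (placeholder)" for b in extract_functions(VULN_FUNC).values()}
```

`scan(TARGET_SOURCE, VULN_INDEX)` flags only `read_record`, the reformatted clone, and not `safe_read`, which is the behaviour the slide calls pin-point detection.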
Whitebox Testing: IoTcube "hmark" Demonstration
Security Vulnerabilities in Brand New Smartphones and AI Speakers
• The vulnerabilities of AI speakers have been analyzed by IoTcube and broadcast on the prime news channel MBC Newsdesk, Oct. 8, 2019
• "Recent Android Smartphones Have 200 Security Holes," daily newspaper cover story, Dec. 12, 2016
IoTcube Growing Dimensions from Year 2018
• Three parts of IoTcube include education, research and business collaborations
  • Education: graduate school for security; Incognito conferences
  • Research: blockchain security platform development; LA smart city (I3) security models
  • Business: IOTCUBE Inc.; Labrador launching
IV.SecuringIoT DevicesforSmartFactoryandCities
IOTCUBE Inc. as a Spin-off of KU CSSA
IOTCUBE: automated vulnerability analysis platform provider
• Find security vulnerabilities in software, and supervise patch updates and license violations, with easy-to-use interfaces
• Provide security validation at any stage of the SDLC, including design, development, test, deployment and operation of software systems
Labrador: Security experts are always with you!
Software security analysis platform Labrador: security validation at any SDLC stage
[Figure: Labrador across the SDLC stages Design, Develop, Test, Deploy and Operate; labels: vulnerable source code, vulnerable binary, secure source code, secure binary]
https://labrador.iotcube.com/userguide
Security and Safety of IoT Devices in Factories and Cities
• For collecting well-refined data, the security of the device should be guaranteed
• Previous approaches to verify device security
  1) Version-based approach: high false positives
    - Check the vulnerabilities with the version information of the devices
    - There are many cases of vulnerabilities being patched, even in the vulnerable versions of devices
  2) Network-based approach: high false negatives
    - Check remotely the vulnerabilities of network services, e.g., Metasploit
    - Limited coverage of vulnerabilities by executing exploit codes
• Deep scan, rather than surface scan: static code analysis will be useful for examining the existence of critical CVE* vulnerabilities!
* CVE is the unique and common identifier for known security vulnerabilities, https://cve.mitre.org.
Integrating IoTcube to the I3 Marketplace
[Figure: I3 Marketplace Platform with Device and Data Owner, Data Broker, Data Consumer (3rd party app), Data Consumer (IoT cloud platform), and IoTcube connected via the REST API for IoTcube]
The intelligent IoT integrator (I3) is an LA smart city project started in 2017, https://i3.usc.edu
Integrating IoTcube to the I3 Marketplace
• IoTcube integration is possible with the REST API
  • Simply send the hidx file created by the hmark tool to the IoTcube server using a POST request
    - Then the user (e.g., data seller) can receive the scanned vulnerability result as JSON
• Even data sellers who are not familiar with security can easily analyze the security of the data-source devices using IoTcube
[Figure: Data Seller and I3 Marketplace Platform: 1) generate the hidx file; 2) while registering, submit the hidx file; 3) send the hidx file (REST API); 4) return the certificate level (hidx)]
Integrating IoTcube to the I3 Marketplace
• How to choose certificate level?
  § Certificate level is determined according to the scanning result of IoTcube
  § Depending on the existence of high-severity vulnerabilities and named vulnerabilities

Certificate level  Weak Validation                                                Strong Validation
★★★★★              -                                                              No high-severity vulnerabilities and named vulnerabilities
★★★★               No high-severity vulnerabilities and named vulnerabilities     Either high-severity vulnerabilities or named vulnerabilities
★★★                Either high-severity vulnerabilities or named vulnerabilities  Both high-severity vulnerabilities and named vulnerabilities
★★                 Both high-severity vulnerabilities and named vulnerabilities   -
★                  The device had not been analyzed yet by IoTcube (both columns)
V. Potential Collaborations
Case 1: CVE Scanning in Code Review for SW Development
• Finding unpatched code clones for security enhancement in every commit
• Security team or developers can manage security vulnerabilities with the IoTcube engine
• Automated security checking on the code commit process
[Figure: "Daily Detecting CVEs in OSS Project": Unknown Vulnerabilities (JIRA Issue & Project Tracking), Known Vulnerabilities (Microsoft Gerrit Code Review), Samsung AVAS, CVE DB (Patch), CVE Scanner, Daily Update; * IoTcube Engine]
Case 2: Security Evaluation for IoT Devices in Factories and Cities
• THE INTELLIGENT IOT INTEGRATOR (I3) CONSORTIUM
  • The goal of the I3 system is to create IoT communities, including smart cities, where device owners are an active part of the community
  • Founding members include LA city, USC, Verizon, Oracle, Kiana and Korea University; visit https://i3.usc.edu/
  • IoTcube is integrated with the I3 testbed and marketplace via the IoTcube APIs
Case 3: Collaboration in Education as an Internship Program
• New Program in Graduate School for Convergence Security
  • Opening the master course for computer security in CSE, Korea University
  • 25 students/year with full scholarship starting from year 2020
  • Consortium of 18 companies/institutes from 4 countries for joint research and education in the field of smart factory
Summary
• Examining vulnerability on the code base is required
  • Vulnerable code clones carry vulnerabilities to other software
  • Automated CVE scanners such as IoTcube Labrador will be useful
• The latest version of OSS is not a silver bullet
  • Vulnerabilities in reused/modified code tend to take a long time to be fixed
  • Continuous management of vulnerabilities is required
• Importance of security management for producing safe products and services
  • Security of open source platforms should be considered at the moment of development and before deployment
• We are looking for collaborative partners!
Q&A
Fewer vulnerabilities make more secure software!
How to Contact: IoTcube finds all bugs!
• CSSA: [email protected], https://iotcube.net
• IoTcube Inc.: [email protected], https://lab.iotcube.com