Security Architecture: A reference for embedded systems
Yves Rutschle (APSYS-AIRBUS), 2019-02-12
Domains on real products
Yves Rutschle (APSYS-AIRBUS) Security Architecture 2019-02-12 2 / 23
[Diagram labels, revealed incrementally across the slides: ACD-AV, ACD-IS, AISD, PIESD, ARINC 811; SIG, TCMS, PACIS, IOB]
Plan
1 Basic principles of security architecture
2 Typical requirements for embedded systems
3 Consequences on architectures
4 Main security functions
5 Reference architecture
Basic principles of security architecture
Basic Principles
Security functions shall be updatable
• Attacks get better
• Vulnerabilities are discovered
Separate Critical from Security
• Critical functions don’t change often and are very costly to certify
• Security functions have to be updated over time
• Separating them makes the update easier and less expensive
No single vulnerability shall compromise the system
• Do not trust any individual component
Defense in depth
Apply principle of least privilege
Control data entering higher-criticality domains
... using “proxies” or “application-level filters” (ALF)
Typical requirements for embedded systems
Embedded systems requirements
Internet connection
• For updates, non-critical applicative communications
• Wi-Fi for passengers
No Internet connection
• Planes in warehouses
• Helicopters in the wilderness
• Trains in tunnels
• ...
Critical networks
• Impacts (catastrophic)
• Real-time requirements (i.e. availability)
BYOD: Bring Your Own Device
• E.g. pilot EFB, phones in cars, ...
• i.e. uncontrolled equipment connected to our system
Maintenance
• Software updates
• Testing
All of these require access to the entire system
Standard IT solutions do not apply
• No admin
• No SOC
• No real-time reaction
But the system is entirely defined at design time
Consequences on architectures
Domains
• Identify domains based on security impacts
• Segregate applications
• Identify dataflows between domains
• Protect higher-impact domains from lower domains
  • Limit dataflows to specification
  • Limit data rates
  • Verify data format
• Avoid dataflows from domain n to n+2
Each domain is a DMZ for the next domain up
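The rules on this slide (only declared flows, no flow from domain n to n+2, bounded data rates, format verification) combined into one boundary proxy. This is an added example for this transcript, not code from the talk or from Airbus; the domain ranking, the rate budgets, the message format and every sample message are constructed for illustration.

```python
"""Dataflow policy for segregated domains (added example, not from the slides).

Domains are ranked by security impact. A proxy on a domain boundary admits a
message only if (1) the flow is declared in the specification, (2) an upward
flow rises by at most one level (no domain n to n+2), (3) the flow's byte-rate
budget is not exceeded, and (4) the payload passes a format check.
Domain names, rates, the message format and the sample messages are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable
import json
import time

# Constructed ranking: higher number = higher security impact.
DOMAIN_LEVEL = {"untrusted": 0, "passenger": 1, "services": 2, "control": 3}


@dataclass
class Flow:
    src: str
    dst: str
    max_bytes_per_sec: float
    validate: Callable[[bytes], bool]                 # format check for this flow
    tokens: float = field(default=0.0, init=False)    # token bucket, in bytes
    last: float = field(default=0.0, init=False)      # time of last refill


def skips_a_level(src: str, dst: str) -> bool:
    """True for an upward flow from domain n to n+2 or higher."""
    return DOMAIN_LEVEL[dst] - DOMAIN_LEVEL[src] > 1


class DomainProxy:
    """Admission control at the boundary of each domain."""

    def __init__(self, spec: list[Flow], clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.flows: dict[tuple[str, str], Flow] = {}
        for f in spec:
            if skips_a_level(f.src, f.dst):      # reject at design time, not at runtime
                raise ValueError(f"flow {f.src}->{f.dst} skips a domain level")
            f.tokens, f.last = f.max_bytes_per_sec, clock()
            self.flows[(f.src, f.dst)] = f

    def admit(self, src: str, dst: str, payload: bytes) -> tuple[bool, str]:
        flow = self.flows.get((src, dst))
        if flow is None:
            return False, "flow not in specification"
        # Refill the bucket, then charge the bytes that arrived whether or not
        # they turn out to be well-formed: the rate limit is about load.
        now = self.clock()
        flow.tokens = min(flow.max_bytes_per_sec,
                          flow.tokens + (now - flow.last) * flow.max_bytes_per_sec)
        flow.last = now
        if len(payload) > flow.tokens:
            return False, "rate limit exceeded"
        flow.tokens -= len(payload)
        if not flow.validate(payload):
            return False, "format check failed"
        return True, "ok"


def valid_status_report(payload: bytes) -> bool:
    """Constructed message format: ASCII JSON object with exactly the keys
    'unit' (1..16 chars) and 'temp_c' (integer in -60..150)."""
    try:
        doc = json.loads(payload.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return False
    if not isinstance(doc, dict) or set(doc) != {"unit", "temp_c"}:
        return False
    unit, temp = doc["unit"], doc["temp_c"]
    return (isinstance(unit, str) and 1 <= len(unit) <= 16
            and isinstance(temp, int) and not isinstance(temp, bool)
            and -60 <= temp <= 150)


def run_demo() -> list:
    """Drive the proxy with a manual clock; returns the admission decisions."""
    now = [0.0]
    spec = [Flow("passenger", "services", 64, valid_status_report),
            Flow("services", "control", 64, valid_status_report)]
    proxy = DomainProxy(spec, clock=lambda: now[0])
    good = b'{"unit": "cabin-3", "temp_c": 21}'        # 33 bytes, well-formed
    bad = b'{"unit": "x", "temp_c": "21"}'             # valid JSON, wrong type
    out = [proxy.admit("passenger", "services", good),   # ok
           proxy.admit("passenger", "control", good),    # undeclared (would be n -> n+2)
           proxy.admit("passenger", "services", bad),    # format check failed
           proxy.admit("passenger", "services", good)]   # bucket now too low
    now[0] += 1.0                                         # one second later: refilled
    out.append(proxy.admit("passenger", "services", good))
    try:                                                  # a spec that skips a level is rejected outright
        DomainProxy([Flow("untrusted", "services", 64, valid_status_report)])
        out.append("accepted")
    except ValueError as e:
        out.append(str(e))
    return out


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

Downward flows are accepted by `skips_a_level` because the slide restricts only upward data; a real proxy would still run the confidentiality filter of the "Going down" slide on them.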
Main security functions
Changing domains
Going down...
• Firewall (for confidentiality)
Going up...
Two threats:
• Incoherent corruption
• Coherent corruption
Two impacts: NSE, SE

                        NSE    SE
Incoherent corruption   ALF    ALF
Coherent corruption     ALF    VPN to same-level or validation

[Diagram labels: Crit 3, ALF, Crit 2, Untrusted; Crit 3, VPN, Crit 2]
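The table above in code: one application-level filter that stops incoherent corruption with a format check and, for flows with a safety effect, refuses well-formed data unless its origin is authenticated by the same-level peer or it is validated against an independent reading. This is an added example for this transcript, not code from the talk or from Airbus; an HMAC tag stands in for the VPN of the slide, and the key, the topic-to-impact table, the record format, the tolerance and the sample messages are all constructed.

```python
"""Going up a domain: one application-level filter (ALF) against two threats.

Added example, not from the slides. Incoherent corruption (malformed or
out-of-range data) is stopped by a strict format check. Coherent corruption
(well-formed, in-range, but forged) passes that check, so for a flow with a
safety effect (SE) the message must also either carry an authentication tag
from the same-level peer (HMAC-SHA256 here, standing in for the VPN on the
slide) or agree with an independent reading (the "validation" alternative).
Key, topics, tolerance, record format and messages are constructed.
"""
import hashlib
import hmac

PEER_KEY = b"constructed-demo-key-do-not-reuse"          # constructed; a real design keeps it in the VPN endpoint
TOPIC_IMPACT = {"cabin_temp_c": "NSE", "brake_pct": "SE"}  # constructed impact classification per topic
TOLERANCE = 5                                              # constructed plausibility tolerance


def parse_and_check_format(payload: bytes):
    """Constructed record format: b"<topic> <value>", value a decimal in 0..100.
    Returns (topic, value), or None if the data is incoherent."""
    try:
        topic, value = payload.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if topic not in TOPIC_IMPACT or not value.isdigit() or len(value) > 3:
        return None
    v = int(value)
    return (topic, v) if 0 <= v <= 100 else None


def make_tag(payload: bytes) -> str:
    """What the same-level peer attaches to its messages (the VPN stand-in)."""
    return hmac.new(PEER_KEY, payload, hashlib.sha256).hexdigest()


def origin_verified(payload: bytes, tag) -> bool:
    return isinstance(tag, str) and hmac.compare_digest(make_tag(payload), tag)


def alf_accept(payload: bytes, tag=None, independent=None) -> tuple[bool, str]:
    """Decide whether a message may enter the higher-criticality domain.

    tag:         authentication tag from the same-level peer, if any
    independent: reading of the same quantity from an independent source, if any
    """
    parsed = parse_and_check_format(payload)
    if parsed is None:
        return False, "rejected: incoherent (format check failed)"
    topic, value = parsed
    if TOPIC_IMPACT[topic] == "NSE":
        return True, "accepted: no safety effect, format check suffices"
    # SE: a well-formed forgery is still possible, so require an authenticated origin ...
    if origin_verified(payload, tag):
        return True, "accepted: SE, origin authenticated by same-level peer"
    # ... or a plausibility validation against an independent source.
    if independent is not None and abs(value - independent) <= TOLERANCE:
        return True, "accepted: SE, validated against independent reading"
    return False, "rejected: SE, coherent corruption not excluded"


def run_demo() -> list:
    nse = b"cabin_temp_c 21"
    malformed = b"cabin_temp_c 21C"
    se = b"brake_pct 30"
    forged_tag = make_tag(b"brake_pct 90")   # genuine tag, but for a different message
    return [alf_accept(nse),
            alf_accept(malformed),
            alf_accept(se),                         # no tag, no independent reading
            alf_accept(se, tag=make_tag(se)),
            alf_accept(se, tag=forged_tag),
            alf_accept(se, independent=28),
            alf_accept(se, independent=60)]


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The format check runs first in every case, so the authentication path never sees malformed input; the order mirrors the table, where ALF applies to both threats and the VPN or validation is added only for the SE column.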
Reference architecture
[Diagram slides; only the slide title "One domain" survives in the transcript]
Questions?