Carnegie Mellon University
18-849b Dependable Embedded Systems
Spring 1998
Author: Kanaka Juvva
Computer System and Network Security is of utmost importance in embedded systems like ATM machines, Smartcards etc. Security is concerned with the ability of a system to prevent unauthorized access to information or services. Traditionally, security issues have been associated with large databases. During the last few years, security issues have also become important in embedded real-time systems. Confidentiality, Integrity and Availability are three fundamental objectives of security. Though these objectives seem simple, the foolproof implementation is highly complex. Authentication and access control techniques are used to provide confidentiality. Data encryption is often used to provide Integrity. Intrusion Detection Systems (IDS) is currently being used to detect intruders, security holes, Trojan Horses and other malicious actions to the system. A variety of technologies have been developed to help organizations secure their systems and information against intruders. The paper discusses about some practical security methods.
Security is concerned with the ability of a system to prevent unauthorized access to information or services. Traditionally, security issues have been associated with large databases. During the last few years, security issues have also become important in embedded real-time systems, e.g. a cryptographic theft-avoidance systems that locks the ignition of a car if the user cannot present the specific access code. Especially, the expansion of internet has also led to Web-Based control [Rodney98] of devices and embedded systems. This poses severe security concern for these devices. Figure 1 shows the growth of the Internet and the corresponding growth of reported security incidents [CERT97]. The paper discusses some practical methods to achieve security.
Figure 1
Basic Security Concepts
Three basic security concepts important to computer systems are confidentiality, integrity, and availability.
Confidentiality
When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes. Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering.
Authentication and access control techniques are used to achieve Confidentiality and are mentioned in the section security practices.
Integrity
Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting. Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need.
Availability
Availability is often the most important attribute in service-oriented businesses that depend on information (e.g., airline schedules and online inventory systems). Availability of the network itself is important to anyone whose business or education relies on a network connection. When a user cannot get access to the network or specific services provided on the network, they experience a denial of service.
Improving Security
In the face of the vulnerabilities and incident trends discussed above, a robust defense requires a flexible strategy that allows adaptation to the changing environment, well-defined policies and procedures, the use of robust tools, and constant vigilance. It is helpful to begin a security improvement program by determining the current state of security at the site. Methods for making this determination in a reliable way are becoming available. Integral to a security program are documented policies and procedures, and technology that supports their implementation. This section gives some techniques and procedures to build security into systems.
CRYPTOGRAPHY
The purpose of cryptography is to secure the confidentiality, integrity, and authenticity of data resources. One of the primary reasons that intruders can be successful is that most of the information they acquire from a system is in a form that they can read and comprehend. When you consider the millions of electronic messages that traverse the Internet each day, it is easy to see how a well-placed network sniffer might capture a wealth of information that users would not like to have disclosed to unintended readers. Intruders may reveal the information to others, modify it to misrepresent an individual or organization, or use it to launch an attack. One solution to this problem is, through the use of cryptography, to prevent intruders from being able to use the information that they capture.
Encryption
Encryption is the process of translating information from its original form (called plaintext) into an encoded, incomprehensible form (called ciphertext). Decryption refers to the process of taking ciphertext and translating it back into plaintext. Any type of data may be encrypted, including digitized images and sounds. Cryptography secures information by protecting its confidentiality. Cryptography can also be used to protect information about the integrity and authenticity of data. For example, checksums are often used to verify the integrity of a block of information. A checksum, which is a number calculated from the contents of a file, can be used to determine if the contents are correct. An intruder, however, may be able to forget the checksum after modifying the block of information. Unless the checksum is protected, such modification might not be detected. Cryptographic checksums (also called message digests) help prevent undetected modification of information by encrypting the checksum in a way that makes the checksum unique.
The authenticity of data can be protected in a similar way. For example, to transmit information to a colleague by E-mail, the sender first encrypts the information to protect its confidentiality and then attaches an encrypted digital signature to the message. When the colleague receives the message, he or she checks the origin of the message by using a key to verify the sender's digital signature and decrypts the information using the corresponding decryption key. To protect against the chance of intruders modifying or forging the information in transit, digital signatures are formed by encrypting a combination of a checksum of the information and the author's unique private key. A side effect of such authentication is the concept of nonrepudiation. A person who places their cryptographic digital signature on an electronic document cannot later claim that they did not sign it, since in theory they are the only one who could have created the correct signature.
DES
The Data Encryption Standard (DES) has been in use worldwide as a standard for more than a decade. DES uses an algorithm to encrypt and decrypt blocks Of data consisting of 64 bits using a 64-bit key. The same key used for both The encryption and decryption processes. One benefit of this algorithm is that The same process can be used for both encryption and decryption (with the exception of the key, which must be used in reverse order for decryption). The algorithm also has the advantage that it only uses logical operations Resulting in a fast process whether implemented in hardware or software. An ongoing debate has been exactly how secure is DES ? There has been much Suspicion that when NSA got involved, a "trap door" was inserted so they Could decrypt any DES encrypted messages. A unclassified report cleared the suspicion of any improper manipulation of the algorithm. Debate also surrounds the issue of the DES key length. Also one known weakness in DES surrounds the selection of the initial key.
Security Policy, Procedures, and Practices
Security Policy
A security policy is concerned with the the following Issues:
Security-Related Procedures
Procedures are specific steps to follow that are based on the computer security policy. Procedures address such topics as retrieving programs from the network, connecting to the site's system from home or while traveling, using encryption, authentication for issuing accounts, configuration, and monitoring.
Security Practices
Checklists and general advice on good security practices are readily available. Below are examples of commonly recommended practices:
Intrusion Detection
Research is underway to improve the ability of networked systems and their managers to determine that they are, or have been, under attack. Intrusion detection is recognized as a problematic area of research that is still in its infancy. There are two major areas of research in intrusion detection: anomaly detection and pattern recognition. Research in anomaly detection is based on determining patterns of "normal" behavior for networks, hosts, and users and then detecting behavior that is significantly different (anomalous). Patterns of normal behavior are frequently determined through data collection over a period of time sufficient to obtain a good sample of the typical behavior of authorized users and processes. The basic difficulty facing researchers is that normal behavior is highly variable based on a wide variety of innocuous factors. Many of the activities of intruders are indistinguishable from the benign actions of an authorized user.
The second major area of intrusion detection research is pattern recognition. The goal here is to detect patterns of network, host, and user activity that match known intruder attack scenarios. One problem with this approach is the variability that is possible within a single overall attack strategy. A second problem is that new attacks, with new attack patterns, cannot be detected by this approach. Finally, to support the needs of the future Internet, intrusion detection tools and techniques that can identify coordinated distributed attacks are critically needed.
Monitoring Tools
Continuous monitoring of network activity is required if a site is to maintain confidence in the security of its network and data resources. Network monitors may be installed at strategic locations to collect and examine information continuously that may indicate suspicious activity. It is possible to have automatic notifications alert system administrators when the monitor detects anomalous readings, such as a burst of activity that may indicate a denial-of-service attempt. Such notifications may use a variety of channels, including electronic mail and mobile paging. Sophisticated systems capable of reacting to questionable network activity may be implemented to disconnect and block suspect connections, limit or disable affected services, isolate affected systems, and collect evidence for subsequent analysis.
Tools to scan, monitor, and eradicate viruses can identify and destroy malicious programs that may have inadvertently been transmitted onto host systems. The damage potential of viruses ranges from mere annoyance (e.g., an unexpected "Happy Holidays" jingle without further effect) to the obliteration of critical data resources. To ensure continued protection, the virus identification data on which such tools depend must be kept up to date. Most virus tool vendors provide subscription services or other distribution facilities to help customers keep up to date with the latest viral strains.
Security Analysis Tools.
Because of the increasing sophistication of intruder methods and the vulnerabilities present in commonly used applications, it is essential to assess periodically network susceptibility to compromise. A variety of vulnerability identification tools are available, which have garnered both praise and criticism. System administrators find these tools useful in identifying weaknesses in their systems. Critics argue that such tools, especially those freely available to the Internet community, pose a threat if acquired and misused by intruders.
Formal methods are often used to verify security protocols and security procedures employed by the system.
System Architectural Approaches
System architecture approaches can be used to build security into the system.
With the rapid expansion of the Internet and the proliferation of distributed computing, new interest is now focused on the security aspects of both personal and enterprise computing systems, and with good reason. Millions of computer users are downloading files and applications of unknown origin every day-directly onto their PCs and workstations. This poses serious concern for security of the computer systems. The security concerns expand to embedded systems as we have more and more embedded devices on the Internet. I believe all the above mentioned techniques can be applied for embedded system security.
I am not sure how an Embedded Internet would like! I am sure it will have to deal with security better than open Internet. Then techiques like intrusion detection and security monitoring will play key role. As it stands embedded systems are closed systems and most of the above mentioned security procedures apply to them.
Interestingly, some emerging platforms like JAVA provide built-in security models [Steven96] for web-centric environments. Research and development efforts are underway to allow critical applications to operate in the future in a more secure environment than exists today
Notes: Wide variety of information on computer system and network security. It contains chapters on security models, risk analysis, network firewalls and cryptography.
Notes: This paper discusses security concerns in network oriented computing and how JAVA's security model handles them.
Notes: This paper discusses about Internet security and several security policies, procedures and technology.
Notes: This paper discusses about Web-based device monitoring and control of embedded systems. There is a small section on security for Web-Based embedded devices.