Enhancing Smart Device Security: Protecting
Critical Information in the Field
Jeff Voas, PhD, FIEEE, FAAAS, FIET
Story
1. Invite Reason: Possibly some of your folks work in the
same hostile environment in the Middle East as do US
soldiers
2. Approached by DARPA in Feb. 2010 with the question:
how do you vet mobile apps for security concerns?
3. DARPA had a new software acquisition model in mind
(economic)
4. Military wanted smartphones versus radio packs
5. Outcome: Methodology for rebuilding OTS smartphones
for hostile and non-hostile environments
6. Starting point: What does it mean to assure and trust
smart devices and apps?
“A consumer [patient] may not be able to assess accurately
whether a particular drug is safe, but [they] can be reasonably
confident that drugs obtained from approved sources have the
endorsement of the U.S. Food and Drug Administration (FDA)
which confers important safety information. Computer system
trustworthiness has nothing comparable to the FDA. The
problem is both the absence of standard metrics and a
generally accepted organization that could conduct such
assessments. There is no Consumer Reports for
Trustworthiness.”
[Source: “Trust in Cyberspace,” National Academy of Sciences Report,
National Academy Press, 1998.]
Old, But Sadly Still True:
1998?
Premise for App Vetting
Third party apps should be tagged with some guarantee (or “warm
fuzzy”) about the app’s quality.
•Situation: Software Of Unknown Pedigree (SOUP)
•Goal: Software of Known Pedigree
Problems:
1. What is “good” software?
2. Or is the question “good enough”?
3. Or is the question “better”?
4. Who creates “a” vetting criteria of quality?
5. What are the criteria?
Why Is the Problem Hard?
• Software is non-Physical!
• Physical sciences have measures
• Software has measures, often direct, but with no
correlation to behaviorally “how good?, better?”
• Question: Is there physics (e.g., a periodic table)
for non-physical systems?
• Question: A Defined, Timely, Repeatable
Vetting (Certification) Process that Ensures
Fairness?
Ah, But a Solution?
• We know how to build highly reliable software
in accordance with specific guidelines
• Q: Who does this?
• A: Regulated industry sectors (e.g., nuclear,
avionics, medical)
– $1K+/LOC?
– Will anyone “non-regulated” pay such costs?
Three Key Messages That App Vetting
Can Convey
• Compliance with Standards vs.
• Compliance with Requirements vs.
• Fitness for Purpose
[Figure: Threat Space, Environment, Software, Physical System; System{Reliability, Security, Performance, Availability, Safety, ..}]
Assurance ‘Grand Scheme’ Model
[Figure: Threat Space, Environment, Software and Physical System shown against Time from t0 to t∞; labels: 3rd party, P1, P2, E1, E2, T1, T2, v1, v2]
Assurance is Temporal: Time
Changes Everything
[Figure: outpost, App Developers, App Store, Banks]
• Concerned originally
about apps
• Vetted 3rd party apps go
into app store
• If feedback is good, an
app becomes app store
accepted and money is
deposited
Smartphone Project
Supply Chain Problem?
Goal (not original): Take an OTS smart-phone
(Phone A), and re-engineer it through
customizations (becoming Phone B) such that a
user:
(1) Notices little difference between A and B,
(2) Receives greater data security advantages,
(3) Retains expected performance, and
(4) Receives a smartphone that satisfies military needs in
battlefield/hostile situations
Risks in Mobile Security Supply Chain
[Figure: supply chain diagram; labels: Hardware & App Providers, Device Provisioning, Devices, Enterprise Security; stages: Secure, Verify, Test, Deploy]
Military Concerns
• Lost Phone - Forensics
• Password Length
• Counterfeit phone parts or apps
• Personnel Localization
• Camera Localization
• Identity Management
• Power Consumption
• Upgrade Policy
Approach
• Quarantine “any” functionality if deemed “risky.”
• Secure/Vet all software apps
• Build app vetting process and app-store
• Secure hardware
• Rewrite encryption
• Sign “our” vetted apps
• Encourage a policy for app updates
• Secure the OS (as best possible)
• Rewrite app permissions when warranted/allowed
App Vetting Workflow
[Figure: App Vetting Workflow. Actors: Developer, App Testing Portal (ATP), Test Tools, Assessor, Approver (DARPA), TRANSAPPS MARKETPLACE, User, Repository. Labelled flows: App (Source/APK); Reports; Metadata, status, reports; Summary, Risk Assessment, Recommendation; Approve/Disapprove; NIST-Signed APK]
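The gate this workflow implies, sketched as an added Python example (not code from the presentation or from NIST's portal): tool reports feed an assessor recommendation, an approver decides, and only an approved app is signed before the marketplace checks the signature over the bytes it receives. The stage order is read from the diagram labels; `marker_scan`, the demo key, and the HMAC tag standing in for real APK signing are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key. Real APK signing uses an asymmetric key pair; HMAC is
# a standard-library stand-in so the example runs offline.
SIGNING_KEY = b"constructed-demo-key"

@dataclass
class Submission:
    apk: bytes
    reports: dict = field(default_factory=dict)  # tool name -> finding count
    recommendation: Optional[str] = None         # assessor output
    approved: Optional[bool] = None              # approver decision
    signature: Optional[str] = None

def marker_scan(apk: bytes) -> int:
    """Hypothetical test tool: counts constructed 'risky' markers."""
    return sum(apk.count(m) for m in (b"SEND_SMS", b"READ_CONTACTS"))

def run_tools(sub: Submission, tools: dict) -> None:
    for name, analyze in tools.items():
        sub.reports[name] = analyze(sub.apk)

def assess(sub: Submission, max_findings: int = 0) -> str:
    """Assessor: summarise tool reports into a recommendation."""
    if not sub.reports:
        raise ValueError("no tool reports to assess")
    total = sum(sub.reports.values())
    sub.recommendation = "approve" if total <= max_findings else "disapprove"
    return sub.recommendation

def decide(sub: Submission, approve: bool) -> None:
    """Approver: the human decision; it needs a recommendation first."""
    if sub.recommendation is None:
        raise ValueError("no assessor recommendation on file")
    sub.approved = approve

def _tag(apk: bytes) -> str:
    digest = hashlib.sha256(apk).digest()
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).hexdigest()

def sign(sub: Submission) -> str:
    """Signing is reachable only for an approved submission."""
    if sub.approved is not True:
        raise PermissionError("refusing to sign an unapproved app")
    sub.signature = _tag(sub.apk)
    return sub.signature

def marketplace_accepts(apk: bytes, signature: Optional[str]) -> bool:
    """Marketplace side: verify over the bytes actually received."""
    return signature is not None and hmac.compare_digest(_tag(apk), signature)

def vet(apk: bytes) -> Submission:
    """Run one submission through tools, assessor, approver and signing."""
    sub = Submission(apk)
    run_tools(sub, {"marker_scan": marker_scan})
    decide(sub, assess(sub) == "approve")  # approver follows the assessor here
    if sub.approved:
        sign(sub)
    return sub
```

Because the tag covers the APK bytes, an app altered after approval fails the marketplace check, which is the property the deck's concern about counterfeit apps depends on.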
Component Architecture
[Figure: Component Architecture of the App Testing Portal (ATP). Components: Request Manager, Tool Adapters, Report Manager, Marketplace Adapter, UI Manager, Repository Manager, App PreProcessor, Tool Adapter Manager, App Status Manager, APK and File Manager, Configuration Manager. Labelled data: App (Source/APK); NIST-Signed APK; Metadata, status, reports; Reports; Configuration files; APK, reports; Metadata, status]
Result (1)
• Thousands of modified smart-phones (from
this project) in use today
– Afghanistan/Iraq
– 2013 Obama Inauguration
– 2013 Boston 4th of July Celebration
• Reduced the need for soldiers to carry
heavy radio packs while offering most of the
core features of smart-phones, e.g.,
cameras, apps, localization, velocity, etc.
that radio packs may lack
• Language translation, better maps
Result (2)
Transition Plan: To a Federal government
agency such as DISA, NSA, DHS, or DoJ;
currently in discussions. DARPA makes the
final decision as to whom within the Federal
government it is transitioned to (and/or
commercializes it).
General Conclusion for NIST’s App
Vetting Workflow Process
A 3rd party software vetting approach such as the one built at
NIST for DARPA can be employed for COTS, GOTS, open
source, and a variety of hybrid software types.
NOTE: This is likely not a viable model for app assurance for
major commercial app store enterprises, where apps are
numerous and sold for minimal dollars. Scalability is an issue.
The key to 3rd party app vetting is: (1) tools, (2) how good are
they?, and (3) how accurate/reliable is the human assessor
and/or approver?
Vendor testimonials and other vendor supplied artifacts can
also be used as partial evidence to support the argument for
inclusion in an app store.
Closing Thoughts
1. Apps are often 3rd party
2. Apps may carry “inherited behaviors” and potentially
“malicious” or “faulty” behaviors
3. Counterfeit apps are problematic
4. App malware is inevitable
5. NIST Special Publication (SP) 800-163: Technical
Considerations for Testing and Vetting Mobile Applications
(DRAFT) addresses assessing 3rd party apps via a defined
process. Currently in NIST internal review. Advanced copies
can be released to USGov employees if requested and
approved.
• “In three tours, being fielded lots of systems I’ve
always been left wanting for more. Not this time.”
-MAJ Casiano, 4/4 CAV Squadron XO
• "I'll keep my analog 'til the day I die, but the
technology on this I'm sold!” -CPT William - A Co
CDR
• "If it weren't for these phones it would be
catastrophic. Wouldn't have hit our objective” -
2LT Villanueva - 1PLT A Co CDR
• “These gizmos are gonna save some lives. It's
gonna save a lot of lives!” -CPT William - A Co
CDR
• "I hear nothing but good things about those
phones from my guys!“ -1SG - A Co 1SG
• “My squad leader showed this device to me on
an Air Assault Mission. It was perfect, it led us
directly to the HVT house. I can’t wait to get
one.” –SPC Kidwell, point man for 3 PLT/B/2/87
IN
• "These phones are money! All my guys are
singing praises because of them” -CPT
William - A Co CDR
• “Thank God for TransApps on that air assault,
we pushed 1.5k north and had no mapsets-it
wasn’t anticipated to go there.” –CPT
Ferguson, Cdr, C/2/87 IN
• "I told my ex-wife (she’s military) all about this.
I can care less for her but these phones will
save lives!” -1SG - D Co 1SG
• "OMG this is some next level sh*t!” -CPT William
- A Co CDR
• “You know what’s cool about this? This is what
Land Warrior should have been.” -1LT Skidmore,
XO, B/1/32 IN
• “The success of this mission was due in part to
the TransApps devices” -CPT Herr
• "Using common graphics (building numbers)
and the TransApps smart phones, Attack Main
provided a talk-on to the position to BJ26 on the
Battery Net. Persistent surveillance by the
PGSS, common graphics (building numbers),
and the use of the smart phones allowed Attack
Company to provide a rapid and concise talk-on
to Blackjack Battery.“ -CPT Herr
• “Awesome.” –MAJ Reeves, Battalion XO, 1/32
IN
• “[TransApps] will give us a definite advantage
over our adversaries” -COL Kolasheski
• “I like it!” -MAJ Nguyen
• “Even standalone these are really useful.” -MAJ
Klein
• “I love it! It’s great!” -CSM Knight, BDE CSM
• "I am 50 years old and I got no training on it.
But I got it right away. And if an old guy like me
can get this then those 20 year old Joe's will be
all over this!“ -CSM Knight
• “I love how user friendly it is. If we want to get
on there and add anything we can. It is
awesome. All the squad leaders, platoon
sergeant, and PL love this device. We want to
take it back to the states.” - SSG Courson
• LTC Matos: “Are there any systems that can do
what TRANSHEAT can do? Provide the data
like in the way TRANSHEAT can?” Jeff
Bierman: “No”
• “ I specifically like that I can scroll over to
where the fire is coming from and have a grid
faster than the FO. It takes him a while to dig
out the laser range finder and figure it all out.” -
SSG Courson
• “If it wasn’t for the HH we would still be lost” -
SGT Washington
• “Just the Maps app alone is great”, SGT Berk
said “This is great we can put all of our stuff on
here”.
• 1-5IN Bn CSM – CSM Bowen
• Other competing devices
(GD300+Land Warrior) will fade in the near
future. “[TransApps] will never disappear. It will
be around for a long time.”
• “You know how much smaller this is than land
warrior?” –SSG Matthew Huck, 3/B/1-5IN PSG
• “I love TransApps! It’s better than everything
else. Everything else I’ve seen is just junk and a
waste of money.” –SSG Oneal, 3/C/1-5IN PSG
• “This just put Land Warrior out of Business!” -
2LT David Brunett, 2/C/1-5IN PL
• “Land warrior set someone on fire!” –SSG
Falls, 1-25IN BDE NCO
• “This is already better than Land Warrior!” –
CSM Speedie, 1-5IN Bn Ops CSM
• “I use the ACOZ because it links up twice as
fast as the DAGR” -1/C/1-5IN Commo
• “I guarantee if these phones talked to one another I would
stop using my radio”-SSG Matthew Huck, 3/B/1-5IN PSG (as
he expressed his frustration with his MBITR always dropping
connection)
• “This is the best piece of equipment I have ever had; other
than my woobie!” -SSG Matthew Huck, 3/B/1-5IN PSG
• “This is a lot simpler [compared to FBCB2]. Saves time!”-CPT
Griffin, 1-10CAV Officer
• “The primary job of Land Warrior FSRs are to
remove Land Warrior from the vehicles.” -1-
25IN BDE NCO
• “This is useful for making waypoints because
FBCB2 takes way too f*ing long” –SFC Griffin,
1-10CAV NCO
• “I am very impressed with the clarity of the imagery!” –
CSM Biggs 4-23 BN CSM
• “I feel that this device will be able to replace 4 or 5
different things they need to carry on mission.” –MAJ
Bookout 4-23 S3
• “The consensus is this the best piece of equipment we
have been issued hands down.” -Co 2/504 FSNCO
• “When I first received the device I thought it would sit
on the shelf and collect dust, but now that I understand
its capabilities, I’m excited to put it to work [in our
Brigade].” -3-2 ID BDE S6 MAJ Robinson
• “Can I make a recommendation, Can this replace the FBCB2” -
SGT Woods
• “This is great we can put all kinds of information on here” -
1SGT FulFord
• “This has pretty much everything” - SGT Cooley
• “I am very pleased with this operating system” - SSGT Uling
• “Why didn’t we have this 6 months ago”- LT
Schiferli
• “I can’t believe they pay me this much money
to play with this” - SSG Smith
• “This is a common sense approach to system
development” - Mike Cantwell (BDE DSE)
• “This phone’s been very beneficial setting up specific
routes.” -3C/2-87 – CPL Shovlin (team leader)
• “The phones are making leaps and bounds, and it’s
only going to go further when connected wirelessly.”
And “We’ve been able to help the mortar teams a lot.”
– SGT D'achille (squad leader)
• “Your 5590 battery adapter at work, in the field,
providing long range situational awareness and battle
tracking.” -Terese, Timothy MAJ USA 5-20 IN S3
• "A heads up for you guys the story of this
win is gonna have to be told because the
other programs are not producing these
kinds of results and it is mostly because
they're not structured right.” -Dr. Dugan
(DARPA Director)
• “The PANTHR devices and client laptops
are being tracked like a pacing item in the
BN. TRANSAPPS slant is actually part of
the report to the BN CDR.” --CPT Strickland
is the BN S6 for 3/85th MP BN
• “We work with 1-5 IN and during our interaction with them we
noticed that they were using Dell handhelds and some tablet
device used for plotting enemy and friendly locations, as well
as waypoints for SIGACTs. We wanted to know if we could get
some of these devices to try out on our operations here. We
do a lot of dismounted patrols as well as Special
Reconnaissance missions up in the mountains and in hide
sites and these devices could greatly assist in our
operations.” –CPT Ben Harrow, Special Forces Detachment
Commander (via email)
• “TRANS APPs has potential in greatly increasing the overall
situational awareness of all users, and ultimately easing the
execution of the combat mission across the battlefield.” –
SSGT Mychal Hoyt (JTAC feedback on TransApps 8 February
2012)
• “Wow, this is awesome. I’m impressed!” –CW5 Kelly
• “This is very cool. I’m excited!”- Theater DSE
• “Our TransApp devices were invaluable to the success of
this mission!” –SSG Morgan D Co 1/504
• “The consensus is this is the best piece of equipment we
have been issued.” –SSG King A Co 2/504
• “This is exactly what I was trying to find to help me
accomplish my mission. This really is the ultimate COIST
tool.” –SGT Switzer B Co 2/504
• “We got issued these devices prior to JRTC and since we
have arrived in theater have been issued more. Soldiers and
leaders love them. The FSR support we have, Aarow, is prior
service and is one of the best FSRs we have. I have CC’d
him. They are still working through the networking issue and
our ability to use them with 117G and 152 for comsec
reasons. Highly recommended Division purchasing them and
letting us take ours home with us.” –email from MAJ Mills,
BDE S-6
• "As an Infantry Platoon Leader, the PANTHR Device has completely changed the way I operate on the battlefield. Where I once had to carry numerous maps, GTAs, and pamphlets, I am now able to carry everything I need in one light and compact device. The PANTHR Device has set a new standard for battlefield technology." - 2LT Wallace, Charleston PL, 2nd PLT, C. CO, 1-23 IN / 3-2 SBCT
• “We have seen the evolution of battle field technology in various forms through time; I have in my hand the greatest, and most practical development thus far.”
• “What I love about it (PANTHR device) is its many
features; it takes the place of my digital camera, DAGR,
paper maps, and pen and paper." "I still have all that stuff
on hand, but it’s kept out of the way, and leaves me free to
carry other mission essential gear.” –SSG Logue
• “I take the Trans Apps with me every time I go out, ever
since I got it I have never gone outside the wire without it.”
“This is an amazing time saver, instead of carrying a
laptop with pictures and other sensitive information on it, I
just carry this.” “This is far more than just a cool toy, it is a
tool that allows me to do my job effectively.” -Mr. Kevin
Conner 1-14 CAV LEP
• "I literally have my TransApp in one hand and my rifle in the
other.” -HHT commander
• MAJ Curtis, 5-20 S3 - "the streak, when used as intended, is one
of the most valuable assets the soldiers and leaders have on the
battle field.”
• It was “100% easier to brief on TransApps” device versus any
other method used
• 2LT Jimenez (C/1-504 COIST OIC) – “We are hardcore
dependent on [TransApps]…I don’t know how others went without
this!”
• CPT Vest (A/2-504 Cdr) – “It is the best product I have ever seen
the Army issued.”
• CPT Vest (A/2-504 Cdr) – “I love how I can have historical data
right in the palm of my hands.”
• 1LT Harting (A/2-504) – “Awesome tool. Better than all the other
garbage they give us.”
• A few weeks ago [a platoon] used [PANTHR] to
recon the area around an objective they were
going to assault. When conducting the recon
using TA imagery they found a possible position
that they could be ambushed from. They planned
for this and maneuvered around the locations.
They then deemed that no hostiles were at the
location and it proved to be a perfect position to
set up a support by fire line while they assaulted
the objective.
• 4APR they had to escort a media team with them
on a dismounted patrol. He was the lead squad and
planned his route using map draw and saved
it as a layer. He would reference his location and
when a few hundred meters away from a house
would run ahead with his squad and clear the
building or possible threats. His goal was to keep
these civilians as safe as possible and felt that TA
was able to help him with this task.
• We rode with the 209th MPs to ACS-4 (A Co 1-10 CAV). After about 45 min into the convoy we noticed that we started to make a couple of U turns. We asked the CPL if some of the vehicles got turned around (i.e. you’re lost). She replied “we are where we are supposed to be”. We pulled the HH out to see our location and quickly figured that we were lost because when we looked at the HH our location was outside the BDE’s AO. Well about 10 minutes later she saw Javier sitting beside her messing around on his HH and she noticed the imagery and Javier tracking our position. She said to Javier “Can we use that? We are lost”. They had gone out of the AO and could not find ACS-4. Javier put in the grid, made a spot and hit Nav To, then handed the HH up to the TC. We were at ACS-4 within 10 minutes or less. In other words we saved the day. When we arrived Javier had a mob of people around him, the MPs were really impressed and asked how they could get them. Turns out they are under 1-10 but they were not on the BDE fielding plan. One of the MPs, SGT Washington, said “If it wasn’t for the HH we would still be lost”
• "Yesterday was a slow day. 1st PLT had gone out on patrol and didn't come back until late. I was in the TOC at the time of SAF, however and there was confusion over where 1st PLT was. They couldn't find them on the cameras and the grid they were giving was not showing anything either. The XO grabbed the mic and said 'Use your TransApps! What's your location?' After that they were able to focus on a 10 digit grid and the plt was found in a grape row.” –Suzanne Rashka
• "Yesterday, SSG Mills of the ASG platoon used MILTRANS application to communicate with a detainee while he waited for the interpreter to show up. He was able to extract basic information from the detainee just using the device.” –Aaron Hartwig
• Two days ago while on a dismounted patrol in the Horn of Panjwai,
his platoon received small arms fire from a village. 2LT Wallace
used the distance tool in the Maps application on his PANTHR
device to calculate the distance from his position to his element
taking fire, and also the distance from the element taking fire to the
enemy that was engaging them. He used that information to walk in
his remaining elements to fix and finish the enemy.
• Two weeks ago, after one of his men was struck with an IED, 2LT
Wallace used the Medevac application to find the grid of a HLZ.
Enabling him to call up the 9 Line Medevac request while moving
the casualty. Saving precious minutes of time.
• Last month LT Wallace received a complaint from a local
farmer, claiming that the US Army damaged his property and
killed some of his livestock. Using the Risk Estimate
Distance program on his PANTHR device, 2LT Wallace was
able to show his CO the exact grid where the indirect fire
struck, the minimum safe distance of the munition used,
and exactly where the local’s property was located in relation
to the indirect fire, well away from MSD circle.