Eliot Lear
Improving IoT Security: the role of the manufacturer
Introduction
• Connected Spaces is a big deal
• Automated and efficient lighting
• Room assignment and scheduling
• Changing of conditions for different customer profiles
A View Through a Light Bulb
A non-networked light bulb exposes:
• On/Off
• Dim (Power)
• Color (R,G,B,W) %
A networked light bulb exposes the same, plus (Enterprise + Internet):
• Identity
• Crypto
• Data model
• Discovery
• S/W management
• Network
• $
Introducing Raul Rojas
• Entire house Internet-enabled
• A single lightbulb took down his IoT house.
• It was an SNMP bug.
From Fusion.net (3 March 2015)
General Threats To Defend Against
What do manufacturers wish to avoid?
• Attacker causes device to not perform its function or to malfunction
• Attacker uses device to attack other systems
(Image: By AMIR MARINE (Wikimedia) - Own work, CC BY-SA 3.0)
The Network Administrator’s Problem: Number of Types of Things
(Chart: cost of configuration ($) rises from static environments (–) to dynamic systems (+))
What access should a device have?
A common design pattern: the cloud
Clouds offer:
• A rendezvous point
• Substantial processing power
Cloud capabilities will continue to expand.
Understanding the attack surface
(Diagram: mobile phone, controllers and the device, all reachable across the Internet)
Manufacturer Usage Descriptions
Assumptions and Assertions
Assumptions
• A Thing has a single use or a small number of uses.
• Things are tightly constrained. Very VERY dumb. Resource constraints are tight.
• Even those Things that can protect themselves today may not be able to do so tomorrow
• Network administrators are the ultimate arbiters of how their networks will be used
Assertions
• Because a Thing has a single or a small number of intended uses, all other uses must be unintended
• Any intended use can be clearly identified by the manufacturer
• All other uses can be warned against in a statement by the manufacturer
• Manufacturers are in a generally good position to make the distinction
Translating intent into config
• Any intended use can be clearly identified by the manufacturer
  access-list 10 permit host controller.mfg.example.com
• All other uses can be warned against in a statement by the manufacturer
  access-list 10 deny any any
• Device emits a URI using DHCP, LLDP, or through 802.1AR
• Router or firewall queries connected.example.com for policy associated with that URI
Expressing Manufacturer Usage Descriptions
(Diagram: Device — Access Switch — MUD Controller — Internet — MUD File Server at https://example.com/.well-known/mud/…)
How to locate the policy? A URL:
https://mud.mfg.example.com/.well-known/mud/v1/CAS11LCDLversion2.12
The MUD File
“Manufacturer” Model
{"ietf-acl:access-lists": {
  "ietf-acl:access-list": [
    {"acl-name": "mud-10387-v4in",
     "acl-type": "ipv4-acl",
     "ietf-mud:packet-direction": "to-device",
     "access-list-entries": {"ace": [
       {"rule-name": "clout0-in",
        "matches": {"ietf-mud:direction-initiated": "from-device"},
        "actions": {"permit": [null]}},
       {"rule-name": "entin0-in",
        "matches": {"ietf-mud:controller": "http://dvr264.example.com/controller",
                    "ietf-mud:direction-initiated": "to-device"},
        "actions": {"permit": [null]}}
     ]}
    },
    {"acl-name": "mud-10387-v4out",
     "acl-type": "ipv4-acl",
     "ietf-mud:packet-direction": "from-device",
    ….
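An added example, not from the slides or from any IETF implementation: turning a MUD file in the draft-01 style shown above into a per-device allow-list that ends in an explicit deny, which is the "intent into config" step the slides describe. The MUD JSON, the controller-to-address map and the device address are constructed for illustration, and the output is a vendor-neutral rule format rather than any router's syntax.

```python
import json

# Constructed MUD file in the draft-ietf-opsawg-mud-01 style shown on the slides
# (illustrative, not a real vendor's file).
MUD_JSON = """{"ietf-acl:access-lists": {"ietf-acl:access-list": [
  {"acl-name": "mud-10387-v4in", "acl-type": "ipv4-acl",
   "ietf-mud:packet-direction": "to-device",
   "access-list-entries": {"ace": [
     {"rule-name": "clout0-in",
      "matches": {"ietf-mud:direction-initiated": "from-device"},
      "actions": {"permit": [null]}},
     {"rule-name": "entin0-in",
      "matches": {"ietf-mud:controller": "http://dvr264.example.com/controller",
                  "ietf-mud:direction-initiated": "to-device"},
      "actions": {"permit": [null]}}]}},
  {"acl-name": "mud-10387-v4out", "acl-type": "ipv4-acl",
   "ietf-mud:packet-direction": "from-device",
   "access-list-entries": {"ace": [
     {"rule-name": "clout0-out",
      "matches": {"ietf-mud:controller": "http://dvr264.example.com/controller"},
      "actions": {"permit": [null]}}]}}]}}"""

# Assumed: the site's MUD controller resolves controller URIs to hosts it knows.
CONTROLLERS = {"http://dvr264.example.com/controller": "10.0.5.20"}


def mud_to_acl(mud_text, device_ip, controllers):
    """Expand each ACE into a vendor-neutral rule for one device, then close
    with explicit denies: anything the file does not name is unintended use.
    An unresolved controller URI falls back to 'any' so the gap shows up in
    the output instead of being silently dropped."""
    doc = json.loads(mud_text)
    rules = []
    for acl in doc["ietf-acl:access-lists"]["ietf-acl:access-list"]:
        direction = acl["ietf-mud:packet-direction"]
        for ace in acl["access-list-entries"]["ace"]:
            m = ace["matches"]
            peer = controllers.get(m.get("ietf-mud:controller"), "any")
            action = "permit" if "permit" in ace["actions"] else "deny"
            # A flow initiated in the opposite direction to the packets means
            # this ACE only covers return traffic (simplified rendering).
            initiated = m.get("ietf-mud:direction-initiated")
            tag = " (return traffic only)" if initiated and initiated != direction else ""
            src, dst = (peer, device_ip) if direction == "to-device" else (device_ip, peer)
            rules.append(f"{action} {src} -> {dst}{tag}  # {ace['rule-name']}")
    rules.append(f"deny any -> {device_ip}  # default deny")
    rules.append(f"deny {device_ip} -> any  # default deny")
    return rules
```

Run `mud_to_acl(MUD_JSON, "192.0.2.7", CONTROLLERS)` to see the five rules; an empty controller map makes the "any" fallback visible, which is the case a network administrator should treat as a configuration gap.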
Expressing Manufacturer Usage Descriptions
(Diagram: Device — Access Switch — MUD Controller — Internet — MUD File Server at https://example.com/.well-known/mud/…)
1. Allow access to just controller.connected.example.com
2. Site returns abstracted XML (based on YANG) to device or firewall
3. More precise config is instantiated
Benefits
Customer
• Reduces target surface of exploding number of devices
• No additional CAPEX
• Helps to reduce OPEX through efficiency gains
• Standards-based approach uses existing equipment
Manufacturer
• Reduces product risk at almost no cost
• Will increase customer satisfaction and reduce support costs
• Avoids the front page
• Standards-based approach
• Reduces risk of government technology mandates
What does it mean to be connected?
In search of that happy middle: MUD Classes
(Spectrum: Open Access / Open Innovation at one end, Limited Access / Only published uses to authorized devices at the other, with "?" in between)
MUD Classes:
• (same) manufacturer
• controller
Summary: Manufacturer Usage Descriptions
• A URI
• Use of {dhcp, EAP-TLS, lldp} to get it out
• Retrieval of a MUD file from a server
• Instantiation of class information onto the router
What is this Thing on my network?
802.1AR with EAP-TLS: a scalable approach, but…
(Diagram: Luminaire and Thermostat on the Intranet, enrolling with a Registrar)
• EAP-TLS makes use of certificates to identify new elements
• Assertion about device is initially from manufacturer, and then from administrator. NOT from the device!
• Requires a common trust anchor
• Constrained devices lack capacity for common trust anchors
ANIMA Flow: Actors
• New Entity: Factory default for all settings/configuration
• Proxy: Enrolled in the domain; logical entity, or physical after 1st hop; handles fragmentation issues
• Domain: The domain Registration Authority, Certificate Authority, Authorization Database, etc.
• Vendor Service: Cloud service
Problems to solve (across New Entity, Proxy, Domain and Vendor Service)
• Connectivity & Discovery
• Authentication
• Imprint
• Enroll
• Authorization (authz model, data storage)
• Proxy handles fragmentation
Discovery, Connectivity
• New entity boots in CLEAN STATE
• RFC3927 IPv4 Link-Local Address
• RFC4862 IPv6 Stateless Address Autoconfiguration <— design for this
• RFC6763/RFC6762 mDNS query (or ietf-anima-grasp-02 GRASP query) using unsolicited broadcasts.
New Entity Authentication
• (d)TLS established. This is to-be RFC7030 EST with a bootstrapping extension.
• The New Entity authenticates with IEEE 802.1AR credentials
• The Domain authenticates with current Domain credentials which the new entity *PROVISIONALLY* accepts. This is to support the (d)TLS model and is EST compatible.
Authorization by the Domain
• <Verify 802.1AR credential against white list?>
• Extract MASA server information from 802.1AR credential extensions (via MUD extensions); else the registrar needs to be configured appropriately
Logging or Decision by the Vendor
• OPTIONAL: MASA *or* NETCONF ownership voucher flow. NOTE: Can occur in advance!!
• MASA: Manufacturer Authorized Signing Authority. A certified log mechanism: “Append Only, Cryptographically Assured, Publicly Auditable” - CT. All decisions made within the Domain. The MASA only facilitates logging.
• EST extensions
• NETCONF: Vendor service “knows” which Domain owns which device
Transmit back to device
• Provisional authentication now replaced with vendor authorized message (Verify then forward the Vendor Service response)
Imprint
• Device verifies Logging proof or signed Vendor authorization.
• At this point the Device has key material of the Domain
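An added toy model of the imprint step, not from the slides or from the ANIMA draft: the New Entity holds the Domain's key only provisionally until a vendor authorization bound to its own serial and to that Domain verifies, and an authorization issued for a different Domain (or a tampered one) leaves the device unbound. HMAC with a constructed key stands in for the vendor's signature; the key, serial and domain key bytes are assumptions.

```python
import hashlib
import hmac
import json

# Placeholder vendor key (constructed). In the real flow the device carries the
# vendor's public key and checks a signature; HMAC stands in for that here.
VENDOR_KEY = b"constructed-vendor-signing-key"


def fingerprint(domain_pubkey: bytes) -> str:
    return hashlib.sha256(domain_pubkey).hexdigest()


def vendor_authorize(serial: str, domain_pubkey: bytes) -> dict:
    """Vendor service asserts that the named domain may own this device."""
    body = {"serial": serial, "domain": fingerprint(domain_pubkey)}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(VENDOR_KEY, msg, "sha256").hexdigest()}


class NewEntity:
    def __init__(self, serial: str):
        self.serial = serial
        self.provisional = None  # domain key accepted only provisionally
        self.trust_root = None   # set only once the vendor authorization verifies

    def provisional_accept(self, domain_pubkey: bytes) -> None:
        """(d)TLS is up; the Domain's credential is held but not yet trusted."""
        self.provisional = domain_pubkey

    def imprint(self, authorization: dict) -> bool:
        """Verify the vendor's message, then bind to the provisional domain."""
        if self.provisional is None:
            return False
        body = authorization["body"]
        msg = json.dumps(body, sort_keys=True).encode()
        expect = hmac.new(VENDOR_KEY, msg, "sha256").hexdigest()
        if not hmac.compare_digest(expect, authorization["sig"]):
            return False  # forged or altered authorization
        if body["serial"] != self.serial or body["domain"] != fingerprint(self.provisional):
            return False  # issued for another device or another domain
        self.trust_root = self.provisional
        return True
```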
Device Enrolls: Joins domain
What you get and don’t with all of that…
• What you get
  • Device gets a trust root and a certificate for the local deployment
  • Local deployment now has authenticated the device
  • Device can connect to network using certificate
• What you don’t get
  • Automated selection of network (working on that)
  • Automated profiling of the device (MUD)
  • Application-specific authorization model (but you have an identity anchor to build such a thing)
Parting Thoughts
Who needs to do what?
• What do Thing manufacturers need to do?
• What do home routers and firewalls need to do?
• What do service providers need to do?
• What do consumers need to do?
• What do governments need to do?
We need something broader than BCP 38.
So… what should manufacturers do?
1. Recognize that they have to do some stuff
2. Make use of good coding practices (like turning off unused services)
3. Establish an incident response capability
4. Establish appropriate software management processes
5. Identify device and its profile to the network
(Nearly) all of this has been done by others!
Future work: the heavy lifting
• WPA Personal in the home is suboptimal (shared keys)
(Image: By Cwawebber - Own work, CC BY 3.0)
More information
• [email protected]
• [email protected]
• draft-ietf-opsawg-mud-01
• draft-ietf-anima-bootstrap-keyinfra-04
• draft-lear-network-helps-01