Securing the supply chain: A multi-pronged approach · Securing the supply chain: A multi-pronged...
Transcript of Securing the supply chain: A multi-pronged approach · Securing the supply chain: A multi-pronged...
Securing the supply chain: A multi-pronged approach
By Jason Jaskolka and John VillasenorStanford UniversityUniversity of California, Los Angeles
June 1, 2017
This presentation addresses two key issues
1. Supply chain security in relation to the integrated circuits (“chips”) that are at the core of every electronics system, including in US critical infrastructure (work done by John Villasenor at UCLA; pre-CIRI)
2. Supply chain security in relation to critical infrastructure networks (work done under CIRI by Jason Jaskolka and John Villasenor at Stanford)
© 2017 CIRI / A Homeland Security Center of Excellence 2
Chips: A gaping cybersecurity exposure
© 2017 CIRI / A Homeland Security Center of Excellence 4
• Chips are used to• make the internet work• manage antilock braking in cars• position flaps on modern airliners• control access to ATMs• manage financial transactions - big and small• run the stock market• run the electricity grid• run our communications systems• store and access information• run key aspects of every critical infrastructure sector
Chips: A gaping cybersecurity exposure
© 2017 CIRI / A Homeland Security Center of Excellence 5
• The importance of chip supply chain integrity is well recognized, particularly with respect to counterfeits
• Yet the supply chain is almost completely unprotected against a threat that may turn out to be more significant in the long term:
• Chips could be intentionally compromised during the design process, before they are even manufactured
A chip-launched cyberattack could . . .
© 2017 CIRI / A Homeland Security Center of Excellence 6
• Stop or impede the chip (and possibly the system containing it) from functioning
• Exfiltrate data while making the chip appear to function normally
• Corrupt data within the chip
• Some combination of the above
Creating a chip: A simplified view
© 2017 CIRI / A Homeland Security Center of Excellence 7
Design Manufacture Test ShipSpecification
Creating a chip: A simplified view
© 2017 CIRI / A Homeland Security Center of Excellence 8
Design Manufacture Test ShipSpecification
Much of the attention to hardwaretrust issues has been directed here
Creating a chip: A simplified view
© 2017 CIRI / A Homeland Security Center of Excellence 9
Design Manufacture Test ShipSpecification
Much of the attention to hardwaretrust issues has been directed hereWe also need to
be looking here
Inside a chip: A (very!) simplified view
© 2017 CIRI / A Homeland Security Center of Excellence 10
• Chips often contain a combination of outsourced and in-house designs
Design practices
© 2017 CIRI / A Homeland Security Center of Excellence 11
• In the early days of ICs, the design was carried out in-house within a single company using small teams composed of people working towards a common purpose
• Many of the protocols developed in those days – for example that the various parts of a circuit will behave as expected – assumed all participants were trusted
• In those days, that was a reasonable assumption
• Analogy with internet: early assumptions of trust haven’t held true
Why testing for hardware attacks is hard
© 2017 CIRI / A Homeland Security Center of Excellence 12
• Example: A block that adds 6
ADD6
Why testing for hardware attacks is hard
© 2017 CIRI / A Homeland Security Center of Excellence
• Example: A block that adds 6
ADD620 26
Why testing for hardware attacks is hard
© 2017 CIRI / A Homeland Security Center of Excellence
• Example: A block that adds 6
ADD620 26
ADD6127 133
Why testing for hardware attacks is hard
© 2017 CIRI / A Homeland Security Center of Excellence
• Example: A block that adds 6
ADD620 26
ADD6127 133
Test100,000moreinputs...
Iftheanswerisalwayscorrect,concludethattheblockworks
Why testing for hardware attacks is hard
© 2017 CIRI / A Homeland Security Center of Excellence
• Example: A block that adds 6• But . . . Suppose there is one particular input leads to another result:
• It’s simply not possible to test every possible input
• Thus, the trigger, in this case consisting of the input 126,321,204, is likely to never be tested before deployment
ADD6126,321,204 Startattack
Addressing the problem
© 2017 CIRI / A Homeland Security Center of Excellence
• Publication in IEEE Transactions on VLSI Systems
Addressing the problem
© 2017 CIRI / A Homeland Security Center of Excellence
• Publication in IEEE Transactions on Reliability
Addressing the problem
© 2017 CIRI / A Homeland Security Center of Excellence
• Publication in IEEE Transactions on VLSI Systems
Addressing the problem: Example approaches
© 2017 CIRI / A Homeland Security Center of Excellence
• Secure bus system: Analyzes statistical patterns of system bus access by different functional blocks, flags aberrant behavior
Addressing the problem: Example approaches
© 2017 CIRI / A Homeland Security Center of Excellence
• Memory gatekeeper: Ensures that functional blocks are able to access only authorized portions of memory; Helps to prevent corruption or exfiltration of data; Flags any attempts at unauthorized access
Addressing the problem: Example approaches
© 2017 CIRI / A Homeland Security Center of Excellence
• Input/output monitor: Analyzes flow of data on and off the chip, compares with expected flows, flags aberrations
Addressing the problem: Example approaches
© 2017 CIRI / A Homeland Security Center of Excellence
• Warning to other devices: A chip under attack can send a warning to other devices, allowing them to preemptively protect themselves against impending attacks.
Policy solutions
© 2017 CIRI / A Homeland Security Center of Excellence
• Brookings Institution Paper
Goal
© 2017 CIRI / A Homeland Security Center of Excellence 26
• To develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures
Overview
© 2017 CIRI / A Homeland Security Center of Excellence 27
• Critical infrastructures consist of numerous components and even more interactions, some of which may be:
• Can indicate unforeseen design flaws allowing for these interactions• Intentional or accidental, malicious or innocuous
• Constitute linkages of which designers are generally unaware⇒ security vulnerability
• Can be exploited to mount cyber-attacks at a later time
• Unfamiliar, unplanned, or unexpected• Not visible or not immediately comprehensible ⇒ Implicit Interactions
Approach
© 2017 CIRI / A Homeland Security Center of Excellence 28
1. Model critical infrastructure systems using a mathematical framework• Communicating Concurrent Kleene Algebra
2. Formulate and identify the existence of implicit interactions• Potential for Communication
3. Analyze the severity of identified implicit interactions• Measuring and Classifying Severity, Exploitability, and Impact
4. Mitigate the existence of and/or minimize the threat posed by identified implicit interactions• Preemptive and Reactive Solutions
Modelling critical infrastructure systems
© 2017 CIRI / A Homeland Security Center of Excellence 29
Illustrative example: Maritime port terminal• Maritime ports consist of a number of physical
components and just as many, if not more, intangible software components distributed throughout the system in order to coordinate and control its overall functionality
• We can view the system as having the following classes of agents responsible for coordinating and controlling system components in order to safely and securely operate with efficiency and reliability:• Port Captain• Ship Managers• Stevedores
• Terminal Managers• Crane Managers• Carrier Coordinators
Aker American Shipping YardSource: Tmarinucci via Wikimedia Commons
Analyzing implicit interactions
© 2017 CIRI / A Homeland Security Center of Excellence 30
Illustrative example: Maritime port terminal• For illustrative maritime port terminal with 8 agents, 21 basic events, and 25 basic behaviors:
• 3902 of the 4596 total interactions are implicit interactions
• Result of the potential for out-of-sequence/unexpected messages from system components• Caused by cyber-attack or failure
• After identifying that implicit interactions exist, we have (or are developing) approaches for:
• Measuring the severity of identified implicit interactions
• Measuring the exploitability of identified implicit interactions
• Studying impact of implicit interactions through simulation
Addressing supply chain challenges
© 2017 CIRI / A Homeland Security Center of Excellence 31
• Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system
• Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component in composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities, and altered or interrupted information flows.
• Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses
• Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain
Impact and value to homeland security
© 2017 CIRI / A Homeland Security Center of Excellence 32
• Our approach, backed by rigorous modelling and testing, can provide vital information that can drive decisions on where and how to spend valuable resources in mitigating the potential for such attacks on systems and/or disruption of supply chains
• Formal foundation upon which mitigation approaches can be developed
• Basis for developing policies and guidelines for designing and implementing critical infrastructure systems that are resilient to cyber-threats
• Community engagement can enable contributions to emerging challenges in critical infrastructure cybersecurity
Understanding and addressing network vulnerabilities: Contributions and publications
© 2017 CIRI / A Homeland Security Center of Excellence 33
1. J. Jaskolka and J. Villasenor. Identifying implicit component interactions in distributed cyber-physical systems. In Proceedings of the 50th Hawaii International Conference on System Sciences, HICSS-50, pages 5988–5997, January 2017.
2. J. Jaskolka and J. Villasenor. An approach for identifying and analyzing implicit interactions in distributed systems. IEEE Transactions on Reliability, pages 1–18, March 2017.
3. J. Jaskolka and J. Villasenor. Securing Cyber-Dependent Maritime Ports and Operations. NMIO Technical Bulletin. (Forthcoming).
4. J. Jaskolka and J. Villasenor. Evaluating the exploitability of implicit interactions in distributed systems. ACM Transactions on Privacy and Security. (Under Review).
5. J. Jaskolka and J. Villasenor. Assessing the impact of implicit interactions through attack scenario simulation. (In Preparation).
OverviewOperational Need• Significant progress has been made in quality assurance for software and components
used to build critical infrastructure systems
• Much less attention and progress in making the supply chain robust against intentionally compromised hardware and/or software
• Specifically designed to remain undetected in tests formulated to detect accidental design flaws
• Often only visible, or known, after a system experiences some kind of compromiseor failure
• Cyber-attacks launched using built-in hardware and/or software vulnerabilities could have a devastating impact
© 2017 CIRI / A Homeland Security Center of Excellence 35
Research Challenge and Goals
© 2017 CIRI / A Homeland Security Center of Excellence 36
Research Challenge
• Develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures
Research Goals• Enable the critical infrastructure community to much more effectively:
1. Identify and analyze systemic supply chain-related vulnerabilities, such as implicit interactions
2. Preemptively mitigate at least some of those vulnerabilities3. Quickly and effectively respond to attacks that might exploit the subset of those
vulnerabilities that escape advanced mitigation
Identifying Implicit Interactions
© 2017 CIRI / A Homeland Security Center of Excellence 37
Illustrative Example: Maritime Port Terminal• Each system agent coordinates it actions/behaviors by passing messages to each other or
writing to/reading from shared variables
• The design of the system can be represented as a (sequenced) message passing diagram• Provides a set of expected or intended interactions (𝑃"#$%#&%&)
• An implicit interaction exists in a system formed by a set 𝒜 of agents, if and only if for any two agents 𝐴, 𝐵 ∈ 𝒜 with 𝐴 ≠ 𝐵:
∃ 𝑝 𝑝 ⟹ 𝐴 →3 𝐵 :∀ 𝑞 𝑞 ∈ 𝑃"#$%#&%& ∶ ¬SubPath(𝑝, 𝑞))where:
𝐴 →3 𝐵 indicates that 𝐴 can influence the behavior of 𝐵 andSubPath(𝑝, 𝑞) indicates that 𝑝 is a subpath of 𝑞
Addressing Supply Chain Challenges
© 2017 CIRI / A Homeland Security Center of Excellence 38
• Our approach indirectly addresses cybersecurity challenges faced by critical infrastructure supply chains ⇒ direct approach is intractable
• Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system
• Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component in composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities, and altered or interrupted information flows.
• Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses
• Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain