
“DEVELOPMENT OF SECURITY PLUGIN TO TEST MICRO-CONTROLLER BASED EMBEDDED SYSTEMS” - Poornima M,

“DEVELOPMENT OF SECURITY PLUGIN TO TEST MICRO-CONTROLLER BASED EMBEDDED SYSTEMS” - Poornima M, Deputy Manager, Bharat Electronics Limited. Abstract.


Presentation Transcript


  1. “DEVELOPMENT OF SECURITY PLUGIN TO TEST MICRO-CONTROLLER BASED EMBEDDED SYSTEMS” • -Poornima M, • Deputy Manager, • Bharat Electronics Limited

  2. Abstract • The growing number of security breaches in the last few years has created a compelling case for efforts towards secure electronic systems. • Our work is concerned with the development of a security plugin for automatic testing of the security features of micro-controller based embedded systems. • The thesis summarizes the checks on the authentication, integrity, confidentiality and non-repudiation properties of the embedded systems, using RSA PKI, SHA 256, AES and Digital Signatures for the respective checks.

  3. Agenda • Goals • Brief Description • Requirements • Design • Implementation • Testing • Conclusion • Bibliography

  4. Goals • Until now, micro-controller based embedded systems in industry have been tested manually at system level. There has been a need to automate the testing of embedded systems, including security testing, to reduce the effort spent on testing. • This security plugin automatically checks the following security features: • Authentication • Integrity • Confidentiality • Non-Repudiation

  5. Brief Description • Embedded systems often provide critical functions that could be sabotaged by malicious parties. • When they send or receive sensitive or critical information using communications channels accessible to potential attackers, they should ideally provide basic security functions such as data confidentiality, data integrity and user authentication.[7] Figure 1: Common security requirements of embedded systems

  6. Brief Description • The application is connected to the embedded system with the help of a customized converter and a serial cable. • While performing security testing, the application shall act as a slave unit when it is connected to the master unit and it shall act as the master unit when it is connected to a slave unit. Figure 2: Block Diagram of the System

  7. Requirements • Verification of the following algorithms and their implementation: • Authentication and Key Exchange: • Authentication is carried out using public key cryptography. • RSA-based public key cryptography is identified as the underlying algorithm to implement PKI. • Confidentiality: Symmetric Key Cryptography • The embedded units use session keys for encryption and decryption of communication packets. • The AES 128-bit symmetric key algorithm in CBC (Cipher Block Chaining) mode is identified to perform such encryption and decryption.

  8. Integrity: Hashing • SHA 256 bit hashing algorithm is identified for hashing purposes. • Non-Repudiation: Digital Certification • The Certificate Authority (CA) is identified by the manufacturer to issue digital certificates to the units at its premises prior to shipping to the end user. • It also loads the CA certificate chain of the manufacturer into units.

  9. Design Figure 3: Solution Architecture

  10. Authentication method: [14] • Traditional authentication techniques include passwords and PINs, which provide weak authentication. • Authentication based on public key cryptography has an advantage over many other authentication techniques. • A PKI provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. • The basic components of a PKI are: Public Key Certificate, CA (Certificate Authority), Certificate User and Certificate Holder.

  11. Authentication method: Figure 4: Authentication procedure of the embedded system (flowchart; labels in page order: Power On; Master Certificate Slave; Verify with Trusted Certificate; Match; No Match; Process Termination; Success Status Byte; Unsuccessful Status Byte; Further Processing)

  12. Integrity method: [13] • A cryptographic hash function is used to ensure the integrity of transmitted or stored data. • It is found that none of the hash algorithms except SHA-2 is secure enough to ensure integrity. • The following table gives a comparison of all the algorithms: Table 1: Comparison between different hash algorithms on the basis of general properties

  13. Integrity method: Figure 5: Integrity procedure of the embedded system (flowchart; labels in page order: Start Process; Unit; 1. Challenge; 2. Response; Dump byte; Verifier; Verify with Reference Code; Match; No Match; Further Challenges; Display Error Message; Start Process)
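The challenge/response integrity flow of Figure 5 can be sketched as follows. This is an added example, not code from the presentation or the plugin: the response format (SHA-256 over a random nonce plus the requested memory window), the 64-byte window size and all function names are assumptions, and the serial link is replaced by a direct function call.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for the reference program code (4 KiB).
REFERENCE_IMAGE = bytes(range(256)) * 16
WINDOW = 64  # bytes of program memory covered by each challenge (assumed size)


def make_challenge(offset, length=WINDOW):
    """Verifier: a fresh random nonce makes a recorded response useless later."""
    return {"nonce": secrets.token_bytes(16), "offset": offset, "length": length}


def unit_response(memory, challenge):
    """Unit (simulated): SHA-256 over the nonce and the requested memory window."""
    start = challenge["offset"]
    window = memory[start:start + challenge["length"]]
    return hashlib.sha256(challenge["nonce"] + window).digest()


def verify_response(reference, challenge, response):
    """Verifier: recompute from the reference code and compare in constant time."""
    expected = unit_response(reference, challenge)
    return hmac.compare_digest(expected, response)


def run_integrity_test(unit_memory, reference=REFERENCE_IMAGE):
    """Challenge every window in turn; return (True, None) or (False, offset)."""
    if len(unit_memory) != len(reference):
        return False, None  # size mismatch: fail before issuing any challenge
    for offset in range(0, len(reference), WINDOW):
        challenge = make_challenge(offset, min(WINDOW, len(reference) - offset))
        response = unit_response(unit_memory, challenge)  # would cross the serial link
        if not verify_response(reference, challenge, response):
            return False, offset  # "No Match": stop and report the failing window
    return True, None  # every challenge matched


if __name__ == "__main__":
    tampered = bytearray(REFERENCE_IMAGE)
    tampered[1000] ^= 0x01  # constructed single-bit modification
    print(run_integrity_test(REFERENCE_IMAGE))   # unmodified unit
    print(run_integrity_test(bytes(tampered)))   # modified unit
```
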

  14. Confidentiality Method: [12] • The primary advantage of symmetric-key cryptography is speed. • Symmetric-key algorithms are generally significantly faster than asymmetric-key algorithms, and the keys are shorter in length for the same security strength. • The AES algorithm is a symmetric block cipher that can encrypt and decrypt information. • AES was found to be the most secure, fastest and best among all the existing algorithms, with no serious weaknesses such as those in weak keys, insecure transmission of the secret key, speed, flexibility, authentication and reliability found e.g. in DES, IDEA and Triple-DES.

  15. Confidentiality Method : Figure 6: Confidentiality procedure of the embedded system

  16. Non-Repudiation Method:[13] • Historically, handwritten signatures were used to provide authenticity and liability for a document. The proposed successor to handwritten signatures is digital signatures. • Digital signatures offer protection that is not available by using alternative signature techniques like digitized signature. • Digitized signatures can be forged and can be duplicated and appended to other electronic data; digitized signatures cannot be used to determine if information has been altered after it is signed. • Digital signatures, however, are computed on each message using a private key known only by the signer.

  17. Non-Repudiation Method : Figure 7: Non-Repudiation procedure of the embedded system

  18. Implementation Table 2: Development Environment

  19. User Interface Figure 8: User interfaces of Main Window and Module Window

  20. Testing • Some of the test flows used for testing the security features of the embedded systems are: • Certificate Format Check (Authentication) • Master Unit Validation (Authentication) • Slave Unit Validation (Authentication) • Source Validation (Non-Repudiation)

  21. Continued… • Session Key Validation (Confidentiality) • Random Number Validation (Confidentiality) • Validation of Encrypted Data (Confidentiality) • Validation of Challenge Response (Confidentiality) • Program Hash Validation (Integrity) • Program Code Validation (Integrity)

  22. Security Testing Metrics • The following diagram shows some of the security testing metrics which are aimed to be achieved after performing automatic test execution through the security plugin: • SSDFC - Security Sensitive Data Flow Coverage • STC - Security Testing Coverage • MTTMV - Mean-Time to Mitigate Vulnerabilities • CL - Confidentiality loss • IL - Integrity loss • NoV - Total Number of Vulnerabilities Figure 14: Security Testing Metrics

  23. Security Testing Metrics • Security Sensitive Data Flow Coverage (SSDFC) = No. of executed security sensitive branches / No. of total security sensitive branches (230/330=0.69) • Security Testing Coverage (STC) = No. of tested security modules / No. of total security modules (3/3=1) • Mean-Time to Mitigate Vulnerabilities (MTTMV) = Sum (Date of mitigation – Date of Detection) / No. of Mitigated Vulnerabilities [19] • Confidentiality loss [17] • CL (O; A; Y; R; t) = p (o; A; Y; t) cost (O; R) • Integrity loss [17] • IL (O; A; Y; R; t) = DE (O; A; Y; R; t) + PE (O; A; Y; R; t) • Total Number of Vulnerabilities (NoV) with Severity ratings.

  24. Conclusion • We have undertaken the study of various literatures on security of embedded systems and its verification. • Accordingly, we have proposed an exhaustive potential solution. • This plugin helps in automatic checking of authenticity, integrity, confidentiality and non-repudiation of the micro-controller based embedded systems. • With the proposed approach, security testing can be performed for all the possible conditions on the embedded systems in an effective manner. • Based on this design that is feasible to be implemented, the outcome expected is a robust embedded system which overcomes the flaws of manual testing of micro-controller based embedded systems.

  25. References [1] Tushar Puri, Jaspreet Singh, Hemant Kaushal, “Prototyping of Indian Electronic Voting Machine”, International Journal of Engineering Research and Development, May 2017. [2] Faiqa Maqsood, Muhammad Ahmed, Muhammad Mumtaz, Munam Ali Shah, “Cryptography: A Comparative Analysis for Modern Techniques”, (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 8, No. 6, 2017. [3] James Graham, Richard Howard, Ryan Olson, “Cyber Security Essentials”, Auerbach Publications, Taylor & Francis Group, 2011. [4] Paul Kocher, Ruby Lee, Gary McGraw, Anand Raghunathan and Srivaths Ravi, “Security as a New Dimension in Embedded System Design”, Design Automation Conference, 2004, 41st proceedings. IEEE ISSN: 0738-1007.

  26. References [5] Hari K. Prasad, J. Alex Halderman, Rop Gonggrijp, Scott Wolchok, Eric Wustrow, Arun Kankipati, Sai Krishna Sakhamuri, Vasavya Yagati, “Security Analysis of India’s Electronic Voting Machines”, Proceedings of the 17th ACM conference on computer communications security, 2010. [6] Sahibzada Muhammad Ali, Chaudhary Arshad Mehmood, Ahsan Khawja, Rahat Nasim, Muhammad Jawad, Saeeda Usman, ikandar Khan, Saqib Salahuddin, Mian Atif Ihsan, “Micro-Controller Based Smart Electronic Voting Machine System”, IEEE International Conference on Electro/Information Technology, Milwaukee, WI, 2014, pp. 438-442. [7] Kwang-Hyun Baek, Sergey Bratus, Sara Sinclair, Sean W. Smith, “Attacking and Defending Networked Embedded Devices”, Workshop on Embedded Systems Security (WESS 07), October 2007.

  27. References [8] William Stallings, “Cryptography and Network Security Principles and Practices”, Pearson Education, Inc., 2011. [9] Dimitrios Zissis, “Methodologies and Technologies for Designing Secure Electronic Voting Information Systems”, a dissertation submitted to the Department of Product and Systems Design Engineering for the partial fulfillment of the requirements for the degree of Doctor of Philosophy in the subject of Information and Communication Systems Security, 2007-2011. [10] June Andronick, Boutheina Chetali, and Christine Paulin-Mohrin, “Formal Verification of Security Properties of Smart Card Embedded Source Code”, Proceedings of the 2005 international conference on Formal Methods, 2005.

  28. References [11] Thomas Wollinger, Jorge Guajardo, and Christof Paar, “Cryptography in Embedded Systems: An Overview”, Proceedings of the Embedded World 2003 Exhibition and Conference, pp. 735-744, Design & Elektronik, Nuernberg, Germany, February 18-20, 2003. [12] Aysha Albarqi, Ethar Alzaid, Fatimah Al Ghamdi, Somaya Asiri, Jayaprakash Kar, “Public Key Infrastructure: A Survey”, Journal of Information Security, 2015. [13] Jawahar Thakur, Nagesh Kumar, “DES, AES, and Blowfish: Symmetric Key Cryptography Algorithms Simulation based Performance Analysis”, International Journal of Emerging Technology and Advanced Engineering, www.ijetae.com (ISSN 2250-2459, Volume 1, Issue 2, December 2011).

  29. References [14] Mansoor Ebrahim, Shujaat Khan, Umer Bin Khalid, “Symmetric Algorithm Survey: A Comparative Analysis”, International Journal of Computer Applications (0975-8887), Volume 61, No. 20, January 2013. [15] Kamleshkumar Raghuvanshi, Purnima Khurana, Purnima Bindal, “Study and Comparative Analysis of Different Hash Algorithm”, Journal of Engineering Computers & Applied Sciences (JECAS), Volume 3, No. 9, September 2014. [16] Annabelle Lee, “Guideline for Implementing Cryptography in the Federal Government”, NIST Special Publication 800-21, U.S. Department of Commerce Technology Administration National Institute of Standards and Technology. [17] Elaine Barker, “Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms”, NIST Special Publication 800-175B.

  30. Any Questions?

  31. THANK YOU • “The man who trades freedom for security does not deserve nor will he ever receive either…” • Under Guidance of: Ms. Anna Peter, Sr. DGM; Ms. Indira Devi.K, Mgr; Ms. Bhagya Lakshmi A.N., Mgr; Ms. Deepti Vidyarthi, Asst. Prof.; Mr. Hiran Kumar, DM
