40 jahre informatik hamburg
DESCRIPTION
Präsentation gehalten von Frau Prof. Eckert zu 40 Jahre Informatik in Hamburg im November 2011.TRANSCRIPT
26.05.2012
1
Mit Sicherheit innovativ!
Claudia Eckert
TU München,
Fraunhofer Institut AISEC1
40 Jahre Informatik Hamburg
18.11. 2011 Universität Hamburg
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
2
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics
Si h h it b öti t F h
2Claudia Eckert
Sicherheit benötigt Forschung
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
26.05.2012
2
1. Motivation
5) Smart Environments & CPS
Mainframes, Embedded, Smart Environments & CPS
1) Mainframes
4) RFID-TagsEmbedded
90% of allCPUs are embedded
Smart Grid Factory of the Future
3
1 ComputerMultiple Users
1 Computer1 User
1UserMultiple ComputersM2M
Time
8.5% growth17 Billion totalrevenue
Claudia Eckert
Cyber Physical Systems (CPS)
• Integration of physical environments and ICT systems (of systems)
1. MotivationTrends in ICT
Characteristics:
• Lots of Autonomous devices/sensors
• Embedded systems
• Heterogeneous networks
• M2M‐communication
e.g. Smart Grid
Main tasks:
• Controlling & monitoring complex systems often in real‐time
• Collecting data, exchange data, trigger actions, ….
4Claudia Eckert
26.05.2012
3
Cloud Computing
New style of computing where massively scalable IT‐enabled
1. MotivationTrends in ICT
capabilities are delivered ‘as a service’ to external customers
using Internet technologies (Gartner 2008)
5Claudia Eckert
1. Internet of Things = Embedded Systems + Cyber Physical + Internet
1. MotivationTrends in ICT
2. Internet of Services/Cloud Computing =Business Software + new Business Models + Internet
3. Future Internet =Internet of Things + Internet of Services + Mobility + Improved Core‐Network + Internet of Knowledge & Content
6
New Business Opportunities: e.g. • Smart Grid, Smart Mobility, Smart Health, Smart Cities, Factory of
the Future, Smart Logistics, …• Challenge: Handling of “Big Data”:
Data Acquisition, Analytics, Provisioning, …
Claudia Eckert
26.05.2012
4
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
7
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics
Si h h it b öti t F h
7Claudia Eckert
Sicherheit benötigt Forschung
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
2. Future InternetBusiness Opportunities
Mobile Application: Convergence private/businessConsumerized IT!
Loyalty
Payment
PhysicalAccess
Content Download
IdentityManagement
Loyalty
Pay
Communicate
Transact Identify
8Claudia Eckert
TTicketingDRM
DeviceConfiguration
Transact y
26.05.2012
5
Consumerized IT An increasing number of organizations take a strategic
approach to Consumerization by providing IT support
2. Future InternetBusiness Opportunities
approach to Consumerization by providing IT support
for personal devicesQuelle: bringyourownit.com/2011/09/26/trend‐micro‐consumerization‐report‐2011/
Increased Efficency:Recent studies have shown that allowing employees touse innovative, state‐of‐the‐art devices and servicesf th i h i i th i ffi iof their own choosing can increase their efficiency.
Reduced Costs:Reduced capital expenditures are likely as employees turn to their own personal devices to perform work, with the added benefit of lower device management and maintenance costs.Quelle: Booz & Company, Comsumerization of IT, 2010
2. Future InternetBusiness Opportunities
Automotive Industry: Connected Drive, Web‐Services in Cars
Traffic info andweb cams
Road Billing
Intelligent Car Routing and N i ti
Inter CarCommunication
web cams
GPS Street Parking
(Location based) web information
g
Fleet Management
Navigation
10Claudia Eckert
Mobile TVParking Slots Reservation Contactless Gas
Station
Use of Web Services will be common in the carImportance of protection against attacks from the internet will increase
26.05.2012
6
Smart Mobility: Internet within the vehicle• IP‐based communication: few and more complex control units• Value‐added services Business Apps cloud‐based services
2. Future InternetBusiness Opportunities
• Value‐added services, Business Apps , cloud‐based services e.g. on‐board diagnostics, entertainment, e‐mobility
11Claudia Eckert
Dynamic Management
2. Future InternetBusiness Opportunities
Smart Energy: from e‐Energy to eMobilityICT to manage and control energy‐grids• New pricing billing models
eMobility
Solar cells
Office-facilitiesPrivate Households
Power Consumption when price is low
Dynamic Management
Sensors:Detection of Disruptions
Outage
Processors:Controls
• New pricing, billing models• New services,e.g. AAI
12
Wind-Farm
Industrialplant
Isolated Grid
Power plant
Storage
Generators:Local energy producer
26.05.2012
7
Its all about Data, Information & Knowledge!
2. Future Internet Business Opportunities
Its is all about Security of Data:
• Correctly identified person, service, device? Authenticity
• Correct data, not manipulated? Integrity
• No data leakages to unauthorized parties? Confidentiality
• Is authorized access to data possible? Availability
13
Is authorized access to data possible? Availability
Security is essential
Claudia Eckert
And .....
2. Future Internet Business Opportunities
Appropriate Security Measures are urgently required
Because ....
•Attack surfaces grow
14
• Lots of attacks that jeopardize the Security
Claudia Eckert
26.05.2012
8
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
15
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics
Si h h it b öti t F h
15Claudia Eckert
Sicherheit benötigt Forschung
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
3. Security Threats Hardware Attacks
Malicious Hardware
• Physical Access to Hardware likePhysical Access to Hardware like Sensors (e.g in cars):• Generate manipulated data, • Delete data, • Data leakages Manipulated Smart Meter
in AISEC Lab
16
• Product counterfeiting:• Forged hardware with low quality• Safety problems• Liability problems
Claudia Eckert
Forged break disc (left original)
26.05.2012
9
3. Security Threats Software Manipulation Attacks
Malicious Software
• Vulnerable Software (Operating System, Web‐( p g yApplication, Server)
• Code Injection
• Data access: manipulation, deletion
• Session Hijacking
• ID Spoofing
17
• Denial of Service:
Safety‐critical applications
can be influenced as well!
Claudia Eckert
‚alltägliche‘ Angriffe
18
26.05.2012
10
3. Security Threats Network based Attacks
Vulnerable Networks
• Heterogeneous Technologies (e.g. GSM/LTE, WLAN, SCADA)
• Injection of false messages,
• Message Replay , Sniffing, Spoofing
• Drop messages
• DDoS
Example:Example:
Stuxnet
Attack 2010
19Claudia Eckert
Hacken kritischer Infrastrukturen
26.05.2012
11
3. Security ThreatsExample:Smart Grids
21Claudia Eckert
Current Look & Feel ….
Future Internet will be a Security Nightmare
Any Hope? What is required?
Security Technology: Scalable, adaptable, seamless
Built‐in Security: New Architectures
22
Secure by Design
Health‐Monitoring: New Services, Security as Service
Secure during operation
Security Culture: Education, Training, Awareness
Claudia Eckert
26.05.2012
12
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
23
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics
Si h h it b öti t F h
23Claudia Eckert
Sicherheit benötigt Forschung
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
4. Research TopicsSecurity Technology
e.g. Scalable Hardware‐Security
• Attack‐resistant Hardware modules
• Reconfigurable hardware cores
• Secure Object Ids for M2M authentication
• Lightweight cryptography to support resource‐poor sensors
24Claudia Eckert
26.05.2012
13
4. Research TopicsSecure by Design
e.g. Trustworthy Software‐Architectures:
• Secure Programming:
• Input Filtering etc.
• Isolated execution environments
• Controlled isolation of applications
• Trusted Input/Output , trusted path
• Security & integrity checks
25
• Security & integrity checks
• Security check‐points , metrics
• Detection of invalid system states
• Rollback
Claudia Eckert
Example: next Generation Mobile Phones
4. Research TopicsSecure by Design
Mobile Payment Mobile Banking Mobile Ticketing Mobile Visa Mobile Health Services
Mobile Public Services
Trusted
TrustedApplications
ExecutionEnvironment
26.05.2012
14
4. Research TopicsSecure during Operation
e.g. Security as a Service
• Identity Management
e.g. with nPA
mobile nPA (not yet)
• Health monitoring &
Malware detection
e g Improve detection and
27
e.g. Improve detection and
reaction methods
Learn from observed
attacker behavior
Claudia Eckert
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
28
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics
Si h h it b öti t F h
28Claudia Eckert
Sicherheit benötigt Forschung
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
26.05.2012
15
Problem:
Secure Remote Key-less Entry, RKE
5. Selected Examples @ AISEC/TUMLightweight Cryptography
Many vehicle access systems possess
intrinsic security weaknesses
Symmetric cryptography for
authentication often used
Easy to crack!
29
Solution:
Lightweight implementation of ECC
and PKI: strong cryptography
Secure access protocols
29Claudia Eckert
Problem
• Secrets can be extracted :
‘Finger prints’ for Objects: Unclonable Material-Based Security
5. Selected Examples @ AISEC/TUMNew Concepts for Component Identification
Secrets can be extracted :
spoofed component ID, insecure keys
Solution
• Physical unclonable function (PUF)
• Object fingerprints, depend on variations
of the of manufacturing process
• M2M Authentication:
Physical structure generates
Challenge-Response-Pairs in an unpredictable way
• Secure generation of cryptographic keys for standard protocols
• No protected memory necessary
Claudia Eckert
26.05.2012
16
Problem
Fl h St i i t i t
Automotive Environment
5. Selected Examples @ AISEC/TUMScalable Hardware Security Modules
• Flash Storage is insecure: not appropriate for keys and sensitive data
• Secure Storage within each ECU is very expensive
Solution
Central key manaegment using a
dedicated Secure Hardware Elementdedicated Secure Hardware Element
Benefit
• Secure M2M authentication of components
• Manipulation-resistant storage and cryptographic services
• Basis for secure In-Car and Car2X communication
31Claudia Eckert
Smart Meter/Gateway
Problem:
data leakages privacy issues
5. Selected Examples @ AISEC/TUMSecure by Design
• data leakages, privacy issues
Solution
• Secure Smart Meter
Compliant to BSI Protection Profile
• Based on Hardware Security Module
• Secure Handling of metering data:
Display
authentication, Access control,
data confidentiality (encryption)
• Privacy by design:
data aggregation, filtering
HSM
HSM
32Claudia Eckert
26.05.2012
17
Problem
C R E i i Hi h T h C t
Product Piracy Protection
5. Selected Examples @ AISEC/TUMSecure by Design
Copy, Re-Engineering High-Tech Componentes
Solution
Secure Element used as trust anchor for firmware
Authentication between firmware und hardware
Software Obfuscation for firmware
Tight coupeling of firmware & hardware
33Claudia Eckert
Problem PolicyManager
WorkflowManager
GRCManager
MetricsManager
Monitoring of Cloud-Services
5. Selected Examples @ AISEC/TUMSecure during Operation
Cloud-user lose control over their data: where is
the data (leakages?), who has access,
Solution
KPIs to measure security
status of outsourced Appl.
Dynamic controls to detectMONITORING FRAMEWORKJava VM
App Controller
Application Server
Application Modelle
DSL Interpreter
Complex Event ProcessingEve
nt
Bu
s
Vorlagen
PLUGINS
a age a age
…
misbehaviour, deviations
Monitoring: e.g.
Data flows (where is my data),
Log-files (who had access),
Events (IDS, …)
34
Betriebssystem
Xen / KVM Hypervisor
Virtuelle Maschine Virtuelle Maschine
Claudia Eckert
26.05.2012
18
New Approaches for Malware Analytics: Topic Models
5. Selected Examples @ AISEC/TUMSecure during Operation
Latent topics in
system Call traces
E.g. Expert view:
Tr1: graphics program
Tr2: read and transmit
35
file content
Tr 3: receive and display
a picture
Expert reveals latent structures: clustering/classifying using
semantic expert know-howClaudia Eckert
Improved Malware analytics: SST Supervised Topic Transition
Using Machine Learning Techniques and Topic Modeling for clustering
5. Secure during OperationSome AISEC/TUM Examples
Improved ‘semantic’ Clustering and Classification of malware
36Claudia Eckert
26.05.2012
19
SST Supervised Topic Transition
>70 topics: High accuracy, low false alarm rate, low missing rate!
5. Secure during OperationSome AISEC/TUM Examples
37
Putting it all together:Example: Secure Smart Grids
26.05.2012
20
Summary & Take Home Message
ICT driver of Innovations:
• Huge amounts of data are collected, processed, distributed
Innovation needs Security:
• Data security, integrity, confidentiality is a MUST have
Security needs Research:
• Security Technologies: Scalable, adaptable
• Built‐in Security & Health Monitoring: Architectures, Services
39
Security needs Multidisciplinarity
• Informatics, Engineering, Math: Architecture, SE, HMI, Networks
• Business Administration, Law, Ethics,...
Security needs Education: Security Culture
Claudia Eckert
Herzlichen Glückwunsch!
40 Jahre Informatik an derUniversität Hamburg
• Informatik formt die Zukunft
• Informatik ist Innovationsmotor
• Informatik an der Universität Hamburg
40
Technologie & Gesellschaft
Mit Sicherheit innovativ!
Alles Gute für die nächsten 40 Jahre!
Claudia Eckert
26.05.2012
21
Thank you for your Attention
Claudia Eckert
Fraunhofer AISEC
TU München, Chair for IT Security
E-Mail: [email protected]
41
Internet: http://www.aisec.fraunhofer.de
Claudia Eckert