protection and security for facilities, machines and embedded systems
DESCRIPTION
The world is changing. Smaller, connected computers are used more and more around all of us, even in our everyday lives. Building controls, CCTV cameras, automatic doors, traffic lights, smart meters, and even airliner avionics rely on embedded systems. The devices need to be programmed, maintained, and increasingly supervised and controlled from the outside. This also opens new avenues for attack and intrusion that the former proprietary systems without network or USB access did not offer potential perpetrators. The target of the attack could be any of the following: - Theft of the know-how of the plant (which would threaten the machine manufacturer) - Manipulation of the operating data (which would threaten the machine owner) - Sabotage (which would mainly threaten the machine owner) The actors of the attack can be identified within these main categories: - Competitors - Disgruntled workers - Secret services In this session we are going to analyze the threats and the available protection mechanisms that Wibu-Systems has developed specifically to meet the requirements of this market. With CodeMeter®, Wibu-Systems offers a set of tools for the security of facilities, machines and embedded systems, deeply integrated with numerous operating systems, featuring the strongest encryption mechanisms, and supporting international industrial standards. ******************************** Request CodeMeter SDK and try out Wibu-Systems' premier technology for yourself http://www.wibu.com/cms ********************************TRANSCRIPT
for Facilities, Machines and Embedded Systems
Marco Blume | Product [email protected]
Rüdiger Kügler | Security [email protected]
Protection and Security
Speaker 3
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 2
Introduction
Current Situation
Threats for Manufacturers
Threats for Users
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 3
Current Situation
98% of all processors are used in embedded systems More and more embedded systems are cross-linked Industrie 4.0
New attack vectors for Cyber Physical Systems
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 4
IT threats for manufacturers and users
User Manipulation
Esabotage Intelligence services / disgruntled employees
Intellectual Property (IP) Recipes / operating parameters / patterns
Production data Machine logbook Production amount
Non authorized access to the machine Service incident operation / operator
Manufacturer / Machine builder Reproduction of a machine Imitation of a machine
Extraction of the intellectual property
Manipulation (warranty) Non authorized updates Modification of hour meters Modification of flight records / logs
Non authorized access to service documents
Non authorized access to source code
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 5
The Solution - CodeMeter
Desktop Software
Embedded Devices
Programmable Logic Controllers
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 6
CodeMeter - Overview
CodeMeter Secure key storage (Hardware / Software)
License models
Software Integration Automatic encryption / API
Backoffice Integration License enforcement
License management
Software Integration
Backoffice Integration
CodeMeterTechnology
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 7
CodeMeter @ Embedded Devices
CodeMeter Embedded Driver Lightweight driver as library / source code
Cryptographic API
Basic CodeMeter features
Support of CmDongles / CmActLicenses
Wibu Protection Suite ExProtector
AxProtector
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 8
CodeMeter @ Programmable Logic Controllers
CODESYS Boot project protection
API access
Source code protection
Bernecker + Rainer Technology guard
Rockwell Source code protection
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 9
Wibu Protection Suite
Automatic Encryption
Encryption of Executable Code
Code Signing
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 10
.NET
Stan
dard
Fam
ewor
k
Java
SE
Java
EE
Embe
dded
Ope
ratin
gSy
stem
s
OS
X
Win
dows
Desk
top
Linu
x
Wibu Protection Suite - Overview
Authorization of Software(Secure Loader)
Encryption on method level
Integrity Protection(Tamper Protection)
Automatic Protection(IP Protection)
ExPr
otec
tor
AxPr
otec
tor .
NET
AxPr
otec
tor
Java
Wibu Protection Suite
AxProtector
IxProtector
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 11
VxW
orks
QNX
Win
dows
Embe
dded
Embe
dded
Linu
x
Wibu Protection Suite @ Embedded Devices
Andr
oid
Win
dows
Embe
dded
Com
pact
Wibu Protection Suite
AxPr
otec
tor
ExPr
otec
tor
ExPr
otec
tor
AxPr
otec
tor
ExPr
otec
tor
AxPr
otec
tor
AxPr
otec
tor
ExPr
otec
tor
Embedded DriverCodeMeterRuntime Embedded Driver Embedded Driver
Authorization of Software(Secure Loader)
Individual API usage
Integrity Protection(Tamper Protection)
Automatic Protection(IP Protection)
Embedded DriverEmbedded Driver
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 12
AxProtector .NET – Unproteced Assembly
.Net (and Java) code can
be disassembled
very easily
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 13
AxProtector .NET – Protection Process
Prot
ecte
d As
sem
bly
Com
pile
d As
sem
bly
Header
Original Code
Header
Stub Code(Without Intellectual
Properties)
AxEngine(Security Engine)
Encrypted Code(Original Code with
Intellectual Properties)
AxProtector .NET
Definitionof licenses and
modulesAssembly has same structure
as original Assembly
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 14
AxProtector .NET – Protected Assembly
Code is protected now!
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 15
AxProtector – Protection Process
Prot
ecte
d Ex
ecut
able
/ Li
brar
y
Com
pile
d Ex
ecut
able
/ Li
brar
y
Header
Code Section
Header
EncryptedCode Section
AxEngine(Security Engine)
AxProtector
Definitionof licenses and
modules
Data SectionEncrypted
Data Section
EncryptedResource Section
Resource Section
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 16
ExProtector – Protection Process
Prot
ecte
d Ex
ecut
able
/ Li
brar
y
Orig
inal
Exe
cuta
ble
/ Lib
rary
Header
Original Code
Header
Encrypted Code
Credentials(Hash, Signature, …)
ExProtector
Keys for EncryptionKeys for Code
Signing
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 17
ExProtector – Keys and Credentials
Prot
ecte
d Ex
ecut
able
/ Li
brar
y
Orig
inal
Exe
cuta
ble
/ Lib
rary
Header
Original Code
Header
Encrypted Code
Credentials(Hash, Signature, …)
ExProtector
Keys for EncryptionKeys for Code
Signing
AES Key (FSB)
ECC Private Key
Certificate(s)
Encrypted Random AES Key
Firm Code | Product Code
Hash
Signature
Certificate(s)
ExProtector
Credentials(Hash, Signature, …)
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 18
ExProtector – Integration into Loader
Operating System
ExEngine(ExProtector Runtime)
CodeMeter Embedded Driver
Operating System(without modification)
Engineering
Modified LoaderOriginal Loader
Root Public Key
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 19
ExProtector – During Runtime (Load of Executable / Library)
Mem
ory
of E
mbe
dded
Dev
ice
Prot
ecte
d Ex
ecut
able
/ Li
brar
y
Header
Encrypted Code
Header
Decrypted CodeExEngine
Public Root KeyLicense with
Firm Code and Product Code
Credentials(Hash, Signature, …)
Credentials(Hash, Signature, …)
Additional Security:
Watchdog
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 20
Secure Key Storage
CmDongles
CmActLicenses
License Server in Network
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 21
CmDongle – Secure Smart Card Chip
Smart card chip Protected against side channel attacks
Differential Power Analysis (DPA)
Firmware update New security features
New features
Secure update channel
64 kByte | 384 kByte secure storage for licenses
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 22
CodeMeter – Firm Code and Product Code
License Entry = Firm Code | Product Code Firm Code: defined by Wibu-Systems Product Code: Defined by software vendor Each license entry can have different license
options: Product Item Options (PIOs) Up to 6,000 per CmDongle or CmActLicense
…
Firm Code: 10
PIOs
Product Code: 301.000
PIOs
Product Code: 301.001
PIOs
Product Code: 301.002
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 23
Activation via Internet (Online)
Vendor UserSOAP (XML), JSON,HTTP Post
Ticket +License Request
License Update
Receipt
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 24
Activation via File (Offline)
UserVendor
ü
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 25
CmActLicenses
Virtual CmDongles Same features
Remote Activation
License Models / Product Item Options
CodeMeter SmartBind® for desktop systems Adapter for embedded devices License bound to individual hardware properties
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 26
CmActLicenses – Binding to hardware
Public Key (Fingerprint)
License File
C
Computer VendorCC VV
Data(Encryption Keys)
Hash
Signature
AES Key Encrypts
Signs
C
V
Signs with Private Key of Vendor
Encrypts with Public Key of computer
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 27
Key Features
Symmetric Encryption 128-Bit AES (Advanced Encryption Standard)
Usage for software encryption / data encryption
Asymmetric Encryption 224-Bit ECC (Elliptic Curve Cryptography)
2048-Bit RSA (Rivest Shamir Adleman)
Usage for Signatures and Authentication
Protection of Software as a Service (SaaS)
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 28
Secure Boot
Forward Check
Backward Check
Anchor of Trust
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 29
Secure Boot
Integrity Protection starts at boot Integration into boot loader Signature and encryption of complete operating system Forward check and backward check (state engine) of integrity
04/13/2023
Secure Boot
Application / Runtime / PLC
Operating System (VxWorks, …)
Boot Loader (UEFI, …)
Hardware / Pre-Boot Loader
Load Check Start Check
Load Check Start Check
Load Check Start Check
Protection and Security for Facilities, Machines and Embedded Systems 30
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 31
Forward and Backward Check
InnerShell
OuterShell
TrustedDevice
Sets state
Checks stateUses state
Not allowed
InnerShell
OuterShell
Hash &Signature
Forward check Backward check
CmDongleor
TPM
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 32
Challenges
It needs to be performed for each shell Certificate Chain
Process of creating private keys and certificates
Allowed Controllers How to get a unique ID of the computer / Different CmActLicenses for identification
Performance of Solution Amount of certificates in certificate chain
Anchor of Trust
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 33
Certificate Chain
Definition of a certificate (similar to X.509)
Definition of rules by vendor Public Root Key hard codes in
device Distribution by CodeMeter
License Central
Authority ID Subject ID Name of subject Public key Signature of private key Certificate chain Access level (Boot | OS |
App | Config) * Device class / ID range * Expiration Data
Trusted
Certificate
04/13/2023 Protection and Security for Facilities, Machines and Embedded Systems 34
Thank you very much
WIBU-SYSTEMS AG
www.wibu.com