security considerations for next-generation operating ...cdgill/ngoscps2019/...ngoscps - 5 bcw...
TRANSCRIPT
Security Considerations for Next-Generation Operating Systems for Cyber-Physical Systems
Bryan C. Ward,1 Richard Skowyra,1 Samuel Jero,1 Nathan Burow,1 Hamed Okhravi,1 Howard Shrobe,2 and Roger Khazan1
1MIT Lincoln Laboratory, 2MIT CSAIL
NGOSCPS 4/15/2019
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. This material is based upon work supported by the Under Secretary of Defense for Research and Engineering under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Under Secretary of Defense for Research and Engineering. © 2019 Massachusetts Institute of Technology. Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.
NGOSCPS - 2 BCW 04/15/19
Attacks on CPS Systems
2018: Russian cyber activity targets U.S. critical-infrastructure sectors 2017: Triton attack against ICS safety controllers
2017: Attack on Broadcomm embedded Wi-Fi chips
2015: Remote exploitation of an unaltered passenger vehicle
NGOSCPS - 3 BCW 04/15/19
Existing Operating Systems in CPS
Bare metal FreeRTOS VxWorks Linux
• Low latency • High predictability • More difficult to program
• All security mechanisms must be provided by the application developer (i.e., likely zero)
• Low latency • Strong real-time performance
• Some security mechanisms provided • Process isolation • Memory protection
• Security mechanisms are frequently not enabled, often due to performance concerns
• Many FreeRTOS systems do not enable kernel memory protection
• Potential higher latency • Highly complex OS • Less predictable real-time
performance • Well known and relatively easier to
build upon
• Many more security features are available
• Many security features are enabled by default
Need operating systems that can support the real-time performance demands of CPS and also provide strong security capabilities
NGOSCPS - 4 BCW 04/15/19
Organization
• Threat models – Security principles – Access vectors – Attack techniques
• Case study – Industrial Control System • Recommendations
– Memory safety – Fine-grained isolation – Privilege and trust minimization – Recovery
NGOSCPS - 5 BCW 04/15/19
Security General Principles
• Information security “CIA Triad” – Confidentiality: Data is not disclosed to unauthorized
individuals, entities, or processes – Integrity: Data cannot be modified in an unauthorized manner – Availability: Data must be available when needed
• In many CPS systems, there is a fourth tenant: – Safety: The system must function without causing physical
damage
• The relative importance of each of these security properties is different in some CPS domains – E.g., power grid: safety & availability paramount – Must consider attacker intentions
NGOSCPS - 6 BCW 04/15/19
Access Vectors
Co-hosted application, Software supply chain Hardware ports
e.g., USB, CAN
Remote attackers
Attacker’s access vector drives the types of attack technique they can employ, and thus the type of defenses needed
NGOSCPS - 7 BCW 04/15/19
Attack Techniques
Side Channels
Memory Corruption Command injection
Message Forgery
NGOSCPS - 8 BCW 04/15/19
Case Study - Industrial Control Systems Enterprise Network
OT/ICS Network
Sensor/ Actuator
Sensor/ Actuator
Sensor/ Actuator
PLC PLC PLC
HMI
PLC: Programmable Logic Controller HMI: Human Machine Interface OT: Operation Technology
Controller
NGOSCPS - 9 BCW 04/15/19
Case Study - Industrial Control Systems Enterprise Network
OT/ICS Network
Sensor/ Actuator
Sensor/ Actuator
Sensor/ Actuator
PLC PLC PLC
HMI
PLC: Programmable Logic Controller HMI: Human Machine Interface OT: Operation Technology
Credential Theft Phishing
Message forgery Memory
Corruption (Crash Override, 2016)
(Triton, 2018)
(Ukraine Grid Attack, 2015) (Ukraine Grid Attack, 2015)
Controller
NGOSCPS - 10 BCW 04/15/19
• Threat models for CPS are not necessarily the same as that of general-purpose and enterprise systems – Attackers seldom co-hosted as in cloud applications – Privileged control interfaces are more common, e.g., CAN
• Defenses for CPS systems should address relevant threat models for given application
• Any solutions applied to a real-time or safety-critical CPS application, also must be designed for runtime determinism and predictability
Implications
NGOSCPS - 11 BCW 04/15/19
Memory Safety
Most CPS software currently written in C/C++
Memory corruption starts with vulnerabilities in unsafe code
Modern programming languages such as Rust ensure memory safety
Example OS developed in Rust
Next-generation Operating Systems should be developed in type-safe languages to eliminate large classes of vulnerabilities
NGOSCPS - 12 BCW 04/15/19
Isolation
In practice, many next-generation system will include legacy code and unsafe code sections
Temporal Isolation Provide strong
isolation among software components
Isolation mechanisms are needed minimize effects of attacks
ACES: Automatic Compartmentalization for Embedded Systems, USENIX ‘18
NGOSCPS - 13 BCW 04/15/19
Minimization of Privileges and Trust
System components should be minimized to reduce trust, and the privileges of each component
Hierarchical privilege models give undue privileges to the lowest-level,
especially in CPS
In CPS, trust and privileges must be considered through the lens of both the cyber and the physical domains
Component-based operating systems
Capability system enables fine-grained permissions
NGOSCPS - 14 BCW 04/15/19
Recovery
In response to an attack, a CPS device must be able to respond and recover
Many CPS systems are not easily accessible for manual intervention and recovery
Other CPS system have high availability requirements, requiring
fast micro-reboot capabilities
There are many parallels with fault tolerance, but attackers are not stochastic processes
NGOSCPS - 15 BCW 04/15/19
Conclusion
• Security must be considered in the design of CPS systems
• Security of CPS must consider access vectors and specific threat models relevant to
the problem domain
• Recommendations for ways forward:
– Memory safety
– Minimization of privileges and trust
– Isolation
– Recovery