Towards a Secure Internet of Things
Philip Levis, Stanford University
Keynote Talk, IEEE International Conference on Pervasive Computing and Communication
March 20, 2018
The Internet of Things (IoT)
A Security Disaster
• HP conducted a security analysis of IoT devices¹
  ▶ 80% had privacy concerns
  ▶ 80% had poor passwords
  ▶ 70% lacked encryption
  ▶ 60% had vulnerabilities in UI
  ▶ 60% had insecure updates
¹ http://fortifyprotect.com/HP_IoT_Research_Study.pdf
This Talk
• Technology trends: why today?
• Security: why is it so hard?
• Research: what we’re doing
The EmNets Vision
• “Information technology (IT) is on the verge of another revolution… The use of EmNets [embedded networks] throughout society could well dwarf previous milestones.”¹
• “The motes [EmNet nodes] preview a future pervaded by networks of wireless battery-powered sensors that monitor our environment, our machines, and even us.”²
¹ National Research Council. Embedded, Everywhere, 2001.
² MIT Technology Review. 10 Technologies That Will Change the World, 2003.
(slide footer: 15.iii.2005 Stanford Interview Talk 2)
Two Game-Changers
• ARM Cortex M series
  ▶ First released 2004
  ▶ Ultra-low power 32-bit processor
  ▶ 8-96kB of RAM, 64-512kB code flash
  ▶ Sleep currents recently dropped <1µA
• Bluetooth Low Energy
  ▶ First released in 2006
  ▶ Send a 30 byte packet once per second, last for a year on a coin cell battery
  ▶ Support was weak until Apple incorporated it into iBeacon; now all major smartphones include it
Example Part: nRF51422
• Cortex M0+ with integrated 2.4GHz transceiver
  ▶ Supports Bluetooth Low Energy
  ▶ Two models: 32kB/256kB or 16kB/128kB
• DigiKey cost for 3,000: $1.88
Typical Hardware Designs: imix, Stanford/Berkeley
• Imix development board, many debugging pinouts
• Multi-core system
  ▶ 802.15.4 radio
  ▶ Cortex-M4 application MCU
  ▶ Cortex-M0 BLE SoC
Typical Hardware Designs: Squall, University of Michigan
• Squall: ultra-low cost embedded device
  ▶ nRF51822 BLE/Cortex-M0+ and a few expansion headers
Why Today?
1. Chips and radios are now low power enough to enable long-lived, low data rate devices
2. BLE enables phones to control and collect data from IoT devices
This Talk
• Technology trends: why today?
• Security: why is it so hard?
• Research: what we’re doing
Internet(s) of Things
• Networked Devices
  ▶ Tens/person, uncontrolled environment
  ▶ Unlicensed spectrum, convenience, powered
  ▶ WiFi/802.11, TCP/IP
  ▶ IEEE/IETF
• Personal Area Networks
  ▶ Tens/person, personal environment
  ▶ Unlicensed spectrum, instrumentation, fashion vs. function
  ▶ Bluetooth, BLE, 3G/LTE
  ▶ 3GPP/IEEE
• Home Area Networks
  ▶ Hundreds/person, uncontrolled environment
  ▶ Unlicensed spectrum, convenience, consumer requirements
  ▶ ZigBee, Z-Wave, 6lowpan, RPL
  ▶ IETF/ZigBee/private
• Industrial Automation
  ▶ Thousands/person, controlled environment
  ▶ High reliability, control networks, industrial requirements
  ▶ WirelessHART, 802.15.4, 6tsch, RPL
  ▶ IEEE/IIC/IETF
IoT: MGC Architecture
• eMbedded devices → Gateways → Cloud → End application
  ▶ Embedded devices to gateways: 6lowpan, ZigBee, ZWave, Bluetooth, WiFi, WirelessHART
  ▶ Gateways to cloud: 3G/4G, TCP/IP
IoT Security is Hard
• Languages and links across the MGC tiers
  ▶ Embedded devices: embedded C (ARM, avr, msp430)
  ▶ Device links: ZigBee, ZWave, Bluetooth, WiFi
  ▶ Gateway to cloud: 3G/4G, TCP/IP
  ▶ Cloud: Ruby/Rails, Python/Django, J2EE, PHP, Node.js
  ▶ End application: Obj-C/C++, Java, Swift, Javascript/HTML
• Complex, distributed systems
  ▶ 10³ to 10⁶ differences in resources across tiers
  ▶ Many languages, OSes, and networks
  ▶ Specialized hardware
• Just developing applications is hard
• Securing them is even harder
  ▶ Enormous attack surface
  ▶ Reasoning across hardware, software, languages, devices, etc.
  ▶ What are the threats and attack models?
• Valuable data: personal, location, presence
• Rush to development + hard ➔ avoid, deal later
What We’re Doing
SITP
• Secure Internet of Things Project
  ▶ 5 year project (in year 4)
  ▶ 13 faculty collaborators
  ▶ 3 universities: Stanford, Berkeley, and Michigan
• Rethink IoT systems, software, and applications from the ground up
• Make a secure IoT application as easy as a modern web application
Who?
• Philip Levis, Stanford: Embedded Systems (Faculty Director)
• Steve Eglash, Stanford: Executive Director
• Dawson Engler, Stanford: Software
• Mark Horowitz, Stanford: Hardware
• Zakir Durumeric, Stanford: Internet Security
• Dan Boneh, Stanford: Cryptography
• Keith Winstein, Stanford: Networks
• Prabal Dutta, Berkeley/Michigan: Embedded Hardware
• David Mazières, Stanford: Security
• Björn Hartmann, Berkeley: Prototyping
• Raluca Ada Popa, Berkeley: Security
• David Culler, Berkeley: Low Power Systems
• Peter Bailis, Stanford: Databases
Two Goals
1. Data security: research and define new cryptographic computational models for secure data analytics and actuation on enormous streams of real-time data from embedded systems.
2. System security: research and implement a secure, open source framework that makes it easy to quickly build Internet of Things applications that use these new computational models.
A Few Projects
• Beetle and Bark: connecting the Internet of Things
• Tock: a secure embedded operating system
The Internet of Things
The Reality
BLE Is the Problem
(diagram labels: socket, TCP/IP)
Beetle
• Virtualizes BLE devices
• Multiple applications can use a single peripheral
• Peripherals can communicate with one another
• Security policies for peripheral management
• Can now build previously impossible applications
  ▶ Smart watch opens smart lock
  ▶ Energy monitor application
  ▶ Decouple logging and UI
(diagram labels: Beetle, OS, BLE, Application, Application, Virtual Device, Controller, Peripherals, HAT)
Virtual Devices
• Beetle allows any process to present virtual devices
  ▶ Virtual devices provide the standard Generic Attribute (GATT) interface to attributes: Notify, Read, Write, etc.
  ▶ Many processes can access a virtual device
• Gateway (controller) re-advertises profiles to its peripherals through handle address translation (HAT)
  ▶ Phone connects to a lock, advertises that it is now a lock
• Software can provide arbitrary profiles (e.g., bridge to larger Internet)
Security Policies: Bark
• Default-off communication
  ▶ IoT devices are different, require narrow communication
  ▶ Explicitly enable communication
• Five questions: who, what, where, how, when?
• Map these to underlying network primitives

Allow p₁, at g₁, to perform a on R of p₂, at g₂, when ⊤ = (c₁ ∧ c₂) ∨ c₃ …
  ▶ Subject{(p₁, g₁)}: who{p₁}, where{g₁}
  ▶ Action{a}: how{a}
  ▶ Object{(R, p₂, g₂)}: what{R}, who{p₂}, where{g₂}
  ▶ Conditions{(c₁ ∧ c₂) ∨ c₃ …}: when{c₁}, when{c₂}, when{c₃}
Example Rules
Allow the bedroom switch to change on/off of bedroom lights at any time
  ▶ Who{Bedroom Switch}, How{BLE/GATT write}, What{UUID(on/off)}, Who{Group(Bedroom Lights)}, When{Cron(* * * * *)}
  ▶ Subject{(Bedroom Switch, *[all])} Action{BLE/GATT write} Object{(UUID(on/off), Group(Bedroom Lights), *[all])} Conditions{Cron(* * * * *)}
Allow anyone, from near the home, to see/change lock/unlock of front door lock when homeowner allows it
  ▶ Who{*[one]}, Where{Group(home gateways)}, How{BLE/GATT read/write}, What{UUID(lock/unlock)}, Who{front door lock}, When{AdminAuthorization(homeowner)[30s]}
  ▶ Subject{(*[one], Group(home gateways))} Action{BLE/GATT read/write} Object{(UUID(lock/unlock), front door lock, *[all])} Conditions{AdminAuthorization(homeowner)[30s]}
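The default-off check that these two rules describe, as an added Rust example (not Bark's own implementation): a rule carries the Subject/Action/Object/Conditions tuple, a request answers who, where, how, what and when, and the request is allowed only if some rule matches on all of them. Term, Request, the group table and the lamp/gateway names are this example's constructions.

```rust
/// A who/where term of a Bark rule (this example's representation, not Bark's syntax).
#[derive(Clone, Debug, PartialEq)]
pub enum Term {
    Any,                 // *[all] or *[one]: any principal or gateway
    Name(&'static str),  // one named peripheral or gateway
    Group(&'static str), // Group(...): any member of that group
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Action { GattRead, GattWrite }

/// The "when" conditions used by the two slide rules.
#[derive(Clone, Debug)]
pub enum Cond {
    Always,                                                    // Cron(* * * * *)
    AdminAuthorization { admin: &'static str, window_s: u64 }, // AdminAuthorization(homeowner)[30s]
}

/// Allow p1, at g1, to perform a on R of p2, at g2, when cond.
pub struct Rule {
    pub subject: (Term, Term),              // (p1, g1)
    pub actions: Vec<Action>,               // a
    pub object: (&'static str, Term, Term), // (R, p2, g2)
    pub cond: Cond,
}

/// One concrete request a gateway has to decide; last_auth is the most
/// recent admin authorization as (admin, time), if any.
pub struct Request<'a> {
    pub p1: &'a str, pub g1: &'a str,
    pub action: Action,
    pub attr: &'a str, pub p2: &'a str, pub g2: &'a str,
    pub now_s: u64,
    pub last_auth: Option<(&'a str, u64)>,
}

/// Group membership table: (group, member) pairs.
pub struct Groups(pub Vec<(&'static str, &'static str)>);

fn term_matches(t: &Term, name: &str, groups: &Groups) -> bool {
    match t {
        Term::Any => true,
        Term::Name(n) => *n == name,
        Term::Group(g) => groups.0.iter().any(|(gg, m)| gg == g && *m == name),
    }
}

fn cond_holds(c: &Cond, r: &Request) -> bool {
    match c {
        Cond::Always => true,
        // An authorization is good only for window_s seconds after it was given.
        Cond::AdminAuthorization { admin, window_s } => match r.last_auth {
            Some((who, t)) => who == *admin && r.now_s >= t && r.now_s - t <= *window_s,
            None => false,
        },
    }
}

/// Default-off: allowed only if some rule answers all five questions
/// (who, where, how, what, when) for this request.
pub fn allowed(rules: &[Rule], groups: &Groups, r: &Request) -> bool {
    rules.iter().any(|rule| {
        term_matches(&rule.subject.0, r.p1, groups)
            && term_matches(&rule.subject.1, r.g1, groups)
            && rule.actions.contains(&r.action)
            && rule.object.0 == r.attr
            && term_matches(&rule.object.1, r.p2, groups)
            && term_matches(&rule.object.2, r.g2, groups)
            && cond_holds(&rule.cond, r)
    })
}

/// The two rules from the slide, plus constructed group membership.
pub fn example_policy() -> (Vec<Rule>, Groups) {
    let rules = vec![
        Rule {
            subject: (Term::Name("Bedroom Switch"), Term::Any),
            actions: vec![Action::GattWrite],
            object: ("UUID(on/off)", Term::Group("Bedroom Lights"), Term::Any),
            cond: Cond::Always,
        },
        Rule {
            subject: (Term::Any, Term::Group("home gateways")),
            actions: vec![Action::GattRead, Action::GattWrite],
            object: ("UUID(lock/unlock)", Term::Name("front door lock"), Term::Any),
            cond: Cond::AdminAuthorization { admin: "homeowner", window_s: 30 },
        },
    ];
    let groups = Groups(vec![
        ("Bedroom Lights", "lamp-left"),
        ("Bedroom Lights", "lamp-right"),
        ("home gateways", "kitchen-gw"),
    ]);
    (rules, groups)
}
```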
A Few Projects
• Beetle and Bark: connecting the Internet of Things
• Tock: a secure embedded operating system
Challenges
• Modern software development wants to incorporate libraries, drivers, external code
• Want code to execute safely
  ▶ Driver bug can’t crash device
  ▶ Security flaw in external code can’t compromise whole system
• Microcontrollers lack traditional isolation mechanisms
  ▶ No virtual memory
  ▶ No segmentation
• Microcontrollers are memory-constrained
  ▶ 16-64kB, 12-80MHz CPU
  ▶ Can’t have many execution stacks, exhaustion easy
Tock Operating System
• Safe, multi-tasking operating system for memory-constrained devices
• Core kernel written in Rust, a safe systems language
  ▶ Small amount of trusted code (can do unsafe things)
    - Rust bindings for memory-mapped I/O
    - Core scheduler, context switches
• Core kernel can be extended with capsules
  ▶ Safe, written in Rust
  ▶ Run inside kernel
• Processes can be written in any language (asm, C)
  ▶ Leverage Cortex-M memory protection unit (MPU)
  ▶ User-level, traps to kernel with system calls
Tock Architecture
(diagram)
• Kernel (Rust)
  ▶ Core kernel (trusted): HAL, Scheduler, Config
  ▶ Capsules (untrusted): SPI, I2C, GPIO, Console, UART, Timer
• Processes (any language)
  ▶ Per process: text, data, heap, stack, and a grant region
  ▶ The diagram marks RAM, flash, and the process-accessible part of memory
Rust Safety
• Tackles two problems:
  ▶ Thread safety (concurrent access)
  ▶ Memory safety (address contains proper type)
• Rule 1: a memory location can have one read/write pointer or multiple read-only pointers
  ▶ mutable references and references in Rust parlance
• Rule 2: a reference can only point to memory that is assured to outlive the reference
  ▶ prevents dangling pointers
Rust Rule
• A memory location can have one read/write pointer or multiple read-only pointers
  ▶ mutable references and references in Rust parlance

OK (two shared references):
```rust
let mut x = 5;
let y = &x;
let z = &x;
```

No (a mutable reference alongside a shared one):
```rust
let mut x = 5;
let y = &mut x;
let z = &x;
```

No (two mutable references):
```rust
let mut x = 5;
let y = &mut x;
let z = &mut x;
```
Why
```rust
enum NumOrPointer {
    Num(u32),
    Pointer(&'static mut u32),
}

// n.b. illegal example: the borrow checker rejects it, because
// `internal` is borrowed out of `*external`, so `*external` cannot
// be overwritten while `internal` is still live.
let external: &mut NumOrPointer;
match external {
    &mut NumOrPointer::Pointer(ref mut internal) => {
        // This would violate safety and
        // write to memory at 0xdeadbeef
        *external = NumOrPointer::Num(0xdeadbeef);
        *internal = 12345;
    },
    ...
}
```
Problem 1: Events
• Often want to register multiple event callbacks on a single structure
  ▶ E.g., networking stack has packet reception and timers
• Each callback needs a mutable reference
(diagram: a 6lowpan structure with a timer delivering timeout and an RF233 radio delivering recv)
Problem 2: System Calls
• System calls need to dynamically allocate memory
  ▶ Create a timer, kernel needs to keep timer’s state
  ▶ Enqueue a packet to send, kernel needs reference to packet
• Kernel can’t dynamically allocate memory!
  ▶ Otherwise a process can exhaust kernel memory
  ▶ Fragmentation
Events: Insight
• If we can ensure memory outlives reference, then multiple mutable references can be safe
• Rule: if there is a reference to memory block M, there cannot be any references inside M
(diagram: the 6lowpan/timer/RF233 structure with timeout and recv callbacks, shown once as safe and once as unsafe)
System Call Insight
(diagram: the Tock architecture with each process's grant region highlighted)
• Processes given block of memory
• Dynamically allocated when process loaded
• Kernel can allocate memory from process
• But references can’t escape…
Mechanism: MapCells
• Rust-enforced encapsulation: cannot access internal fields
• Code must copy in and out
  ▶ Expensive!
  ▶ Introduce new types that use closures to allow callers to access internal state
• Safe to have multiple references to a container
• Can pass a closure into the cell
(diagram: sam4l::spi::Spi with fields regs, callback, dma_read, dma_write, reading, writing, read_buffer, write_buffer, dma_length; a caller function passes a closure into the grant container)
```rust
self.tx_client.get().map(|c| {
    c.send_done(buf.unwrap(), ReturnCode::SUCCESS);
});
```
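Problem 1 (a timer and an RF233 radio each wanting a mutable reference to the same 6lowpan structure) and the MapCell mechanism above, as an added Rust example that is not Tock's code: a minimal MapCell built on RefCell rather than Tock's UnsafeCell, with the closure-based map and a refusal of re-entrant access. SixLowpan, Rf233 and Timer are this example's stand-ins for the diagram's components.

```rust
use std::cell::RefCell;

/// Minimal MapCell in the spirit of Tock's (added illustration, built on
/// RefCell instead of Tock's UnsafeCell). The contents are reachable only
/// inside a closure handed to `map`, so no reference into the cell can
/// escape, and many holders of `&MapCell<T>` may each mutate it in turn.
pub struct MapCell<T> {
    inner: RefCell<Option<T>>,
}

impl<T> MapCell<T> {
    pub fn new(v: T) -> Self {
        MapCell { inner: RefCell::new(Some(v)) }
    }

    /// Run `f` on the contents in place (no copy in/out). Returns None if
    /// the cell is empty or is already being accessed: a re-entrant map
    /// would create a second `&mut T`, which Rule 1 forbids.
    pub fn map<R>(&self, f: impl FnOnce(&mut T) -> R) -> Option<R> {
        let mut guard = self.inner.try_borrow_mut().ok()?;
        guard.as_mut().map(f)
    }
}

/// Shared networking state from the slide's diagram (constructed for this example).
#[derive(Default, Debug)]
pub struct SixLowpan {
    pub received: u32,
    pub timeouts: u32,
    pub pending: Option<[u8; 4]>,
}

/// Radio driver: holds only a shared `&MapCell`, never a `&mut SixLowpan`.
pub struct Rf233<'a> {
    stack: &'a MapCell<SixLowpan>,
}

impl<'a> Rf233<'a> {
    /// Packet-reception callback.
    pub fn recv(&self, frame: [u8; 4]) -> bool {
        self.stack
            .map(|s| {
                s.received += 1;
                s.pending = Some(frame);
            })
            .is_some()
    }
}

/// Timer: a second callback holder pointing at the same structure.
pub struct Timer<'a> {
    stack: &'a MapCell<SixLowpan>,
}

impl<'a> Timer<'a> {
    /// Timeout callback: drops the pending frame.
    pub fn timeout(&self) -> bool {
        self.stack
            .map(|s| {
                s.timeouts += 1;
                s.pending = None;
            })
            .is_some()
    }
}

/// Two callbacks on one structure: (received, timeouts, nested map allowed?, pending cleared?).
pub fn run_events() -> (u32, u32, bool, bool) {
    let stack = MapCell::new(SixLowpan::default());
    let radio = Rf233 { stack: &stack };
    let timer = Timer { stack: &stack };

    radio.recv([1, 2, 3, 4]);
    radio.recv([5, 6, 7, 8]);
    timer.timeout();

    // A callback that tries to re-enter the cell while inside it is refused
    // (None) instead of being handed an aliasing mutable reference.
    let nested_allowed = stack
        .map(|_| stack.map(|s| s.received).is_some())
        .unwrap_or(true);

    let (received, timeouts) = stack.map(|s| (s.received, s.timeouts)).unwrap();
    let cleared = stack.map(|s| s.pending.is_none()).unwrap();
    (received, timeouts, nested_allowed, cleared)
}
```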
Process Grant Regions
• Kernel can allocate objects from the grant block
• References to objects cannot escape the block
  ▶ Process failure/crash does not lead to dangling pointers
• Users pass a function to the container with enter
(diagram: a caller function passes a closure into the grant container)
```rust
self.apps.enter(appid, |app, _| {
    app.read_buffer = Some(slice);
    app.read_idx = 0;
    0
}).unwrap_or(-1)
```
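Problem 2 and the grant mechanism, as an added Rust example that is not Tock's code: a Grant container whose per-process object is allocated from that process's own block on first enter, is reachable only inside the closure, and disappears when the process is unloaded. Grant, ProcessMemory and App are this example's types, and enter takes a one-argument closure rather than the slide's `|app, _|`.

```rust
use std::cell::RefCell;
use std::collections::HashMap;

pub type AppId = usize;

/// Per-process driver state, like the `app` the slide's closure fills in.
#[derive(Default, Debug)]
pub struct App {
    pub read_buffer: Option<Vec<u8>>,
    pub read_idx: usize,
}

/// Stand-in for one process's memory block. The grant object lives in it,
/// so when the process goes away the object goes with it.
struct ProcessMemory<T> {
    alive: bool,
    grant: Option<T>, // allocated from this block on first enter, not from a kernel heap
}

/// Grant container: one optional T per process (this example's shape, not Tock's).
pub struct Grant<T> {
    procs: RefCell<HashMap<AppId, ProcessMemory<T>>>,
}

impl<T: Default> Grant<T> {
    pub fn new() -> Self {
        Grant { procs: RefCell::new(HashMap::new()) }
    }

    /// Process load: the block exists, but nothing is allocated in it yet.
    pub fn load(&self, id: AppId) {
        self.procs.borrow_mut().insert(id, ProcessMemory { alive: true, grant: None });
    }

    /// Process crash or exit: the block is reclaimed together with the grant object.
    pub fn unload(&self, id: AppId) {
        if let Some(p) = self.procs.borrow_mut().get_mut(&id) {
            p.alive = false;
            p.grant = None;
        }
    }

    /// Run `f` on this process's grant object. The object is reachable only
    /// inside the closure, so no reference to it can escape the block; a
    /// dead or unknown process, or a re-entrant enter, yields Err.
    pub fn enter<R>(&self, id: AppId, f: impl FnOnce(&mut T) -> R) -> Result<R, &'static str> {
        let mut procs = self.procs.try_borrow_mut().map_err(|_| "re-entrant enter")?;
        let p = procs.get_mut(&id).ok_or("no such process")?;
        if !p.alive {
            return Err("process not alive");
        }
        let obj = p.grant.get_or_insert_with(T::default);
        Ok(f(obj))
    }
}

/// The slide's system call body, run against this Grant: 0 on success, -1 otherwise.
pub fn allow_read_buffer(apps: &Grant<App>, appid: AppId, slice: Vec<u8>) -> isize {
    apps.enter(appid, |app| {
        app.read_buffer = Some(slice);
        app.read_idx = 0;
        0
    })
    .unwrap_or(-1)
}

/// Two processes, one crash: (r1, r3, len1, r1_after_crash, len2).
pub fn demo() -> (isize, isize, usize, isize, usize) {
    let apps = Grant::<App>::new();
    apps.load(1);
    apps.load(2);
    let r1 = allow_read_buffer(&apps, 1, vec![1, 2, 3]);
    let r3 = allow_read_buffer(&apps, 3, vec![9]); // never loaded: -1
    let buf_len = |id| apps.enter(id, |a| a.read_buffer.as_ref().map_or(0, |b| b.len())).unwrap();
    let len1 = buf_len(1);
    apps.unload(1); // crash: its block, and the grant object in it, are gone
    let r1_after = allow_read_buffer(&apps, 1, vec![4]); // -1, nothing dangles
    let len2 = buf_len(2); // 0: process 2's state was never touched
    (r1, r3, len1, r1_after, len2)
}
```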
Tock Status
• Support for three platforms
  ▶ imix: multicore development board
  ▶ signpost: extensible community sensing platform
  ▶ squall/nRF51: BLE/Cortex-M0 SoC
  ▶ http://tockos.org
  ▶ https://github.com/helena-project/tock
• Increasing community support
  ▶ launchxl platform
  ▶ EK-TM4C1294X (launchpad)
  ▶ nRF52
• Other platforms: security USB devices, etc.
Why Now?
• Technology has just reached the tipping point
  ▶ BLE, iBeacon
  ▶ Cortex M series
  ▶ Sensors
  ▶ Harvesting circuits
• We've been waiting
  ▶ Leaders in prototyping, cryptographic computation, IoT networking, secure systems, analytics, and hardware design
  ▶ What are the threats? Application attackers?
• But it's still early enough
  ▶ Most big applications haven't been thought of yet
  ▶ Let's not repeat the web (as good as it is for publications)
Securing the Internet of Things
• Secure Internet of Things Project
  ▶ 5 year project (starting now)
  ▶ 12 faculty collaborators
  ▶ 3 universities: Stanford, Berkeley, and Michigan
• Rethink IoT systems, software, and applications from the ground up
  ▶ Beetle communication and Bark policies
  ▶ Tock, a secure embedded operating system
• Make a secure IoT application as easy as a modern web application
Thank you!
Questions