Security Agents for Embedded Intrusion Detection

Knowingly or unknowingly, we interact with hundreds of networked embedded devices in our day-to-day lives, such as mobile devices, household electronics, medical equipment, automobiles, media players, and many more. This increased dependence of our lives on networked embedded devices, nevertheless, has raised serious security concerns. In the past, security of embedded systems was not a major concern, as these systems formed a stand-alone network that contained only trusted devices with little or no communication to the external world. One could execute an attack only with direct physical or local access to the internal embedded network or to the device. Today, however, almost every embedded device is connected to other devices or to the external world (e.g., the Cloud) for advanced monitoring and management capabilities. On one hand, enabling networking capabilities paves the way for the smarter world that we currently live in; on the other hand, the same capability raises severe security concerns in embedded devices. Recent attacks on embedded device product portfolios presented at the Black Hat and Defcon conferences have identified remote exploit vulnerabilities (e.g., an adversary who exploits the remote connectivity of embedded devices to launch attacks such as privacy leakage, malware insertion, and denial of service) as one of the major attack vectors. A handful of research efforts along the lines of traditional security defenses have been proposed to enhance the security posture of these networked devices. These solutions, however, do not entirely solve the problem, and we therefore argue the need for a lightweight intrusion-defense capability within the embedded device.

In particular, we observe that the networking capability of embedded devices can indeed be leveraged to provide an in-home secure proxy server that monitors all the network traffic to and from the devices. The proxy server will act as a gateway performing policy-based operations on all the traffic to and from the interconnected embedded devices inside the household. In order to do so, the proxy server will implement an agent-based computing model where each embedded device is required to run a lightweight checker agent that periodically reports the device status back to the server; the server verifies the operational integrity and signals back to the device to perform its normal functionality. A similar approach is proposed in Ang Cui and Salvatore J. Stolfo’s 2011 paper, “Defending Embedded Systems with Software Symbiotes,” where a piece of software called a Symbiote is injected into the device’s firmware and uses a secure checksum-based approach to detect any malicious intrusions into the device.

In contrast to Symbiote, we exploit lightweight checker agents at the devices that merely forward device status to the server; all the related heavy computations are offloaded to the proxy server, which in turn makes our approach computationally efficient. On the device side, the proposed model incurs only a very small computational overhead in gathering and reporting critical device status messages to the server. Also, the communication overhead can be amortized under most circumstances, as the sensor data from the checker agents can be piggybacked onto the original data messages being transferred between the device and the server. Our model, like the one described in the aforementioned Cui and Stolfo paper, can be easily integrated with legacy embedded devices, as the only modification required to the legacy devices is a “firmware upgrade that includes checker agents.”

To complete the picture, we propose an additional layer of security for modern embedded devices by designing an AuditBox, as in the article “Pillarbox” by K. Bowers, C. Hart, A. Juels, and N. Triandopoulos. It keeps an obfuscated log of malicious events taking place at the device, which is reported back to the server at predefined time intervals. This enables our server to act accordingly, either by revoking the device from the network or by restoring it to a safe state. AuditBox will enforce two properties: integrity, meaning the server can verify whether the logs at the device have been tampered with by an adversary who is in control of the device, and covertness, meaning an attacker with access to the device cannot tell whether the log reports detection of malicious behavior. To realize these requirements, AuditBox will exploit the concept of forward-secure key generation.
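The following is an added illustration of the two AuditBox requirements above; it is not code from the essay or from the Pillarbox paper. It uses a hash-chain key ratchet as the forward-secure key generation, and the key, the fixed record size, and the event strings are constructed for the demo.

```python
import hashlib
import hmac
from typing import List, Tuple

ENTRY_LEN = 32               # every record is padded to this size so records look alike
DEMO_KEY = bytes(range(32))  # constructed demo secret; the server would provision a real one

def ratchet(key: bytes) -> bytes:
    """One-way key evolution: the current key reveals nothing about earlier keys."""
    return hashlib.sha256(b"auditbox-ratchet|" + key).digest()

def _mask(key: bytes) -> bytes:
    """Per-epoch keystream that hides record contents from whoever reads the device log."""
    return hashlib.sha256(b"auditbox-mask|" + key).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class AuditBox:
    """Device side. Only the current epoch key is kept, so an intruder who later controls
    the device can neither forge nor alter earlier records (integrity) and cannot tell a
    detection record from a routine heartbeat, all records being masked and of equal
    length (covertness)."""

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key
        self.records: List[Tuple[bytes, bytes]] = []  # (masked record, MAC tag)

    def append(self, event: str) -> None:
        data = event.encode()[:ENTRY_LEN].ljust(ENTRY_LEN, b"\x00")  # fixed-size record
        blob = _xor(data, _mask(self._key))
        tag = hmac.new(self._key, blob, hashlib.sha256).digest()
        self.records.append((blob, tag))
        self._key = ratchet(self._key)  # forward security: the old key is overwritten

def verify_log(initial_key: bytes, records: List[Tuple[bytes, bytes]]) -> Tuple[bool, List[str]]:
    """Server side. Replays the ratchet from the provisioning key and checks records in
    order; modification, reordering or substitution fails at the first bad tag. Returns
    (ok, decoded events up to the failure). Dropping records from the tail is not caught
    here; the server detects that only by expecting a record per reporting interval."""
    key, events = initial_key, []
    for blob, tag in records:
        expected = hmac.new(key, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, events
        events.append(_xor(blob, _mask(key)).rstrip(b"\x00").decode())
        key = ratchet(key)
    return True, events
```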

Embedded systems security is of crucial importance and the need of the hour. Along with the advancement in embedded systems technology, we need to put an equal emphasis on its security in order for our world to be truly a smarter place.

RESOURCES
K. Bowers, C. Hart, A. Juels, & N. Triandopoulos, “Pillarbox: Combating Next-Generation Malware with Fast Forward-Secure Logging,” in Research in Attacks, Intrusions and Defenses, ser. Lecture Notes in Computer Science, A. Stavrou, H. Bos, and G. Portokalidis (Eds.), Springer, 2014, http://dx.doi.org/10.1007/978-3-319-11379-1_3.

A. Cui & S. J. Stolfo, “Defending embedded systems with software symbiotes,” in Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (RAID’11), R. Sommer, D. Balzarotti, and G. Maier (Eds.), Springer-Verlag, 2011, http://dx.doi.org/10.1007/978-3-642-23644-0_19.

Dr. Devu Manikantan Shila is the Principal Investigator for the Cyber Security area within the Embedded Systems and Networks Group at the United Technologies Research Center (UTRC).

Marten van Dijk is an Associate Professor of Electrical and Computer Engineering at the University of Connecticut, with over 10 years of research experience in system security in both academia and industry.

Syed Kamran Haider is pursuing a PhD in Computer Engineering supervised by Marten van Dijk at the University of Connecticut.

This essay appears in Circuit Cellar 297 (April 2015).

DEFCON for Kids—Giving Kids the r00tz to Learn

This summer may be coming to an end, but it’s never too early to start thinking about next year. If you have children between the ages of 8 and 18, you may be planning another year of summer camp. And, if you’re an engineer whose children are interested in electronics, figuring out how things work, and learning how to break things, r00tz Asylum may be the perfect fit.

r00tz Asylum (formerly known as DEFCON Kids) is a part of the widely attended DEFCON hacker convention, which takes place annually in Las Vegas, NV. Parents who attend DEFCON can bring their children to r00tz Asylum sessions where they can learn about white-hat hacking.

Electrical engineer Joe Grand is a former member of the well-known hacker collective L0pht Heavy Industries and now runs product development firm Grand Idea Studio. Grand instructs hardware hacking classes for computer security researchers and has taken a subset of that work to share with r00tz Asylum kids.

“I enjoy teaching kids because of the direct connection you have with them,” Grand said. “When you talk to them normally and explain things in simple ways, they get it!” he added. “It’s fun to see their eyes light up.”

But is teaching kids hacking a good thing? “Naysayers don’t understand the hacking mindset, which is about free thinking, circumventing limitations, and creating elegant solutions to tricky problems,” Grand said. “Teaching kids to hack gives them super powers—with guidance.”

r00tz Asylum agrees. According to its website, “Hacking gives you super-human powers. You can travel time and space. It is your responsibility to use these powers for good and only good.”

Teaching kids about white-hat hacking helps them learn to solve problems, be aware of the law, and understand the consequences for breaking it. And that’s where instruction in a positive and supportive environment comes in.

“Technology isn’t going away. We’re only going to become more immersed in it,” Grand said. “Kids need to be exposed to new things. It’s important to give them an environment where it’s okay to break things, that it’s okay if things fail.” But he stressed that, “Kids need boundaries. It’s our responsibility to teach them right from wrong.”

In addition to various classes, r00tz Asylum attendees have access to a hangout space of sorts with a soldering station and other resources. Last year the space featured a MakerBot 3-D printer; this year an Eggbot open-source art robot was available.

I asked Grand if either of his children would be attending r00tz Asylum in the future. He said he recently watched DEFCON: The Documentary with his four-year-old. When they watched the part about DEFCON Kids, his son’s reaction was: “I want to go!”

For more information about r00tz Asylum, visit www.r00tz.org.

Free Raspberry Pi Poster

The Raspberry Pi is a computer with no casing, no keyboard, no hard disk and no screen. Despite all that, it’s taking the world by storm!

Get your free Raspberry Pi poster now, courtesy of Elektor, RS Components, and CC! Go ahead: download, print, and then enjoy!

RASPBERRY PI ESSENTIALS

Model A has 256-MB RAM, one USB port, and no Ethernet port (network connection). Model B has 512-MB RAM, two USB ports, and an Ethernet port.

The Raspberry Pi Model B, revision 2 board:

  • Status LED labels: the top LED is labelled “ACT” and the bottom LED is labelled “100”.
  • Header P2 is not populated.
  • The text underneath the Raspberry Pi logo reads: “(C) 2011,12”.
  • The area next to the micro-USB port has CE and FCC logos and the text “Made in China or UK” along the board edge.
  • There are two 2.9-mm holes in the PCB, which can be used as mounting holes.
  • P5 is a new GPIO header with four additional GPIO pins and four power pins. Also note that some pin and I2C port numbers of connector P1 have been changed between revisions!
  • Header P6 (to the left of the HDMI port) was added; short these two pins to reset the computer, or to wake it up after it has been powered down with the “sudo halt” command.

The Raspberry Pi measures 85.60 mm × 56 mm × 21 mm, with a little overlap for the SD card and connectors, which project over the edges. It weighs 45 g.

The SoC is a Broadcom BCM2835. This contains an ARM1176JZF-S core with floating point, running at 700 MHz, and a VideoCore IV GPU. The GPU is capable of Blu-ray quality playback, using H.264 at 40 Mbps. It has a fast 3D core which can be accessed using the supplied OpenGL ES 2.0 and OpenVG libraries.

The Raspberry Pi is capable of using hardware acceleration for MPEG-2 and VC-1 playback, but you’ll need to buy license keys at the Raspberry Pi Store to unlock this functionality.

Which programming languages can you use? Python, C/C++, Perl, Java, PHP/MySQL, Scratch, and many more that can run under Linux.

TROUBLESHOOTING TIPS

If you’re getting a flashing red PWR LED or random restarts during the boot process, it’s likely that your PSU or USB cable has problems. The Raspberry Pi is pretty picky and requires a solid 5-V/1000-mA power supply. For other issues and more troubleshooting tips, check out the extensive overview at the eLinux website.

Circuitcellar.com is an Elektor International Media website.