12/6/2016
Embedded Security: Where Are We At?
Embedded Programming 1970s - 2016
Typical tools:
● Programming: C/C++
● Building: GNU Make/GCC
● Debugging: GDB
From Embedded Systems to Cyber Physical Systems
src: Kathleen Fisher, http://www.cyber.umd.edu/sites/default/files/documents/symposium/fisher-HACMS-MD.pdf
Hacking Cars
New York Times
With deference to Butler Lampson, "Hints for Computer System Design", Proceedings of the ninth ACM symposium on Operating systems principles, 1983
Five Hints
1. Use Turing-incomplete languages
2. Simple interfaces are secure interfaces
3. Program the glue code and architecture
4. System verification is a probabilistic game
5. High-assurance systems require a high-assurance culture
Constrain the Programming Languages
Example Attacks
Table from Comprehensive Experimental Analyses of Automotive Attack Surfaces, Stephen Checkoway et al.
The Problem(s) With C
● Memory unsafe
● Undefined behavior!
  ● Dereferencing, arithmetic, casting, etc.
● Implementation-defined behavior!
  ● Type sizes, bit-fields, type-punning, etc.
Even Defined C is Problematic
Distilled autopilot porting bug discovered by Galois:

```c
#include <stdint.h>
#include <stdio.h>

int main(void) {
    uint8_t a = 10;
    uint8_t b = 250;
    /* Both uint8_t operands are promoted to int before the subtraction. */
    printf("Answer: %i, %i\n", a - b > 0, (uint8_t)(a - b) > 0);
    return 0;
}
```

Output: `Answer: 0, 1`. The subtraction is not done in eight bits: C's integer promotions convert both `uint8_t` operands to `int` (which must be at least 16 bits wide, so sizeof(int) ≥ sizeof(int16_t) and every `uint8_t` value fits), so `a - b` is the signed value -240 and is not greater than 0. Casting that result back to `uint8_t` wraps it to 16, which is. None of this is undefined; it is simply surprising, and code that was correct with wider unsigned operands changes meaning when ported to narrower types.
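The following is an added example, not code from the slides or from Galois, that generalizes the bug above. It puts the same comparison next to the `unsigned int` version it was presumably ported from (where the subtraction wraps modulo 2^32 and the test is true), exposes the promoted intermediate value, and shows the comparison a wrapping 8-bit counter actually needs. The function names and the sequence-number interpretation are this example's own assumptions, not anything the slide states.

```c
#include <stdint.h>
#include <stdio.h>

/* The same expression over three operand types. */
int diff_positive_u8(uint8_t a, uint8_t b) {
    return (a - b) > 0;            /* operands promoted to int: 10 - 250 = -240 */
}
int diff_positive_u8_cast(uint8_t a, uint8_t b) {
    return (uint8_t)(a - b) > 0;   /* -240 wrapped back to 8 bits: 16 */
}
int diff_positive_uint(unsigned a, unsigned b) {
    return (a - b) > 0;            /* unsigned arithmetic wraps: 4294967056 */
}

/* The promoted intermediate value, made visible as an int. */
int diff_value_u8(uint8_t a, uint8_t b) {
    return a - b;
}

/* Assumed intent of such code: decide whether 8-bit wrapping counter a is
 * newer than counter b. Uses the modular distance explicitly and treats
 * distances below half the ring (128) as "ahead". */
int seq8_is_newer(uint8_t a, uint8_t b) {
    uint8_t d = (uint8_t)(a - b);  /* distance modulo 256, in 0..255 */
    return d != 0 && d < 128;
}

int main(void) {
    printf("uint8_t  a-b > 0          : %d\n", diff_positive_u8(10, 250));
    printf("uint8_t  (uint8_t)(a-b)>0 : %d\n", diff_positive_u8_cast(10, 250));
    printf("unsigned a-b > 0          : %d\n", diff_positive_uint(10, 250));
    printf("promoted value of a-b     : %d\n", diff_value_u8(10, 250));
    printf("seq8_is_newer(10, 250)    : %d\n", seq8_is_newer(10, 250));
    printf("seq8_is_newer(250, 10)    : %d\n", seq8_is_newer(250, 10));
    return 0;
}
```

Compile with `-Wall -Wextra -Wconversion`; the `uint8_t` cases are the ones the warnings do not catch, which is why a porting review has to look at every narrow-type subtraction by hand.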
Rice's Theorem
● Rice's Theorem: every non-trivial semantic property of programs in a Turing-complete language is undecidable
  ● Including termination, memory usage, control flow, etc.
● Could develop static analysis tools with false negatives and/or false positives, or...
● Use Turing-incomplete languages!
  ● But keep Turing-completeness at compile time!
Ivory
● Embedded domain-specific language (eDSL) in Haskell for low-level programming
● Guarantees memory safety and type safety
● Haskell meta-programming
  ● E.g., Haskell automatic differentiation for an inertial navigation system
  ● 25k lines of Ivory generate a 100k-line C autopilot
Use Turing-incomplete languages with simple, unsurprising semantics.
“The rules!” shouted Ralph, “You're breaking the rules!”
Secure the Interfaces
ASN.1
● Used in email, LDAP, VoIP, Kerberos, SNMP, X.509 certs…
● And vehicle-to-vehicle (V2V) communications
  ● Better safety, reliability, … but security?
src: safecar.gov
ASN.1 is a Popular Source of CVEs!
Secure Interfaces
ASN.1 Problems
● Complex language (information objects)
● 8 encoding rules, with special cases
● Requires context-sensitive parsing
Interface Hints
We know how to spot correct interfaces!
● Round trip: encoding a message and then decoding it returns the original message: dec(enc(msg)) = msg
● Rejection: bad messages won't be decoded: dec(x) = ERROR, or dec(x) = msg and enc(msg) = x
● And that's all: no undefined behavior
Simple interfaces are secure interfaces.
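As an added example (not from the slides, and not the code of any ASN.1 library), the two interface properties above applied to the smallest piece of ASN.1 there is: the DER length octets. DER is the encoding rule set that mandates one canonical form, so a strict decoder can reject everything else: indefinite length (BER only), the reserved 0xff first octet, truncated input, lengths too large for the host, and both non-minimal long forms (a leading zero octet, or a long form for a value that fits the short form). `der_len_roundtrip_ok` checks dec(enc(len)) = len; `der_len_accepted_canonically` checks that anything the decoder accepts re-encodes to exactly the input bytes. Function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encode a DER length. Returns bytes written, or 0 if buf is too small.
 * Short form for len < 128; otherwise 0x80|n followed by n big-endian
 * octets with n minimal (DER forbids leading zero octets). */
size_t der_len_encode(size_t len, uint8_t *buf, size_t cap) {
    if (len < 0x80) {
        if (cap < 1) return 0;
        buf[0] = (uint8_t)len;
        return 1;
    }
    uint8_t tmp[sizeof(size_t)];
    size_t n = 0;
    while (len != 0) { tmp[n++] = (uint8_t)(len & 0xff); len >>= 8; }
    if (cap < 1 + n) return 0;
    buf[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++) buf[1 + i] = tmp[n - 1 - i];
    return 1 + n;
}

/* Decode a DER length. Returns bytes consumed, or 0 on rejection.
 * Anything other than the one canonical encoding is rejected. */
size_t der_len_decode(const uint8_t *buf, size_t avail, size_t *out) {
    if (avail < 1) return 0;
    uint8_t b0 = buf[0];
    if (b0 < 0x80) { *out = b0; return 1; }
    if (b0 == 0x80) return 0;              /* indefinite length: BER only, never DER */
    if (b0 == 0xff) return 0;              /* reserved first octet */
    size_t n = b0 & 0x7f;
    if (n > sizeof(size_t)) return 0;      /* cannot be represented on this host */
    if (avail < 1 + n) return 0;           /* truncated input */
    if (buf[1] == 0) return 0;             /* non-minimal: leading zero octet */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
    if (v < 0x80) return 0;                /* non-minimal: short form was required */
    *out = v;
    return 1 + n;
}

/* Round trip: dec(enc(len)) == len. */
int der_len_roundtrip_ok(size_t len) {
    uint8_t buf[1 + sizeof(size_t)];
    size_t w = der_len_encode(len, buf, sizeof buf);
    size_t got = 0;
    size_t r = der_len_decode(buf, w, &got);
    return w != 0 && r == w && got == len;
}

/* Rejection: dec(x) == ERROR, or dec(x) == len with enc(len) == x.
 * Returns 1 only when x is accepted and is byte-for-byte canonical. */
int der_len_accepted_canonically(const uint8_t *x, size_t xlen) {
    size_t len = 0;
    size_t r = der_len_decode(x, xlen, &len);
    if (r == 0) return 0;                  /* rejected, which is also acceptable */
    uint8_t re[1 + sizeof(size_t)];
    size_t w = der_len_encode(len, re, sizeof re);
    return w == r && w == xlen && memcmp(re, x, w) == 0;
}
```

The checks in `der_len_decode` are exactly the list of BER freedoms DER removes; a decoder that silently accepts `81 05` for length 5 or `82 00 80` for length 128 has two encodings for one message, and that ambiguity is where the signature-bypass and parser-differential bugs in ASN.1 stacks come from.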
The world, that understandable and lawful world, was slipping away.
Five Hints
1. Use Turing-incomplete languages
2. Simple interfaces are secure interfaces
3. Program the glue code and architecture
4. System verification is a probabilistic game
5. High-assurance systems require a high-assurance culture
Thanks!