Information Security of Embedded Systems
2.12.2009: Foundations of Security II
Prof. Dr. Holger Schlingloff, Institut für Informatik und Fraunhofer FIRST


Embedded Security © Prof. Dr. H. Schlingloff

Structure
1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods

Security – Basic Terms
- System, computational system
  - ownership of information
- RAMS
- Safety vs. security
- Threats, attacks, security holes
  - Modelling system, stakeholders, boundaries, intentions
- Example: Internet Thermostat

More Basic Terms
- Access (Zugriff)
  - interaction between a subject (with intentions) and an object (a computational system)
  - If the access modifies the object, it is a write access, otherwise a read access
  - in embedded systems: read access to sensor values, write access to actuator values, read/write access to internal data
  - An access is authorized if the owner of the information approves of it at the time it occurs (the access is in the intent of the owner)
- Security (Informationssicherheit)
  - ability of a system to inhibit or restrict unauthorized access to the system (no threats from outside subjects to the system’s information)
  - confidentiality (Vertraulichkeit): no unauthorized read access
  - integrity (Integrität): no unauthorized write access

Communication Threats
- e.g., TCP/IP protocol stack
- Example packet

Homework: Monitor your connections!
- e.g., Microsoft Network Monitor


Link layer attacks
- Security hole via physical access to a wired network (hardware monitoring devices)
- e.g. ARP masquerading: rerouting of information
  - send unrequested ARP reply which associates own HW-id with IP address of victim
  - server “updates” cache information
- WLAN, Bluetooth, ZigBee security?
  - embedded devices communicate wirelessly
  - security measures in increasing sophistication
  - cf. ch. 5.2
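
Seen from the monitoring side, ARP masquerading leaves two observable traces: a reply nobody requested, and a cache "update" that rebinds a known IP address to a different hardware address. The detector below is an added example, not part of the lecture; the `ArpFrame` record, the 2-second request window and the sample frames are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpFrame:
    t: float          # capture time in seconds
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

REQUEST_WINDOW = 2.0  # assumption: a reply counts as requested for 2 s after the request

def detect_arp_masquerading(frames):
    """Return (time, reason, ip, mac) alerts for suspicious ARP frames."""
    bindings = {}   # IP -> first hardware address seen for it
    pending = {}    # IP somebody asked for -> time of that request
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.t):
        if f.op == "request":
            pending[f.target_ip] = f.t
        elif f.op == "reply":
            # A matching request is consumed by the first reply to it.
            asked = pending.pop(f.sender_ip, None)
            if asked is None or f.t - asked > REQUEST_WINDOW:
                alerts.append((f.t, "unrequested-reply", f.sender_ip, f.sender_mac))
        # Both requests and replies announce a sender IP/MAC pair.
        known = bindings.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            alerts.append((f.t, "binding-changed", f.sender_ip, f.sender_mac))
    return alerts

# Constructed sample traffic (documentation addresses, locally administered MACs).
SAMPLE = [
    ArpFrame(0.0, "request", "192.0.2.5", "02:00:00:00:00:05", "192.0.2.1"),
    ArpFrame(0.1, "reply", "192.0.2.1", "02:00:00:00:00:01", "192.0.2.5"),
    ArpFrame(30.0, "reply", "192.0.2.1", "02:00:00:00:00:99", "192.0.2.5"),
    ArpFrame(31.0, "request", "192.0.2.7", "02:00:00:00:00:07", "192.0.2.5"),
    ArpFrame(31.05, "reply", "192.0.2.5", "02:00:00:00:00:05", "192.0.2.7"),
]

if __name__ == "__main__":
    for alert in detect_arp_masquerading(SAMPLE):
        print(alert)
```

A legitimate gratuitous ARP (for example after an address failover) raises the same alerts, so they mark frames for review rather than prove an attack.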

Network layer attacks (1)
- Address spoofing: attacker pretends to be somebody else (via manipulated IP headers)
  - Flooding attacks
    - direct: SYN flooding
    - indirect: Smurf


Network layer attacks (2)
- Eavesdropping of IP packets (tcpdump)
  - IP provides unencrypted communication (no confidentiality, integrity, authenticity, ...)
  - routing nondeterministic
    - strict source routing attack
    - RIP (Routing Information Protocol) and redirect attack

Transport layer attacks (1)
- Access via faked packets
  - TCP: sequence numbering / acknowledgement
  - upon receipt of a connection request, the server generates a new sequence number, sends it back, and waits for an acknowledgement
  - “guessing” of ack numbers allows write access
- blocking of receipt at victim’s site

Transport layer attacks (2)
- “session hijacking”
  - eavesdrop communication
  - kill client
  - use false packets to continue communication, e.g., install backdoor on server


Application Layer Threats (1)
- Web applications, viruses, worms, trojans, …
  - responsible for 90% of present-day security problems
  - mobile code, e.g. ActiveX, VB Scripts
  - MIME threats: attachments, links, …
  - no security guaranteed (esp. authenticity)
- ftp, telnet, rlogin, rsh
  - password encryption?
  - anonymous FTP: write access?
- NFS: false mounting of exported files
  - NFS masquerading: UID on untrusted hosts can be arbitrarily manipulated
  - faking of NFS file handles (replay attack)
  - similar problems with NetBIOS
  - (workgroup or password-level access)

Application Layer Threats (2)
- NIS
  - supplies password information to outside
  - password shadowing
- HTTP cookies: write access
  - “permission assumed”
  - personal data, e.g., passwords, user profiles
  - disallow by default!
- CGI scripts
  - execution of arbitrary commands on server
  - errors in scripts can open security holes
  - minimal rights principle!
- DNS poisoning: attacker fudges IP number / name assignment
  - system access via .rhosts and rlogin

General Construction Principles
- Fail-safe defaults principle
  - access denied if not explicitly allowed
- Complete mediation principle
  - each access has to be supervised
- Need-to-know principle
  - each subject has exactly the rights needed for its tasks
- Open design principle
  - security does not depend on design knowledge
  - “no security by obscurity”
- Economy of mechanisms principle
  - measures must be efficient and easy to use
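
The first three principles can be made concrete with a small reference monitor for the Internet thermostat example, using the read/write access definitions given earlier. This is an added example, not code from the lecture; the subjects, objects and grants are hypothetical.

```python
from enum import Enum

class Mode(Enum):
    READ = "read"    # access that leaves the object unchanged
    WRITE = "write"  # access that modifies the object

class AccessDenied(Exception):
    pass

class ReferenceMonitor:
    """Guards all objects; the only way to reach them is read() or write()."""

    def __init__(self, grants, objects):
        self._grants = frozenset(grants)  # (subject, object, Mode) triples the owner allows
        self._objects = dict(objects)     # private state, never handed out directly
        self.audit = []                   # one (subject, object, Mode, allowed) entry per access

    def _mediate(self, subject, obj, mode):
        # Fail-safe default: anything not explicitly granted is denied,
        # including unknown subjects and unknown objects.
        allowed = (subject, obj, mode) in self._grants and obj in self._objects
        self.audit.append((subject, obj, mode, allowed))
        if not allowed:
            raise AccessDenied(f"{subject} may not {mode.value} {obj}")

    def read(self, subject, obj):
        self._mediate(subject, obj, Mode.READ)   # complete mediation: checked on every call
        return self._objects[obj]

    def write(self, subject, obj, value):
        self._mediate(subject, obj, Mode.WRITE)
        self._objects[obj] = value

    def unused_grants(self):
        # Need-to-know review: grants never exercised are candidates for removal.
        used = {(s, o, m) for s, o, m, ok in self.audit if ok}
        return self._grants - used

def build_thermostat():
    # Constructed policy: sensor is read-only, actuator is written by the control loop only.
    grants = {
        ("control_loop", "temperature_sensor", Mode.READ),
        ("control_loop", "setpoint", Mode.READ),
        ("control_loop", "heater_actuator", Mode.WRITE),
        ("web_ui", "temperature_sensor", Mode.READ),
        ("web_ui", "setpoint", Mode.WRITE),
    }
    objects = {"temperature_sensor": 19.5, "setpoint": 21.0, "heater_actuator": False}
    return ReferenceMonitor(grants, objects)
```

Denied attempts are logged as well as granted ones, so the audit trail shows both what was tried and which grants were never needed.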

System Construction Phases (1)
“Design for security”: respect security issues in each phase, enrich life cycle by special (sub-)phases
1. System requirements analysis
   - system environment, functionality, use scenarios
   - necessary components, available resources
2. Threat and risk analysis
   - list vulnerabilities and possible attacks
   - estimate potential damage and occurrence probability
3. Security strategy and security model
   - derive and classify necessary security mechanisms
     - effort, cost, importance, ...
   - build a model of the system and prove properties

System Construction Phases (2)
4. System architecture (coarse-grained design)
   - realisation of the model
   - interface definitions, services and protocols, module decomposition
5. Module definition (fine-grained design)
   - algorithms, data and control structures, ...
   - adaptation or extension of existing architectures and modules
6. Module and system implementation
   - coding and integration of components

System Construction Phases (3)
7. Validation, testing and evaluation
   - code inspection, module testing, integration testing
     - (e.g., find logical time bombs, security holes, hidden channels)
   - testing of security measures
   - validation of implementation of security model
8. Security classification
   - according to different criteria catalogues (TCSEC, ITSEC, ...)
   - certification authorities, e.g., TÜV, BSI
9. Installation, maintenance
   - establishment of security infrastructure
   - assert that security policy is being followed, fixing of known security holes etc.

Construction of Secure Systems
- Security engineering: “The effort to achieve and maintain optimal security and survivability of a system throughout its life cycle” [InfoSec 1999]
  - Integration with the SW-engineering process
  - New phases: threat and risk analysis, security strategy; security classification, infrastructure
- Lit.:
  - Ross Anderson, Security Engineering; Addison-Wesley, 2001 (Case Studies)
  - Nancy G. Leveson, Safeware; Addison-Wesley, 1995 (Safety)
  - Ed Amoroso, Fundamentals of Computer Security Technology