Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Controls in Smart Cars: Needs and Solutions

Published by서 조 Modified over 5 years ago

Similar presentations

Presentation on theme: "Access Controls in Smart Cars: Needs and Solutions"— Presentation transcript:

1 Access Controls in Smart Cars: Needs and Solutions
Maanak Gupta Postdoctoral Research Fellow Institute for Cyber Security University of Texas at San Antonio Guest Lecture CS 6393/4593 April 05, 2019

2 Smart Cars Ecosystem Safety and Assistance
High Mobility, Location Centric Time Sensitive, Dynamic Pairing Multiple Fog/Cloud Infrastructures Information and Entertainment

3 No More Isolated.! 100 million lines of code
Software Reliance , Broad Attack Surface, Untrusted Entities

4 (Read/write/execute/control)
The Perfect World.! operates on (Read/write/execute/control) USER OBJECT Confidentiality Integrity Availability I TRUST my users. Everything is Secure. !! Thank YOU.!!

5 Access Control Mechanisms
Access Request Access Control Enforcer GRANT DENY USER OBJECT manages ADMIN A user [U] is allowed to perform an operation [OP] on an object [OB] if security policy [P] is satisfied.

6 Access Control Mechanisms
PROTECTION Access Request Access Control Enforcer GRANT DENY USER OBJECT manages Post Authentication Complements other mechanisms ADMIN A user [U] is allowed to perform an operation [OP] on an object [OB] if security policy [P] is satisfied.

7 Attribute Based Access Control
Three Dominant Models: DAC, MAC and RBAC. ABAC: Decision based on the attributes of entities Attributes are name value pair: age (Alice)  29 Core entities in ABAC include: Users Objects Attributes Environment or Context Operations Authorization Policies: determine rights just in time retrieve attributes of relevant entities in request Enhance flexibility and fine grained access control NIST Guidelines to ABAC User:---age, gender, department, desingatin, role Object: created by, last modified, Only nurse in the pediatric department is allowed to read the files of children which visit the clinic. Only owner iot.

8 Access Control Needs in Smart Cars
On-Board Data, Applications and Sensors Third Party devices V2X fake messages User Privacy Preferences Over the Air updates Loss of Information in Cloud Location and time sensitivity of the services. In-vehicle communication

9 Scope of Contribution Scope Contribution
Access Control Oriented Architecture for Smart Cars. Propose formalized ABAC model for cloud assisted applications. Dynamic groups and user preferences. Implementation of the model in AWS. Scope Single Central Cloud No direct access and physical tampering Communication Channel is encrypted. Data in Cloud is secure In-vehicle security not considered

10 Extended Access Control Oriented Architecture
E-ACO architecture Vehicular IoT components in architecture

11 Authorization Framework
An Authorization Framework: Helps understand access control needs. Helps understand models suitability for each.

12 Authorization Framework
AWS-IoTAC Model Policy Based Limited Attributes AWS-IoT-ACMVO Model For Virtual Objects ACLs, RBAC, ABAC

13 Authorization Framework
AWS-IoTAC Model Policy Based Limited Attributes AWS-IoT-ACMVO Model For Virtual Objects ACLs, RBAC, ABAC Our Solution Pure ABAC User Privacy Cloud Supported

14 Location Groups Categorizing wide locations into smaller groups.
Vehicles dynamically become member based on current GPS, vehicle-type or individual user preferences. Ensure relevance of alerts and notifications

15 Attributes and Alerts Speed Limit: 50 mph Deer Threat: ON Ice on Road: NO Speed Limit: 30 mph Flood Warning: ON Road Work: ON Speed Limit: 20 mph School Zone: ON Amber Alert: ABC123 Vehicle moves and are assigned to different groups and inherits their attributes/alerts.

16 Using Location Groups Administrative Questions:
How the attributes or alerts of groups are updated? How are moving entities assigned to groups? How groups hierarchy is created? Operational Questions: How attributes and groups are used to provide security? How user privacy preferences are considered? How to realize dynamic location groups and how it works? Speed Limit: 50 mph Deer Threat: ON Ice on Road: NO Speed Limit: 30 mph Flood Warning: ON Road Work: ON Reported MQTT message

17 CV-ABACG Model

18 Model Components user, sensor, car, mechanic, restaurant { location, size, IP, direction, speed, VIN, cuisine-type}

19 Model Components { read, write, control, notify, administrative actions }

20 Model Components Sensor, ECU, Cars, traffic lights, smart-devices
on-board apps Location groups, service-specific, vehicle-type

21 Model Components Operational and Administrative Activities
{notification, alerts, group hierarchy updates} System Wide Policies Individualized Privacy Policies

22 Formal Specification Attribute Function Attribute Type Group Hierarchy
Attribute Mapping

23 Formal Specification Attributes more Dynamic Attributes Inheritance

24 Policy Language Administrators in the police department can send alert to location-groups in city limits. Authalert(u:U, g:G) :: dept (u) Police ʌ parent-city(g) = Austin ʌ Austin ∈jursidiction u . Only mechanic in the technician department from Toyota-X dealership must be able to read sensor in Camry LE. Further, this operation must be done between time 9 am to 6 pm. Authread(u:U, co:CO) :: role (u) Technician ʌ employer(u) = Toyota-X ʌ make (co) = Toyota ʌ model(co) = Camry LE ʌ operation_time(u) ∈ {9am,10,11…6pm}

25 Activity Authorization Decision
Evaluate all relevant policies to make a decision A restaurant in group A must be allowed to send notifications to all vehicles in location group A and group B. System defined DECISION I only want notifications from Cheesecake factory. User Preference

26 Implementation in Amazon Web Services (AWS)

27 Vehicles and Groups 4 Location Groups (static demarcation)
Vehicles movement (coordinates generated using Google API) Snapshot (table keeps changing)

28 Administrative Policy
Implemented Policies Administrative Policy Road side motion sensor with [id = 1] and current GPS in group [Location- A] can only [modify] attribute [Deer Threat] to value [ON, OFF] for group [Location-A]. Operational Policy Restaurant Notification Use Case System Defined Policy A restaurant located within group [Location-A] can only [send notifications] to members of groups [Location-A, Location-B]. User Preferences Send notifications only between [7 pm to 9 pm] only on [Wednesdays].

29 Policy Enforcer Execution Time
Performance Metrics CARS NOTIFIED nth Request With ABAC Policy Without Policy 41st 20 50 42nd 30 43rd 44th 45th 46th Number of Requests Policy Enforcer Execution Time (in ms) 10 0.0501 20 0.1011 30 0.1264 40 0.1630 50 0.1999 Policy Enforcement Time Relevance of Alerts and Notifications

30 Performance Metrics Comparing Policy vs No Policy Execution Time

31 Lets Talk ..!! Questions, Comments or Concerns gmaanakg@yahoo.com

Download ppt "Access Controls in Smart Cars: Needs and Solutions"

Similar presentations

Institute for Cyber Security

Institute for Cyber Security
Institute for Cyber Security

Institute for Cyber Security
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.

Title of Selected Paper: Design and Implementation of Secure Embedded Systems Based on Trustzone Authors: Yan-ling Xu, Wei Pan, Xin-guo Zhang Presented.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Keep Your Information Safe! Josh Heller Sr. Product Manager Microsoft Corporation SIA206.

Keep Your Information Safe! Josh Heller Sr. Product Manager Microsoft Corporation SIA206.
CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics CHARLES UNIVERSITY IN PRAGUE faculty of mathematics.

CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics CHARLES UNIVERSITY IN PRAGUE faculty of mathematics.
© Synergetics 2007. 3Portfolio Security Aspecten.

© Synergetics Portfolio Security Aspecten.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011

1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.

Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.
Preserving User Privacy from Third-party Applications in Online Social Networks Yuan Cheng, Jaehong Park and Ravi Sandhu Institute for Cyber Security University.

Preserving User Privacy from Third-party Applications in Online Social Networks Yuan Cheng, Jaehong Park and Ravi Sandhu Institute for Cyber Security University.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
Privilege Management Chapter 22.

Privilege Management Chapter 22.
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date: 2014-01-27.

M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
IS3220 Information Technology Infrastructure Security

IS3220 Information Technology Infrastructure Security

Similar presentations

Ads by Google