Security Filters for IoT Domain Isolation
Modern IoT security architectures generally use partitions to define security domains and try to impose strict access policies on the message flows that must cross from one domain to another. The correct implementation of such filtering points is essential to the security of the whole system: when the architecture is well designed, the only path available to hackers for remote attacks is to go through (or send triggering inputs through) these controlled channels. Gateways in new automotive architectures are examples of such filtering points. They are typically used to define various security domains, such as the powertrain domain, the infotainment domain, etc. The filtering of data on such gateways is typically implemented using a firewall architecture.

We will explain in the final paper and presentation why the security threats differ from those of general IT systems, both in terms of the resistance needed and in terms of the security policies such filters must implement, and why such architectures are not satisfactory. We will show that high-level security policies need to be expressed and enforced by the gateways, and that it is not easy (at the very best error prone, and in some cases impossible with the right level of precision) to express such policies on the low-level objects (such as IP packets) that firewalls normally use. First, the administrator configuring such firewalls or the security architect defining the gateway has to use low-level concepts such as ports, whereas what they want to implement is a high-level security policy that precisely specifies and restricts the type of high-level commands or data that get in or out. Second, the resistance of such implementations is not high enough to cope with the remote attacks at stake. Thus, even if the firewalls are properly configured, hackers will still have many ways to attack such entry points.

They will typically bypass the implemented access control policies by exploiting bugs and errors commonly found in the protocol stacks and OSs used to implement such firewalls. In fact, the security level reached by the most secure firewalls is usually very limited. In addition, the most secure ones have an expensive bill of materials, which does not fit well with embedded systems requirements. We present a filtering approach that relies on an off-the-shelf, highly secure, formally proven OS kernel; a simple, configurable, formally proven filtering application that directly implements any given high-level access control security policy; some non-security-sensitive protocol stack layers that allow for protocol disruption (analysis and reconstruction); and a kernel-enabled application control policy that forces all communication to go through the filtering application. Such a filter is currently being trialled in areas such as avionics, automotive and railway, is ready for a Common Criteria EAL7 certification, and uses a very small Trusted Computing Base.
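As an added illustration (not code from the paper or its authors) of a filtering application that enforces a policy on high-level commands after a protocol break, the following Python toy assumes a constructed message format and a constructed two-domain policy; a port-based firewall rule could not distinguish the READ that is allowed here from the WRITE that is dropped.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Command:
    """One application-level command after parsing (the 'high-level object')."""
    src: str
    dst: str
    verb: str
    signal: str
    value: Optional[int]

# Constructed policy: (src_domain, dst_domain) -> {verb: allowed signals}.
# Everything not listed is denied, so a WRITE from infotainment to powertrain
# has no entry and is dropped even though it would share a port with READ.
POLICY = {
    ("infotainment", "powertrain"): {"READ": {"vehicle_speed", "fuel_level"}},
    ("powertrain", "infotainment"): {"REPORT": {"vehicle_speed", "fuel_level", "rpm"}},
}

def parse(raw: str) -> Optional[Command]:
    """Strictly parse '<src>;<dst>;<verb>;<signal>[;<uint value>]'; reject all else."""
    parts = raw.strip().split(";")
    if len(parts) not in (4, 5):
        return None
    src, dst, verb, signal = parts[:4]
    if not all(p.isidentifier() for p in (src, dst, verb, signal)):
        return None
    value = None
    if len(parts) == 5:
        if not parts[4].isdigit():
            return None
        value = int(parts[4])
    return Command(src, dst, verb, signal, value)

def allowed(cmd: Command) -> bool:
    """Policy check on the parsed command, not on addresses or ports."""
    return cmd.signal in POLICY.get((cmd.src, cmd.dst), {}).get(cmd.verb, set())

def filter_message(raw: str) -> Optional[str]:
    """Protocol break: rebuild the message from typed fields, or return None to drop it."""
    cmd = parse(raw)
    if cmd is None or not allowed(cmd):
        return None
    fields = [cmd.src, cmd.dst, cmd.verb, cmd.signal]
    if cmd.value is not None:
        fields.append(str(cmd.value))
    return ";".join(fields)
```

Because the output is re-serialised from the validated fields, no raw input bytes cross the domain boundary, which is the "analysis and reconstruction" step the abstract refers to.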
Date: 28.02.2018
Time: 5:00 PM - 5:30 PM
Location: Conference Counter NCC Ost