Thoughts on Telematics Attack Surfaces and Implications for IC

Transcript

1. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   Some Thoughts on Telematics Attack Surfaces and Implications for IC Daniel Bilar [email protected] ⌅ Arlington, Virginia September 10th, 2014

2. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   What am I going to talk about? Car/Telematics Attack Surfaces ECU, In-Car Networks Car Attack Surface Infrastructure Attack Surface O ensive ’Lenses’ Systems, Assumptions & Constraints Security Composition Adversarial Dynamics Systemic Issues Incentive Structures IC Some proposed implications, directions, ‚ Figure: Telematics Toyota Prius 2010: Qualcomm chip, 3G/CDMA connection. Researchers previously remotely exploited a telematics unit without user interaction. Picture from [VM14]

3. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   In-Car Networks Figure: Vehicle networks: CAN, FlexRay, MOST, and LIN networks, interconnected by a gateway.

4. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   Drill down: Vehicle ECUs Figure: Communication paths/access channels into vehicle ECUs

5. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   Zoom out: Vehicle Infrastructure Figure: Connected car infrastructure: vehicle, V2V, and V2I networks

6. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   Automotive Network Architecture Review Scope: In-Car Networks Messaging Entry points “Remote Attack Surface”: Anti-theft, tire pressure, remote key entry, Bluetooth, RDS, Telematics, Internet/Apps Compromise “Network architecture”: gateway/bridge ECUs, jump to other internal networks Gain messaging access to “Cyber Physical” safety critical ECUs Cyberphysical Park assist, cruise control, collision prevention, lane keep assist Findings ‘Hackability’ See table right Recommendations Architectural containers, car IDS, crypto against rogue plugged in devices Figure: ‘Hackability’ – (least) to ++ (most). Table from [VM14]

7. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   Hacking Tra c Systems Figure: Sensys Systems: Wireless Sensors , Repeaters, Access Points. No encryption, wireless comms in clear. Firmware updates not signed or encrypted. Picture [Cer14]

8. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   Hacking Tra c Systems Figure: Tra c analytics/control software based on sensors (50,000+ world-wide). Bricking, DoS attacks, fake tra c. Picture [Cer14]

9. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

   O ensive Mindset When Someone Talks about ‘Security’ Parameters Matter What does make the system secure mean? Defender has to decide What part to protect, against whom, against what, for how long, at what costs, risks, and using which methods? Threat/Attacker capabilities model often only implied, neglected No One-Size Fits All Answers Mission and Adversary model dependent. Trade-o s inevitable Keywords for today Assumptions Attacks vs Errors, Trust [Bil10] Incentive structures Easy: Mechanism design [GNG08] ,“skin in the game” Compositional Security Unlikely (for real systems): LANGSEC [LSS11] Systemic Security “Rise of Machines” [Joh13]

10. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Systems, Subsystems and nth Order Attacks [Bil09] Objective Induce Instabilities in mission-sustaining ancillary systems that ultimately degrade, disable or subvert end system n: Degree of relation 0th order targets the end system, 1st order targets an ancillary system of the end system, 2nd order an ancillary system of the ancillary system etc. Systems Definition A whole that functions by virtue of interaction between constitutive components. Defined by relationships. Components may be other systems. Key points: Open, isomorphic laws Nature Technical, algorithmic, societal, psychological, ideological, economic, biological and ecological Examples Resource allocation / throughput / stability control, manufacturing, visualization environments, social welfare systems, voting systems, data / goods / energy generation/ transmission/ distribution, reputation management, entropy externalization, business models and economic systems

11. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Systems, Attacks and Assumption Violation Assumptions Fundamentally, attacks work because they violate assumptions Finite (i.e real life engineered or evolved) systems incorporate implicit/explicit assumptions into structure, functionality, language System geared towards ‘expected’, ‘typical’ cases Assumptions reflect those ‘designed-for’ cases Intuitive Examples of Attacks and Assumption Violations Man-in-Middle Attacks Identity assumption violated Race Condition Attacks Ordering assumption violated BGP Routing Attacks Trust assumption violated Generative Mechanism and Assumptions Optimization process incorporating tradeo s between objective functions and resource constraints under uncertainty Assumptions implicit/explicit in optimization formulations

12. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Optimization Process: Highly Optimized Tolerance HOT Background Generative first-principles approach proposed to account for power laws P(m) s mαe− m kc in natural/engineered systems [CSN07, CD00] Optimization model incorporates tradeo s between objective functions and resource constraints in probabilistic environments Used Forest, internet tra c, power, immune systems, computer security (me) Pertinent Trait Robust towards common perturbations, but fragile towards rare events Inducing ‘rare events’ in ancillary systems goal of nth order attack ‘Connected Car’ composed of nested, embedded, embedding ancillary systems Probability, Loss, Resource Optimization [MCD05] min J (1) subject to ￿ ri ≤ R (2) J = ￿ pi li (3) li = f (ri ) (4) 1 ≤ i ≤ M (5) M events (Eq. 5) occurring iid with probability pi incurring loss li (3) Sum-product is objective func to be minimized (1) Resources ri are hedged against losses li , with normalizing f (ri ) = − log ri (4), subject to resource bounds R (2).

13. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    LANGSEC: Parsers, Recognizers Figure: Every piece of software that takes inputs contains a de facto recognizer for accepting valid or expected inputs and rejecting invalid or malicious ones. This recognizer code is often ad hoc, spread throughout the program, and interspersed with processing logic (a “shotgun parser”). This lends the processing logic to exploitation and programmers to false assumptions of data safety [SB14]. Picture from [SBH13]

14. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    LANGSEC: Compositional Security Secure Composition Problem Composition What can you say about composition of modules A and B? Parsers, Language Classes & Power Formal Input Verification Input to parser constitutes valid expression in input-handler’s protocol Secure Composition Prove computational equivalence of input-handling routines, i.e. do two grammars produce exactly the same language? (if not, in extremis birth of ’weird machines’) Requirement Equivalence undecidable for complex protocols - starting from language classes that require Non-Deterministic PDA to recognize input language Way Forward: Minimum Power Principle to Reduce Insecurity of Composition 1 Parser must not provide more than the minimal computational strength necessary to interpret the protocol it is intended to parse 2 Protocols should be designed to require the computationally weakest parser necessary to achieve the intended operation DECIDABLE For regular + deterministic context-free grammars “LangSec” (Nov 2011) IMHO, most fundamental intuition in computer security since Thompson (1984) “Trusting Trust” [LSS11].

15. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Adversarial Dynamics Background Data US border security, computer vulnerability databases, o ensive & defensive coevolution of worms (Conficker) Modeled as players in adversarial situation Findings Performance metrics oscillate over time No asymptotic convergence not monotonic Classic Game Theory not useful, no good fit Claim In realistic (adversarial) games, players do not compute Nash Equilibria over strategy sets Use myopically perceived best responses at each time step Why? Not a stationary environment! Ongoing sequences of countermoves, deception and strategic adaptation Figure: Non-adversarial: Tra c deaths Figure: Adversarial: Vulns / Exploits

16. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Adversarial Dynamics: Conficker Figure: Game evolution between Conficker A-E and environment. Picture from [BMC13]

17. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    “Security of the autonomous vehicle future” Figure: Scenarios from Gerdes of Utah State (NSF $1.2m grant to study) Atlantic Monthly 09/08/2014 [Mad14]

18. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Collective Behavior of Interacting Agents Collective Behavior of Interacting Agents Beginnings Bell Labs ‘Core War’ 1960 Conway ‘Game of Life’ 1970s Yesterday Flash Crash 2010: Billions USD evaporated in fraction of second Today 1000s of mini-Flash Crashes every week. HFT shenanigans & collusion schemes finally being investigated by NY AG “Rise of the Machines” [Joh13] Phenomenological ‘signatures’ of automated black-box algorithmic trading All-machine time regime characterized by frequent ‘black swan’ events with ultrafast durations Collective behavior unpredictable No useful security guarantees anent dynamics possible Figure: HFT “Painting the Tape” Illegal practice of creating fictitious activity in a stock: 70k+ meaningless bids / o ers blasted in 47 seconds. Picture from Nanex

19. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Big Data Quandary: High Dim & Adversarial Space Figure: Two player adversarial non-zero sum game with reinforcement learning strategies. α is memory (0 ≈ all steps , 1 ≈ no memory). Γ is deviation from zero sum game (-1 ≈ zero-sum, 0 ≈ uncorrelated payo s, 1 ≈ payo s identical. β is intensity of choice (0 ≈ all moves equally likely, large ≈ some preferential moves). α ≈ 0 corresponds to replicator dynamics (previous slides).

20. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Ramifications for IC R & D Repurpose In-Car Vulnerabilities Defensive Disable tracking (On-star, TPMS, etc) through ODB-II plug-in (⌅ idea) O ensive Bind/intercept cell signal of occupants via RF circuitry in embedded systems (⌅ idea) Control Sensor Networks O ensive Destabilize/degrade tra c sensor system (Cesar Cerrudo’s DefCon 2014) Defensive Stabilization via signals ‘nudging’ back to stable state [Bil09] Observe Adversarial Metrics Performance Oscillations modeled by replicator equations. Typically 3rd order, non-linear, analytically di cult Inverse estimating RE params from observations of behavior tractable O ensive/Defensive Infer actual game being played, unfolding: Players motives, costs and move options.

21. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    R & D funding as Shì ‚ ‚ Propensity of Things [JL95] Characteristics Formal, dynamic, strategic; fusion of form and momentum; exploiting achieved position to maximum e ect Metaphors life of brush on fluid line, potential of womb Reality perceived as a particular arrangement of things to be relied upon and worked to one’s advantage Investments as ‚ Drivers & Incentive Structures to evolve the “game-creating game” [Mechanism Design [GNG08] (Nobel Econ 2007) ] Game-creating Game Meta-game that drives co-evolution between attacker and defender towards position favorable to defense [Ant10] Cautionary Tale Conficker A-E: Ad-hoc defensive measures (no meta-game consideration) that ultimately resulted in a net worse defense position [BMC13]

22. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    Thank you How Scientists Relax Infrared spectroscopy on a vexing problem of our times: Truly comparing apples and oranges. Thank You Thank you for your time and the consideration of these ideas. I appreciate the invitation to speak at ⌅⌅ in lovely Virginia ¨ ￿ Figure: A spectrographic analysis of ground, desiccated samples of a Granny Smith apple and a Sunkist navel orange. Picture from [San95]

23. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    References I Gary Anthes, Mechanism design meets computer science., Commun. ACM 53 (2010), no. 8, 11–13. Daniel Bilar, On nth order attacks, The virtual battlefield : Perspectives on cyber warfare (Christian Czosseck and Kenneth Geers, eds.), IOS Press, 2009, pp. 262–281. , Degradation and subversion through subsystem attacks, IEEE Security & Privacy 8 (2010), no. 4, 70–73. D. Bilar, J. Murphy, and G. Cybenko, Adversarial dynamics: Conficker case study, Moving Target Defenses (S. Jajodia, ed.), vol. II, Springer, 2013, pp. 41–71. Jean Carlson and John Doyle, Highly Optimized Tolerance: Robustness and Design in Complex Systems, Physical Review Letters 84 (2000), no. 11, 2529+. Cesar Cerrudo, Hacking us tra c control systems, DefCon, vol. 22, 2014. Aaron Clauset, Cosma R. Shalizi, and Mark Newman, Power-Law Distributions in Empirical Data, SIAM Reviews (2007).

24. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    References II Dinesh Garg, Y Narahari, and Sujit Gujar, Foundations of mechanism design: A tutorial part 1-key concepts and classical results, Sadhana (Academy Proceedings in Engineering Sciences), vol. 33, Indian Academy of Sciences, 2008, pp. 83–130. François Jullien and Janet Lloyd, The propensity of things: Toward a history of e cacy in china, Zone Books New York, 1995. Neil Johnson, Abrupt rise of new machine ecology beyond human response time, Nature Science Reports 3 (2013). Sergey Bratus Len Sassaman, Meredith L. Patterson and Anna Shubina, The halting problems of network stack insecurity, ;login 36 (2011), no. 6. Alexis C. Madrigal, 9 2014. Lisa Manning, Jean Carlson, and John Doyle, Highly Optimized Tolerance and Power Laws in Dense and Sparse Resource Regimes, Physical Review E 72 (2005), no. 1, 16108+. Scott Sandford, Apples and oranges: a comparison, Annals of Improbable Research 1 (1995), no. 3. Felix Lindner Sergey Bratus, Information security war room, Usenix, 2014.

25. Telematics Systems Attacker Lenses Composition Adversarial Dynamics Systemic Issues Epilogue/References

    References III Meredith Patterson Sergey Bratus and Dan Hirsch, From “shotgun parsers” to more secure stacks, ShmooCon, 2013. Chris Valasek and Charlie Miller, A survey of remote automotive attack surfaces, BlackHat US, 2014.