260 likes | 400 Views
Attack Trees Describing Security in Distributed Internet-Enabled Metrology. Jeanne H. Espedalen. Contents:. Background, attack trees Background, metrology and calibration The basic ideas of the thesis work Performing the task – a case study Some results Conclusion. Author.
E N D
Attack Trees Describing Security in Distributed Internet-Enabled Metrology Jeanne H. Espedalen
Contents: • Background, attack trees • Background, metrology and calibration • The basic ideas of the thesis work • Performing the task – a case study • Some results • Conclusion
Author • Background in metrology and calibration • Electronics Engineer • Worked at Justervesenet from 1994 • Part time student at GUC from 2002
Background, Attack Trees Open locked door • Introduced by Bruce Scheiner in 1999 • Semi-formal method • Root – main goal, sub-goals and Boolean calculation possible attacks • Could include attributes, indicating cost, skills etc. • Used to find vulnerabilities, analyze security threats • Not very well known, or much used as methodology Open door Open lock Open lock with a key Burst door open Dismantle door Open lock without key Get someone with a key to open Get a key to open lock Destroy lock Pick lock and and Convince someone to open Find a person with a key Get hold of a key Know which door the key belongs to Find a key Steal key Bribe Threaten Dupe
Background, Metrology and Calibration • Metrology (BIPM) – “The science of measurement” • Calibration (International Vocabulary of Basic and General Terms in Metrology) – • “set of operations that establish, under specified conditions, the relationship between values of quantities indicated by a measuring instrument or measuring system..”
UUT UUT Background, Traditional Calibration • Long downtime for unit under test (UUT) (~weeks) • Less control with the transport uncertainty introduced in the calibration result • The UUT is calibrated in an environment different from it’s normal working conditions • The customer is not part of the calibration process T1, P1, H1 Calibration location T2, P2, H2 Customer Justervesenet High-precision devices
Transfer standard Transfer standard Background, Internet-Enabled Calibration • Justervesenet investigates effects of transport and environmental conditions for the transfer standard and has more control • The UUT is calibrated in it’s normal working environment • Short downtime for the UUT (~hours) • The customer is part of the calibration process T2, P2, H2 T1, P1, H1 Calibration location www Customer Justervesenet UUT
iMet, a System for the Future DUT • Firewall-friendly, bidirectional HTTPS channel • Updated measurement procedures and instrument drivers in database server • Measurement procedures automatically downloaded to customer, compiled and run • Measurement data returned • Security? Firewall Firewall www Transport standard Firewall Customer Justervesenet Measurement software Measurement data Measurement software Measurement data Server
The Basic Goals of the Project • Investigation of the attack tree method, evaluate usability of this • Security analysis of the iMet system, a case study
A Case Study The case study was performed in a process of several steps: • Identification of critical assets • Attack trees vulnerabilities • Threats • Risk level • Countermeasures
Identifying Critical Assets • Metrology specific: • Correct measurement results • Instruments in setup • System application • IT systems • Application components, SW and HW
Implementing Attack Tree Method • High level analysis, attacks on critical asset: • Correct measurement results
Incorrect calibration values in calibration certificate Incorrect values from data collections Error in calculations Faulty data transfer from cal. result DB to cal.cert. Faulty cal. result in DB Faulty data-collection at customer Faulty data transfer between customer / JV Incorrect calculation routine Error in data input to calculations Error in data-collection at customer Manipulated data-collection at customer Bug in calcu-lation routine Wrong version of calculation routine Incorrect calibra-tion results Incorrect calibrator standard data Perform as customer Use Instr. with incorrect ID Simulate instrument setup at customer Manipulate cal values before they are returned and Pretend to be customer Steal cal. standard in transport Wrong version of program Manipulated calibration results Error in data collection Change ID in Instru-ment Wrong version of program Wrong version of program Wrong version of program Selection based on critical asset
Incorrect calibration values in calibration certificate Incorrect values from data collections Error in calculations Faulty data transfer from cal. result DB to cal.cert. Faulty cal. result in DB Faulty data-collection at customer Faulty data transfer between customer / JV Incorrect calculation routine Error in data input to calculations Error in data-collection at customer Manipulated data-collection at customer Bug in calcu-lation routine Wrong version of calculation routine Incorrect calibra-tion results Incorrect calibrator standard data Perform as customer Use Instr. with incorrect ID Simulate instrument setup at customer Manipulate cal values before they are returned and Pretend to be customer Steal cal. standard in transport Wrong version of program Wrong version of program Manipulated calibration results Error in data collection Change ID in Instru-ment Wrong version of program Wrong version of program Wrong version of program Wrong version of program Wrong version of program Wrong version of program Selection of goal for refinement
Attack Trees • Refinement and ‘digging’ into the critical or interesting parts of the trees: • Goal: Wrong version of program
Wrong version of program Obsolete version used Manipulated version used Manipulated during upload/ download Valid, manipulated version in DB Manipulated program at customer Obsolete version in DB Obsolete version used at customer and Man-in-the-middle attack and and and Manipulate program in DB Sign code with valid key Obsolete version possible to load at customer Obsolete version available at customer Obsolete version available in DB Obsolete version loaded from DB and Access to source code Required skills to perform change Access to valid key Acc-ess to DB Requir-ed skills to perform change Lack of or insuff. routine for deleting and/or removing obsolete version No/faulty version control No/faulty version control Author-ized access Unauthor-ized access Author-ized access Unauthor-ized access Author-ized access Unauthor-ized access Selected goal for refinement
Wrong version of program Manipulated version used Obsolete version used Manipulated during upload/ download Valid, manipulated version in DB Obsolete version in DB Obsolete version used at customer Manipulated program at customer and Man-in-the-middle attack and and Manipulate program in DB Sign code with valid key Obsolete version possible to load at customer Obsolete version available at customer Obsolete version available in DB and Obsolete version loaded from DB and Access to valid key Acc-ess to DB Requir-ed skills to perform change Access to source code Required skills to perform change Lack of or insuff. routine for deleting and/or removing obsolete version No/faulty version control Author-ized access Unauthor-ized access Author-ized access Unauthor-ized access No/faulty version control Author-ized access Unauthor-ized access Selection of branch/goal for example
Identifying Vulnerabilities, an Example • Program could be manipulated and used at customer’s • A skilled customer could manipulate the downloaded source code, and e.g. simulate measurements • Source code is signed in database, and this signature is checked at download. But customer could run another version, and integrity of the returned measurement data is thereby not secured by this signature.
Threats to the System, Example • Customer could want to simulate or manipulate measurements or instrument ID • Save time (instrument should be used in production most of the time) • Fabricate good results
Assessment of Risk Level, Example • “Program could be manipulated and used at customer” • High criticality (integrity of measurement data) • Low/medium threat (we know our customers..) • Risk level MEDIUM
Countermeasures, Example • Technical: Implement code obfuscator • Make the code harder to understand, and thereby manipulate • Administrative: Signing of contract between customer and authority • Define responsibilities, judicial liability • For the future: Build authentication and signing mechanisms into the instruments • Secure integrity of measurement data
Some Results: Usability of Method • (Semi-)Formalized method: • A guide through analysis • Flexibility • Depth of analysis, maturity of system, interpretation of the trees • Presentation of results from analysis • Should adapt to recipients
Some Results: The iMet System • We have identified 14 vulnerabilities • We have suggested mitigation strategies for these, based on risk assessment. Most of them easily achievable
ConclusionWe have performed: • Evaluation of usability of the attack tree method • General usability • For this system (and similar) • A case study of the iMet system • Security analysis • Countermeasures