The first step in any system security design is a risk analysis. This is designed to answer questions about external interfaces and threats. While encrypted communication and user authentication controls are straightforward enough, a system security architecture quickly becomes complex when answering the question “how does a system ensure software is trustworthy?”
Attestation is the process of validating software authenticity during start-up and periodically during operation. Its purpose is to detect software tampering and code injection. There are many trade-offs to consider in security design, including public key storage, start-up timing, impact on performance, software updates and private key management. Solutions range from on-chip secure boot, such as that of the i.MX processor, to a Trusted Platform Module (TPM) co-processor or a purely software-based solution. Each has its own risks, cost and design impact, which is why it’s important to engage with cyber security design experts.
Without attestation checks, malicious software can quietly run in the background collecting system and local network data, or even perform a pivot attack by sending malicious commands in an attempt to exploit other devices. Starting from the hardware, attestation checks the software layer by layer, using digital signature algorithms to verify each layer’s authenticity. This process makes sure that none of the operational security controls, such as command authentication and encryption, can be bypassed by malicious code.
Securing millions of lines of code in the internet of things
Attestation may protect the intended security controls, but it makes no promises about the quality of the software itself. A zero-day attack is the exploitation of a latent defect within completely authentic software, typically resulting in the injection of malicious code to compromise data or operations. Without attestation, the modified code can be stored in memory and executed every time the device starts.
According to Steve McConnell’s book Code Complete, the industry average for latent defects is about 15-50 errors per 1,000 lines of delivered code (KLOC). Even with the most experienced software developers, Microsoft reports 10-20 defects per KLOC during testing and 0.5 defects per KLOC in production.
According to a 2017 Visual Capitalist article, an average iPhone app has 50,000 lines of code, a military drone uses 3.5 million lines of code, the Android operating system includes 12-15 million lines, and a modern car contains 100 million lines of software. Most internet of things (IoT) devices rely on an operating system and third-party libraries, so even at a conservative one million lines of code, this means there are anywhere from 500 latent defects to upwards of 50,000. What’s the probability that there’s a zero-day attack somewhere in there? Now multiply it by the number of different IoT devices currently on your network. Bottom line: even with the best security design, no IoT device is completely trustworthy.
On a more alarming scale, the supply chain attack against SolarWinds’ Orion network monitoring platform in 2020 sent shock waves throughout the world, with suspected state-sponsored hackers gaining access to US government agencies, critical infrastructure entities and private sector organisations. The injection of malicious code into Orion between March and June 2020 allowed the hackers to compromise Microsoft and FireEye, as well as the Defense, State, Treasury, Homeland Security and Commerce departments in the US government. The SolarWinds hack was severe because it took place on the build server, injecting malicious code before the digital signing process. As a result, the compromised software carried a valid signature and passed system attestation checks undetected.
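The layer-by-layer check described under attestation, together with the limit the SolarWinds case exposes, as an added example in Go (not code from the original article or from any vendor product): a root public key standing in for the hardware root of trust verifies each boot stage's signature in order; an image altered after signing is rejected, while an image signed with the genuine key on a compromised build server passes. The stage names, image contents and Ed25519 key pair are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: an image plus the signature signStage (the build server's release step) produced over its SHA-256 digest.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// newVendorKey stands in for the vendor's signing key pair (constructed here; on a real device the public half is burned into the hardware root of trust).
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	d := sha256.Sum256(image)
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, d[:])}
}
// attestChain verifies the stages in boot order against the root public key; it returns the names that verified and the first stage that failed ("" if the whole chain is good).
func attestChain(rootPub ed25519.PublicKey, chain []Stage) (verified []string, failed string) {
	for _, s := range chain {
		d := sha256.Sum256(s.Image)
		if !ed25519.Verify(rootPub, d[:], s.Sig) {
			return verified, s.Name // stop: nothing above this layer can be trusted
		}
		verified = append(verified, s.Name)
	}
	return verified, ""
}

func main() {
	pub, priv := newVendorKey()
	chain := []Stage{signStage(priv, "bootloader", []byte("boot v1")), signStage(priv, "kernel", []byte("kernel v1"))}
	fmt.Println(attestChain(pub, chain)) // clean chain: both stages verify
	chain[1].Image = append(chain[1].Image, "+injected"...) // altered after signing: digest no longer matches
	fmt.Println(attestChain(pub, chain))
	chain[1] = signStage(priv, "kernel", []byte("kernel v1+backdoor")) // signed on a compromised build server: accepted
	fmt.Println(attestChain(pub, chain))
}
```

The third case is the SolarWinds lesson in miniature: attestation proves the image is the one the vendor signed, not that the vendor's build pipeline was clean.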
Edge network security
Since attestation and security design are unable to address all vulnerabilities, IoT device users need another layer of defence to protect their data and core computing resources. An edge network security solution provides the required reinforcement to detect and contain the impact of a compromised device through the following capabilities:
1. VPN/VLAN Encryption: segmenting devices onto their own network or private cloud protects other computing resources from traffic monitoring and pivot attacks. A network encryptor combined with end-point software forms the building blocks for FedRAMP and Commercial Solutions for Classified approval.
2. Gateway: monitors and controls the networks, subnets, addresses and ports that a device may communicate with. This minimises incoming network attacks while controlling outgoing message destinations in the event of a compromise. Robust event reporting enables administrators to detect incidents and take action.
3. Deep Packet Inspection: monitors and controls the types of message exchanged between approved systems, ensuring that only valid data passes between approved end points.
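The gateway capability in item 2, as an added example in Go (not Ultra CYBER's product code): a per-device allowlist of destination prefixes and ports is applied with default deny to a device's outbound connection attempts, and every blocked attempt becomes a report line for the administrator. The device name, policy and traffic are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule lets one device reach one destination prefix on one port (0 means any port); the gateway policy is a list of rules and anything unlisted is denied.
type Rule struct {
	Device string
	Prefix netip.Prefix
	Port   uint16
}

// evaluate applies default-deny egress control to one device's outbound connection attempts: it counts
// the flows that pass and returns one report line per blocked flow, the event stream an administrator acts on.
func evaluate(rules []Rule, device string, dsts []netip.AddrPort) (allowed int, alerts []string) {
	for _, d := range dsts {
		ok := false
		for _, r := range rules {
			if r.Device == device && r.Prefix.Contains(d.Addr()) && (r.Port == 0 || r.Port == d.Port()) {
				ok = true
				break
			}
		}
		if ok {
			allowed++
		} else {
			alerts = append(alerts, fmt.Sprintf("%s -> %s blocked", device, d))
		}
	}
	return allowed, alerts
}

func main() {
	// Constructed policy: the camera may reach only its cloud relay over HTTPS and the local NTP server.
	rules := []Rule{
		{"camera-01", netip.MustParsePrefix("203.0.113.0/24"), 443},
		{"camera-01", netip.MustParsePrefix("10.0.0.5/32"), 123},
	}
	// Constructed traffic: the last two destinations are what a compromised device attempting a pivot would produce.
	dsts := []netip.AddrPort{
		netip.MustParseAddrPort("203.0.113.7:443"),
		netip.MustParseAddrPort("10.0.0.5:123"),
		netip.MustParseAddrPort("10.0.1.20:22"),
		netip.MustParseAddrPort("198.51.100.9:8080"),
	}
	n, alerts := evaluate(rules, "camera-01", dsts)
	fmt.Println("allowed:", n, "alerts:", alerts)
}
```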
Ultra CYBER’s edge network security solutions combine encryption, gateway and deep packet inspection into wired, wireless and embedded form factors to meet any operating need. Ultra CYBER supports clients with best practice products and services to protect critical infrastructure device operation and data.
Gregory Rudy is vice-president, business development at Ultra Intelligence & Communications – CYBER Division.