P. Paradinas - 2013

Computer Science Security Introduction

Pierre.Paradinas@cnam.fr

P. Paradinas - 2013

Les cours

Introduction et définitions

Matrice d’accès

Politique de sécurité

Sécurité et assurances

Critères communs

Contrôle d’accès

Information flow

Sécurité physiques des composants

Exposés le 20 novembre

Visites au salon CARTES à Villepinte semaine du 18 novembre

2

P. Paradinas - 2013

Sujet des exposés

1 à 2 personnes par groupe

Sujet ouvert : proposition à faire valider

Sujets proposés :

BYOD : les solutions Bull/Thales de téléphone mobile

Sécurité dans la JVM (state of the art et statut actuel dans les naviagteurs)

La sécurité des compteurs électriques et la protection de la vie privée

Un point précis sur la polémique PRISM (quels outils mis en oeuvre par les agences… quelle parade possible…)

Mozilla Social API For Firefox, Facebook Messenger Firs...

(tcrn.ch/WDxYtZ)

Automotive security (http://autosec.org)

La DO178-C & ARINC 6533

P. Paradinas - 2013

Computer Security

Introduction & definitions

(Secure) Design Principles

Modern issues in security

Bibliography

4

P. Paradinas - 2013

Every day there is security issue !

5

P. Paradinas - 2013

Security a key issue

6

SCADA (supervisory contro

l and data acquisitio

n)

attacks

by viru

s Stuxn

et

Privacy is

sues

P. Paradinas - 2011

Exigences critiques sur les SEs

7

!

"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !96!7!89!

! !

^O '+W'&V!,'(!'/.(P(Q'0'(!,&!-.)$/$'-!'0"1#%&'!

^ONO 'V$)'+/'(!/#$Q$%&'(!'Q!'V$)'+/'(!,'!%&1-$Q'!,'!('#\$/'!

2|^)2iJ2S!JI^`^zh2S!

-'!>541'5&!(&$B5+>!<#*0$('!<.&#!1'(!<#$+0$<5&A!('0>'&#(!G!

! 1'(! <#$+0$<5&A! '+D'&A! ,'! 0#$>$0$>*! 0.+0'#+*(! d(b#'>*! ,'! ;.+0>$.++'3'+>W! (*0&#$>*! ,'(!

<'#(.++'(!'>!,'(!4$'+(W!(*0&#$>*!,'!1V$+;.#35>$.+gW!!

! 15!<#*('+0'!,'!0.+>#5$+>'(!,'!>'3<(F#*'1W!<1&(!.&!3.$+(!o!,&#'(!pW!!

! 15!+*0'(($>*!.&!+.+!,'!3$('!'+!n&B#'!,'!(L(>Z3'(!,'!('0.&#(!d<15+(!,V&#/'+0'!.&W!<1&(!

($3<1'3'+>W!/'(>$.+!,V515#3'(g!'+!05(!,'!<5++'!o!05>5(>#.<H$%&'!pW!

! 1'!+$B'5&!,V'A$/'+0'!'+!>'#3'(!,'!0'#>$;$05>$.+W!

! 15!+5>&#'!,'(!+.#3'(!5((.0$*'(!5&A!<#.0'((&(!,'!,*B'1.<<'3'+>!d3.L'+(!3$(!'+!n&B#'W!

.4D'0>$;(!,'!#*(&1>5>(gX!!

/3464<46>5!

(;<6;B3!

(l3;6>!

(><B346>!

(><B3O!$8i9!

/98637486;5!

6;KI5E3>;@!

);56498!?;!

I788;!<7675O!

'M4=;8<;!?;!

<;364i4<76498!

+93K;5!I39<;55B5!?;!

?>J;@9II;K;86!

R&>.3.4$1'! ! ! ! M&#'(! k&$!

:.L'++'!'+!

0#.$((5+0'!

d^Sk!?a?a?g!

:.L'+(!

N'##.B$5$#'! ! ! ! M&#'(! k&$! N.#>'! :.L'+(!

R*#.+5&>$%&'! ! ! ! M&#'(! k&$! N.#>'! k4D'0>$;(!

2(<50'! ! ! !

M&#'(!<.&#!1'(!

15+0'&#(W!

;5$41'(!<.&#!

1'(!(5>'11$>'(!

S'1.+!1'(!

5<<1$05>$.+(W!

515#3'(!5&!

3$+$3&3!

N.#>'!

k4D'0>$;(W!35$(!5B'0!

<#*0.+$(5>$.+!,'!

3.L'+(!

i&01*5$#'! ! ! ! M&#'(! k&$! N.#>'! k4D'0>$;(!

s+'#/$'!d<#.,&0>$.+W!,$(>#$4&>$.+W!

&>$1$(5>$.+g!! ! ! M&#'(! R15#3'(! U5#$541'! !

Q#.,&0>$.+!$+,&(>#$'11'! ! ! !S'1.+!

1'!<#.0*,*!

S'1.+!

1'!,5+/'#!U5#$541'! !

^+(>#&3'+>5>$.+!3*,$051'! ! ! ! :.L'++'(! R15#3'(! N.#>'! k4D'0>$;(!

"y>$3'+>!d,.3.>$%&'g! ! ! !S'1.+!

1V5<<1$05>$.+!R15#3'(! N5$41'! !

`*1*0.3(! ! ! !S'1.+!

1V5<<1$05>$.+!R15#3'(!

U5#$541'!('1.+!

1'(!#*('5&A!:.L'+(!

s1'0>#.+$%&'!/#5+,!<&41$0! ! ! ! N5$41'(! i.+! N5$41'! !

-./$(>$%&'! ! ! ! N5$41'(! i.+! N5$41'! !

^+;#5(>#&0>&#'(!&#45$+'(! ! ! ! N5$41'(! R15#3'(! N5$41'! !

S*0&#$>*! ! ! !:.L'++'(!\!

;.#>'(!R15#3'(! J#.$((5+>'! :.L'+(!

`#5+(50>$.+!*1'0>#.+$%&'! ! ! ! :.L'++'(! i.+! N.#>'! :.L'+(!

!

!

!

!

P. Paradinas - 2011

La qualité de services dans les SEs (1/2)

8

!

"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !9?!7!89!

! !

2|^)2iJ2S!M2!zhR-^`2!M2!S2IU^J2!

-'! >541'5&! 0$F,'((.&(! #*(&3'! 1'(! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! 1'(! <1&(! (.&B'+>! 0.+0'#+*'(!

,5+(!0H5%&'!('0>'&#!G!

! 3'(&#'!'>!0.33&+$05>$.+W!!

! $+>'#;50'!H.33'F350H$+'W!!

! #*/&15>$.+!'>!.<>$3$(5>$.+!,&!0.+;.#>!,V&+!.&!,'!<1&($'&#(!&>$1$(5>'&#(W!,V&+!<#.0*,*!.&!

<#.0'((&(!0.3<1'A'W!,'!15!0.+(.335>$.+!.&!,'!15!<#.,&0>$.+!,V*+'#/$'W!!

! %&51$>*!,'!('#B$0'!'+!>'#3'(!,'!,$(<.+$4$1$>*!'>!,'!<'#;.#35+0'(W!!

5$+($! %&'! 1'(! 1$3$>5>$.+(!/*#*'(! '>! 1'(! 1$'+(! '+>#'! ;.+0>$.+(! 0#$>$%&'(!'>! ;.+0>$.+(! \!%&51$>*!,'!

('#B$0'X!!

X98<64985!I348<4I7@;5!

-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!

i98<64985!G!LB7@46>!?;!5;3J4<;!

(;<6;B3!

0;5B3;!;6!<9K

KO!

$R0!

.I64K

O!/98

i936!

.I64K

O!H39<;55!

.I64K

O!*8;

3=4;!

%B7

@46>!?;

!5;3J4<;!

! !

R&>.3.4$1'! ! ! ! ! ! !J.b>!,'(!0.3<.(5+>(!'>!

,&!1./$0$'1!

R&D.&#,VH&$!G!#*('5&A!'>!<#.0'(('&#(!

$+,*<'+,5+>(X!

^+>*#r>!\!;&($.++'#!,'35$+!v!

N'##.B$5$#'! ! ! ! ! ! !

i*0'(($>*!,V5((&#'#!0'(!

;.+0>$.+(!(5+(!

0.3<#.3'>>#'!15!

(*0&#$>*!

!

^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!

;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!

!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!

;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!

<1&(!*1'B*!!

R*#.+5&>$%&'! ! ! ! ! ! !

J.&>W!,&#*'!,'!B$'W!

0.+(.335>$.+!

*+'#/*>$%&'!'>!<.$,(!

^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!

;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!

!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!

;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!

<1&(!*1'B*!

2(<50'! ! ! ! ! ! !

Q.$,(!'>!41$+,5/'!,'(!

(L(>Z3'(!!!$3<50>!(&#!

1'(!<#.0'(('&#(!'>!15!

3*3.$#'!,$(<.+$41'!

Q#*,.3$+5+0'!,'(!;.+0>$.+(!1'(!<1&(!

0#$>$%&'(!do!(5;'>L!pg!5((&#*'!<5#!1'!

H5#,c5#'!

i&01*5$#'! ! ! ! ! ! !

J.&>!'>!,&#*'!,'!B$'!

d/'(>$.+!,'!

1V.4(.1'(0'+0'g!

!

s+'#/$'!d<#.,&0>$.+W!

,$(>#$4&>$.+W!&>$1$(5>$.+g!! ! ! ! ! !

J.b>!d<#.,&0>$.+!'>!

$+(>5115>$.+gW!>5$11'W!

51$3'+>5>$.+!'>!

0.+(.335>$.+!

*+'#/*>$%&'!

-$3$>*'(!5&D.&#,VH&$W!35$(!15!05<50$>*!

,V$+>*/#'#!,'(!;.+0>$.+(!,'!<#.>'0>$.+W!

3'(&#'!'>!.<>$3$(5>$.+W!(5+(!<'#>'!,'!

0.+;$5+0'!B$(F\FB$(!,'(!;.+0>$.+(!0#$>$%&'(W!

'(>!&+!(&D'>!$3<.#>5+>!<.&#!1'!;&>&#!

Q#.,&0>$.+!$+,&(>#$'11'! ! ! ! ! ! ! ! !

^+(>#&3'+>5>$.+!3*,$051'! ! ! ! ! ! !

J.&>W!,&#*'!,'!B$'W!

0.+(.335>$.+!

*+'#/*>$%&'!!

"y>$3'+>!d,.3.>$%&'g! ! ! ! ! ! !

J.b>!d<#.,&0>$.+!'>!

$+(>5115>$.+gW!>5$11'W!51$3X!

'>!0.+(.335>$.+!

*+'#/*>$%&'!

!

`*1*0.3(! ! ! ! ! ! !

J.b>(W!<'#;.#35+0'(W!

51$3X!*+'#/*>$%&'!,5+(!

1'(!<5L(!*3'#/'+>(!

S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!

P. Paradinas - 2011 9

!

"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !9?!7!89!

! !

2|^)2iJ2S!M2!zhR-^`2!M2!S2IU^J2!

-'! >541'5&! 0$F,'((.&(! #*(&3'! 1'(! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! 1'(! <1&(! (.&B'+>! 0.+0'#+*'(!

,5+(!0H5%&'!('0>'&#!G!

! 3'(&#'!'>!0.33&+$05>$.+W!!

! $+>'#;50'!H.33'F350H$+'W!!

! #*/&15>$.+!'>!.<>$3$(5>$.+!,&!0.+;.#>!,V&+!.&!,'!<1&($'&#(!&>$1$(5>'&#(W!,V&+!<#.0*,*!.&!

<#.0'((&(!0.3<1'A'W!,'!15!0.+(.335>$.+!.&!,'!15!<#.,&0>$.+!,V*+'#/$'W!!

! %&51$>*!,'!('#B$0'!'+!>'#3'(!,'!,$(<.+$4$1$>*!'>!,'!<'#;.#35+0'(W!!

5$+($! %&'! 1'(! 1$3$>5>$.+(!/*#*'(! '>! 1'(! 1$'+(! '+>#'! ;.+0>$.+(! 0#$>$%&'(!'>! ;.+0>$.+(! \!%&51$>*!,'!

('#B$0'X!!

X98<64985!I348<4I7@;5!

-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!

i98<64985!G!LB7@46>!?;!5;3J4<;!

(;<6;B3!

0;5B3;!;6!<9K

KO!

$R0!

.I64K

O!/98

i936!

.I64K

O!H39<;55!

.I64K

O!*8;

3=4;!

%B7

@46>!?;

!5;3J4<;!

! !

R&>.3.4$1'! ! ! ! ! ! !J.b>!,'(!0.3<.(5+>(!'>!

,&!1./$0$'1!

R&D.&#,VH&$!G!#*('5&A!'>!<#.0'(('&#(!

$+,*<'+,5+>(X!

^+>*#r>!\!;&($.++'#!,'35$+!v!

N'##.B$5$#'! ! ! ! ! ! !

i*0'(($>*!,V5((&#'#!0'(!

;.+0>$.+(!(5+(!

0.3<#.3'>>#'!15!

(*0&#$>*!

!

^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!

;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!

!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!

;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!

<1&(!*1'B*!!

R*#.+5&>$%&'! ! ! ! ! ! !

J.&>W!,&#*'!,'!B$'W!

0.+(.335>$.+!

*+'#/*>$%&'!'>!<.$,(!

^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!

;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!

!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!

;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!

<1&(!*1'B*!

2(<50'! ! ! ! ! ! !

Q.$,(!'>!41$+,5/'!,'(!

(L(>Z3'(!!!$3<50>!(&#!

1'(!<#.0'(('&#(!'>!15!

3*3.$#'!,$(<.+$41'!

Q#*,.3$+5+0'!,'(!;.+0>$.+(!1'(!<1&(!

0#$>$%&'(!do!(5;'>L!pg!5((&#*'!<5#!1'!

H5#,c5#'!

i&01*5$#'! ! ! ! ! ! !

J.&>!'>!,&#*'!,'!B$'!

d/'(>$.+!,'!

1V.4(.1'(0'+0'g!

!

s+'#/$'!d<#.,&0>$.+W!

,$(>#$4&>$.+W!&>$1$(5>$.+g!! ! ! ! ! !

J.b>!d<#.,&0>$.+!'>!

$+(>5115>$.+gW!>5$11'W!

51$3'+>5>$.+!'>!

0.+(.335>$.+!

*+'#/*>$%&'!

-$3$>*'(!5&D.&#,VH&$W!35$(!15!05<50$>*!

,V$+>*/#'#!,'(!;.+0>$.+(!,'!<#.>'0>$.+W!

3'(&#'!'>!.<>$3$(5>$.+W!(5+(!<'#>'!,'!

0.+;$5+0'!B$(F\FB$(!,'(!;.+0>$.+(!0#$>$%&'(W!

'(>!&+!(&D'>!$3<.#>5+>!<.&#!1'!;&>&#!

Q#.,&0>$.+!$+,&(>#$'11'! ! ! ! ! ! ! ! !

^+(>#&3'+>5>$.+!3*,$051'! ! ! ! ! ! !

J.&>W!,&#*'!,'!B$'W!

0.+(.335>$.+!

*+'#/*>$%&'!!

"y>$3'+>!d,.3.>$%&'g! ! ! ! ! ! !

J.b>!d<#.,&0>$.+!'>!

$+(>5115>$.+gW!>5$11'W!51$3X!

'>!0.+(.335>$.+!

*+'#/*>$%&'!

!

`*1*0.3(! ! ! ! ! ! !

J.b>(W!<'#;.#35+0'(W!

51$3X!*+'#/*>$%&'!,5+(!

1'(!<5L(!*3'#/'+>(!

S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!

!"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !99!7!89!! !

X98<64985!I348<4I7@;5!

-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!

i98<64985!G!LB7@46>!?;!5;3J4<;!

(;<6;B3!

0;5B3;!;6!<9K

KO!

$R0!

.I64K

O!/98

i936!

.I64K

O!H39<;55!

.I64K

O!*8;

3=4;!

%B7

@46>!?;

!5;3J4<;!

! !

s1'0>#.+$%&'!/#5+,!<&41$0! ! ! ! ! ! ! J.b>(! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!-./$(>$%&'! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!^+;#5(>#&0>&#'(!&#45$+'(! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!S*0&#$>*! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!

`#5+(50>$.+!*1'0>#.+$%&'! ! ! ! ! ! ! !S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(W!

/'(>$.+!,'!15!0.+;$5+0'!!

^OUO 1+1-P('!'Q!/.+/-&($.+(!

-'(! >541'5&A! <#*0*,'+>(! ;.+>! 5<<5#5m>#'! ,'(! <.$+>(! 0.33&+(! '>! ,'(!,$;;*#'+0'(! ;.#>'(! '+>#'!('0>'&#(W!5B'0!,'(!0.+(*%&'+0'(!>5+>!0H'P!1'(!$+>*/#5>'&#(!,'!(L(>Z3'(!/1.45&A!d'+!>'#3'(!,'!0.3<*>'+0'(! '>! ,'! <#.0'((&(! ,'! ,*B'1.<<'3'+>gW! %&'! 0H'P! 1'(! *%&$<'3'+>$'#(W! (.0$*>*(! ,'!('#B$0'!'>!*,$>'&#(!,'!1./$0$'1(!$3<1$%&*(!,5+(!1'(!,$;;*#'+>(!('0>'&#(!5<<1$05>$;(X!

2|^)2iJ2S!JI^`^zh2S!

-V$3<.#>5+0'!;.#>'!'+!N#5+0'!,'!,$;;*#'+>(!('0>'&#(!(.&3$(!\!,'(!'A$/'+0'(!0#$>$%&'(!'+!>'#3'(!,'! 5l3;6>! ?;! i98<64988;K;86! '>! ,'! 5><B346>! ?;5! I;35988;5! ;6! ?;5! h4;85! 5! '&! <.&#! ';;'>! 1'!,*B'1.<<'3'+>! ,'! >'0H+$%&'(! $++.B5+>'(! '>! ,'! 0.3<*>'+0'(! ,5+(! 1'! ,.35$+'! 505,*3$%&'W!0H'P! 1'(! *,$>'&#(! ,'! 1./$0$'1(! '>W! ,'!35+$Z#'! <1&(! $+*/51'W! 5&! ('$+! ,'(! /#5+,(! /#.&<'(X! J'>>'!5B5+0'!'(>!0'<'+,5+>!\!0.+>#5(>'#!\!,'&A!;50>'&#(!,'!;5$41'(('!G!

! S$!,5+(!15!<1&<5#>!,'(!('0>'&#(!0.+0'#+*(!d5&>.3.4$1'W!;'##.B$5$#'W!5*#.+5&>$%&'W!'(<50'W!+&01*5$#'W!*+'#/$'W! >*1*0.3(gW!,'!/#5+,(!/#.&<'(!<#*,.3$+'+>!<5#3$! 1'(! $+>*/#5>'&#(!'>!1'(! (.&(F>#5$>5+>(! ,'! #5+/! 6W! 1'(! Q:2! (.+>! 4'5&0.&<! <1&(! +.34#'&('(! <5#3$! 1'(! (.&(F>#5$>5+>(!,'! #5+/! (&<*#$'&#! '>! 1'(! 0.3<*>'+0'(! (.&B'+>! >#.<!3.#0'1*'(!<.&#!4*+*;$0$'#!,'(!(L+'#/$'(!'+>#'!('0>'&#(X!

! -5! >'+($.+! '+>#'! 35m>#$('! ,'(! 0.b>(! '>! 'A$/'+0'(! ,'! 0'#>$;$05>$.+! +'! (V'A<#$3'! <5(! ,'!35+$Z#'! H.3./Z+'! (&#! 1V'+('341'! ,'! 0'(! ('0>'&#(X! M5+(! 1'! 0.+>'A>'! *B.%&*! 5&! <.$+>!<#*0*,'+>W! 0'>>'! ,$;;*#'+0'! 5! <.&#! 0.+(*%&'+0'! &+'! 3.$+,#'! 5(($3$15>$.+! ,'(!>'0H+.1./$'(! ,'! (b#'>*! '>! (*0&#$>*! ,5+(! 1'(! ('0>'&#(! ,V'A$/'+0'! 3.L'++'! .&! B5#$541'W!0.33'!1V*+'#/$'!'>!1'(!>*1*0.3(W!<5#!'A'3<1'X!

-'! #'+;.#0'3'+>! ,'(! (L+'#/$'(! '>! 1'! ,*B'1.<<'3'+>! ,'! 4#$%&'(! >'0H+.1./$%&'(! '>! ,V.&>$1(!15#/'3'+>!#*&>$1$(541'(!,V&+!('0>'&#!\!1V5&>#'!d'>!0'#>$;$*(!5&>5+>!%&'!<.(($41'g!<'#3'>>#5$>!,.+0!d$g! 5&A! ;.&#+$(('&#(!,'! >'0H+.1./$'! $++.B5+>(! ,V500#.m>#'! 1'&#!35#0H*! d'>! ,.+0!,'! /#5+,$#g! '>!d$$g!5&A! /#5+,(! $+>*/#5>'&#(! ,'! #'+;.#0'#! 1'&#! 5B5+>5/'! 0.+0&##'+>$'1! '+! >'#3'(! ,'! (b#'>*! ,'!;.+0>$.++'3'+>! '>! ,'! (*0&#$>*! ,'(! <'#(.++'(! '>! ,'(! 4$'+(X! -5! ,$(<.+$4$1$>*! ,'! 3$,,1'c5#'!0'#>$;$*W!35(%&5+>!15!,*<'+,5+0'!5&!35>*#$'1!.&!;50$1$>5+>!15!0.'A$(>'+0'!,'!;.+0>$.+(!0#$>$%&'(!'>! ,'! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! (&#! &+'! 3r3'! <15>'F;.#3'! 3&1>$F0n&#(W! '>! 1'!,*B'1.<<'3'+>! ,V&+'! /533'! 0.H*#'+>'! ,V.&>$1(! ,'! ,*B'1.<<'3'+>W! ,V$+>*/#5>$.+W! ,'!($3&15>$.+W!,'!B51$,5>$.+!'>!,'!/'(>$.+!,'!>'(>(W!(.+>!,'(!*1*3'+>(!01*(!\!0.+($,*#'#!,5+(!0'>>'!<'#(<'0>$B'X!Q5#511Z1'3'+>!\!0'(!';;.#>(!,'!#'0H'#0H'!'>!,*B'1.<<'3'+>W!&+'!0..<*#5>$.+!<1&(!

!"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !99!7!89!! !

X98<64985!I348<4I7@;5!

-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!

i98<64985!G!LB7@46>!?;!5;3J4<;!

(;<6;B3!

0;5B3;!;6!<9K

KO!

$R0!

.I64K

O!/98

i936!

.I64K

O!H39<;55!

.I64K

O!*8;

3=4;!

%B7

@46>!?;

!5;3J4<;!

! !

s1'0>#.+$%&'!/#5+,!<&41$0! ! ! ! ! ! ! J.b>(! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!-./$(>$%&'! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!^+;#5(>#&0>&#'(!&#45$+'(! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!S*0&#$>*! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!

`#5+(50>$.+!*1'0>#.+$%&'! ! ! ! ! ! ! !S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(W!

/'(>$.+!,'!15!0.+;$5+0'!!

^OUO 1+1-P('!'Q!/.+/-&($.+(!

-'(! >541'5&A! <#*0*,'+>(! ;.+>! 5<<5#5m>#'! ,'(! <.$+>(! 0.33&+(! '>! ,'(!,$;;*#'+0'(! ;.#>'(! '+>#'!('0>'&#(W!5B'0!,'(!0.+(*%&'+0'(!>5+>!0H'P!1'(!$+>*/#5>'&#(!,'!(L(>Z3'(!/1.45&A!d'+!>'#3'(!,'!0.3<*>'+0'(! '>! ,'! <#.0'((&(! ,'! ,*B'1.<<'3'+>gW! %&'! 0H'P! 1'(! *%&$<'3'+>$'#(W! (.0$*>*(! ,'!('#B$0'!'>!*,$>'&#(!,'!1./$0$'1(!$3<1$%&*(!,5+(!1'(!,$;;*#'+>(!('0>'&#(!5<<1$05>$;(X!

2|^)2iJ2S!JI^`^zh2S!

-V$3<.#>5+0'!;.#>'!'+!N#5+0'!,'!,$;;*#'+>(!('0>'&#(!(.&3$(!\!,'(!'A$/'+0'(!0#$>$%&'(!'+!>'#3'(!,'! 5l3;6>! ?;! i98<64988;K;86! '>! ,'! 5><B346>! ?;5! I;35988;5! ;6! ?;5! h4;85! 5! '&! <.&#! ';;'>! 1'!,*B'1.<<'3'+>! ,'! >'0H+$%&'(! $++.B5+>'(! '>! ,'! 0.3<*>'+0'(! ,5+(! 1'! ,.35$+'! 505,*3$%&'W!0H'P! 1'(! *,$>'&#(! ,'! 1./$0$'1(! '>W! ,'!35+$Z#'! <1&(! $+*/51'W! 5&! ('$+! ,'(! /#5+,(! /#.&<'(X! J'>>'!5B5+0'!'(>!0'<'+,5+>!\!0.+>#5(>'#!\!,'&A!;50>'&#(!,'!;5$41'(('!G!

! S$!,5+(!15!<1&<5#>!,'(!('0>'&#(!0.+0'#+*(!d5&>.3.4$1'W!;'##.B$5$#'W!5*#.+5&>$%&'W!'(<50'W!+&01*5$#'W!*+'#/$'W! >*1*0.3(gW!,'!/#5+,(!/#.&<'(!<#*,.3$+'+>!<5#3$! 1'(! $+>*/#5>'&#(!'>!1'(! (.&(F>#5$>5+>(! ,'! #5+/! 6W! 1'(! Q:2! (.+>! 4'5&0.&<! <1&(! +.34#'&('(! <5#3$! 1'(! (.&(F>#5$>5+>(!,'! #5+/! (&<*#$'&#! '>! 1'(! 0.3<*>'+0'(! (.&B'+>! >#.<!3.#0'1*'(!<.&#!4*+*;$0$'#!,'(!(L+'#/$'(!'+>#'!('0>'&#(X!

! -5! >'+($.+! '+>#'! 35m>#$('! ,'(! 0.b>(! '>! 'A$/'+0'(! ,'! 0'#>$;$05>$.+! +'! (V'A<#$3'! <5(! ,'!35+$Z#'! H.3./Z+'! (&#! 1V'+('341'! ,'! 0'(! ('0>'&#(X! M5+(! 1'! 0.+>'A>'! *B.%&*! 5&! <.$+>!<#*0*,'+>W! 0'>>'! ,$;;*#'+0'! 5! <.&#! 0.+(*%&'+0'! &+'! 3.$+,#'! 5(($3$15>$.+! ,'(!>'0H+.1./$'(! ,'! (b#'>*! '>! (*0&#$>*! ,5+(! 1'(! ('0>'&#(! ,V'A$/'+0'! 3.L'++'! .&! B5#$541'W!0.33'!1V*+'#/$'!'>!1'(!>*1*0.3(W!<5#!'A'3<1'X!

-'! #'+;.#0'3'+>! ,'(! (L+'#/$'(! '>! 1'! ,*B'1.<<'3'+>! ,'! 4#$%&'(! >'0H+.1./$%&'(! '>! ,V.&>$1(!15#/'3'+>!#*&>$1$(541'(!,V&+!('0>'&#!\!1V5&>#'!d'>!0'#>$;$*(!5&>5+>!%&'!<.(($41'g!<'#3'>>#5$>!,.+0!d$g! 5&A! ;.&#+$(('&#(!,'! >'0H+.1./$'! $++.B5+>(! ,V500#.m>#'! 1'&#!35#0H*! d'>! ,.+0!,'! /#5+,$#g! '>!d$$g!5&A! /#5+,(! $+>*/#5>'&#(! ,'! #'+;.#0'#! 1'&#! 5B5+>5/'! 0.+0&##'+>$'1! '+! >'#3'(! ,'! (b#'>*! ,'!;.+0>$.++'3'+>! '>! ,'! (*0&#$>*! ,'(! <'#(.++'(! '>! ,'(! 4$'+(X! -5! ,$(<.+$4$1$>*! ,'! 3$,,1'c5#'!0'#>$;$*W!35(%&5+>!15!,*<'+,5+0'!5&!35>*#$'1!.&!;50$1$>5+>!15!0.'A$(>'+0'!,'!;.+0>$.+(!0#$>$%&'(!'>! ,'! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! (&#! &+'! 3r3'! <15>'F;.#3'! 3&1>$F0n&#(W! '>! 1'!,*B'1.<<'3'+>! ,V&+'! /533'! 0.H*#'+>'! ,V.&>$1(! ,'! ,*B'1.<<'3'+>W! ,V$+>*/#5>$.+W! ,'!($3&15>$.+W!,'!B51$,5>$.+!'>!,'!/'(>$.+!,'!>'(>(W!(.+>!,'(!*1*3'+>(!01*(!\!0.+($,*#'#!,5+(!0'>>'!<'#(<'0>$B'X!Q5#511Z1'3'+>!\!0'(!';;.#>(!,'!#'0H'#0H'!'>!,*B'1.<<'3'+>W!&+'!0..<*#5>$.+!<1&(!

P. Paradinas - 2013

Computer Security

Introduction & Definitions

(Secure) Design Principles

Modern issues in security

Bibliography

10

P. Paradinas - 2013

Computer Science Security Definitions

Basics and definitions about confidentiality, integrity and availability

About threats

Policy and mechanisms

Assumptions and trust

Assurance

From specifications to the program

11

P. Paradinas - 2013

Basics

A system provides features. The threats may corrupt the system

Security protects the system against threats

Security is based on policies and mechanisms

System security analyzing improves security

Security is also related to trust

Human beings are part of the system and generally the weakest link !

12

P. Paradinas - 2013

Basic security properties

Confidentiality

Integrity

Availability

These properties are different and related to the system context

13

P. Paradinas - 2013

Basic security properties: confidentiality

Confidentiality is the feature of information where it have to be keep “secret” and not to be “revealed”

Examples:

secret key involved in a cryptographic protocol

information “reserved” to a group of person

password

...

14

P. Paradinas - 2013

Basic security properties: integrity

Integrity is a feature of information where there is trust on the data (or resources) in term of alterations/modifications (data integrity) and on data origin (origin integrity some time call authentication)

Examples:

In a operating system, “user management” must be based on integrity. Only “user” authorized may change the rules and authorization attached to a user

In a fund transfer integrity is on the amount, origin and destination

Integrity Mechanisms:

Prevention (how to protect )

Detection (how to detect if an information was altered)

15

P. Paradinas - 2013

Basic security properties: availability

Availability refers to the possibility to use data or resources of a system

Availability is part of the security issues as if some one establish conditions where the data or resources of a system are no longer available for a normal use it causes a “deny of access”

Examples:

DOS on Internet are well known

If a bank network is not available the day before Christmas then many commercial transactions will be impossible or done without “confirmation” from the bank

The system design (statical, expected pattern, parameters,...) defines a usage model, if it fails we enter in DOS

DOS detection is very complex task

16

P. Paradinas - 2013

Threats/Attacks

A threat is a potential violation of security. When the violation occurs, it is an attack. The attacks are performed by attackers

A system must be prepared to prevent attacks and executes countermeasures

4 large classes of threat:

Disclosure (non authorized information are revealed)

Deception (acceptance of false data)

Disruption (interruption of operation)

Usurpation (non authorized control of the system)

17

P. Paradinas - 2013

Different threats

Snooping (wiretapping, passive wiretapping)

Modification

Masquerade

Delegation

Repudiation of origin

Denial of receipt

DOS

18

P. Paradinas - 2013

Policy and mechanism

Definition: A security policy is a statement of what is, and what is not allowed

A security policy specifies “secure” and “non secure” states and actions

Definition: A security mechanism is a method, tool, or procedure for enforcing a security policy

A security policy can (must) be defined by mathematical and formal technics

Example:

Change its password is allowed for an entity

Request a proof of an identity before to accept to change a password is a security mechanism

19

P. Paradinas - 2013

Goals of policy and mechanism

For a given security policy security mechanisms can:

Prevent

In this case attacks fail, attacks are not efficient,

Detect

The mechanism is able to detect that attacks are performed, detected and have to be reported

Recovery

Is the set of actions necessary to put in place to reach and establish a new “secure state” of the system

20

P. Paradinas - 2013

Assumptions and Trust

Security is based on assumptions:

Policy splits system states in two part with no ambiguity: “secure” and “non-secure”

Mechanism prevent to move from “secure” state to “non secure” state

If one of these assumptions are false then the system is non secure

Let P the set of system states. Let Q the set of system secure state. Let R the set of reduced system states by the mechanisms (R ≤ P).

A security mechanism is secure if R ≤ Q

A security mechanism is precise if R = Q

A security mechanism is broad if there are state r€R et r€Q

21

P. Paradinas - 2013

Security and Precision (R=P)ACCESS CONTROL MECHANISMS 201

FIGURE 4.4 Security and precision.

All States Authorized States

S (given policy)

Unauthorized States

Reachable States (given mechanism)

Secure' R c p

Precise: R = P

systems whose security can be verified. Finally, we shall examine theoretical ques- tions related to proving properties about the transfer of rights in abstract models.

4.2.2 Reliability and Sharing

Protection mechanisms enforce policies of controlled sharing and reliability. Sev- eral levels of sharing are possible:

o

2. 3. 4.

No sharing at all (complete isolation). Sharing copies of data objects. Sharing originals of data objects. Sharing untrusted programs.

Each level of sharing imposes additional requirements on the security mechanisms of a system. The sharing of data introduces a problem of suspicion, where the owner s of a data object x may not trust another subject sl with whom s shares access. For example, s may fear that sl will grant its access rights to x to

22

P. Paradinas - 2013

Assumptions and Trust

In real word, mechanisms are broad

Trust in mechanisms requires assumptions:

Each mechanism implement one or more part of the security policy

The union of mechanisms implements the all policy

The mechanism are correctly implemented, installed and managed during the life cycle of the system

23

P. Paradinas - 2013

Insurance

Trust is difficult to evaluate ? How much you trust a system ?

How you develop your system provides an assurance level of the trust in the system

A system is said to satisfy a specification if the specification correctly states how the system will work.

24

P. Paradinas - 2013

Specification

Specifications are a precise statement of the system behaviors

It describe what the system is allow to do (and not to do)

The specification may be formal (based on mathematical or formal language) or informal (set of phrases) description

The level of description may be different (low or high level language description)

The specification are not only relevant to security function but on the system itself

Use the same formalism is challenging and benefit for the system

Security is a non functional property

25

P. Paradinas - 2013

Design and implementation

The design of a system transforms the specification into a component that will implement them

The design is said to satisfy the specifications, in any cases, the design will not permit the system to violate the specification

The design implementation realizes the functions (execute the “system functions”)

On CS it is a program executable on an engine

By transitivity an implementation satisfy a system specification

A program is correct if it implementation performs as specified

Proof of program is very complex and difficult to do !

As correctness is a big issue, a posteriori technics like verification of the system by testing are performed

26

P. Paradinas - 2013

Operational issues and others points

Cost benefit analysis

Risk analysis

Laws and customs (cryptography)

Certifications

Organizational problems

People problems

inside and outside

27

P. Paradinas - 2013

Not so simple

The different notions are “interleaved” and nested

System is in “real word” and the word changes !

The cost of security have to be compared with the system (and threats) costs

Threats/Attacks

Policy/Requirements

Specification

Design

Implementation

Operation

28

P. Paradinas - 2013

From D. Denning books

DATA SECURITY 5

modification and injection of false messages by making it infeasible for an oppo- nent to create ciphertext that deciphers into meaningful plaintext. Note, however, that whereas it can be used to detect message modification, it cannot prevent it.

Encryption alone does not protect against replay, because an opponent could simply replay previous ciphertext. Cryptographic techniques for protecting against this problem are discussed in Chapter 3. Although encryption cannot prevent message deletion, the cryptographic techniques discussed in Chapter 3 can detect deletions of blocks or characters within a message stream. Deletion of entire mes- sages can be detected with communication protocols that require message acknowledgment.

FIGURE 1.4 Threats to data stored in computer systems.

Computer system

overwriting modifying

replaying

browsing

P classified

data

"'"k__ confidential

data

statistic

inference

FT]

leaking

r

unclassified user

inserting

deleting

29

P. Paradinas - 2013

Computer Security

Introduction & Definitions

(Secure) Design Principles

Modern issues in security

Bibliography

30

P. Paradinas - 2013

Design principles

As in all system design phase is essential

In security, following principles avoid some classical mistakes, errors, ... the principles are not an insurance but may help !

The principles

The principle of Least Privilege states that a subject should be given only those privileges that it needs in order to complete its task

Program or process have only access to their data. A wrong program will not be able to modify data of an other program or process

The principle of Fail-Safe Defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object

If we come back to privilege modes, there is a contradiction with this principle. In a super mode all access are allowed and its more large than the restriction on the objets

31

P. Paradinas - 2013

Design Principle (Cont’d)

The principle of Economy Mechanism states that the security should be as simple as possible

Doesn’t build a “gaze factory”

32

P. Paradinas - 2013

Design Principle (Cont’d)

The principle of Complete Mediation requires that all accesses to object be checked to ensure that they are allowed

Let a subject request to read a file F. If it is allowed to read the file and the file is read in different step. After some step if the status of the file change (i.e. the right granted is remove) the subject may continue to read the file

33

P. Paradinas - 2013

Design Principle (Cont’d)

The principle of Open Design states that the security of a system is not based on secrecy of its design and implementation

It is not true to think that secret design or implementation increase the security...

In cryptography publication of algorithms and protocols improve the security because the community is able to see the design and to evaluate the strength of it

34

P. Paradinas - 2013

Design Principle (Cont’d)

The principe of Separation of Privilege states that a system should not grant permission based on a single condition

Example:

in organization some decisions or actions require the agreement of different person

during a count creation on information system is necessary to get authorization of HR services and from IT department

in Unix to switch on root mode needs the root password and be part of the group with GID 0 in Berkley based Unix

35

P. Paradinas - 2013

Design Principle (Cont’d)

The principe of Least Common Mechanism states that mechanisms used to access resources should not be shared

Rationale:

In a system where resources are shared by different users may provide information through “information channels”. To avoid these issues isolation and confinement are established by OS

36

P. Paradinas - 2013

Design Principle (Cont’d)

The principle of Psychological Acceptability states that:

the mechanism must be easy and completely to use (i.e. acceptable and no bypass)

the mechanism should not increase the conditions to access information

37

P. Paradinas - 2013

Computer Security

Introduction & Definitions

(Secure) Design Principles

Modern issues in security

Bibliography

38

P. Paradinas - 2013

Mobile devices...

39

P. Paradinas - 2013

Mobile phone security

What it is important to protect ?

What are the threats

Data (calendar, contact, access code...)

privacy

Identity of the phone owner

ID & pwd

Availability

Who are the attacker (same as IT)

Professional, thieves and hackers

Consequences

...

40

P. Paradinas - 2013

Mobile phone security

Consequences

Data deletion, loss, stolen,...

Record conversations between the users

Decrease HS performances (battery)

Phone calls perform on number taxed

Use as a zombie machine

…

41

P. Paradinas - 2013

What are the technics

Attacks on:

Attack based on SMS & MMS

Attacks based on communication networks

GSM

Wi-Fi, Buetooth

Physical attacks and reverse engineering

and on software...

42

P. Paradinas - 2013

What are the technics (cont’d)

Attacks based on vulnerabilities in software

OS

Web and App

Malicious Software (Malware)

Viruses and Trojans

Spyware

• Long list on the wikipedia article

43

P. Paradinas - 2013

Contermeasure

Hardware

Firmware, bootloader

Operating System

With isolation, rights,…

Memory protection and sand box mechanisms

VM, hyperviser

Applications distribution model

Access control (where are the protections)

Pin Code, or advanced biometrics device like on iPhone 5S

But also…

44

P. Paradinas - 2013

Contermeasure (cont’d)

Completed by

Resource Monitoring in the smartphone

Network audit and surveillance

Manufacturer's audit and surveillance

User awareness (!)

45

P. Paradinas - 2013

Automotive

46

!

!

!

Master SEMS : Systèmes Embarqués Mobiles Sûrs CNAM – Département Informatique École SITI

Selon plusieurs études les systèmes embarqués sont un des domaines des Nouvelles

Technologies de l’Information et de la Communication les plus actifs en terme de création

d’emplois et de génération de valeur pour les entreprises au travers d’applications innovantes.

Comme le souligne le « rapport Potier1 », les systèmes embarqués ne se limitent pas au

domaine des systèmes temps réel critiques liés aux applications classiques du transport et/ou

du contrôle-commande. Il existe aussi de très nombreux autres domaines qui embarquent du

matériel et du logiciel complexe à réaliser en résolvant les contraintes fortes de prix, sécurité,

fiabilité, efficacité et de qualité de services offerts comme : les cartes à puce, la téléphonie

mobile, la gestion des immeubles, la gestion des énergies, l’intelligence ambiante et les

applications tournées vers la personne. Le CNAM et le département Informatique de l’école SITI (Science Industrielle et

Technologies de l’Information) ont mis en place le Master SEMS : Systèmes Embarqués

Mobiles et Sûrs permettant de préparer les étudiants aux métiers du développement de

systèmes embarqués mobiles sûrs. Le Master-SEMS est associé à l’Ecole nationale supérieure d’informatique pour l’industrie et

l’entreprise, à l’Ecole Centrale d’électronique de Paris, l'Institut Supérieur d'Electronique de

Paris sous forme d’habilitation pour l’ENSIEE (http://www.ensiie.fr) et de convention pour

l’ECE (http://ece.fr) et l'ISEP (http://www.isep.fr/).

Ce Master est destiné en priorité à des étudiants de niveau master informatique (master M1

ou en dernière année d'école d'ingénieur), ayant un goût prononcé pour les applications

mobiles, embarquées développées de manière sécurisée et sûre.

Objectifs La formation a pour but de former des spécialistes en informatique de niveau Bac + 5 qui

soient au fait des dernières technologies en matière de système embarqué mobiles et sûrs

comprenant : • Langages de programmation pour l’embarqué : Java, C, C++,…

• Plateforme d’exécution : Java ME, Java Card, Android, iOS, OSEK, …

• Réseaux mobiles, réseaux de capteurs ; • Plateformes embarquées de confiance : cartes à puce, TPM, TEE,…

• Technologies pour la mise en place d’application sécurisée (cryptographie, sécurité

informatique, détection d’intrusion, …) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 http://www.industrie.gouv.fr/logiciel-embarque/!

P. Paradinas - 2013

!

!

!

Master SEMS : Systèmes Embarqués Mobiles Sûrs CNAM – Département Informatique École SITI

Selon plusieurs études les systèmes embarqués sont un des domaines des Nouvelles

Technologies de l’Information et de la Communication les plus actifs en terme de création

d’emplois et de génération de valeur pour les entreprises au travers d’applications innovantes.

Comme le souligne le « rapport Potier1 », les systèmes embarqués ne se limitent pas au

domaine des systèmes temps réel critiques liés aux applications classiques du transport et/ou

du contrôle-commande. Il existe aussi de très nombreux autres domaines qui embarquent du

matériel et du logiciel complexe à réaliser en résolvant les contraintes fortes de prix, sécurité,

fiabilité, efficacité et de qualité de services offerts comme : les cartes à puce, la téléphonie

mobile, la gestion des immeubles, la gestion des énergies, l’intelligence ambiante et les

applications tournées vers la personne. Le CNAM et le département Informatique de l’école SITI (Science Industrielle et

Technologies de l’Information) ont mis en place le Master SEMS : Systèmes Embarqués

Mobiles et Sûrs permettant de préparer les étudiants aux métiers du développement de

systèmes embarqués mobiles sûrs. Le Master-SEMS est associé à l’Ecole nationale supérieure d’informatique pour l’industrie et

l’entreprise, à l’Ecole Centrale d’électronique de Paris, l'Institut Supérieur d'Electronique de

Paris sous forme d’habilitation pour l’ENSIEE (http://www.ensiie.fr) et de convention pour

l’ECE (http://ece.fr) et l'ISEP (http://www.isep.fr/).

Ce Master est destiné en priorité à des étudiants de niveau master informatique (master M1

ou en dernière année d'école d'ingénieur), ayant un goût prononcé pour les applications

mobiles, embarquées développées de manière sécurisée et sûre.

Objectifs La formation a pour but de former des spécialistes en informatique de niveau Bac + 5 qui

soient au fait des dernières technologies en matière de système embarqué mobiles et sûrs

comprenant : • Langages de programmation pour l’embarqué : Java, C, C++,…

• Plateforme d’exécution : Java ME, Java Card, Android, iOS, OSEK, …

• Réseaux mobiles, réseaux de capteurs ; • Plateformes embarquées de confiance : cartes à puce, TPM, TEE,…

• Technologies pour la mise en place d’application sécurisée (cryptographie, sécurité

informatique, détection d’intrusion, …) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 http://www.industrie.gouv.fr/logiciel-embarque/!

Automotive

More and more ECU in a car

A CAN bus (Controller Area Network)

47

Low-Speed High-SpeedComponent Functionality Comm. Bus Comm. BusECM Engine Control Module

Controls the engine using information from sensors to determine the amountof fuel, ignition timing, and other engine parameters.

X

EBCM Electronic Brake Control ModuleControls the Antilock Brake System (ABS) pump motor and valves, prevent-ing brakes from locking up and skidding by regulating hydraulic pressure.

X

TCM Transmission Control ModuleControls electronic transmission using data from sensors and from the ECMto determine when and how to change gears.

X

BCM Body Control ModuleControls various vehicle functions, provides information to occupants, andacts as a firewall between the two subnets.

X X

Telematics Telematics ModuleEnables remote data communication with the vehicle via cellular link.

X X

RCDLR Remote Control Door Lock ReceiverReceives the signal from the car’s key fob to lock/unlock the doors andthe trunk. It also receives data wirelessly from the Tire Pressure MonitoringSystem sensors.

X

HVAC Heating, Ventilation, Air ConditioningControls cabin environment.

X

SDM Inflatable Restraint Sensing and Diagnostic ModuleControls airbags and seat belt pretensioners.

X

IPC/DIC Instrument Panel Cluster/Driver Information CenterDisplays information to the driver about speed, fuel level, and various alertsabout the car’s status.

X

Radio RadioIn addition to regular radio functions, funnels and generates most of the in-cabin sounds (beeps, buzzes, chimes).

X

TDM Theft Deterrent ModulePrevents vehicle from starting without a legitimate key.

X

Table I. Key Electronic Control Units (ECUs) within our cars, their roles, and which CAN buses they are on.

The CARSHARK Tool. To facilitate our experimentalanalysis, we wrote CARSHARK — a custom CAN bus ana-lyzer and packet injection tool (see Figure 4). While thereexist commercially available CAN sniffers, none were ap-propriate for our use. First, we needed the ability to processand manipulate our vendor’s proprietary extensions to theCAN protocol. Second, while we could have performedlimited testing using a commercial CAN sniffer coupledwith a manufacturer-specific diagnostic service tool, thiscombination still doesn’t offer the flexibility to support ourfull range of attack explorations, including reading out ECUmemory, loading custom code into ECUs, or generatingfuzz-testing packets over the CAN interface.

IV. INTRA-VEHICLE NETWORK SECURITY

Before experimentally evaluating the security of indi-vidual car components, we assess the security propertiesof the CAN bus in general, which we describe below.We do so by first considering weaknesses inherent to theprotocol stack and then evaluating the degree to whichour car’s components comply with the standard’s specifi-cations.

A. CAN Bus

There are a variety of protocols that can be implementedon the vehicle bus, but starting in 2008 all cars sold in theU.S. are required to implement the Controller Area Network(CAN) bus (ISO 11898 [17]) for diagnostics. As a result,CAN — roughly speaking, a link-layer data protocol — hasbecome the dominant communication network for in-carnetworks (e.g., used by BMW, Ford, GM, Honda, andVolkswagen).

A CAN packet (shown in Figure 5) does not includeaddresses in the traditional sense and instead supports apublish-and-subscribe communications model. The CAN IDheader is used to indicate the packet type, and each packetis both physically and logically broadcast to all nodes,which then decide for themselves whether to process thepackets.

The CAN variant for our car includes slight extensionsto framing (e.g., on the interpretation of certain CAN ID’s)and two separate physical layers — a high-speed bus whichis differentially-signaled and primarily used by powertrainsystems and a low-speed bus (SAE J2411) using a singlewire and supporting less-demanding components. Whennecessary, a gateway bridge can route selected data between

Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 5

?

P. Paradinas - 2013

Security/safety

Part of the bus is dedicated to critic systems

Part of the bus is dedicated infotainement systems

New scenario is:

The control is taken by external entity on the car

Control may be used to corrupt car function

Security issues on the CAN bus

Broadcast Nature

Fragility to DoS

No Authenticator Fields

Weak Access Control

48

P. Paradinas - 2013

Other domains

Airplane

DO178B & DO178C

& ARINC 653

…

Smart grid and privacy

Your electric consumption is related to what TV program you watch !s

49

P. Paradinas - 2013

Bibliograhy

Books:

Computer Security - Art and Science, Matt Bishop, Addison Wesley, 2003

Security Engineering, Ross Anderson, Addison Wesley

Cryptography and Data Security - Addison Wesley, Dorothy Denning, 1982

Available on the web

Web

http://www.schneier.com/

http://www.autosec.org

Rapport Pottier

Identity Theft Resource Center (Dashable.com)

50

P. Paradinas - 2013

Computer Science Security (Secure) Design Principles