Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
P. Paradinas - 2013
Les cours
Introduction et définitions
Matrice d’accès
Politique de sécurité
Sécurité et assurances
Critères communs
Contrôle d’accès
Information flow
Sécurité physiques des composants
Exposés le 20 novembre
Visites au salon CARTES à Villepinte semaine du 18 novembre
2
P. Paradinas - 2013
Sujet des exposés
1 à 2 personnes par groupe
Sujet ouvert : proposition à faire valider
Sujets proposés :
BYOD : les solutions Bull/Thales de téléphone mobile
Sécurité dans la JVM (state of the art et statut actuel dans les naviagteurs)
La sécurité des compteurs électriques et la protection de la vie privée
Un point précis sur la polémique PRISM (quels outils mis en oeuvre par les agences… quelle parade possible…)
Mozilla Social API For Firefox, Facebook Messenger Firs...
(tcrn.ch/WDxYtZ)
Automotive security (http://autosec.org)
La DO178-C & ARINC 6533
P. Paradinas - 2013
Computer Security
Introduction & definitions
(Secure) Design Principles
Modern issues in security
Bibliography
4
P. Paradinas - 2013
Every day there is security issue !
5
P. Paradinas - 2013
Security a key issue
6
SCADA (supervisory contro
l and data acquisitio
n)
attacks
by viru
s Stuxn
et
Privacy is
sues
P. Paradinas - 2011
Exigences critiques sur les SEs
7
!
"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !96!7!89!
! !
^O '+W'&V!,'(!'/.(P(Q'0'(!,&!-.)$/$'-!'0"1#%&'!
^ONO 'V$)'+/'(!/#$Q$%&'(!'Q!'V$)'+/'(!,'!%&1-$Q'!,'!('#\$/'!
2|^)2iJ2S!JI^`^zh2S!
-'!>541'5&!(&$B5+>!<#*0$('!<.&#!1'(!<#$+0$<5&A!('0>'&#(!G!
! 1'(! <#$+0$<5&A! '+D'&A! ,'! 0#$>$0$>*! 0.+0'#+*(! d(b#'>*! ,'! ;.+0>$.++'3'+>W! (*0&#$>*! ,'(!
<'#(.++'(!'>!,'(!4$'+(W!(*0&#$>*!,'!1V$+;.#35>$.+gW!!
! 15!<#*('+0'!,'!0.+>#5$+>'(!,'!>'3<(F#*'1W!<1&(!.&!3.$+(!o!,&#'(!pW!!
! 15!+*0'(($>*!.&!+.+!,'!3$('!'+!n&B#'!,'!(L(>Z3'(!,'!('0.&#(!d<15+(!,V&#/'+0'!.&W!<1&(!
($3<1'3'+>W!/'(>$.+!,V515#3'(g!'+!05(!,'!<5++'!o!05>5(>#.<H$%&'!pW!
! 1'!+$B'5&!,V'A$/'+0'!'+!>'#3'(!,'!0'#>$;$05>$.+W!
! 15!+5>&#'!,'(!+.#3'(!5((.0$*'(!5&A!<#.0'((&(!,'!,*B'1.<<'3'+>!d3.L'+(!3$(!'+!n&B#'W!
.4D'0>$;(!,'!#*(&1>5>(gX!!
/3464<46>5!
(;<6;B3!
(l3;6>!
(><B346>!
(><B3O!$8i9!
/98637486;5!
6;KI5E3>;@!
);56498!?;!
I788;!<7675O!
'M4=;8<;!?;!
<;364i4<76498!
+93K;5!I39<;55B5!?;!
?>J;@9II;K;86!
R&>.3.4$1'! ! ! ! M&#'(! k&$!
:.L'++'!'+!
0#.$((5+0'!
d^Sk!?a?a?g!
:.L'+(!
N'##.B$5$#'! ! ! ! M&#'(! k&$! N.#>'! :.L'+(!
R*#.+5&>$%&'! ! ! ! M&#'(! k&$! N.#>'! k4D'0>$;(!
2(<50'! ! ! !
M&#'(!<.&#!1'(!
15+0'&#(W!
;5$41'(!<.&#!
1'(!(5>'11$>'(!
S'1.+!1'(!
5<<1$05>$.+(W!
515#3'(!5&!
3$+$3&3!
N.#>'!
k4D'0>$;(W!35$(!5B'0!
<#*0.+$(5>$.+!,'!
3.L'+(!
i&01*5$#'! ! ! ! M&#'(! k&$! N.#>'! k4D'0>$;(!
s+'#/$'!d<#.,&0>$.+W!,$(>#$4&>$.+W!
&>$1$(5>$.+g!! ! ! M&#'(! R15#3'(! U5#$541'! !
Q#.,&0>$.+!$+,&(>#$'11'! ! ! !S'1.+!
1'!<#.0*,*!
S'1.+!
1'!,5+/'#!U5#$541'! !
^+(>#&3'+>5>$.+!3*,$051'! ! ! ! :.L'++'(! R15#3'(! N.#>'! k4D'0>$;(!
"y>$3'+>!d,.3.>$%&'g! ! ! !S'1.+!
1V5<<1$05>$.+!R15#3'(! N5$41'! !
`*1*0.3(! ! ! !S'1.+!
1V5<<1$05>$.+!R15#3'(!
U5#$541'!('1.+!
1'(!#*('5&A!:.L'+(!
s1'0>#.+$%&'!/#5+,!<&41$0! ! ! ! N5$41'(! i.+! N5$41'! !
-./$(>$%&'! ! ! ! N5$41'(! i.+! N5$41'! !
^+;#5(>#&0>&#'(!-$+'(! ! ! ! N5$41'(! R15#3'(! N5$41'! !
S*0&#$>*! ! ! !:.L'++'(!\!
;.#>'(!R15#3'(! J#.$((5+>'! :.L'+(!
`#5+(50>$.+!*1'0>#.+$%&'! ! ! ! :.L'++'(! i.+! N.#>'! :.L'+(!
!
!
!
!
P. Paradinas - 2011
La qualité de services dans les SEs (1/2)
8
!
"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !9?!7!89!
! !
2|^)2iJ2S!M2!zhR-^`2!M2!S2IU^J2!
-'! >541'5&! 0$F,'((.&(! #*(&3'! 1'(! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! 1'(! <1&(! (.&B'+>! 0.+0'#+*'(!
,5+(!0H5%&'!('0>'&#!G!
! 3'(&#'!'>!0.33&+$05>$.+W!!
! $+>'#;50'!H.33'F350H$+'W!!
! #*/&15>$.+!'>!.<>$3$(5>$.+!,&!0.+;.#>!,V&+!.&!,'!<1&($'&#(!&>$1$(5>'&#(W!,V&+!<#.0*,*!.&!
<#.0'((&(!0.3<1'A'W!,'!15!0.+(.335>$.+!.&!,'!15!<#.,&0>$.+!,V*+'#/$'W!!
! %&51$>*!,'!('#B$0'!'+!>'#3'(!,'!,$(<.+$4$1$>*!'>!,'!<'#;.#35+0'(W!!
5$+($! %&'! 1'(! 1$3$>5>$.+(!/*#*'(! '>! 1'(! 1$'+(! '+>#'! ;.+0>$.+(! 0#$>$%&'(!'>! ;.+0>$.+(! \!%&51$>*!,'!
('#B$0'X!!
X98<64985!I348<4I7@;5!
-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!
i98<64985!G!LB7@46>!?;!5;3J4<;!
(;<6;B3!
0;5B3;!;6!<9K
KO!
$R0!
.I64K
O!/98
i936!
.I64K
O!H39<;55!
.I64K
O!*8;
3=4;!
%B7
@46>!?;
!5;3J4<;!
! !
R&>.3.4$1'! ! ! ! ! ! !J.b>!,'(!0.3<.(5+>(!'>!
,&!1./$0$'1!
R&D.&#,VH&$!G!#*('5&A!'>!<#.0'(('&#(!
$+,*<'+,5+>(X!
^+>*#r>!\!;&($.++'#!,'35$+!v!
N'##.B$5$#'! ! ! ! ! ! !
i*0'(($>*!,V5((&#'#!0'(!
;.+0>$.+(!(5+(!
0.3<#.3'>>#'!15!
(*0&#$>*!
!
^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!
;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!
!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!
;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!
<1&(!*1'B*!!
R*#.+5&>$%&'! ! ! ! ! ! !
J.&>W!,&#*'!,'!B$'W!
0.+(.335>$.+!
*+'#/*>$%&'!'>!<.$,(!
^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!
;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!
!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!
;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!
<1&(!*1'B*!
2(<50'! ! ! ! ! ! !
Q.$,(!'>!41$+,5/'!,'(!
(L(>Z3'(!!!$3<50>!(&#!
1'(!<#.0'(('&#(!'>!15!
3*3.$#'!,$(<.+$41'!
Q#*,.3$+5+0'!,'(!;.+0>$.+(!1'(!<1&(!
0#$>$%&'(!do!(5;'>L!pg!5((&#*'!<5#!1'!
H5#,c5#'!
i&01*5$#'! ! ! ! ! ! !
J.&>!'>!,&#*'!,'!B$'!
d/'(>$.+!,'!
1V.4(.1'(0'+0'g!
!
s+'#/$'!d<#.,&0>$.+W!
,$(>#$4&>$.+W!&>$1$(5>$.+g!! ! ! ! ! !
J.b>!d<#.,&0>$.+!'>!
$+(>5115>$.+gW!>5$11'W!
51$3'+>5>$.+!'>!
0.+(.335>$.+!
*+'#/*>$%&'!
-$3$>*'(!5&D.&#,VH&$W!35$(!15!05<50$>*!
,V$+>*/#'#!,'(!;.+0>$.+(!,'!<#.>'0>$.+W!
3'(&#'!'>!.<>$3$(5>$.+W!(5+(!<'#>'!,'!
0.+;$5+0'!B$(F\FB$(!,'(!;.+0>$.+(!0#$>$%&'(W!
'(>!&+!(&D'>!$3<.#>5+>!<.&#!1'!;&>&#!
Q#.,&0>$.+!$+,&(>#$'11'! ! ! ! ! ! ! ! !
^+(>#&3'+>5>$.+!3*,$051'! ! ! ! ! ! !
J.&>W!,&#*'!,'!B$'W!
0.+(.335>$.+!
*+'#/*>$%&'!!
"y>$3'+>!d,.3.>$%&'g! ! ! ! ! ! !
J.b>!d<#.,&0>$.+!'>!
$+(>5115>$.+gW!>5$11'W!51$3X!
'>!0.+(.335>$.+!
*+'#/*>$%&'!
!
`*1*0.3(! ! ! ! ! ! !
J.b>(W!<'#;.#35+0'(W!
51$3X!*+'#/*>$%&'!,5+(!
1'(!<5L(!*3'#/'+>(!
S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!
P. Paradinas - 2011 9
!
"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !9?!7!89!
! !
2|^)2iJ2S!M2!zhR-^`2!M2!S2IU^J2!
-'! >541'5&! 0$F,'((.&(! #*(&3'! 1'(! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! 1'(! <1&(! (.&B'+>! 0.+0'#+*'(!
,5+(!0H5%&'!('0>'&#!G!
! 3'(&#'!'>!0.33&+$05>$.+W!!
! $+>'#;50'!H.33'F350H$+'W!!
! #*/&15>$.+!'>!.<>$3$(5>$.+!,&!0.+;.#>!,V&+!.&!,'!<1&($'&#(!&>$1$(5>'&#(W!,V&+!<#.0*,*!.&!
<#.0'((&(!0.3<1'A'W!,'!15!0.+(.335>$.+!.&!,'!15!<#.,&0>$.+!,V*+'#/$'W!!
! %&51$>*!,'!('#B$0'!'+!>'#3'(!,'!,$(<.+$4$1$>*!'>!,'!<'#;.#35+0'(W!!
5$+($! %&'! 1'(! 1$3$>5>$.+(!/*#*'(! '>! 1'(! 1$'+(! '+>#'! ;.+0>$.+(! 0#$>$%&'(!'>! ;.+0>$.+(! \!%&51$>*!,'!
('#B$0'X!!
X98<64985!I348<4I7@;5!
-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!
i98<64985!G!LB7@46>!?;!5;3J4<;!
(;<6;B3!
0;5B3;!;6!<9K
KO!
$R0!
.I64K
O!/98
i936!
.I64K
O!H39<;55!
.I64K
O!*8;
3=4;!
%B7
@46>!?;
!5;3J4<;!
! !
R&>.3.4$1'! ! ! ! ! ! !J.b>!,'(!0.3<.(5+>(!'>!
,&!1./$0$'1!
R&D.&#,VH&$!G!#*('5&A!'>!<#.0'(('&#(!
$+,*<'+,5+>(X!
^+>*#r>!\!;&($.++'#!,'35$+!v!
N'##.B$5$#'! ! ! ! ! ! !
i*0'(($>*!,V5((&#'#!0'(!
;.+0>$.+(!(5+(!
0.3<#.3'>>#'!15!
(*0&#$>*!
!
^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!
;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!
!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!
;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!
<1&(!*1'B*!!
R*#.+5&>$%&'! ! ! ! ! ! !
J.&>W!,&#*'!,'!B$'W!
0.+(.335>$.+!
*+'#/*>$%&'!'>!<.$,(!
^1!;5&>!,*3.+>#'#!1V$+,*<'+,5+0'!'+>#'!1'(!
;.+0>$.+(!S!d0#$>$%&'g!'>!iS!di.+F0#$>$%&'g!
!!(*/#*/5>$.+!.&!,*B'1.<<'3'+>!,'(!
;.+0>$.+(!iS!5B'0!1'!+$B'5&!,'!(*0&#$>*!1'!
<1&(!*1'B*!
2(<50'! ! ! ! ! ! !
Q.$,(!'>!41$+,5/'!,'(!
(L(>Z3'(!!!$3<50>!(&#!
1'(!<#.0'(('&#(!'>!15!
3*3.$#'!,$(<.+$41'!
Q#*,.3$+5+0'!,'(!;.+0>$.+(!1'(!<1&(!
0#$>$%&'(!do!(5;'>L!pg!5((&#*'!<5#!1'!
H5#,c5#'!
i&01*5$#'! ! ! ! ! ! !
J.&>!'>!,&#*'!,'!B$'!
d/'(>$.+!,'!
1V.4(.1'(0'+0'g!
!
s+'#/$'!d<#.,&0>$.+W!
,$(>#$4&>$.+W!&>$1$(5>$.+g!! ! ! ! ! !
J.b>!d<#.,&0>$.+!'>!
$+(>5115>$.+gW!>5$11'W!
51$3'+>5>$.+!'>!
0.+(.335>$.+!
*+'#/*>$%&'!
-$3$>*'(!5&D.&#,VH&$W!35$(!15!05<50$>*!
,V$+>*/#'#!,'(!;.+0>$.+(!,'!<#.>'0>$.+W!
3'(&#'!'>!.<>$3$(5>$.+W!(5+(!<'#>'!,'!
0.+;$5+0'!B$(F\FB$(!,'(!;.+0>$.+(!0#$>$%&'(W!
'(>!&+!(&D'>!$3<.#>5+>!<.&#!1'!;&>&#!
Q#.,&0>$.+!$+,&(>#$'11'! ! ! ! ! ! ! ! !
^+(>#&3'+>5>$.+!3*,$051'! ! ! ! ! ! !
J.&>W!,&#*'!,'!B$'W!
0.+(.335>$.+!
*+'#/*>$%&'!!
"y>$3'+>!d,.3.>$%&'g! ! ! ! ! ! !
J.b>!d<#.,&0>$.+!'>!
$+(>5115>$.+gW!>5$11'W!51$3X!
'>!0.+(.335>$.+!
*+'#/*>$%&'!
!
`*1*0.3(! ! ! ! ! ! !
J.b>(W!<'#;.#35+0'(W!
51$3X!*+'#/*>$%&'!,5+(!
1'(!<5L(!*3'#/'+>(!
S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!
!"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !99!7!89!! !
X98<64985!I348<4I7@;5!
-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!
i98<64985!G!LB7@46>!?;!5;3J4<;!
(;<6;B3!
0;5B3;!;6!<9K
KO!
$R0!
.I64K
O!/98
i936!
.I64K
O!H39<;55!
.I64K
O!*8;
3=4;!
%B7
@46>!?;
!5;3J4<;!
! !
s1'0>#.+$%&'!/#5+,!<&41$0! ! ! ! ! ! ! J.b>(! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!-./$(>$%&'! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!^+;#5(>#&0>&#'(!-$+'(! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!S*0&#$>*! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!
`#5+(50>$.+!*1'0>#.+$%&'! ! ! ! ! ! ! !S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(W!
/'(>$.+!,'!15!0.+;$5+0'!!
^OUO 1+1-P('!'Q!/.+/-&($.+(!
-'(! >541'5&A! <#*0*,'+>(! ;.+>! 5<<5#5m>#'! ,'(! <.$+>(! 0.33&+(! '>! ,'(!,$;;*#'+0'(! ;.#>'(! '+>#'!('0>'&#(W!5B'0!,'(!0.+(*%&'+0'(!>5+>!0H'P!1'(!$+>*/#5>'&#(!,'!(L(>Z3'(!/1.45&A!d'+!>'#3'(!,'!0.3<*>'+0'(! '>! ,'! <#.0'((&(! ,'! ,*B'1.<<'3'+>gW! %&'! 0H'P! 1'(! *%&$<'3'+>$'#(W! (.0$*>*(! ,'!('#B$0'!'>!*,$>'&#(!,'!1./$0$'1(!$3<1$%&*(!,5+(!1'(!,$;;*#'+>(!('0>'&#(!5<<1$05>$;(X!
2|^)2iJ2S!JI^`^zh2S!
-V$3<.#>5+0'!;.#>'!'+!N#5+0'!,'!,$;;*#'+>(!('0>'&#(!(.&3$(!\!,'(!'A$/'+0'(!0#$>$%&'(!'+!>'#3'(!,'! 5l3;6>! ?;! i98<64988;K;86! '>! ,'! 5><B346>! ?;5! I;35988;5! ;6! ?;5! h4;85! 5! '&! <.&#! ';;'>! 1'!,*B'1.<<'3'+>! ,'! >'0H+$%&'(! $++.B5+>'(! '>! ,'! 0.3<*>'+0'(! ,5+(! 1'! ,.35$+'! 505,*3$%&'W!0H'P! 1'(! *,$>'&#(! ,'! 1./$0$'1(! '>W! ,'!35+$Z#'! <1&(! $+*/51'W! 5&! ('$+! ,'(! /#5+,(! /#.&<'(X! J'>>'!5B5+0'!'(>!0'<'+,5+>!\!0.+>#5(>'#!\!,'&A!;50>'&#(!,'!;5$41'(('!G!
! S$!,5+(!15!<1&<5#>!,'(!('0>'&#(!0.+0'#+*(!d5&>.3.4$1'W!;'##.B$5$#'W!5*#.+5&>$%&'W!'(<50'W!+&01*5$#'W!*+'#/$'W! >*1*0.3(gW!,'!/#5+,(!/#.&<'(!<#*,.3$+'+>!<5#3$! 1'(! $+>*/#5>'&#(!'>!1'(! (.&(F>#5$>5+>(! ,'! #5+/! 6W! 1'(! Q:2! (.+>! 4'5&0.&<! <1&(! +.34#'&('(! <5#3$! 1'(! (.&(F>#5$>5+>(!,'! #5+/! (&<*#$'&#! '>! 1'(! 0.3<*>'+0'(! (.&B'+>! >#.<!3.#0'1*'(!<.&#!4*+*;$0$'#!,'(!(L+'#/$'(!'+>#'!('0>'&#(X!
! -5! >'+($.+! '+>#'! 35m>#$('! ,'(! 0.b>(! '>! 'A$/'+0'(! ,'! 0'#>$;$05>$.+! +'! (V'A<#$3'! <5(! ,'!35+$Z#'! H.3./Z+'! (&#! 1V'+('341'! ,'! 0'(! ('0>'&#(X! M5+(! 1'! 0.+>'A>'! *B.%&*! 5&! <.$+>!<#*0*,'+>W! 0'>>'! ,$;;*#'+0'! 5! <.&#! 0.+(*%&'+0'! &+'! 3.$+,#'! 5(($3$15>$.+! ,'(!>'0H+.1./$'(! ,'! (b#'>*! '>! (*0&#$>*! ,5+(! 1'(! ('0>'&#(! ,V'A$/'+0'! 3.L'++'! .&! B5#$541'W!0.33'!1V*+'#/$'!'>!1'(!>*1*0.3(W!<5#!'A'3<1'X!
-'! #'+;.#0'3'+>! ,'(! (L+'#/$'(! '>! 1'! ,*B'1.<<'3'+>! ,'! 4#$%&'(! >'0H+.1./$%&'(! '>! ,V.&>$1(!15#/'3'+>!#*&>$1$(541'(!,V&+!('0>'&#!\!1V5&>#'!d'>!0'#>$;$*(!5&>5+>!%&'!<.(($41'g!<'#3'>>#5$>!,.+0!d$g! 5&A! ;.&#+$(('&#(!,'! >'0H+.1./$'! $++.B5+>(! ,V500#.m>#'! 1'&#!35#0H*! d'>! ,.+0!,'! /#5+,$#g! '>!d$$g!5&A! /#5+,(! $+>*/#5>'&#(! ,'! #'+;.#0'#! 1'&#! 5B5+>5/'! 0.+0&##'+>$'1! '+! >'#3'(! ,'! (b#'>*! ,'!;.+0>$.++'3'+>! '>! ,'! (*0&#$>*! ,'(! <'#(.++'(! '>! ,'(! 4$'+(X! -5! ,$(<.+$4$1$>*! ,'! 3$,,1'c5#'!0'#>$;$*W!35(%&5+>!15!,*<'+,5+0'!5&!35>*#$'1!.&!;50$1$>5+>!15!0.'A$(>'+0'!,'!;.+0>$.+(!0#$>$%&'(!'>! ,'! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! (&#! &+'! 3r3'! <15>'F;.#3'! 3&1>$F0n&#(W! '>! 1'!,*B'1.<<'3'+>! ,V&+'! /533'! 0.H*#'+>'! ,V.&>$1(! ,'! ,*B'1.<<'3'+>W! ,V$+>*/#5>$.+W! ,'!($3&15>$.+W!,'!B51$,5>$.+!'>!,'!/'(>$.+!,'!>'(>(W!(.+>!,'(!*1*3'+>(!01*(!\!0.+($,*#'#!,5+(!0'>>'!<'#(<'0>$B'X!Q5#511Z1'3'+>!\!0'(!';;.#>(!,'!#'0H'#0H'!'>!,*B'1.<<'3'+>W!&+'!0..<*#5>$.+!<1&(!
!"#$%&'(!)*+*#$%&'(!,&!-./$0$'1!2345#%&*! ! !99!7!89!! !
X98<64985!I348<4I7@;5!
-4K46764985!I348<4I7@;5!$86;37<64985!;863;!i98<64985!<3464LB;5!;6!
i98<64985!G!LB7@46>!?;!5;3J4<;!
(;<6;B3!
0;5B3;!;6!<9K
KO!
$R0!
.I64K
O!/98
i936!
.I64K
O!H39<;55!
.I64K
O!*8;
3=4;!
%B7
@46>!?;
!5;3J4<;!
! !
s1'0>#.+$%&'!/#5+,!<&41$0! ! ! ! ! ! ! J.b>(! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!-./$(>$%&'! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!^+;#5(>#&0>&#'(!-$+'(! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!S*0&#$>*! ! ! ! ! ! ! ! S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(!
`#5+(50>$.+!*1'0>#.+$%&'! ! ! ! ! ! ! !S*0&#$>*!$+;.!<.&#!>.&>'(!;.+0>$.+(W!
/'(>$.+!,'!15!0.+;$5+0'!!
^OUO 1+1-P('!'Q!/.+/-&($.+(!
-'(! >541'5&A! <#*0*,'+>(! ;.+>! 5<<5#5m>#'! ,'(! <.$+>(! 0.33&+(! '>! ,'(!,$;;*#'+0'(! ;.#>'(! '+>#'!('0>'&#(W!5B'0!,'(!0.+(*%&'+0'(!>5+>!0H'P!1'(!$+>*/#5>'&#(!,'!(L(>Z3'(!/1.45&A!d'+!>'#3'(!,'!0.3<*>'+0'(! '>! ,'! <#.0'((&(! ,'! ,*B'1.<<'3'+>gW! %&'! 0H'P! 1'(! *%&$<'3'+>$'#(W! (.0$*>*(! ,'!('#B$0'!'>!*,$>'&#(!,'!1./$0$'1(!$3<1$%&*(!,5+(!1'(!,$;;*#'+>(!('0>'&#(!5<<1$05>$;(X!
2|^)2iJ2S!JI^`^zh2S!
-V$3<.#>5+0'!;.#>'!'+!N#5+0'!,'!,$;;*#'+>(!('0>'&#(!(.&3$(!\!,'(!'A$/'+0'(!0#$>$%&'(!'+!>'#3'(!,'! 5l3;6>! ?;! i98<64988;K;86! '>! ,'! 5><B346>! ?;5! I;35988;5! ;6! ?;5! h4;85! 5! '&! <.&#! ';;'>! 1'!,*B'1.<<'3'+>! ,'! >'0H+$%&'(! $++.B5+>'(! '>! ,'! 0.3<*>'+0'(! ,5+(! 1'! ,.35$+'! 505,*3$%&'W!0H'P! 1'(! *,$>'&#(! ,'! 1./$0$'1(! '>W! ,'!35+$Z#'! <1&(! $+*/51'W! 5&! ('$+! ,'(! /#5+,(! /#.&<'(X! J'>>'!5B5+0'!'(>!0'<'+,5+>!\!0.+>#5(>'#!\!,'&A!;50>'&#(!,'!;5$41'(('!G!
! S$!,5+(!15!<1&<5#>!,'(!('0>'&#(!0.+0'#+*(!d5&>.3.4$1'W!;'##.B$5$#'W!5*#.+5&>$%&'W!'(<50'W!+&01*5$#'W!*+'#/$'W! >*1*0.3(gW!,'!/#5+,(!/#.&<'(!<#*,.3$+'+>!<5#3$! 1'(! $+>*/#5>'&#(!'>!1'(! (.&(F>#5$>5+>(! ,'! #5+/! 6W! 1'(! Q:2! (.+>! 4'5&0.&<! <1&(! +.34#'&('(! <5#3$! 1'(! (.&(F>#5$>5+>(!,'! #5+/! (&<*#$'&#! '>! 1'(! 0.3<*>'+0'(! (.&B'+>! >#.<!3.#0'1*'(!<.&#!4*+*;$0$'#!,'(!(L+'#/$'(!'+>#'!('0>'&#(X!
! -5! >'+($.+! '+>#'! 35m>#$('! ,'(! 0.b>(! '>! 'A$/'+0'(! ,'! 0'#>$;$05>$.+! +'! (V'A<#$3'! <5(! ,'!35+$Z#'! H.3./Z+'! (&#! 1V'+('341'! ,'! 0'(! ('0>'&#(X! M5+(! 1'! 0.+>'A>'! *B.%&*! 5&! <.$+>!<#*0*,'+>W! 0'>>'! ,$;;*#'+0'! 5! <.&#! 0.+(*%&'+0'! &+'! 3.$+,#'! 5(($3$15>$.+! ,'(!>'0H+.1./$'(! ,'! (b#'>*! '>! (*0&#$>*! ,5+(! 1'(! ('0>'&#(! ,V'A$/'+0'! 3.L'++'! .&! B5#$541'W!0.33'!1V*+'#/$'!'>!1'(!>*1*0.3(W!<5#!'A'3<1'X!
-'! #'+;.#0'3'+>! ,'(! (L+'#/$'(! '>! 1'! ,*B'1.<<'3'+>! ,'! 4#$%&'(! >'0H+.1./$%&'(! '>! ,V.&>$1(!15#/'3'+>!#*&>$1$(541'(!,V&+!('0>'&#!\!1V5&>#'!d'>!0'#>$;$*(!5&>5+>!%&'!<.(($41'g!<'#3'>>#5$>!,.+0!d$g! 5&A! ;.&#+$(('&#(!,'! >'0H+.1./$'! $++.B5+>(! ,V500#.m>#'! 1'&#!35#0H*! d'>! ,.+0!,'! /#5+,$#g! '>!d$$g!5&A! /#5+,(! $+>*/#5>'&#(! ,'! #'+;.#0'#! 1'&#! 5B5+>5/'! 0.+0&##'+>$'1! '+! >'#3'(! ,'! (b#'>*! ,'!;.+0>$.++'3'+>! '>! ,'! (*0&#$>*! ,'(! <'#(.++'(! '>! ,'(! 4$'+(X! -5! ,$(<.+$4$1$>*! ,'! 3$,,1'c5#'!0'#>$;$*W!35(%&5+>!15!,*<'+,5+0'!5&!35>*#$'1!.&!;50$1$>5+>!15!0.'A$(>'+0'!,'!;.+0>$.+(!0#$>$%&'(!'>! ,'! ;.+0>$.+(! \! %&51$>*! ,'! ('#B$0'! (&#! &+'! 3r3'! <15>'F;.#3'! 3&1>$F0n&#(W! '>! 1'!,*B'1.<<'3'+>! ,V&+'! /533'! 0.H*#'+>'! ,V.&>$1(! ,'! ,*B'1.<<'3'+>W! ,V$+>*/#5>$.+W! ,'!($3&15>$.+W!,'!B51$,5>$.+!'>!,'!/'(>$.+!,'!>'(>(W!(.+>!,'(!*1*3'+>(!01*(!\!0.+($,*#'#!,5+(!0'>>'!<'#(<'0>$B'X!Q5#511Z1'3'+>!\!0'(!';;.#>(!,'!#'0H'#0H'!'>!,*B'1.<<'3'+>W!&+'!0..<*#5>$.+!<1&(!
P. Paradinas - 2013
Computer Security
Introduction & Definitions
(Secure) Design Principles
Modern issues in security
Bibliography
10
P. Paradinas - 2013
Computer Science Security Definitions
Basics and definitions about confidentiality, integrity and availability
About threats
Policy and mechanisms
Assumptions and trust
Assurance
From specifications to the program
11
P. Paradinas - 2013
Basics
A system provides features. The threats may corrupt the system
Security protects the system against threats
Security is based on policies and mechanisms
System security analyzing improves security
Security is also related to trust
Human beings are part of the system and generally the weakest link !
12
P. Paradinas - 2013
Basic security properties
Confidentiality
Integrity
Availability
These properties are different and related to the system context
13
P. Paradinas - 2013
Basic security properties: confidentiality
Confidentiality is the feature of information where it have to be keep “secret” and not to be “revealed”
Examples:
secret key involved in a cryptographic protocol
information “reserved” to a group of person
password
...
14
P. Paradinas - 2013
Basic security properties: integrity
Integrity is a feature of information where there is trust on the data (or resources) in term of alterations/modifications (data integrity) and on data origin (origin integrity some time call authentication)
Examples:
In a operating system, “user management” must be based on integrity. Only “user” authorized may change the rules and authorization attached to a user
In a fund transfer integrity is on the amount, origin and destination
Integrity Mechanisms:
Prevention (how to protect )
Detection (how to detect if an information was altered)
15
P. Paradinas - 2013
Basic security properties: availability
Availability refers to the possibility to use data or resources of a system
Availability is part of the security issues as if some one establish conditions where the data or resources of a system are no longer available for a normal use it causes a “deny of access”
Examples:
DOS on Internet are well known
If a bank network is not available the day before Christmas then many commercial transactions will be impossible or done without “confirmation” from the bank
The system design (statical, expected pattern, parameters,...) defines a usage model, if it fails we enter in DOS
DOS detection is very complex task
16
P. Paradinas - 2013
Threats/Attacks
A threat is a potential violation of security. When the violation occurs, it is an attack. The attacks are performed by attackers
A system must be prepared to prevent attacks and executes countermeasures
4 large classes of threat:
Disclosure (non authorized information are revealed)
Deception (acceptance of false data)
Disruption (interruption of operation)
Usurpation (non authorized control of the system)
17
P. Paradinas - 2013
Different threats
Snooping (wiretapping, passive wiretapping)
Modification
Masquerade
Delegation
Repudiation of origin
Denial of receipt
DOS
18
P. Paradinas - 2013
Policy and mechanism
Definition: A security policy is a statement of what is, and what is not allowed
A security policy specifies “secure” and “non secure” states and actions
Definition: A security mechanism is a method, tool, or procedure for enforcing a security policy
A security policy can (must) be defined by mathematical and formal technics
Example:
Change its password is allowed for an entity
Request a proof of an identity before to accept to change a password is a security mechanism
19
P. Paradinas - 2013
Goals of policy and mechanism
For a given security policy security mechanisms can:
Prevent
In this case attacks fail, attacks are not efficient,
Detect
The mechanism is able to detect that attacks are performed, detected and have to be reported
Recovery
Is the set of actions necessary to put in place to reach and establish a new “secure state” of the system
20
P. Paradinas - 2013
Assumptions and Trust
Security is based on assumptions:
Policy splits system states in two part with no ambiguity: “secure” and “non-secure”
Mechanism prevent to move from “secure” state to “non secure” state
If one of these assumptions are false then the system is non secure
Let P the set of system states. Let Q the set of system secure state. Let R the set of reduced system states by the mechanisms (R ≤ P).
A security mechanism is secure if R ≤ Q
A security mechanism is precise if R = Q
A security mechanism is broad if there are state r€R et r€Q
21
P. Paradinas - 2013
Security and Precision (R=P)ACCESS CONTROL MECHANISMS 201
FIGURE 4.4 Security and precision.
All States Authorized States
S (given policy)
Unauthorized States
Reachable States (given mechanism)
Secure' R c p
Precise: R = P
systems whose security can be verified. Finally, we shall examine theoretical ques- tions related to proving properties about the transfer of rights in abstract models.
4.2.2 Reliability and Sharing
Protection mechanisms enforce policies of controlled sharing and reliability. Sev- eral levels of sharing are possible:
o
2. 3. 4.
No sharing at all (complete isolation). Sharing copies of data objects. Sharing originals of data objects. Sharing untrusted programs.
Each level of sharing imposes additional requirements on the security mechanisms of a system. The sharing of data introduces a problem of suspicion, where the owner s of a data object x may not trust another subject sl with whom s shares access. For example, s may fear that sl will grant its access rights to x to
22
P. Paradinas - 2013
Assumptions and Trust
In real word, mechanisms are broad
Trust in mechanisms requires assumptions:
Each mechanism implement one or more part of the security policy
The union of mechanisms implements the all policy
The mechanism are correctly implemented, installed and managed during the life cycle of the system
23
P. Paradinas - 2013
Insurance
Trust is difficult to evaluate ? How much you trust a system ?
How you develop your system provides an assurance level of the trust in the system
A system is said to satisfy a specification if the specification correctly states how the system will work.
24
P. Paradinas - 2013
Specification
Specifications are a precise statement of the system behaviors
It describe what the system is allow to do (and not to do)
The specification may be formal (based on mathematical or formal language) or informal (set of phrases) description
The level of description may be different (low or high level language description)
The specification are not only relevant to security function but on the system itself
Use the same formalism is challenging and benefit for the system
Security is a non functional property
25
P. Paradinas - 2013
Design and implementation
The design of a system transforms the specification into a component that will implement them
The design is said to satisfy the specifications, in any cases, the design will not permit the system to violate the specification
The design implementation realizes the functions (execute the “system functions”)
On CS it is a program executable on an engine
By transitivity an implementation satisfy a system specification
A program is correct if it implementation performs as specified
Proof of program is very complex and difficult to do !
As correctness is a big issue, a posteriori technics like verification of the system by testing are performed
26
P. Paradinas - 2013
Operational issues and others points
Cost benefit analysis
Risk analysis
Laws and customs (cryptography)
Certifications
Organizational problems
People problems
inside and outside
27
P. Paradinas - 2013
Not so simple
The different notions are “interleaved” and nested
System is in “real word” and the word changes !
The cost of security have to be compared with the system (and threats) costs
Threats/Attacks
Policy/Requirements
Specification
Design
Implementation
Operation
28
P. Paradinas - 2013
From D. Denning books
DATA SECURITY 5
modification and injection of false messages by making it infeasible for an oppo- nent to create ciphertext that deciphers into meaningful plaintext. Note, however, that whereas it can be used to detect message modification, it cannot prevent it.
Encryption alone does not protect against replay, because an opponent could simply replay previous ciphertext. Cryptographic techniques for protecting against this problem are discussed in Chapter 3. Although encryption cannot prevent message deletion, the cryptographic techniques discussed in Chapter 3 can detect deletions of blocks or characters within a message stream. Deletion of entire mes- sages can be detected with communication protocols that require message acknowledgment.
FIGURE 1.4 Threats to data stored in computer systems.
Computer system
overwriting modifying
replaying
browsing
P classified
data
"'"k__ confidential
data
statistic
inference
FT]
leaking
r
unclassified user
inserting
deleting
29
P. Paradinas - 2013
Computer Security
Introduction & Definitions
(Secure) Design Principles
Modern issues in security
Bibliography
30
P. Paradinas - 2013
Design principles
As in all system design phase is essential
In security, following principles avoid some classical mistakes, errors, ... the principles are not an insurance but may help !
The principles
The principle of Least Privilege states that a subject should be given only those privileges that it needs in order to complete its task
Program or process have only access to their data. A wrong program will not be able to modify data of an other program or process
The principle of Fail-Safe Defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object
If we come back to privilege modes, there is a contradiction with this principle. In a super mode all access are allowed and its more large than the restriction on the objets
31
P. Paradinas - 2013
Design Principle (Cont’d)
The principle of Economy Mechanism states that the security should be as simple as possible
Doesn’t build a “gaze factory”
32
P. Paradinas - 2013
Design Principle (Cont’d)
The principle of Complete Mediation requires that all accesses to object be checked to ensure that they are allowed
Let a subject request to read a file F. If it is allowed to read the file and the file is read in different step. After some step if the status of the file change (i.e. the right granted is remove) the subject may continue to read the file
33
P. Paradinas - 2013
Design Principle (Cont’d)
The principle of Open Design states that the security of a system is not based on secrecy of its design and implementation
It is not true to think that secret design or implementation increase the security...
In cryptography publication of algorithms and protocols improve the security because the community is able to see the design and to evaluate the strength of it
34
P. Paradinas - 2013
Design Principle (Cont’d)
The principe of Separation of Privilege states that a system should not grant permission based on a single condition
Example:
in organization some decisions or actions require the agreement of different person
during a count creation on information system is necessary to get authorization of HR services and from IT department
in Unix to switch on root mode needs the root password and be part of the group with GID 0 in Berkley based Unix
35
P. Paradinas - 2013
Design Principle (Cont’d)
The principe of Least Common Mechanism states that mechanisms used to access resources should not be shared
Rationale:
In a system where resources are shared by different users may provide information through “information channels”. To avoid these issues isolation and confinement are established by OS
36
P. Paradinas - 2013
Design Principle (Cont’d)
The principle of Psychological Acceptability states that:
the mechanism must be easy and completely to use (i.e. acceptable and no bypass)
the mechanism should not increase the conditions to access information
37
P. Paradinas - 2013
Computer Security
Introduction & Definitions
(Secure) Design Principles
Modern issues in security
Bibliography
38
P. Paradinas - 2013
Mobile devices...
39
P. Paradinas - 2013
Mobile phone security
What it is important to protect ?
What are the threats
Data (calendar, contact, access code...)
privacy
Identity of the phone owner
ID & pwd
Availability
Who are the attacker (same as IT)
Professional, thieves and hackers
Consequences
...
40
P. Paradinas - 2013
Mobile phone security
Consequences
Data deletion, loss, stolen,...
Record conversations between the users
Decrease HS performances (battery)
Phone calls perform on number taxed
Use as a zombie machine
…
41
P. Paradinas - 2013
What are the technics
Attacks on:
Attack based on SMS & MMS
Attacks based on communication networks
GSM
Wi-Fi, Buetooth
Physical attacks and reverse engineering
and on software...
42
P. Paradinas - 2013
What are the technics (cont’d)
Attacks based on vulnerabilities in software
OS
Web and App
Malicious Software (Malware)
Viruses and Trojans
Spyware
• Long list on the wikipedia article
43
P. Paradinas - 2013
Contermeasure
Hardware
Firmware, bootloader
Operating System
With isolation, rights,…
Memory protection and sand box mechanisms
VM, hyperviser
Applications distribution model
Access control (where are the protections)
Pin Code, or advanced biometrics device like on iPhone 5S
But also…
44
P. Paradinas - 2013
Contermeasure (cont’d)
Completed by
Resource Monitoring in the smartphone
Network audit and surveillance
Manufacturer's audit and surveillance
User awareness (!)
45
P. Paradinas - 2013
Automotive
46
!
!
!
Master SEMS : Systèmes Embarqués Mobiles Sûrs CNAM – Département Informatique École SITI
Selon plusieurs études les systèmes embarqués sont un des domaines des Nouvelles
Technologies de l’Information et de la Communication les plus actifs en terme de création
d’emplois et de génération de valeur pour les entreprises au travers d’applications innovantes.
Comme le souligne le « rapport Potier1 », les systèmes embarqués ne se limitent pas au
domaine des systèmes temps réel critiques liés aux applications classiques du transport et/ou
du contrôle-commande. Il existe aussi de très nombreux autres domaines qui embarquent du
matériel et du logiciel complexe à réaliser en résolvant les contraintes fortes de prix, sécurité,
fiabilité, efficacité et de qualité de services offerts comme : les cartes à puce, la téléphonie
mobile, la gestion des immeubles, la gestion des énergies, l’intelligence ambiante et les
applications tournées vers la personne. Le CNAM et le département Informatique de l’école SITI (Science Industrielle et
Technologies de l’Information) ont mis en place le Master SEMS : Systèmes Embarqués
Mobiles et Sûrs permettant de préparer les étudiants aux métiers du développement de
systèmes embarqués mobiles sûrs. Le Master-SEMS est associé à l’Ecole nationale supérieure d’informatique pour l’industrie et
l’entreprise, à l’Ecole Centrale d’électronique de Paris, l'Institut Supérieur d'Electronique de
Paris sous forme d’habilitation pour l’ENSIEE (http://www.ensiie.fr) et de convention pour
l’ECE (http://ece.fr) et l'ISEP (http://www.isep.fr/).
Ce Master est destiné en priorité à des étudiants de niveau master informatique (master M1
ou en dernière année d'école d'ingénieur), ayant un goût prononcé pour les applications
mobiles, embarquées développées de manière sécurisée et sûre.
Objectifs La formation a pour but de former des spécialistes en informatique de niveau Bac + 5 qui
soient au fait des dernières technologies en matière de système embarqué mobiles et sûrs
comprenant : • Langages de programmation pour l’embarqué : Java, C, C++,…
• Plateforme d’exécution : Java ME, Java Card, Android, iOS, OSEK, …
• Réseaux mobiles, réseaux de capteurs ; • Plateformes embarquées de confiance : cartes à puce, TPM, TEE,…
• Technologies pour la mise en place d’application sécurisée (cryptographie, sécurité
informatique, détection d’intrusion, …) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 http://www.industrie.gouv.fr/logiciel-embarque/!
P. Paradinas - 2013
!
!
!
Master SEMS : Systèmes Embarqués Mobiles Sûrs CNAM – Département Informatique École SITI
Selon plusieurs études les systèmes embarqués sont un des domaines des Nouvelles
Technologies de l’Information et de la Communication les plus actifs en terme de création
d’emplois et de génération de valeur pour les entreprises au travers d’applications innovantes.
Comme le souligne le « rapport Potier1 », les systèmes embarqués ne se limitent pas au
domaine des systèmes temps réel critiques liés aux applications classiques du transport et/ou
du contrôle-commande. Il existe aussi de très nombreux autres domaines qui embarquent du
matériel et du logiciel complexe à réaliser en résolvant les contraintes fortes de prix, sécurité,
fiabilité, efficacité et de qualité de services offerts comme : les cartes à puce, la téléphonie
mobile, la gestion des immeubles, la gestion des énergies, l’intelligence ambiante et les
applications tournées vers la personne. Le CNAM et le département Informatique de l’école SITI (Science Industrielle et
Technologies de l’Information) ont mis en place le Master SEMS : Systèmes Embarqués
Mobiles et Sûrs permettant de préparer les étudiants aux métiers du développement de
systèmes embarqués mobiles sûrs. Le Master-SEMS est associé à l’Ecole nationale supérieure d’informatique pour l’industrie et
l’entreprise, à l’Ecole Centrale d’électronique de Paris, l'Institut Supérieur d'Electronique de
Paris sous forme d’habilitation pour l’ENSIEE (http://www.ensiie.fr) et de convention pour
l’ECE (http://ece.fr) et l'ISEP (http://www.isep.fr/).
Ce Master est destiné en priorité à des étudiants de niveau master informatique (master M1
ou en dernière année d'école d'ingénieur), ayant un goût prononcé pour les applications
mobiles, embarquées développées de manière sécurisée et sûre.
Objectifs La formation a pour but de former des spécialistes en informatique de niveau Bac + 5 qui
soient au fait des dernières technologies en matière de système embarqué mobiles et sûrs
comprenant : • Langages de programmation pour l’embarqué : Java, C, C++,…
• Plateforme d’exécution : Java ME, Java Card, Android, iOS, OSEK, …
• Réseaux mobiles, réseaux de capteurs ; • Plateformes embarquées de confiance : cartes à puce, TPM, TEE,…
• Technologies pour la mise en place d’application sécurisée (cryptographie, sécurité
informatique, détection d’intrusion, …) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1 http://www.industrie.gouv.fr/logiciel-embarque/!
Automotive
More and more ECU in a car
A CAN bus (Controller Area Network)
47
Low-Speed High-SpeedComponent Functionality Comm. Bus Comm. BusECM Engine Control Module
Controls the engine using information from sensors to determine the amountof fuel, ignition timing, and other engine parameters.
X
EBCM Electronic Brake Control ModuleControls the Antilock Brake System (ABS) pump motor and valves, prevent-ing brakes from locking up and skidding by regulating hydraulic pressure.
X
TCM Transmission Control ModuleControls electronic transmission using data from sensors and from the ECMto determine when and how to change gears.
X
BCM Body Control ModuleControls various vehicle functions, provides information to occupants, andacts as a firewall between the two subnets.
X X
Telematics Telematics ModuleEnables remote data communication with the vehicle via cellular link.
X X
RCDLR Remote Control Door Lock ReceiverReceives the signal from the car’s key fob to lock/unlock the doors andthe trunk. It also receives data wirelessly from the Tire Pressure MonitoringSystem sensors.
X
HVAC Heating, Ventilation, Air ConditioningControls cabin environment.
X
SDM Inflatable Restraint Sensing and Diagnostic ModuleControls airbags and seat belt pretensioners.
X
IPC/DIC Instrument Panel Cluster/Driver Information CenterDisplays information to the driver about speed, fuel level, and various alertsabout the car’s status.
X
Radio RadioIn addition to regular radio functions, funnels and generates most of the in-cabin sounds (beeps, buzzes, chimes).
X
TDM Theft Deterrent ModulePrevents vehicle from starting without a legitimate key.
X
Table I. Key Electronic Control Units (ECUs) within our cars, their roles, and which CAN buses they are on.
The CARSHARK Tool. To facilitate our experimentalanalysis, we wrote CARSHARK — a custom CAN bus ana-lyzer and packet injection tool (see Figure 4). While thereexist commercially available CAN sniffers, none were ap-propriate for our use. First, we needed the ability to processand manipulate our vendor’s proprietary extensions to theCAN protocol. Second, while we could have performedlimited testing using a commercial CAN sniffer coupledwith a manufacturer-specific diagnostic service tool, thiscombination still doesn’t offer the flexibility to support ourfull range of attack explorations, including reading out ECUmemory, loading custom code into ECUs, or generatingfuzz-testing packets over the CAN interface.
IV. INTRA-VEHICLE NETWORK SECURITY
Before experimentally evaluating the security of indi-vidual car components, we assess the security propertiesof the CAN bus in general, which we describe below.We do so by first considering weaknesses inherent to theprotocol stack and then evaluating the degree to whichour car’s components comply with the standard’s specifi-cations.
A. CAN Bus
There are a variety of protocols that can be implementedon the vehicle bus, but starting in 2008 all cars sold in theU.S. are required to implement the Controller Area Network(CAN) bus (ISO 11898 [17]) for diagnostics. As a result,CAN — roughly speaking, a link-layer data protocol — hasbecome the dominant communication network for in-carnetworks (e.g., used by BMW, Ford, GM, Honda, andVolkswagen).
A CAN packet (shown in Figure 5) does not includeaddresses in the traditional sense and instead supports apublish-and-subscribe communications model. The CAN IDheader is used to indicate the packet type, and each packetis both physically and logically broadcast to all nodes,which then decide for themselves whether to process thepackets.
The CAN variant for our car includes slight extensionsto framing (e.g., on the interpretation of certain CAN ID’s)and two separate physical layers — a high-speed bus whichis differentially-signaled and primarily used by powertrainsystems and a low-speed bus (SAE J2411) using a singlewire and supporting less-demanding components. Whennecessary, a gateway bridge can route selected data between
Appears in 2010 IEEE Symposium on Security and Privacy. See http://www.autosec.org/ for more information. 5
?
P. Paradinas - 2013
Security/safety
Part of the bus is dedicated to critic systems
Part of the bus is dedicated infotainement systems
New scenario is:
The control is taken by external entity on the car
Control may be used to corrupt car function
Security issues on the CAN bus
Broadcast Nature
Fragility to DoS
No Authenticator Fields
Weak Access Control
48
P. Paradinas - 2013
Other domains
Airplane
DO178B & DO178C
& ARINC 653
…
Smart grid and privacy
Your electric consumption is related to what TV program you watch !s
49
P. Paradinas - 2013
Bibliograhy
Books:
Computer Security - Art and Science, Matt Bishop, Addison Wesley, 2003
Security Engineering, Ross Anderson, Addison Wesley
Cryptography and Data Security - Addison Wesley, Dorothy Denning, 1982
Available on the web
Web
http://www.schneier.com/
http://www.autosec.org
Rapport Pottier
Identity Theft Resource Center (Dashable.com)
50
P. Paradinas - 2013
Computer Science Security (Secure) Design Principles