2024: Domino Containers - The Next Step. News from the Domino Container commu...
40 Jahre Informatik Hamburg
1. 26.05.2012
Mit Sicherheit innovativ!
Claudia Eckert
TU München,
Fraunhofer Institut AISEC
1
40 Jahre Informatik Hamburg
18.11. 2011 Universität Hamburg
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics 2
Sicherheit benötigt Forschung
Si h h it b öti t F h
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
Claudia Eckert 2
1
2. 26.05.2012
1. Motivation
Mainframes, Embedded, Smart Environments & CPS
5) Smart
Environments & CPS
4) RFID-Tags Smart Grid Factory of
Embedded the Future
90% of all
1) Mainframes CPUs are
embedded
1User 8.5% growth
1 Computer 1 Computer Multiple Computers 17 Billion total
Multiple Users 1 User M2M revenue
Time
Claudia Eckert 3
1. Motivation
Trends in ICT
Cyber Physical Systems (CPS)
• Integration of physical environments and ICT systems (of systems)
Characteristics:
• Lots of Autonomous devices/sensors e.g. Smart Grid
• Embedded systems
• Heterogeneous networks
• M2M‐communication
Main tasks:
• Controlling & monitoring complex systems often in real‐time
• Collecting data, exchange data, trigger actions, ….
Claudia Eckert 4
2
3. 26.05.2012
1. Motivation
Trends in ICT
Cloud Computing
New style of computing where massively scalable IT‐enabled
capabilities are delivered ‘as a service’ to external customers
using Internet technologies (Gartner 2008)
Claudia Eckert 5
1. Motivation
Trends in ICT
1. Internet of Things =
Embedded Systems + Cyber Physical + Internet
2. Internet of Services/Cloud Computing =
Business Software + new Business Models + Internet
3. Future Internet =
Internet of Things + Internet of Services + Mobility +
Improved Core‐Network + Internet of Knowledge & Content
New Business Opportunities: e.g.
• Smart Grid, Smart Mobility, Smart Health, Smart Cities, Factory of
the Future, Smart Logistics, …
• Challenge: Handling of “Big Data”:
Data Acquisition, Analytics, Provisioning, …
Claudia Eckert 6
3
4. 26.05.2012
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics 7
Sicherheit benötigt Forschung
Si h h it b öti t F h
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
Claudia Eckert 7
2. Future Internet
Business Opportunities
Mobile Application: Convergence private/business
Consumerized IT!
Loyalty
Identity
Payment Management
Communicate
Physical Pay Content
Access Download
Transact Identify
y
DRM Ticketing
Device
Configuration
Claudia Eckert 8
4
5. 26.05.2012
2. Future Internet
Business Opportunities
Consumerized IT
An increasing number of organizations take a strategic
approach to Consumerization by providing IT support
IT support
for personal devices
Quelle: bringyourownit.com/2011/09/26/
trend‐micro‐consumerization‐report‐2011/
Increased Efficency:
Recent studies have shown that allowing employees to
use innovative, state‐of‐the‐art devices and services
of their own choosing can increase their efficiency.
f th i h i i th i ffi i
Reduced Costs:
Reduced capital expenditures are likely as employees turn to their
own personal devices to perform work, with the added benefit of
lower device management and maintenance costs.
Quelle: Booz & Company, Comsumerization of IT, 2010
2. Future Internet
Business Opportunities
Automotive Industry: Connected Drive, Web‐Services in Cars
Intelligent Car
Routing and Traffic info and
Road Billing
g
Navigation
N i ti web cams
(Location based)
Fleet Management web information
GPS Street Inter Car
Parking Communication
Parking Slots
Reservation Contactless Gas Mobile TV
Station
Use of Web Services will be common in the car
Importance of protection against attacks from the internet will increase
Claudia Eckert 10
5
6. 26.05.2012
2. Future Internet
Business Opportunities
Smart Mobility: Internet within the vehicle
• IP‐based communication: few and more complex control units
• Value‐added services Business Apps cloud‐based services
Value‐added services, Business Apps , cloud‐based services
e.g. on‐board diagnostics, entertainment, e‐mobility
Claudia Eckert 11
2. Future Internet
Business Opportunities
Smart Energy: from e‐Energy to eMobility
eMobility
ICT to manage and control energy‐grids
• New pricing billing models
New pricing, billing models Dynamic Management
Power Consumption
• New services, Solar cells when price is low
e.g. AAI
Private Households
Office-facilities
Outage
Processors: Sensors:
Controls Detection of
Disruptions
Storage
Isolated Grid
Wind-Farm Generators: Power plant
Local energy Industrial
producer
plant
12
6
7. 26.05.2012
2. Future Internet
Business Opportunities
Its all about Data, Information & Knowledge!
Its is all about Security of Data:
• Correctly identified person, service, device? Authenticity
• Correct data, not manipulated? Integrity
• No data leakages to unauthorized parties? Confidentiality
• Is authorized access to data possible? Availability
Security is essential
Claudia Eckert 13
2. Future Internet
Business Opportunities
And .....
Appropriate Security Measures are urgently required
Because ....
• Attack surfaces grow
• Lots of attacks that jeopardize the Security
Claudia Eckert 14
7
8. 26.05.2012
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics 15
Sicherheit benötigt Forschung
Si h h it b öti t F h
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
Claudia Eckert 15
3. Security Threats
Hardware Attacks
Malicious Hardware
• Physical Access to Hardware like
Physical Access to Hardware like
Sensors (e.g in cars):
• Generate manipulated data,
• Delete data,
• Data leakages Manipulated Smart Meter
in AISEC Lab
• Product counterfeiting:
• Forged hardware with low quality
• Safety problems
• Liability problems
Forged break disc (left original)
Claudia Eckert 16
8
9. 26.05.2012
3. Security Threats
Software Manipulation Attacks
Malicious Software
• Vulnerable Software (Operating System, Web‐
( p g y
Application, Server)
• Code Injection
• Data access: manipulation, deletion
• Session Hijacking
• ID Spoofing
• Denial of Service:
Safety‐critical applications
can be influenced as well!
Claudia Eckert 17
‚alltägliche‘ Angriffe
18
9
11. 26.05.2012
3. Security Threats
Example:Smart Grids
Claudia Eckert 21
Current Look & Feel ….
Future Internet will be a Security Nightmare
Any Hope? What is required?
Security Technology: Scalable, adaptable, seamless
Built‐in Security: New Architectures
Secure by Design
Health‐Monitoring: New Services, Security as Service
Secure during operation
Security Culture: Education, Training, Awareness
Claudia Eckert 22
11
12. 26.05.2012
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics 23
Sicherheit benötigt Forschung
Si h h it b öti t F h
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
Claudia Eckert 23
4. Research Topics
Security Technology
e.g. Scalable Hardware‐Security
• Attack‐resistant Hardware modules
• Reconfigurable hardware cores
• Secure Object Ids for M2M authentication
• Lightweight cryptography to support resource‐poor sensors
Claudia Eckert 24
12
13. 26.05.2012
4. Research Topics
Secure by Design
e.g. Trustworthy Software‐Architectures:
• Secure Programming:
• Input Filtering etc.
• Isolated execution environments
• Controlled isolation of applications
• Trusted Input/Output , trusted path
• Security & integrity checks
Security & integrity checks
• Security check‐points , metrics
• Detection of invalid system states
• Rollback
Claudia Eckert 25
4. Research Topics
Secure by Design
Example: next Generation Mobile Phones
Mobile Payment Mobile Banking Mobile Ticketing Mobile Visa Mobile Health Mobile Public
Services Services
Trusted
Applications
Trusted
Execution
Environment
13
14. 26.05.2012
4. Research Topics
Secure during Operation
e.g. Security as a Service
• Identity Management
e.g. with nPA
mobile nPA (not yet)
• Health monitoring &
Malware detection
e.g. Improve detection and
e g Improve detection and
reaction methods
Learn from observed
attacker behavior
Claudia Eckert 27
Outline
1. Motivation: Informatik formt Zukunft
2. Future Internet
Informatik als Innovationsmotor
3. Security Threats
Innovationen benötigen Sicherheit
4. Research Topics 28
Sicherheit benötigt Forschung
Si h h it b öti t F h
5. Selected Examples @AISEC/TUM
Mit Sicherheit innovativ!
6. Summary
Claudia Eckert 28
14
15. 26.05.2012
5. Selected Examples @ AISEC/TUM
Lightweight Cryptography
Secure Remote Key-less Entry, RKE
Problem:
Many vehicle access systems possess
intrinsic security weaknesses
Symmetric cryptography for
authentication often used
Easy to crack!
Solution:
Lightweight implementation of ECC
and PKI: strong cryptography
Secure access protocols
Claudia Eckert 29
5. Selected Examples @ AISEC/TUM
New Concepts for Component Identification
‘Finger prints’ for Objects: Unclonable Material-Based Security
Problem
• Secrets can be extracted :
spoofed component ID, insecure keys
Solution
• Physical unclonable function (PUF)
• Object fingerprints, depend on variations
of the of manufacturing process
• M2M Authentication:
Physical structure generates
Challenge-Response-Pairs in an unpredictable way
• Secure generation of cryptographic keys for standard protocols
• No protected memory necessary
Claudia Eckert
15
16. 26.05.2012
5. Selected Examples @ AISEC/TUM
Scalable Hardware Security Modules
Automotive Environment
Problem
• Fl h Storage is insecure: not appropriate
Flash St i i t i t
for keys and sensitive data
• Secure Storage within each ECU is very
expensive
Solution
Central key manaegment using a
dedicated Secure Hardware Element
Benefit
• Secure M2M authentication of components
• Manipulation-resistant storage and cryptographic services
• Basis for secure In-Car and Car2X communication
Claudia Eckert 31
5. Selected Examples @ AISEC/TUM
Secure by Design
Smart Meter/Gateway
Problem:
• data leakages, privacy issues
leakages
Solution
• Secure Smart Meter
Compliant to BSI Protection Profile
• Based on Hardware Security Module Display
• Secure Handling of metering data:
authentication, Access control, HSM
data confidentiality (encryption)
• Privacy by design:
HSM
data aggregation, filtering
Claudia Eckert 32
16
17. 26.05.2012
5. Selected Examples @ AISEC/TUM
Secure by Design
Product Piracy Protection
Problem
C Copy, Re-Engineering Hi h T h Componentes
R E i i High-Tech C t
Solution
Secure Element used as trust anchor for firmware
Authentication between firmware und hardware
Software Obfuscation for firmware
Tight coupeling of firmware & hardware
Claudia Eckert 33
5. Selected Examples @ AISEC/TUM
Secure during Operation
Monitoring of Cloud-Services Workflow
Manager
GRC
Manager
Problem Policy Metrics
a age
Manager a age
Manager
Cloud-user lose control over their data: where is
the data (leakages?), who has access, … PLUGINS
Solution Application
Modelle Vorlagen
KPIs to measure security
Event Bus
Application Server
DSL Interpreter
status of outsourced Appl. App Controller
Complex Event Processing
Dynamic controls to detect Java VM MONITORING FRAMEWORK
misbehaviour, deviations
Virtuelle Maschine Virtuelle Maschine
Monitoring: e.g.
Xen / KVM Hypervisor
Data flows (where is my data),
Log-files (who had access), Betriebssystem
Events (IDS, …)
Claudia Eckert 34
17
18. 26.05.2012
5. Selected Examples @ AISEC/TUM
Secure during Operation
New Approaches for Malware Analytics: Topic Models
Latent topics in
system Call traces
E.g. Expert view:
Tr1: graphics program
Tr2: read and transmit
file content
Tr 3: receive and display
a picture
Expert reveals latent structures: clustering/classifying using
semantic expert know-how
Claudia Eckert 35
5. Secure during Operation
Some AISEC/TUM Examples
Improved Malware analytics: SST Supervised Topic Transition
Using Machine Learning Techniques and Topic Modeling for clustering
Improved ‘semantic’ Clustering and Classification of malware
Claudia Eckert 36
18
19. 26.05.2012
5. Secure during Operation
Some AISEC/TUM Examples
SST Supervised Topic Transition
>70 topics: High accuracy, low false alarm rate, low missing rate!
37
Putting it all together:
Example: Secure Smart Grids
19
20. 26.05.2012
Summary & Take Home Message
ICT driver of Innovations:
• Huge amounts of data are collected, processed, distributed
Innovation needs Security:
• Data security, integrity, confidentiality is a MUST have
Security needs Research:
• Security Technologies: Scalable, adaptable
• Built‐in Security & Health Monitoring: Architectures, Services
Security needs Multidisciplinarity
• Informatics, Engineering, Math: Architecture, SE, HMI, Networks
• Business Administration, Law, Ethics,...
Security needs Education: Security Culture
Claudia Eckert 39
40 Jahre Informatik an der
Universität Hamburg
Herzlichen Glückwunsch!
• Informatik formt die Zukunft
• Informatik ist Innovationsmotor
• Informatik an der Universität Hamburg
Technologie & Gesellschaft
Mit Sicherheit innovativ!
Alles Gute für die nächsten 40 Jahre!
Claudia Eckert 40
20
21. 26.05.2012
Thank you for your Attention
Claudia Eckert
Fraunhofer AISEC
TU München, Chair for IT Security
E-Mail: claudia.eckert@aisec.fraunhofer.de
Internet: http://www.aisec.fraunhofer.de
Claudia Eckert 41
21