These are the slides presented by Luca Mannella at WoRIE'21, the 10th Workshop on the Reliability of Intelligent Environments.
The presented paper is entitled: Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer.
1. Perception of Security Issues in the
Development of Cloud-IoT Systems
by a Novice Programmer
Fulvio CORNO, Luigi DE RUSSIS, and Luca MANNELLA
e-Lite Research Group, Politecnico di Torino, Turin, Italy
WoRIE’21: June 22nd, 2021
10th Workshop On the Reliability of Intelligent Environments
2. OUTLINE
• Introduction
• Use Case Architecture Analysis
• Amazon Web Services Security Analysis
• Developers’ Perspective on AWS Security
• Conclusions & Discussions
2021-06-22
WORIE'21: FULVIO CORNO, LUIGI DE RUSSIS, AND LUCA MANNELLA 2
3. INTRODUCTION
• Research Question:
Is a Cloud-IoT platform secure when it is used by a Novice IoT Programmer?
• Novice IoT Programmer
• A software developer who is new to the IoT world
• Not new to programming
• An attractive platform for a Novice IoT Programmer: Amazon Web Services
• Very famous and widespread
• One of the most complete cloud platforms
• Provides services on demand
4. USE CASE ARCHITECTURE ANALYSIS
5. A CLOUD-IOT ARCHITECTURE
• Sensing devices
• Acting devices
• Some front-end devices
• AWS cloud back-end
• Manages the devices
• Stores data in a database
• Provides some APIs for the front-end devices
8. MAIN COMMON ATTACK POINTS
• Back-end
• The developed code inside the AWS Lambda functions
• The database
• Front-end devices
• Out of the developer's control
• The data flows between
• The sensors and the back-end
• The back-end and the actuators
• The API gateway and the front-end devices
10. AWS ANALYSIS
• Data Flow Protection
• Data could be eavesdropped, tampered with, or forged
• AWS requires encrypted connections to its back-end
• TLS for HTTP connections
• IPsec using Amazon VPC
• Database Protection
• Every request to the DB must carry a valid HMAC-SHA256 signature (AWS Signature Version 4)
• DynamoDB is accessible via TLS endpoints
• Data in transit are protected
• By default, DynamoDB data are encrypted at rest
• Fine-grained access control policies (through IAM)
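The data-flow and database protections on this slide rest on the same primitive: an HMAC-SHA256 signature over the whole request (AWS Signature Version 4) that lets DynamoDB reject anything eavesdropped and replayed with changes, tampered with, or forged. The Python below is an added example, not code from the paper or from AWS's SDKs: it signs a constructed DynamoDB GetItem request the way a client would and verifies it the way the service does. The credentials, host, date, table name and request body are made up for the demo; the key-derivation chain and the canonical-request layout follow the published SigV4 specification.

```python
import hashlib
import hmac

# Constructed demo credentials (not real AWS keys). The server side of the demo
# looks the secret up by access key id, as the AWS front-end does for a request.
CREDENTIALS = {"AKIAEXAMPLEDEMOKEY01": "demo-secret-key-never-use-in-production"}
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the long-term secret is never used directly but
    narrowed, by chained HMACs, to one day, one region and one service."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def string_to_sign(host, amz_date, target, body, region, service):
    """Canonical request for a DynamoDB JSON POST, hashed into the SigV4
    string to sign. The signed headers and the body hash are all covered, so
    changing any of them changes the signature."""
    canonical_headers = (
        "content-type:application/x-amz-json-1.0\n"
        f"host:{host}\n"
        f"x-amz-date:{amz_date}\n"
        f"x-amz-target:{target}\n"
    )
    signed_headers = "content-type;host;x-amz-date;x-amz-target"
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(body)]
    )
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    sts = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical_request)])
    return sts, scope, signed_headers


def sign_request(access_key, secret, region, host, amz_date, target, body,
                 service="dynamodb"):
    """Client side: the Authorization header value for one request."""
    sts, scope, signed_headers = string_to_sign(host, amz_date, target, body,
                                                region, service)
    key = signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify_request(authorization, host, amz_date, target, body):
    """Server side (what DynamoDB does): parse the header, fetch the secret
    for the access key, recompute the signature and compare in constant time.
    Any tampering with the body, the signed headers or the date fails here."""
    try:
        parts = authorization.split(" ", 1)[1].split(",")
        fields = dict(p.strip().split("=", 1) for p in parts)
        access_key, date, region, service, _ = fields["Credential"].split("/")
    except (ValueError, KeyError, IndexError):
        return False
    secret = CREDENTIALS.get(access_key)
    if secret is None or date != amz_date[:8]:
        return False
    expected = sign_request(access_key, secret, region, host, amz_date,
                            target, body, service)
    return hmac.compare_digest(expected, authorization)


# Constructed GetItem request, as a Lambda function reading a sensor table
# would send it; the host, date, table and key are made up for the demo.
REQUEST = dict(
    host="dynamodb.eu-west-1.amazonaws.com",
    amz_date="20210622T100000Z",
    target="DynamoDB_20120810.GetItem",
    body='{"TableName": "SensorReadings", "Key": {"device_id": {"S": "sensor-42"}}}',
)

if __name__ == "__main__":
    auth = sign_request("AKIAEXAMPLEDEMOKEY01",
                        CREDENTIALS["AKIAEXAMPLEDEMOKEY01"], "eu-west-1", **REQUEST)
    print(auth)
    print("genuine request accepted:", verify_request(auth, **REQUEST))
    forged = dict(REQUEST, body=REQUEST["body"].replace("sensor-42", "sensor-99"))
    print("tampered body accepted:", verify_request(auth, **forged))
```

The verifier recomputes the signature from the secret it holds for the access key id, so an eavesdropper who captures a request cannot alter the body, the target operation or the signed headers without the check failing, and the secret itself never crosses the wire. The real service also rejects requests whose x-amz-date is too far from its own clock, which bounds replay of an unmodified capture; this demo only checks that the date in the credential scope matches the request date.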
11. AWS ACCOUNT PROTECTION
• Two different types of user account
• Root user
• Identity and Access Management (IAM) users
• Created by the root user
• Accounts with customizable privileges
• Weaknesses in Amazon's policies
• Users are not forced to create IAM users (everything can be done as root)
• The password policy is vulnerable to dictionary attacks
• E.g., a password like "Amaz0nWS" is accepted
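The "Amaz0nWS" example shows why a character-class rule alone is not a password policy: the word behind it is "amazon" with a single leet-speak substitution, exactly what a dictionary attack tries first. The Python below is an added example, not the authors' code or AWS's policy engine: passes_complexity approximates the kind of length-plus-character-class rule the slide criticizes (my assumption, not AWS's exact rule), and check_password adds the leet-aware dictionary check that would have rejected the slide's example. The wordlist is a constructed handful of words standing in for a breach-derived list.

```python
import re

# Leet-speak substitutions undone before the dictionary lookup; "Amaz0nWS"
# becomes "amazonws", which a plain complexity rule never sees.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Constructed mini wordlist; a real deployment would load a breach-derived
# list (for example the HIBP Pwned Passwords corpus) instead of these words.
WORDLIST = {"amazon", "password", "welcome", "lambda", "dynamodb", "qwerty",
            "summer", "torino", "polito"}


def passes_complexity(password: str) -> bool:
    """Approximation (assumption, not AWS's exact rule) of the kind of policy
    the slide criticizes: 8+ characters drawn from at least three of four
    character classes. "Amaz0nWS" satisfies it."""
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    return len(password) >= 8 and sum(1 for c in classes if c) >= 3


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so variants map to a base word."""
    return password.lower().translate(LEET)


def dictionary_hit(password: str, wordlist=WORDLIST):
    """Return the longest wordlist entry the normalized password is built on,
    or None. A word counts as a hit when it covers at least half of the
    password: the remaining characters are too few to add real entropy."""
    norm = normalize(password)
    hits = [w for w in wordlist if w in norm and len(w) * 2 >= len(norm)]
    return max(hits, key=len) if hits else None


def check_password(password: str):
    """Combined check: complexity first, then the dictionary check that a
    complexity-only policy is missing. Returns (accepted, reason)."""
    if not passes_complexity(password):
        return False, "fails length/character-class rule"
    word = dictionary_hit(password)
    if word is not None:
        return False, f"built on dictionary word '{word}' (after undoing leet-speak)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Amaz0nWS", "P@ssw0rd1", "Summer2021!", "g7#Tq!v2Lw9$"]:
        print(f"{candidate!r}: complexity={passes_complexity(candidate)}, "
              f"full check={check_password(candidate)}")
```

The point of the split into two functions is that the slide's password passes the first and fails the second; a policy that stops at the first accepts it. The coverage ratio in dictionary_hit is a deliberate knob: lowering it catches longer passwords padded around a common word, raising it reduces false rejections of genuinely random strings that happen to contain a short word.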
13. OUR NOVICE PROGRAMMERS
• Developers from a consulting engineering company in Italy
• They were starting their first professional Cloud-IoT project
• They had to work on AWS for the first time
• They had just attended a short Cloud-IoT course
• Which ended with a final project to deliver
• After the course we asked them to fill in the survey
• 6 out of 9 attendees of the Cloud-IoT course answered (all males)
14. DEVELOPERS' PERCEPTION
• They feel inexperienced in cybersecurity
• 5 out of 6 answered 1/5; the other answered 2/5
• Who is in charge of the security of what you developed on AWS?
• 2 out of 6 => "Entirely the developer"
• 4 out of 6 => "Both the developer and AWS"
• All think the architecture could include security issues
• But no one acted to mitigate the security problems they had in mind
15. DEVELOPERS' PERCEPTION ABOUT THE ARCHITECTURE SECURITY
• The most secure point
• AWS DynamoDB database
• The least secure point
• The data flows between the back-end and the sensors/actuators
• The most critical points
1. Data flows to the actuators
2. The back-end code on AWS Lambda
3. Data flows from the sensors to the back-end
• The worst consequences
1. Cyber-physical attacks
2. A data breach
16. SECURITY BEST PRACTICES
• They all created "strong" passwords
• Dictionary attacks?
• Only 1 out of 6 created an IAM user
• 2 of the other 5 said they should have
• 4 out of 6 did not check whether they were using TLS
• 5 out of 6 did not check whether DB data at rest are encrypted or not
• No one used an additional service to improve security
• E.g., AWS IoT Device Defender
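Three of the items on this slide (whether the session runs as the root user, whether the endpoint is TLS, whether the table is encrypted at rest and with which key) can be verified from data the AWS API already returns, so "did not check" is a habit problem rather than a tooling one. The Python below is an added example, not the paper's or AWS's code: it runs those checks over constructed copies of the sts.get_caller_identity() and dynamodb.describe_table() responses and a client endpoint URL, so it works offline; in a live session the same functions would be fed the real boto3 responses. The account id, user name, key ARN and table names are made up, and the assumption that a table on the default AWS-owned key returns no SSEDescription element is marked in the code.

```python
from urllib.parse import urlparse

# Constructed API responses in the shape boto3 returns them, so the checks run
# offline. Account id, user name, key ARN and table names are made up.
CALLER_ROOT = {"Account": "123456789012", "UserId": "123456789012",
               "Arn": "arn:aws:iam::123456789012:root"}
CALLER_IAM_USER = {"Account": "123456789012", "UserId": "AIDAEXAMPLEUSERID",
                   "Arn": "arn:aws:iam::123456789012:user/iot-dev"}
TABLE_KMS = {"Table": {"TableName": "SensorReadings",
                       "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                          "KMSMasterKeyArn": "arn:aws:kms:eu-west-1:123456789012:key/example"}}}
# Assumption (from the DynamoDB API reference): a table on the default
# AWS-owned key comes back with no SSEDescription element at all.
TABLE_DEFAULT = {"Table": {"TableName": "Commands"}}


def is_root_principal(caller_identity: dict) -> bool:
    """Root credentials identify themselves with an ARN ending in ':root';
    an IAM user's ARN ends in 'user/<name>'."""
    return caller_identity["Arn"].endswith(":root")


def endpoint_uses_tls(endpoint_url: str) -> bool:
    """Plain http endpoints (e.g. DynamoDB Local on http://localhost:8000)
    carry the signed request, and the data, in clear."""
    return urlparse(endpoint_url).scheme == "https"


def table_encryption(describe_table_response: dict) -> str:
    """Summarize at-rest encryption from describe_table(): the table is
    encrypted either way, the question is which key and whether it is enabled."""
    sse = describe_table_response["Table"].get("SSEDescription")
    if sse is None:
        return "AWS owned key (default)"
    return f"{sse['SSEType']} ({sse['Status']})"


def audit(caller_identity: dict, endpoint_url: str, describe_table_response: dict) -> dict:
    """The three checks the surveyed developers skipped, as one report. In a
    live session the inputs come from boto3: sts.get_caller_identity(),
    dynamodb_client.meta.endpoint_url and dynamodb.describe_table(TableName=...)."""
    problems = []
    if is_root_principal(caller_identity):
        problems.append("credentials belong to the root user; create an IAM user with least privilege")
    if not endpoint_uses_tls(endpoint_url):
        problems.append(f"{endpoint_url} is not an https endpoint; data in transit is unprotected")
    return {
        "principal": caller_identity["Arn"],
        "tls": endpoint_uses_tls(endpoint_url),
        "at_rest": table_encryption(describe_table_response),
        "problems": problems,
    }


if __name__ == "__main__":
    # A novice's setup: root credentials against a local, non-TLS endpoint.
    for line in audit(CALLER_ROOT, "http://localhost:8000", TABLE_DEFAULT)["problems"]:
        print("PROBLEM:", line)
    # The setup the slide recommends: an IAM user, the regional TLS endpoint,
    # and a table whose at-rest key is visible and under the account's control.
    print(audit(CALLER_IAM_USER, "https://dynamodb.eu-west-1.amazonaws.com", TABLE_KMS))
```

Running such a check once, at the end of the course project, would have answered three of the survey's "did not check" items from the developer's own session; the regional AWS endpoints are TLS-only, so the http case shows up in practice with local emulators or a hand-typed endpoint_url.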
18. CONCLUSIONS
• Even professionals do not feel comfortable with cybersecurity
• Novices in IoT, not novice programmers
• Knowing that security is important is not enough to act
• 2 out of 6 answered: "security is a responsibility of the developer"
• All thought the architecture could be insecure
• No one acted to mitigate the problem
• AWS is a good choice for implementing a secure Cloud-IoT solution
• Even for a novice programmer
• Suggestions for AWS:
• Force users to create at least one IAM user
• The password policy should reject passwords open to basic dictionary attacks
19. FUTURE WORK
• A survey on a larger sample of Novice IoT Programmers
• Analyzing other specific aspects and platforms
• E.g., Arduino devices
• Providing best practices and tools for developing more reliable IoT systems
20. THANK YOU FOR YOUR KIND ATTENTION!
ANY QUESTIONS?
Fulvio Corno, Luigi De Russis, Luca Mannella