This document presents a security control center designed for an IoT device security platform. It motivates the need for such a system given the lack of security in many IoT devices and the absence of control systems. It reviews related works in general security control systems and issues with applying them to IoT. The proposed system monitors elements of the SecurePi security platform like the trusted platform module, firmware integrity and updates, file system integrity and encryption. The implementation includes an SCC server to collect data and an SCC client for monitoring. Future work involves expanding the system to secure Arduino devices.
1. - 1 -
Mobile & Embedded System Lab.
Dept. of Computer Engineering
Kyung Hee Univ.
Design and Implementation of
Security Control Center based on
IoT Device Security Platform
Presented by Junyoung Jung
2. - 2 - Kyung Hee University
Mobile Embedded System Lab.
Motivation
Recent Trends
Accelerated the launch of a variety of IoT products & services
Increased interest in IoT device security issues
Problems
Manufactured without considering security level
Absence of a security control system
▶ Difficult to respond to security attacks
Need for a Security Control System
(Collecting and Analyzing the information about security attacks.)
3. - 3 - Kyung Hee University
Mobile Embedded System Lab.
Related works
General Security Control System
Monitoring and management
Rapid response handling
▶ Real-time monitoring
▶ Fault handling
Problems of general Security Control System
Connect to the Internet on PC and mobile
▶ The number of protected objects is limited.
IoT devices connect various sensors and things
▶ The number of protected is not clearly defined.
General Security Control System Not suitable
for IoT service
4. - 4 - Kyung Hee University
Mobile Embedded System Lab.
Related works
SecurePi: Secure Raspberry Pi (Using TPM*)
Linux based high-end secure COTS IoT device platform
① Secure Key Storage & Management
② Secure Boot
③ Secure Firmware Update
④ Remote Attestation
⑤ Secure Communication
⑥ Mandatory Access Control
⑦ Filesystem Integrity
⑧ Filesystem Encryption
*TPM : Trusted Platform Module
5. - 5 - Kyung Hee University
Mobile Embedded System Lab.
Contribution
Suggested in the paper
SecurePi is a platform to satisfy the measures against IoT device
security issues.
However, if Secure Pi’s TPM does not work, another security issue
may arise.
Propose SCC(Security Control Center),
a system that can control SecurePi
6. - 6 - Kyung Hee University
Mobile Embedded System Lab.
Contribution
Improvements through the paper
Enables monitoring of secure element tech. of Secure Pi
▶ Does the TPM run normal?
▶ Is encryption key data securely maintained/managed?
▶ Is the integrity of the F/W guaranteed?
▶ Is the F/W update safe?
▶ Is the integrity of the files in the filesystem guaranteed?
▶ Is the confidentiality of files in the filesystem guaranteed?
▶ Is a device login attempt detected?
▶ Is a device allow/deny packet detected?
7. - 7 - Kyung Hee University
Mobile Embedded System Lab.
Proposed System
Functional requirements (for performing Security Controls)
① Ensure availability of sensitive data
▶ Storing and managing the encryption key data in TPM
▶ Secure Key Storage & Management Monitoring
② Ensure F/W integrity (Secure Boot)
▶ Firmware replacement attacks prevention
▶ Secure Boot Monitoring
③ Ensure secure F/W update
▶ The previous versions of firmware install prevention
▶ Secure Firmware Update Monitoring
④ Ensure F/W integrity (Remote Attestation)
▶ Firmware replacement attacks prevention through other device
▶ Remote Attestation Monitoring
8. - 8 - Kyung Hee University
Mobile Embedded System Lab.
Proposed System
Functional requirements (for performing Security Controls)
⑤ Ensure the integrity of files in the filesystem
▶ Using IMA/EVM to provide integrity of files in filesystem
▶ Filesystem Integrity Monitoring
⑥ Ensure the confidentiality of files in the filesystem
▶ Using eCryptFS to provide confidentiality of files in the filesystem
▶ Filesystem Encryption Monitorng
⑦ Detect the device login attempt
▶ Checking the login log(/var/log/auth.log) periodically
▶ Login Monitoring
⑧ Detect the device allow/deny packet
▶ Checking the iptables log periodically
▶ Packet Monitoring
9. - 9 - Kyung Hee University
Mobile Embedded System Lab.
Implementation
SCC system
10. - 10 - Kyung Hee University
Mobile Embedded System Lab.
Implementation
SCC-Server
11. - 11 - Kyung Hee University
Mobile Embedded System Lab.
Implementation
SCC-Client
Main page
http://163.180.142.73:3000
Host PC: Ubuntu 16.04 LTS
12. - 12 - Kyung Hee University
Mobile Embedded System Lab.
Conclusion
Conclusion
Need security platform for considering device level
Need security control system for monitoring the security platform
Future works
SArduino: Secure Arduino (Using SE)
▶ RTOS/FIRMWARE based low-end secure COTS IoT device platform