Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer

This is the PowerPoint presentation given by Luca Mannella at WoRIE'21: 10th Workshop on the Reliability of Intelligent Environments.
The presented paper is entitled: Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer.

  1. Perception of Security Issues in the Development of Cloud-IoT Systems by a Novice Programmer
     Fulvio CORNO, Luigi DE RUSSIS, and Luca MANNELLA
     e-Lite Research Group, Politecnico di Torino, Turin, Italy
     WoRIE’21: June 22nd, 2021, 10th Workshop On the Reliability of Intelligent Environments
  2. OUTLINE
     • Introduction
     • Use Case Architecture Analysis
     • Amazon Web Services Security Analysis
     • Developers’ Perspective on AWS Security
     • Conclusions & Discussions
     2021-06-22 WORIE'21: FULVIO CORNO, LUIGI DE RUSSIS, AND LUCA MANNELLA 2
  3. INTRODUCTION
     • Research Question: Is a Cloud-IoT platform secure when it is used by a Novice IoT Programmer?
     • Novice IoT Programmer
       • A software developer who is a novice to the IoT world
       • Not a novice to programming
     • An attractive platform for the Novice IoT Programmer: Amazon Web Services
       • Very famous and widespread
       • One of the most complete cloud platforms
       • Provides services on demand
  4. USE CASE ARCHITECTURE ANALYSIS
  5. A CLOUD-IOT ARCHITECTURE
     • Sensing devices
     • Acting devices
     • Some front-end devices
     • AWS cloud back-end
       • Manages the devices
       • Stores data in a database
       • Provides some APIs for the front-end devices
  6. MAIN COMMON ATTACK POINTS
     • Back-end
       • The developed code inside the AWS Lambda functions
       • The database
  7. MAIN COMMON ATTACK POINTS
     • Back-end
       • The developed code inside the AWS Lambda functions
       • The database
     • Front-end devices
       • Out of the developer’s control
  8. MAIN COMMON ATTACK POINTS
     • Back-end
       • The developed code inside the AWS Lambda functions
       • The database
     • Front-end devices
       • Out of the developer’s control
     • The data flows between
       • The sensors and the back-end
       • The back-end and the actuators
       • The API gateway and the front-end devices
  9. AMAZON WEB SERVICES SECURITY ANALYSIS
  10. AWS ANALYSIS
      • Data Flow Protection
        • Data could be eavesdropped, tampered with, and forged
        • AWS requires encrypted connections with its back-end
          • TLS for HTTP connections
          • IPsec using Amazon VPC
      • Database Protection
        • Requests to the DB must contain a valid HMAC-SHA256 signature
        • DynamoDB is accessible via TLS endpoints
          • Data in transit are protected
        • By default, DynamoDB data are encrypted at rest
        • Fine-grained access control policies (through IAM)
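As an added illustration (not code from the slides or from AWS), the following Python models the HMAC-SHA256 request signature mentioned above: a scoped signing key derived with the documented AWS Signature Version 4 chain, a simplified canonical request, and the server-side check that rejects a request whose body was tampered with in transit or that was forged without the secret. The secret, timestamp, endpoint host and DynamoDB body are constructed sample values.

```python
# Added example: HMAC-SHA256 request signing in the style of AWS SigV4.
# Secret, timestamp, host and request body below are constructed, not real.
import hashlib
import hmac

HOST = "dynamodb.eu-west-1.amazonaws.com"   # assumed endpoint for the example


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 chain: 'AWS4'+secret -> date -> region -> service -> 'aws4_request'.
    The key is scoped to one day/region/service, so a leaked key has limited reach."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(body: str) -> str:
    """Simplified canonical request: method, path, query, headers, signed headers, body hash."""
    body_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return "\n".join(["POST", "/", "", f"host:{HOST}", "", "host", body_hash])


def sign_request(secret: str, amz_date: str, region: str, service: str, body: str) -> str:
    """Client side: hex HMAC-SHA256 of the string-to-sign under the scoped key."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    req_hash = hashlib.sha256(canonical_request(body).encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, req_hash])
    key = derive_signing_key(secret, date, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(secret: str, amz_date: str, region: str, service: str,
                   body: str, signature: str) -> bool:
    """Server side: recompute from the body actually received; constant-time compare."""
    expected = sign_request(secret, amz_date, region, service, body)
    return hmac.compare_digest(expected, signature)


# Constructed sample values (not real credentials)
SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
AMZ_DATE = "20210622T100000Z"
BODY = '{"TableName":"SensorData","Item":{"temp":{"N":"21.5"}}}'

if __name__ == "__main__":
    sig = sign_request(SECRET, AMZ_DATE, "eu-west-1", "dynamodb", BODY)
    print("genuine accepted: ", verify_request(SECRET, AMZ_DATE, "eu-west-1", "dynamodb", BODY, sig))
    tampered = BODY.replace("21.5", "99.9")   # value altered in transit
    print("tampered accepted:", verify_request(SECRET, AMZ_DATE, "eu-west-1", "dynamodb", tampered, sig))
```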
  11. AWS ACCOUNT PROTECTION
      • Two different types of account
        • Root user
        • Identity and Access Management (IAM) users
          • Created by the Root user
          • An account with customizable privileges
      • Weaknesses in Amazon’s policies
        • Users are not forced to create IAM accounts
        • The password policy is vulnerable to dictionary attacks
          • E.g.: a password like “Amaz0nWS” is accepted
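The slide's point is that a policy based only on length and character classes lets “Amaz0nWS” through. As an added example (not from the slides), the following Python policy check also normalises common leetspeak substitutions and looks for a dictionary word embedded in the password, so that password is rejected; the wordlist is a small constructed sample, and a real deployment would load a full dictionary and breached-password list.

```python
# Added example: a password-policy check that catches leetspeak dictionary words.
# WORDLIST is a constructed sample; load a real dictionary in practice.
import re
from typing import List, Optional

LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample wordlist: brand terms, service names and common words
WORDLIST = {"amazon", "password", "welcome", "lambda", "dynamo", "cloud", "torino"}


def normalise(password: str) -> str:
    """Lower-case and undo the usual digit/symbol-for-letter substitutions."""
    return password.lower().translate(LEET)


def dictionary_core(password: str, min_core: int = 4) -> Optional[str]:
    """Return the dictionary word hidden in the password, if any.
    Scans every substring of length >= min_core, longest first, which catches
    word + digits/suffix constructions such as 'amazonws' or 'welcome2021'."""
    norm = normalise(password)
    n = len(norm)
    for length in range(n, min_core - 1, -1):
        for start in range(0, n - length + 1):
            candidate = norm[start:start + length]
            if candidate in WORDLIST:
                return candidate
    return None


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    word = dictionary_core(password)
    if word is not None:
        problems.append(f"based on dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Amaz0nWS", "W3lcome2021!!", "Correct-Horse-Battery-9!"):
        print(candidate, "->", check_policy(candidate) or "accepted")
```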
  12. DEVELOPERS’ PERSPECTIVE ON AWS SECURITY
  13. OUR NOVICE PROGRAMMERS
      • Developers from a consulting engineering company in Italy
        • They were starting their first Cloud-IoT professional project
        • They had to work on AWS for the first time
      • They had just followed a short Cloud-IoT course
        • With a final project to deliver
      • After the course we asked them to fill in the survey
        • 6 out of 9 attendees of the Cloud-IoT course (all males)
  14. DEVELOPERS’ PERCEPTION
      • They feel inexperienced about cybersecurity
        • 5 out of 6 answered 1/5; the other answered 2/5
      • Who is in charge of the security of what you developed on AWS?
        • 2 out of 6 => “Entirely the developer”
        • 4 out of 6 => “Both developer and AWS”
      • All think the architecture could include security issues
        • No one acted to mitigate the security problems they had in mind
  15. DEVELOPERS’ PERCEPTION ABOUT THE ARCHITECTURE SECURITY
      • The most secure point
        • AWS DynamoDB Database
      • The least secure point
        • The data flows between back-end and sensors/actuators
      • The most critical points
        1. Data flows to the actuators
        2. The back-end code on AWS Lambda
        3. Data flows from the sensors to the back-end
      • The worst consequences
        1. Cyber-physical attacks
        2. A data breach
  16. SECURITY BEST PRACTICES
      • They all created “strong” passwords
        • Dictionary attacks?
      • Only 1 out of 6 created an IAM account
        • 2 out of 5 specified they should have
      • 4 out of 6 did not check if they were using TLS
      • 5 out of 6 did not check whether DB data at rest are encrypted or not
      • No one used an additional service to improve security
        • E.g., AWS IoT Device Defender
  17. CONCLUSIONS & FUTURE WORK
  18. CONCLUSIONS
      • Even professionals do not feel comfortable with cybersecurity
        • Novices in IoT, not novice programmers
      • Knowing that security is important is not enough to act
        • 2 out of 6 answered: “security is a responsibility of the developer”
        • All thought the architecture could be insecure
        • No one acted to mitigate the problem
      • AWS is a good choice for implementing a secure Cloud-IoT solution
        • Even for a novice programmer
      • Suggestions for AWS:
        • Forcing users to create at least one IAM account
        • The password policy should prevent basic dictionary attacks
  19. FUTURE WORK
      • Running the survey on a larger sample of Novice IoT Programmers
      • Analyzing other specific aspects and platforms
        • E.g., Arduino devices
      • Providing best practices and tools for developing more reliable IoT systems
  20. THANK YOU FOR YOUR KIND ATTENTION! ANY QUESTIONS?
      Fulvio Corno, Luigi De Russis, Luca Mannella